GDPR Compliance II

I’ve concluded that it isn’t. It’s their business, not mine. If VAT changed and they were selling something, I’d expect them to contact me to make the relevant change.

I will however, be approaching active clients, offering them a GDPR-in-a-box service. Once I’ve figured out what it is!


Completely agree with this. You can also add a compulsory agree button to your form. If they don’t click it the form doesn’t go. No need to get over-anxious about this - particularly as a small business. So long as you are trying to do the right thing any contact from the powers that be will be educational rather than punitive - that’s certainly the official line from the UK’s ICO.

Here comes the solution:


I just watched the video about Will’s Cookie Manager stack. Together with another stack such as Gateway, it appears to be a good start in the process of turning a website to a GDPR-compliant one. The thorn of getting a properly drafted privacy policy remains, however.

Will’s solution does it the correct way, that is, blocking display of all content before user consent is given. However, I can guarantee you that absolutely NONE of my clients would be OK with this. No client of mine would like to see their website’s content blocked, even temporarily, because of some obscure law. All my clients, I can vouch for it, would want their slideshows, animated banners, videos, and what have you to load as fast as possible and be displayed as soon as a user visits their page.

The question is, can we just ignore this stupid, useless law just as we completely ignored the stupid, useless cookie law? None of my clients bothered with the cookie law in the least, and neither did I. To this day, if you ask them, most of them (or perhaps all of them) will tell you they had no idea what that is (was).

I’ve been registered under the DPA since November 2000 and frankly I think it’s great that the law is being tightened up at last. Invasion of privacy is a big issue.

From my (limited) understanding of GDPR, the main differences are that (a) contact details etc. on any mailing list and/or record system (whether computerised or not) can only be on it with the express consent (opt-in) of the person/organisation concerned - i.e., details cannot be added by implication; (b) anyone has the right to request what data/information is held and for the information to be provided free of charge and within 1 month - currently there is a fee of £10; (c) the information can only be held for the purpose stated at the onset, and also only for the duration of that purpose - i.e., for example, if I enquire about a particular service or product then you cannot put me on a mailing list for any other service or product, unless I’ve agreed to be on that list; (d) and the information has to be stored securely and inaccessible to unauthorised persons.

Where the relationship is contractual, GDPR doesn’t apply to the same extent.

Years ago, I had created from scratch a massive mailing list (approximately 1500 contacts: corporates and high-net-worth individuals; massive by my standards) for my newsletter for clients and contacts, but what with the cost of publishing, printing, postage, etc., I ditched it. When I started, it cost me a total of 50p (£0.50 GBP) for each newsletter (printed 8-16 pages, stapled, bound in a laminated cover and distributed 4 times a year); by the time I stopped, the postage alone was 50p. I considered distributing by email but that wouldn’t have reduced the cost of publishing and initial printing (via PDF) or the time and effort in maintaining and growing the list; also it would’ve suffered the same disadvantage as a printed version in not necessarily being kept for future reference by the recipient. Nowadays, I put my newsletter on my website and since the site doesn’t require any registration, log-in, etc., anyone can read it - also, the potential readership is not limited by my prejudices! On balance, I reckon I get as much new business from each newsletter as before but with the added benefit of effectively nil cost and permanency. As a way of keeping in touch with existing clients/customers and attracting new customers, personally I don’t think one can beat an effective website. (Thank you Rapidweaver)

Every day I receive newsletters via RNS from my chosen sources. Every so often, whenever I buy something or simply from visiting a site, I am asked if I’d like to sign up for a newsletter: the process is in my view old-fashioned; I provide my email, I receive a confirmation link to activate. In some cases, particularly when the mailing list is administered by an intermediary, I am told that my email address is not compliant! I often wonder how many businesses lose out thanks to their mailing list companies. Whether I actually receive any newsletters depends upon how progressive the particular business/organisation is. USA businesses tend to be more active on that score, but their marketing style is often very formulaic and manipulative. Sign up for this and that, buy this and that, and suddenly you’re hooked into a seemingly never-ending round of paying out for this and that. How relevant they are to my needs and aspirations affects how long it is before I unsubscribe. It seems to me that collecting email addresses for the sake of it is pointless.

I don’t think I’ve answered your question, except to suggest: why bother collecting personal data/information for the sake of it when the website itself, used to its full potential, is ample?

PS - As a rule, I avoid signing up for newsletters where the website mentions sign in with Facebook, Google, Twitter, etc. Also, before shutting down my computer, tablet, phone, etc., I clear all (unwanted) cookies and delete all local storage files and any databases.

I think you are completely missing the point here. Neither the new laws nor the stack are about hiding the entire content. All that needs to be hidden before the user gives his OK, is content that draws the IP address from the user. That affects GoogleMaps, FontAwesome, GoogleFonts and Google Analytics, just to name the most important ones. In particular Analytics and GoogleMaps are difficult to handle otherwise, so for those cases the stack is a good solution. Your slideshows, images etc. don’t have to be affected by it.

OK, then, let’s see… Google maps.

The Google Map is never on the home page. The visitor will already be bothered once to click on the “I Agree” button on the home page for consent to a cookie/privacy policy or similar nonsense.

So when the user navigates to the actual map page, the cookie manager is supposed to be activated, and the visitor gets bothered again! Only this time, the map content is not even shown unless there is a click on some type of “I Consent” button, right?

And the process gets repeated when the visitor navigates to the reservations form or the contact form, right?

Well, I believe all this is beyond ridiculous, and again, none of my clients would even think of implementing it on their websites, and rightfully so.

IMHO, discussing if clients should follow rules and laws isn’t helpful here…

There might be different consensus how to implement the laws in the correct way. Telling your client that they don’t have to follow the new laws doesn’t help them.


I would never tell them they don’t have to follow the law. In fact, it’s a revenue opportunity for me (once I figure out how to implement it).

I am just asking whether it is wise for all of us to fall in line behind the stifling bureaucracy from Brussels. If most of us refuse to comply, what are they going to do? They can’t put us all in jail, and I do not know that the bureaucrats in Brussels have the power to impose penalties, including fines, that cannot be collected anyway. We do not have a signed European institution, anyway.

If I were located in the US, I would not give this stupid law the time of day.

I don’t know where you are located. Your local Government has to fulfil the GDPR.

In Germany, where I am from, it’s called the DSGVO. And we have a lot of lawyers just waiting for the enforcement date of 25 May 2018 to write adhortatory letters.


I am in Greece. We collectively pissed on the previous cookie law. Not sure what the deal is with this new abomination.


In the UK, the Information Commissioner’s Office is empowered to penalise and enforce. Details here: ICO GDPR

In my experience, any attitude along the lines of “all this is beyond ridiculous” generally emits from people that consider themselves above any law that doesn’t meet with their personal approval.

Like it or not, the bottom-line is that if the law is not complied with then it’s being broken. Whether possible to wriggle out of the consequences of breaking the law depends upon knowledge of the law and loopholes.

As to who should shoulder the blame for the consequences of breaking the law, I should think anyone entrusted to create and design a website for someone else who does not ensure compliance would be considered to be aiding and abetting.


I’d rephrase that to:

…any attitude along the lines of “all this is beyond ridiculous” generally emits from people who dislike increased government intervention in their lives and business, and who wish to remain free.

Thanks for the kind words about the stack.

Opt-in / opt-out has been a point of contention for a number of years, since the original cookie tracking laws came into force in 2011. Some interpreted the law to mean people were fine with cookies and could opt out if they wanted to or change their browser settings. Others took a more stringent approach of getting people to give consent and opt in to everything. Then there was also confusion about what actually constituted essential and non-essential cookies. Hence the mess we have today.

But GDPR is more than cookies. It is also looking at the bigger picture of where other user data might potentially be leaking away from on a website.

Of course with my solution, you could reverse engineer things. In other words, set everything to load by default. Then provide the ‘big red button’ so a user can choose to bail-out afterwards if they don’t like being monitored. But by that stage, it is possible some cookies have already been set and user data harvested by a third-party. So with that method, you may not be very close towards achieving full GDPR compliance, based on how you choose to interpret the rules.

CookieManager uses server-side PHP code, so it is checking for the user consent cookie long before any stacks placed within itself are sent downstream and viewed by the user. This offers an effective means of quarantining stacks, based on user consent being given or not. It will work great for most stacks and code you place within. It will not work for some stacks that sneakily hide calls to outside services in the head of the page or in other files (like CSS or Javascript) - those will need updating or exchanging for something else. The browser console can provide clues as to where there might be data leaks occurring.

In instances where the user preferences dictate that stacks placed inside CookieManager should not be shown, you can display an alternative polite message and / or the opt-in button. That will give a clearer indication to the end user (or client) why something is not displaying for them.

There is never going to be a perfect solution that pleases everyone. As I told someone on the phone this morning, this is lousy legislation the EU wrote to chase-after the likes of Facebook, Amazon and Google. But it has inadvertently clobbered the small person with a huge technical conundrum too. I am of the opinion that the existing data protection act we had in the UK since 1998 was adequate enough. Similar laws existed in other areas too. And all modern web browsers already have strong defense against third-party trackers.

I cannot choose to ignore GDPR for my own customers or clients I am managing websites for. I have no clue how the EU intends to chase after individuals and organisations outside of its jurisdiction. And if they were to start down the route of blocking websites and censoring what EU residents can access, well, the implications of that are really dangerous for the ‘open’ web.

For now we can only try our best, until either the EU revises / clarifies the laws or there are technological changes in how data is handled online.

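To make the server-side quarantining idea above concrete, here is an added example of a minimal consent gate in PHP. It is not the CookieManager stack’s own code; the cookie name, the placeholder map URL and the form field names are assumptions. The point it shows is that the third-party embed markup never leaves the server until the visitor has opted in, so the browser never contacts the external service (and hands over its IP address) beforehand.

```php
<?php
// Added example, not the CookieManager stack's code. Cookie and field names are assumed.
declare(strict_types=1);

const CONSENT_COOKIE = 'third_party_consent'; // assumed cookie name
const CONSENT_TTL    = 60 * 60 * 24 * 180;    // remember the choice for 180 days

// True only if the visitor has previously opted in to third-party content.
function hasConsent(array $cookies): bool
{
    return isset($cookies[CONSENT_COOKIE]) && $cookies[CONSENT_COOKIE] === 'yes';
}

// Opt-in or withdrawal arrives as a POST. This runs before any HTML is echoed,
// so the Set-Cookie header can still be added to this response.
function handleConsentForm(array $post): void
{
    if (!isset($post['consent'])) {
        return;
    }
    $value = $post['consent'] === 'yes' ? 'yes' : 'no';
    setcookie(CONSENT_COOKIE, $value, [
        'expires'  => time() + CONSENT_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,   // the consent flag is only read server-side
        'samesite' => 'Lax',
    ]);
    $_COOKIE[CONSENT_COOKIE] = $value; // make the decision visible to this same request
}

// Returns the HTML to send: the quarantined embed only after consent,
// otherwise a polite placeholder with the opt-in button.
// Note: this only gates markup the server emits; scripts or CSS that the
// page head pulls from outside services are not caught by it.
function renderGated(string $embedHtml, bool $consented): string
{
    if ($consented) {
        return $embedHtml;
    }
    return '<div class="consent-placeholder">'
         . '<p>This map is loaded from an external service that would receive your IP address.</p>'
         . '<form method="post"><button name="consent" value="yes">Load the map</button></form>'
         . '</div>';
}

handleConsentForm($_POST);
$map = '<iframe src="https://www.google.com/maps/embed?pb=PLACEHOLDER" title="Map"></iframe>'; // placeholder URL
echo renderGated($map, hasConsent($_COOKIE));
```

A withdrawal button is the same form posting `consent=no`, which is the ‘big red button’ mentioned above; whether you default to blocked or loaded is exactly the interpretation question the post raises.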

I’d hope that commonsense would prevail.

It doesn’t seem reasonable to go after me for aiding and abetting over a site with a contact form that I built 6 years ago for someone for £300.000.

Or at least I’d hope so!

Rob


Freedom eh! I’m told there are approximately 62 reasons for the authorities to enter a person’s property without needing the person’s permission beforehand.

I agree with you in principle, but GDPR isn’t about intervening in people’s lives and business, but protecting people’s lives and privacy from the risk of misuse of data/information about their lives. If all businesses could be trusted not to disclose, share, sell etc. data/information to third parties, and in the case of websites not to install cookies and other ‘hidden’ files onto people’s computers under the guise of providing a better service etc., then there would be no need for any law to keep order.

When I go shopping and pay cash for a purchase, the shop doesn’t normally insist upon fathoming my private life. Even if I pay using credit or debit card, my financial relationship with the card provider is between the bank and myself and any credit agency. Nothing to do with the owner of the shop. But on-line, I am required to provide all manner of personal information and to accommodate all manner of stuff on my computer before being allowed to buy something; and to have no control over what the business does with that data/information afterwards.

For someone such as yourself who wishes to remain free, why should government be singled out for intervening when in practice any number of businesses are just as invasive?


You seem to think it’s all about protecting people’s lives and privacy. This may be the intent, but forcing us to create consent forms on websites will do ABSOLUTELY NOTHING for data privacy!

I am already respectful of people’s privacy, and so are my clients. We do not send out spam emails, ever, and take reasonable steps to protect their personally identifiable data. We do not need compulsory forms on a website under penalty of law to do that. We have been doing it ourselves before any law would mandate it.

On the other hand, spammers and scammers will continue to roam free, costing legitimate businesses and unsuspecting individuals millions of dollars every year. No stupid EU website consent law will have the slightest impact on them.

Once this BS is enacted, it won’t stop. In fact, it has already started, with the stupid cookie law. The GDPR is just the “natural” progression of this kind of government interference. It’s just like sales tax. Once enacted, some politicians find a way to increase it every so often. From 2% to 5% to 10%… What’s the sales tax in the UK now? 20%? In Greece it is 24% and keeps on rising, every other year.

Same thing with this website consent nonsense. Every once in a while, some politician will add to this, forcing us to have a gazillion items visitors will have to check on or “agree to” before proceeding to read the content. People never bother to read privacy policies and cookie statements. They just hastily click OK because they want to get to view the website content and know that if they don’t click “OK” or “I Agree” they will be denied access. It has already become a spontaneous reaction from 99.99% of the users. That’s beyond ridiculous, to quote myself.

It’s great to have laws in the books that protect people. I’m all for that. But forcing us to modify our websites as mandated is just a waste of resources and a lost cause.

I’ve just come across this document from the European Commission that covers GDPR. I found it surprisingly useful.

Your mileage may vary!

Rob


Try this site. It can produce both English and German privacy policy drafts.

Hi, this site only produces the imprint (site notice) and no privacy policy texts. So keep in mind this will not help you with the GDPR.