You can access the updated guidelines by here.

The two key changes clarify that:

Websites and other services may not use ‘cookie walls’, as these do not permit valid consent to be collected.

‘Cookie walls’ require the user to agree to the placing or reading of cookies (or similar technologies) on the user’s device in order to access a website, service or functionality.

The EDPB gives the example of a website provider putting into place a script that blocks content from being visible except for (i) a request to accept cookies; and (ii) certain information about those cookies. There is no possibility to access the content without clicking on the ‘Accept cookies’ button. The EDPB takes the view that in these circumstances the website user is not presented with a genuine choice whether to consent or not. The consent is not ‘freely given’, and therefore not valid under the GDPR.

Actions such as scrolling or swiping through a webpage will not under any circumstances constitute valid consent under the GDPR.

This is because the GDPR requires consent to be given by ‘an unambiguous indication’ of wishes indicated by a statement or a ‘clear affirmative action’ of the user. Scrolling and swiping do not meet this requirement because they may be difficult to distinguish from other activities or interactions.

The guidance also clarifies that if consent is given by scrolling or swiping then it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it (another requirement for valid consent).

The post EDPB guidelines on Consent appeared first on DS Partners Law Firm.

1.Consent Forms

Consent forms should be clear and explain the data that is collected and how it is used in a clear and unambiguous language. Website users must be informed how long their personal data will be retained, and the classes of individuals with whom the information will be shared. The exact types of data that will be collected through use of the website must be clearly explained.

2.Privacy Policy

It is highly advised not to just copy and paste someone else’s privacy policy. It is unlikely to contain the proper information for your website. It is necessary to consult an expert and draft your policies in a way that users are not left scratching their heads and leave without actually understanding how their data are being handled. The whole point in making your website GDPR complaint is to be as transparent as possible to the users.

3.Cookies

The use of cookies should also be outlined in your privacy policy and what the various personal data collected will be used for. Users need to be able to easily opt out of cookie tracking in their browser’s privacy settings.

If you are using third-party plugins such as Google Analytics to capture autonomous data, then you still need to make your users aware of this via your privacy policy.

4.Rights of the data subject

Website users have many rights based on Chapter IV of the GDPR. Amongst others they have a ‘right to be forgotten’ so that they can have their details removed from a website and the database if they request it. Websites should therefore have a process in place that enables this procedure and also facilitate a way that users can request this, whether mentioning it clearly in a privacy policy or elsewhere on the website.

It is important that website visitors can get in touch with a site owner to exercise their GDPR rights and freedoms, so all contact information needs to be up to date. It must be easy for visitors to make contact should they wish to exercise their right to be forgotten, request a copy of any data that is collected and processed, and check their personal data for accuracy.

5.Handling the data

Security of user or customer data is a matter of great importance. Website owners are required to keep all data secured in an encrypted environment. By adding an “https” protocol to your website, you are helping encrypt the data that users fill on your site.

6.Email Marketing

Email subscriptions are a very effective tool for a website, especially for digital marketing purposes. But for an email marketing campaign website owners will ask users for their email address, which comes under the category of personally identifiable personal data. Proper care should be taken when it comes to understanding how this data is handled. Users should not be getting any unwanted emails in their inbox without their consent or any other legal justification.

It is finally, the responsibility of all website owners to familiarize themselves with the GDPR rules and make their websites GDPR compliant the soonest. If you own or operate a website, get familiar with the GDPR requirements, check to make sure you obtain consent or establish any other legitimate purpose, before personal data are collected and processed, ensure data subjects’ rights and freedoms are protected, and make sure all personal data is stored securely. The best way to go about it if you are having trouble with GDPR compliance is to seek expert legal advice.

The post How to make your website GDPR compliant appeared first on DS Partners Law Firm.