In general the basic concept is this: If you accept data from your users, you have to:
- Be upfront about what you’re using it for outside of expected business purposes
- Gain their explicit consent before using it for any other purpose (don’t pre-fill ‘yes’)
- Notify them in a timely manner if their data gets leaked
Seems pretty easy, right?
It seems like this is the sort of thing we really shouldn’t need regulations around, right? I mean, businesses want to treat their customers well, don’t they?
For an eye-opening look, check out this study on web design anti-patterns by the Norwegian government.
This is a personal example of how not to comply with the GDPR.
I recently clicked through on Google News to westernjournal.com (not linked).
I was presented with this screen:
Nice. So far so good, a big old “I do not accept” button.
However, clicking on the button leads to this page:
It also set all these cookies:
This is after I said I don’t want to be tracked. It also set cookies for the following domains:
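As an added example (not code from the original post), here is a small Python check that a site owner or auditor could run over the Set-Cookie headers captured from every response while loading the page after clicking “I do not accept”; the hosts, cookie names and the strictly-necessary allowlist are constructed assumptions, and the registrable-domain logic is a simplification that does not consult the Public Suffix List.

```python
"""Flag cookies set despite the visitor rejecting consent."""
from dataclasses import dataclass

SITE_HOST = "news.example"                              # constructed first-party host
STRICTLY_NECESSARY = {"session_id", "consent_choice"}   # assumed allowlist

# Constructed (response_host, Set-Cookie header) pairs, as if captured from all
# requests made while loading the page right after clicking "I do not accept".
SET_COOKIE_AFTER_REJECT = [
    ("news.example", "consent_choice=rejected; Path=/; Max-Age=31536000; SameSite=Lax"),
    ("news.example", "session_id=a1b2c3; Path=/; HttpOnly; Secure"),
    ("news.example", "_ga=GA1.2.123; Domain=.news.example; Path=/; Max-Age=63072000"),
    ("tracker.example", "ad_id=xyz; Domain=.tracker.example; Path=/; Secure; SameSite=None"),
    ("cdn.news.example", "uid=42; Path=/"),
]


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # host the cookie is scoped to, leading dot removed
    third_party: bool  # scoped outside the registrable domain of the visited site


def registrable_domain(host: str) -> str:
    # Simplification: last two labels. A real audit would use the Public Suffix List.
    return ".".join(host.lower().strip(".").split(".")[-2:])


def parse_set_cookie(header: str, response_host: str, site_host: str) -> Cookie:
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain = response_host.lower()   # no Domain attribute: host-only cookie
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            domain = value.strip().lstrip(".").lower()   # RFC 6265: leading dot ignored
    third_party = registrable_domain(domain) != registrable_domain(site_host)
    return Cookie(name, domain, third_party)


def consent_violations(captured, site_host, allowlist):
    """Return cookies set after rejection that are not strictly necessary."""
    cookies = [parse_set_cookie(h, host, site_host) for host, h in captured]
    return [c for c in cookies if c.name not in allowlist]


if __name__ == "__main__":
    for c in consent_violations(SET_COOKIE_AFTER_REJECT, SITE_HOST, STRICTLY_NECESSARY):
        scope = "third-party" if c.third_party else "first-party"
        print(f"{c.name:<15} {c.domain:<20} {scope}")
```

Anything the check lists is a cookie the site chose to set after being told no; the third-party ones are the domains the post complains about.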
It’s unlikely that this company has any presence in the EU, so they really didn’t need to comply with the directive at all, but if you’re going to do so, why spend all that time and money and then just make it a charade?
As it stands now, this site is not compliant with the directive. You aren’t allowed to block someone because they didn’t want to give you data that isn’t necessary to provide them with the service.
That’s the end of my rant. Thanks for reading.