If your business has an online presence, you've probably heard of the European Union's General Data Protection Regulation (GDPR). This sweeping legislation went into effect in May of 2018, and if you thought it wouldn't affect your business, think again.
Is your GDPR Notice ready to go?
The GDPR will have global influence. Unless you can absolutely guarantee that no users from the EU will ever find their way to your website, you'll need a GDPR notice and compliant consent measures.
Keep reading to find out more and see some GDPR Notice examples.
GDPR Basics
Feel free to read the GDPR in its entirety on the official website, but here are some of the basics that will affect the average business:
- Consent is not valid unless it is "freely given, specific, informed, and unambiguous." Basically, that means a "clicked" agreement is required.
- Privacy policies must be "concise, transparent, accessible, and written in clear and plain language."
- Your data collecting and processing practices must be easily accessible to the consumer and free of charge to access.
The GDPR applies to any website or mobile application collecting data from individuals located in the EU. Since the internet is a global marketplace, this means it could be applied to virtually any online business located anywhere in the world.
Failure to comply with these statutes regarding the personal information of EU residents could result in hefty fines, which can and will be enforced in other nations like the United States and Canada.
One important note is that these regulations do not apply to EU citizens living outside of the EU. Many websites are geographically coding consent notices to pop up only for EU IP addresses, so that users outside of the EU will not be bothered by the additional pop-up notices. This functionality is purely up to the preferences of each business.
Notices and Consent
If you're relying on consent as a legal basis for collecting and processing user data, your notice is a great place to get consent from users.
This is a simple example of a GDPR-compliant cookies notice from Evidon:
You can see in the screenshot of Article 7 below that the GDPR requires user consent to be clear and freely given. This is another way of saying that the visitor must actively agree to the collection of his information.
The common practices of browsewrap, implied consent or pre-checked boxes will no longer be considered valid.
Join In UK makes opting into its newsletter a condition of registering for the site. This is definitely not considered clear and freely given consent. Here's an example from the older opt-in form:
And here's the updated opt-in form that requires users to actively give consent:
Always opt for clickwrap rather than browsewrap if your notices ask for consent.
New and Improved Cookie Notices
The GDPR Notice is fundamentally a more complete and consent-oriented cookie notice.
Here are the key recommendations for cookies consent from the EU Information Commissioner's Office (ICO):
- Tell people the cookies are used
- Explain what the cookies are doing and why you use them
- Obtain the person's express consent to store a cookie on the device before storing them
The key differences here are that you need to explain what the cookies are doing from the get-go and obtain active consent before placing the cookies.
If cookies are collecting analytics or sharing information with third-party advertising partners, this information must also be communicated within the initial GDPR Notice.
The Crazy Egg GDPR Notice mentions both their use of anonymous cookies and third-party services, and requires users to give consent before using the site:
It is also suggested by the ICO that companies allow users to select which cookies they will allow, with an easy way to opt-out of the cookies they object to. Although this is not a mandatory part of the GDPR Notice, it is recommended to avoid any confusion or liability with EU users.
This GDPR Notice by Marsh allows users to read about and select their cookie preferences before using the website:
Finally, provide a link in the GDPR Notice to your Privacy Policy or Cookies Policy where visitors can read more about the information that is collected about them. This Policy should include a complete list of cookies along with information on how to opt-out of those cookies.
Hewlett Packard Enterprise links to its Privacy Policy within the GDPR Notice. The Privacy Policy also details the use of cookies and the types of cookies employed:
How to Add Your Cookie Consent Solution
Use our free Cookie Consent Solution to create, customize and add a Cookie Consent notice to your website.
- Click on the Cookie Consent link at the top of our website. Our Free Cookie Consent Solution will open:
- Choose your consent preference: Implied or Express:
- Customize your Cookie Consent widget with your website name, banner notice type and color palette:
- Copy your Cookie Consent code and add it to your website page code before the closing </body> tag.
- Adjust your website's JavaScript to accommodate your users' selections for consent:
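One way to carry out that last step is to route every cookie write through a gate that stores nothing until the visitor actively opts in to that cookie's category, and that deletes a category's cookies when consent is revoked. This is an added example, not the Cookie Consent Solution's own code; `createConsentGate`, the category names and the `Map` standing in for the browser's cookie store are assumptions.

```javascript
// Added example (not the vendor's code). All names here are hypothetical.
// A Map stands in for the browser cookie store so the logic runs under Node.
function createConsentGate(jar) {
  const granted = new Set();  // starts empty: no pre-checked categories
  const pending = [];         // cookie writes held back until consent arrives
  const written = new Map();  // category -> names of cookies actually stored

  function store(c) {
    jar.set(c.name, c.value);
    if (!written.has(c.category)) written.set(c.category, new Set());
    written.get(c.category).add(c.name);
  }

  return {
    // Scripts call this instead of writing cookies directly.
    setCookie(category, name, value) {
      const c = { category, name, value };
      if (granted.has(category)) { store(c); return true; }
      pending.push(c);        // nothing reaches the jar before the click
      return false;
    },
    // Wire this to the banner's "accept" click handler (clickwrap).
    grant(categories) {
      categories.forEach((cat) => granted.add(cat));
      const held = pending.splice(0);   // empty the queue, then re-sort it
      for (const c of held) {
        if (granted.has(c.category)) store(c); else pending.push(c);
      }
    },
    // Revocation: forget the consent and delete what that category stored.
    revoke(category) {
      granted.delete(category);
      for (const name of written.get(category) || []) jar.delete(name);
      written.delete(category);
    },
    grantedCategories: () => [...granted].sort(),
  };
}

// Constructed walk-through: visitor accepts analytics only, later revokes it.
function demo() {
  const jar = new Map();
  const gate = createConsentGate(jar);
  gate.setCookie("analytics", "visit_id", "abc123");
  gate.setCookie("advertising", "ad_partner", "xyz789");
  const beforeClick = jar.size;
  gate.grant(["analytics"]);
  const afterGrant = [...jar.keys()];
  gate.revoke("analytics");
  return { beforeClick, afterGrant, afterRevoke: jar.size };
}
```

In a browser, `jar.set` and `jar.delete` would be replaced by writes to `document.cookie`, and third-party scripts that set their own cookies would be loaded only from inside `grant`.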
More Examples of Compliant GDPR Notices
Google has professed open support for the GDPR and is proving it through a high level of compliance. Not only has Google implemented the measures shown below, but it has built an entire website dedicated to privacy and compliance.
Upon navigating to Google from any EU member state, a large and insistent banner pops up asking to inform you of important privacy information.
On click, this GDPR Notice appears:
This GDPR Notice gives the user a thorough rundown of the information Google collects about devices and activity, why this information is collected, and who Google shares it with. If the user clicks 'Other Options,' they may modify the types of information that Google collects. Also included is a link to the Privacy Policy which provides more information about cookies and how to block them.
Note the required call to action at the bottom of the notice, prompting users to actively agree to the collection of data. This informational page about cookies within the Google Privacy Policy includes an explanatory video:
Google also provides users with this complete cookie chart and a link to manage cookies:
A chart like this can help your users make informed decisions when deciding which cookies to allow and which to opt out of.
Next up, the BBC gives us another great example of how a GDPR Notice should function. Any user from the EU will automatically see this conspicuous banner when they land on the homepage:
This GDPR Notice provides a brief rundown of the kinds of cookies the BBC implements and why. They give the visitor three options, all requiring a specific action on the part of the user: 'Continue,' 'Change settings,' or 'Find out more.'
Upon clicking either 'Change settings' or 'Find out more,' you will come to a page of links to learn more about cookies or manage cookies:
The link to change cookie settings takes you to this page, where you can pick and choose which cookies to allow on your browser:
The BBC also provides a detailed cookies chart where users may read about each cookie placed and its function:
Overall, the BBC follows every GDPR guideline to the letter.
MailChimp presents EU visitors with comprehensive understanding and control of cookies, starting with this pop-up banner on the homepage:
When users click the 'Cookie Settings' link, they're presented with this window where they can learn more and/or turn off the cookies they do not wish to have installed on their browsers:
MailChimp's Cookie Statement includes a list of all the cookies MailChimp employs, along with the function of each:
This helps users understand the actual purpose of each of the cookies when deciding whether to allow their use or not.
Remember: Make your GDPR notices easy to understand. Link your relevant agreements within them for added clarity. Always use a clickwrap method to obtain agreement, and always let your users revoke that agreement/consent.