3 Steps to make your website GDPR compliant

9 March 2021


A website is a company's online showcase, and the business stakes are now so high that doing without one is unthinkable.

But while these spaces offer companies unparalleled visibility and convenience, we must not forget that they are above all intended for users. To achieve most of their objectives, especially marketing ones, companies need to exploit as much information as possible about traffic and use of the site, and therefore to process personal data.

Thus, between tracking, advertising, the deposit of cookies, tracers and pixels, and the multiplicity of actors who can capture data, websites are one of the main sources of risk in terms of invasion of privacy.

The issue is all the more important as websites can be used as a benchmark by their future clients and users to assess the compliance of the organisation that publishes them, or even be directly audited by the data protection authorities to verify compliance (particularly on the subject of cookie management).

To ensure that a website is compliant with data protection rules and the General Data Protection Regulation (or GDPR), the publisher must ensure that:

  • it provides a framework for the deposit of cookies and tracers, through the collection of user consent and specific information on the subject;
  • it provides complete information on how personal data collected on the site is processed, by means of a privacy policy and specific information notices;
  • it provides a framework for data collection forms.

In this post, our data law experts discuss the necessary actions to make your website compliant with the GDPR.

1) The management of cookies and trackers

Cookies (or trackers, pixels, etc.) are at the heart of online privacy.

Cookies are small files deposited on the terminals (computers, smartphones, tablets, etc.) of a visitor when consulting a website or a mobile application. These cookies can be used to measure the site’s audience, to record information such as the display language, the shopping cart, or the user’s connection identifiers, but also to follow the user’s browsing path, to provide targeted advertising, or to geolocate the user.

It is essential to pay particular attention to them and to ensure that you have technical and legal control over their use.

All users of a website must be informed of the deposit of cookies on their terminals, and consent to their deposit beforehand in certain cases.

Informing the user of the deposit of cookies

The information must be provided at two levels:

Firstly, via brief information, often in the form of a “banner” or pop-up, specifying at least the purposes for which cookies are deposited, the possibility of accepting or not accepting their deposit, and a link to the cookie policy;

Then via a cookie policy which indicates, for each cookie:

  • Its owner (the publisher of the cookie)
  • Its name
  • Its purpose (what it allows and the information it provides),
  • Its retention period
  • Its qualification in order to determine whether the visitor’s consent is necessary for its deposit or not

Obtaining consent to deposit cookies

The cookie “banner” mentioned above must serve two functions: the first is to provide initial information to the website user, the second is to allow the user to choose whether or not to accept the deposit of cookies on his or her terminal, or even to select the categories of cookies that he or she accepts and those that he or she refuses.

From the GDPR perspective, cookies are divided into two categories: those that require the user’s prior consent to be deposited and those that are exempt (in particular, cookies that are strictly necessary for the operation of the site and equivalent).

Exempted cookies and trackers:

  • Preserve the users’ expressed choice on the deposit of tracers;
  • Authenticate the user to a service (including those aimed at ensuring the security of the authentication mechanism);
  • Keep track of the contents of a shopping cart;
  • Customise the user interface (e.g. choice of language or presentation of a service) when this customisation is an intrinsic and expected element of the service;
  • Allow load balancing of the equipment involved in the communication service;
  • Allow paying sites to limit free access to a sample of content requested by users;
  • Allow audience measurement (under certain conditions).

Cookies and tracers subject to prior consent:

  • Allow personalised or non-personalised advertising;
  • Allow sharing on social networks.

When connecting to the website for the first time, the user should therefore see the banner appear and be able, with one click, to accept or refuse all cookies subject to consent, or to choose on a case-by-case basis.

Any collection of consent must be proven upon request by the authority, and the CNIL recommends that this proof be kept for 6 months.

It is highly recommended to implement a cookie management tool or Cookies Management Platform, also called a CMP. This is an interface that lets you manage the cookie banner and lets your visitors configure how cookies are used on your site.

This implies, on your part, configuring the tool you have chosen according to the cookies you actually use, so that it blocks them according to the choices of your visitors.
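As an added illustration (not code from the original post, from Data Legal Drive, or from any CMP vendor), the following shows the two decisions a CMP must make: load a tag only if its category is exempt or explicitly consented to, and keep a dated proof of the choice for the 6-month window mentioned above. The category names, tag list and proof record format are assumptions constructed for this example.

```javascript
// Categories follow the article's split: exempt vs. subject to prior consent.
// (Constructed example; real deployments map their own tags to these categories.)
const EXEMPT = new Set(["necessary"]);                 // auth, cart, choice memory, etc.
const CONSENT_REQUIRED = ["audience", "advertising", "social"];

// Tags that would set cookies on the site (constructed sample, not real vendors).
const TAGS = [
  { name: "session-auth",  category: "necessary" },
  { name: "analytics",     category: "audience" },
  { name: "ad-network",    category: "advertising" },
  { name: "share-buttons", category: "social" },
];

// Translate a banner action into per-category choices.
// An unchecked category is a refusal: nothing defaults to "accepted".
function choicesFrom(action, perCategory = {}) {
  const choices = {};
  for (const c of CONSENT_REQUIRED) {
    if (action === "acceptAll")      choices[c] = true;
    else if (action === "refuseAll") choices[c] = false;
    else                             choices[c] = perCategory[c] === true;
  }
  return choices;
}

// Exempt tags always load; every other tag needs an explicit true for its category.
function tagsToLoad(choices) {
  return TAGS
    .filter(t => EXEMPT.has(t.category) || choices[t.category] === true)
    .map(t => t.name);
}

// Proof of consent: what was chosen, which banner text was shown, and when.
// Kept for 6 months (approximated as 30-day months) as the article recommends.
const SIX_MONTHS_MS = 6 * 30 * 24 * 3600 * 1000;
function consentProof(choices, nowMs, bannerVersion) {
  return {
    choices: { ...choices },
    bannerVersion,            // lets you show which wording the user saw
    recordedAt: nowMs,
    expiresAt: nowMs + SIX_MONTHS_MS,
  };
}

// Purge proofs past the retention window; call it on a schedule.
function proofsToKeep(proofs, nowMs) {
  return proofs.filter(p => p.expiresAt > nowMs);
}
```

In a real page the "load" step would inject the script element for each returned tag name; everything before that point is plain logic and can be unit-tested as shown.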

Finally, you should of course check your tools (such as Google Analytics, Matomo, Datadome, ContentSquare, Hubspot, etc.) that are likely to place cookies on your site to ensure that they allow you to comply with the regulations applicable to their use.

2) Managing information through a privacy policy

Personal data is now a priority, and it is intrinsically linked to any individual browsing the internet. Awareness of the need to protect it has made it imperative for website publishers to draft a privacy policy that complies with the GDPR and the requirements of the data protection authority (CNIL).

Thus, for your website to respect the personal data and privacy of Internet users, it must provide, via simple and permanent access, the most transparent information possible on the use made of their data.

Indeed, the use of your website leads in most cases to the collection of personal data from visitors or users, for example by collecting their identifiers when creating an account or their contact details if they subscribe to a newsletter.

It is therefore advisable to draft and make available a privacy policy.

The policy should be easily accessible – at the click of a button – from all pages of the website so that the visitor can access it at any time (often through a link at the bottom of the page).

It should be written in a concise manner, using simple terms, neither too legal nor too technical, and adapted to the target audience.

The GDPR imposes a certain formalism when a data subject receives information about the processing of his or her personal data. The privacy policy must therefore include at least the following elements:

  • The identity of the data controller and the contact details of your DPO, if appointed
  • The legal basis for the data processing (e.g. consent for sending a newsletter)
  • The categories of data you collect and process
  • The purposes – the objectives – of the data collection and processing that is carried out;
  • The recipients or categories of recipients of the data (data controller, subcontractor, technical service providers, etc.)
  • The transfers or absence of transfers of data outside the European Union
  • The length of time the data is kept
  • The rights of data subjects (such as access, rectification, deletion, opposition, erasure) and the effective means of exercising them (by e-mail, by post, or via integrated functionalities)
  • The right to lodge a complaint with the supervisory authority

The privacy policy should also indicate when it was last updated, and visitors to the website should be informed (by any means) of any substantial updates.

Note: there is no need to add data protection elements to a “legal notice” page as the information about data processing is already fully described in a privacy policy.

3) Supervision of data collection forms

In addition to the collection of data through the deposit of cookies, your website may collect data directly from the user in different ways depending on the use and in particular via a contact form, an account creation form, a newsletter registration form, etc.

In each of these cases, certain rules must be respected to ensure compliance with the GDPR.

  • Only information that is strictly necessary to achieve the purpose of the collection should be requested: for example, to subscribe to a newsletter, the only information required is the user’s e-mail address;
  • If you wish to obtain more information, you must specify which information is mandatory and which is optional, by means of an asterisk for example;
  • If some information is collected via a free-text field, you should warn the user not to enter sensitive information, so as to spare you additional obligations and to limit your need to moderate the information in your databases.

Furthermore, in order to comply with the formalism required by the GDPR, each data collection must be accompanied by specific information describing how the data is processed.

In other words, in addition to having a privacy policy that describes all the processing carried out, each point of collection of personal data must display an information notice.

Don’t worry, to make your task easier and avoid confusion, these information notices can display a reduced content, and refer to the privacy policy which will be more global.

This is known as two-tiered information:

  • Level 1: a short information notice that only indicates the purpose of the data collection and the identity of the data controller, with a “read more” reference to the privacy policy
  • Level 2: the privacy policy

By complying with these information obligations, you meet the requirements of the GDPR and the authority’s guidelines on transparency, and you build trust with your website visitors and users, which can only be beneficial to your business.
