Does the General Data Protection Regulation (GDPR) Affect Your Website, App, or SaaS? How You Can Comply & Avoid Fines

James Chiodo, Certified Information Privacy Professional CIPP/US

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) is the most important change in Internet privacy laws in over 20 years. It contains 250 pages of tough privacy laws and regulations that will affect many business and website owners worldwide.

In this article, we’ll break down what the General Data Protection Regulation is and how you can comply with these new laws if they apply to your website. The GDPR promises substantial fines for non-compliant businesses and website owners.

If you own a website or mobile app, you’ll want to read on.

Who Does the GDPR Affect?
The GDPR affects anyone who runs a business or website that collects or processes information about citizens who live in the European Union (EU). The GDPR can affect you no matter what country you live in. If you collect information from EU citizens, process orders from them, or if they visit your website, at least some parts of the GDPR will apply to you. It’s obvious that the GDPR has been drafted with the intention of catching overseas companies, individuals, and other entities that are not complying with it.

How Do I Know If My Website Collects Information from EU Users?
It’s your job to check your website analytics to see if you are getting visitors from the EU. Unless you block all EU citizens from visiting your website, or you have a website focused on local businesses only, you are likely getting visitors from the EU. You could be exempt from the GDPR if you do not collect information about EU citizens, or if your website does not use cookies (though most websites do). Even if you don’t collect direct information from EU citizens, if your website plants cookies when a visitor lands on your website, you would still be obligated to comply with the cookie consent laws.

What Does It Mean for Me and How Do I Comply?
If the GDPR applies to your website, you will need to make significant changes in the way you collect information from users of your website and in how you provide privacy disclosures to them. Many website owners may find it hard to set up a user consent process that complies with the GDPR. You will also need to update your website privacy notice and keep up with privacy laws to avoid fines and potential lawsuits.

Choosing a Legal Basis for Collecting and Processing Personal Data
If visitors from the European Union can interact with your website or buy products or services from your website or mobile app, you are required to state the legal basis for collecting and processing their personal data (PD) in your privacy notice.

Choosing the right legal basis for collecting and processing a user’s PD under the General Data Protection Regulation (GDPR) is not always obvious and in some cases, can be challenging. Most website and mobile app owners think they must get consent to use and process a user’s PD. Consent is only one of six legal options for processing a user’s PD. Most professionals agree that you should only use consent if none of the other options apply.

You need to choose which of the following legal bases for collecting and processing PD best applies to you. For most website and mobile app operators, it is highly likely you will be choosing option 1, 2, or 3.

OPTION 1: Our legal basis for collecting and processing your personal data (PD) is based on consent.
If you decide to use consent as the legal basis for using and processing users’ information, you should double-check to guarantee the validity of your consent process. The U.K.’s Information Commissioner’s Office says that new GDPR consent is unnecessary so long as the “old” consent complies with the GDPR requirements. If you cannot prove that your old consent complies with the GDPR, then you may be required to get new consent. Getting new consent from users could be more of a challenge than you think.

The legal definition of consent
The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” For the consent to be verifiable, it must be supported with records of the consent.

Other requirements if you use consent as your legal basis for collecting and processing PD

Unbundled: Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
Active opt-in: Pre-ticked opt-in boxes are invalid.
Granular: Give granular options to consent separately to different types of processing wherever appropriate.
Named: Name your organization and any third parties who will be relying on consent – even precisely defined categories of third-party organizations will not be acceptable under the GDPR.
Documented: Keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.

The trouble with using consent as your legal basis for collecting and processing users’ personal data (PD) under the GDPR.

Although consent seems like a simple and clear method for the legal processing of a user’s PD, it does have its problems. Using the consent method for processing gives individuals more choices and control over their information. As an example, if you are using consent as the legal method to process and use an individual’s information, and you decide you want to use their data for another purpose, then you are required to ask for their consent before you can use their data for the new purpose.

If an individual refuses to consent, or they do not reply to your request, you cannot use their information and are required to remove their information from your database. Users can also withdraw their consent at any time. If they do, you have to delete their information. If you do not comply, and a complaint is filed, you could face a fine. Another conundrum could arise. Suppose a user’s consent is withdrawn, and later, you find out you have a legal obligation to process their information. You could conceivably be put in the bad position of either violating your privacy notice or failing to comply with your legal obligation to process their information.

OPTION 2: Our legal basis for collecting and processing your personal data (PD) is the necessity for the performance of a contract or to take steps to enter into a contract.
This is a common legal basis for using and processing users’ information when you need to collect information to process an order or service requested by a user. If this is more applicable to your website or mobile app operations, it is probably a better choice and easier to comply with than choosing consent as a legal basis.

OPTION 3: Our legal basis for collecting and processing your personal data (PD) is for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Legitimate interests are another basis for the legal processing of users’ information when it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (including commercial benefit), except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

OPTION 4: Our legal basis for collecting and processing your personal data (PD) is necessary to protect the vital interests of a data subject or another person.
Processing of a user’s information is allowed if it is necessary in order to protect the vital interests or physical integrity of a data subject. This generally covers public authorities such as educational institutions, hospitals, government institutions and the police.

OPTION 5: Our legal basis for collecting and processing your personal data (PD) is for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Processing of a user’s information is allowed if it is essential for the performance of a task carried out in the public interest or in the exercise of official authority entrusted in the data controller.

OPTION 6: Our legal basis for collecting and processing your personal data (PD) is necessary for compliance with a legal requirement.
Processing is permitted if it is necessary for compliance with a legal obligation under EU law or the laws of a Member State.

The New Cookie Consent Laws are Much Harder to Comply With

● How to comply with the GDPR and ePrivacy Regulation cookie requirements.
The GDPR and ePrivacy Regulation require that you get consent from users before you store certain types of cookies on their electronic devices (computers, tablets, mobile phones, etc.). In other words, you must ask users if they agree to your website’s use of cookies and similar technologies before your website gains access to their personal information or plants cookies on the device they use to interact with your website.

One exception to this rule is when the user requests a specific service; in such a case, no express consent for cookie use is required. The other exception is when a website does not plant cookies on a user’s device when the user first lands on the site. Also, website owners may not make their service contingent upon a person’s consent for cookies unless those cookies are required for the functioning of the website’s service.

● Different cookies will require their own specific consent
Websites that use a variety of cookies for different purposes will be required to get consent for certain categories of cookies that are not ‘strictly necessary cookies’ (e.g., separate consent for advertising and tracking cookies).

● You are required to give users the right to withdraw their consent
A website user will have the right to withdraw their consent for the use of cookies and their personal data (PD) at any time. When a visitor first lands on your website you are required to give them free choice when agreeing to your cookie policy. Conversely, if they decide they want to revoke their consent for cookies or personal data (PD) at a later date, you are required to give them a way to revoke their consent that is just as easy to carry out as initially giving their consent.

● You are required to keep track of a visitor’s consent
The website owner is required to keep a record of how and when they received a user’s consent for the use of cookies and to process the user’s personal data (PD). They must also keep a record of exactly what the user was told at the time of consent. When processing a user’s consent for the use of cookies and PD, the website owner is ultimately responsible for proving that the user consented. Complying with this requirement could be challenging for many website owners.

● Google requires its users to comply with the EU cookie consent laws
Google’s User Consent Policy requires all websites using Google AdSense and other products that interact with EU visitors to comply with the European Union cookie consent laws.

● Explicit consent is required for special types of personal data (PD)
The GDPR prohibits requesting and processing special types of PD like political and religious beliefs, health data, and information about a person’s sexual orientation, sex life, genetic data, and biometric data for purposes of uniquely identifying a person. Photos will be considered biometric data if technical procedures are used that allow identification of a natural person. The exception to this rule is if the user gives explicit consent to the processing of such personal information. However, the GDPR allows EU member states to pass laws that restrict or prevent the processing of certain types of PD, even if the user gives explicit consent.

● Mobile and desktop applications are not exempt
The same cookie compliance and privacy regulations that apply to websites also apply to mobile applications.

But I Already Use a Pop Up on My Website That Says, “This Website Uses Cookies.” Doesn’t That Comply?
No, that type of pop-up message will no longer be compliant for getting a user’s consent for cookies.

These website cookie consent methods will not comply with the GDPR and the ePrivacy Regulation

“Implied consent” – When a user first visits a website, immediately loading cookies in their browser will no longer comply with the GDPR.

“By using this site, you agree to accept cookies” – This commonly used phrase for pop ups and other messaging systems will no longer be compliant, as it does not offer real free choice. Also, users who do not consent cannot suffer a loss of service. Websites will be required to provide some service to those users who do not accept cookies.

“Pre-checked boxes” – Pre-checked boxes and other consent-by-default mechanisms will no longer be valid methods of consent.

“Telling users to change their browser settings” – Instructing users on how to block cookies will not comply with the new requirements, as it does not stop other tracking mechanisms. Also, it doesn’t give the user enough choices for consent, nor does it make it just as easy for the user to withdraw consent as to give consent, as required by the GDPR.

Any request for consent to process a user’s PD is required to be presented in a manner clearly distinguishable from other information. It should contain clear and plain language that is easy to understand, and be in a form that is made easily available.

There could be further changes to the cookie laws before the GDPR takes effect in 2018. As of the writing of this article, these are some of the planned cookie requirements for website owners.

Is Your Website’s Privacy Notice Compliant?

Your website privacy notice will almost certainly require updating to comply with the GDPR. Here are some of the requirements you will need to disclose in your website privacy notice to users:
● Contact information for the Data Controller
● The contact information for the DPO if applicable
● How you collect their PD
● How they can choose what types of information you process about them
● Your legal basis for collecting and processing their PD
● Where the processing is based on legitimate interests, details of what they are
● The different ways you will use their PD
● Whom you will share their PD with
● How you secure their information
● The length of time you store their PD
● Their right to file a grievance with authorities
● Their rights and how they can exercise them
● The international transfer of their personal information
● Whether their information will be transferred to other countries
● Their right to request, change, restrict, make portable or erase their PD
● The names of entities with which you share their PD for direct marketing purposes

Do You Collect Personal Data (PD) From Children Under the Age of 16?
The GDPR limits the gathering and processing of a child’s PD without parental consent. The age of consent was raised from 13 (identical to the Children’s Online Privacy Protection Act (COPPA) in the US) to 16 years old. However, it permits EU member states to set a lower age limit, though not below 13.

Currently, a business or individual must get the consent of a parent or guardian before they process the PD of a child under the age of 16. However, at the time of this writing, the UK has said that it will lower its age of consent to 13. Reasonable efforts must be made to substantiate that a parent or guardian gave the correct consent. Different regulations for the age of consent between the US and EU could create big challenges for businesses and website owners offering products and services globally to children 16 years of age and under.

Security and Processing Information
Businesses, individuals, and those who process information for them (data processors) are required to implement correct technical and administrative procedures to ensure a level of security appropriate to the type of information being collected and processed. These procedures include:

(a) The encryption and pseudonymization of PD.
(b) Ensuring the integrity, confidentiality, availability, and resilience of processing systems.
(c) The capacity to restore access to PD in a timely manner should a technical or physical incident occur.
(d) A process for regularly assessing, testing, and evaluating the effectiveness of technical and administrative procedures for guaranteeing the security of information.

Certain categories of personal information that are considered sensitive will require greater protection. Following is some information considered sensitive:

● Medical information
● Financial information
● Social security numbers
● Criminal convictions or charges
● Race or ethnic origin
● Religious beliefs
● Sexual lifestyle
● Political opinions
● Social welfare
● Information about children
● Membership in a trade union
● GPS or other location data
● Genetic information
● Biometric information

The definition of sensitive information will, to some extent, depend on the jurisdiction from where it is being collected.

Data Protection by Design and Default
Businesses and websites are required to put in place technical and data protection measures when creating new products and services or other processes that collect PD and other information. By default, they are also required to implement correct organizational and technical procedures to ensure that only PD needed for each purpose is processed. When PD is processed, they must use technical measures such as pseudonymization and data minimization to meet the requirements of the GDPR.

Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a process designed to measure the security and privacy provided by the system or process being measured, and to suggest improvements. Businesses creating new services, products, and other information-gathering activities may be required to perform a DPIA. There are considerable requirements and guidelines for conducting a DPIA.

A DPIA will be mandatory for businesses processing certain types of data on a large scale. If their new technologies are likely to result in a high risk to the freedoms and rights of natural persons, businesses will be required to perform a DPIA of the new processing operations to protect PD before the new technologies are put in place. When carrying out a DPIA, a business will be required to obtain the advice of a data protection officer.

Non-compliance with a required DPIA can result in fines of up to 2% of a company’s total worldwide annual revenue for the prior year.

Designation of a Data Protection Officer (DPO) or Representative
In some circumstances, businesses not established within the EU but affected by the GDPR may be required to designate a representative within the EU. Also, if you are in the US and certain provisions of the GDPR apply to your business, you might be required to designate a data protection officer (DPO).

The data controller and the processor shall appoint a data protection officer (DPO) where:

(a) The processing of information is carried out by a public authority.
(b) The main activities of the business or the data processor consist of regular and systematic monitoring of EU individuals on a large scale; or
(c) The core activities of the business or the data processor consist of the processing on a large scale of special categories of data, or of data relating to criminal convictions and offenses.

The DPO shall be chosen by the controller based on their professional skills, qualities, and, specifically, expert knowledge of data protection law and practices. The data protection officer may be an employee of the business or an independent contractor, including an outside law firm or other qualified privacy professional. Unless they cannot perform their duties, a DPO should stay in their position for a minimum of two years.
GDPR Investigative and Corrective Powers and Fines

GDPR authorities will have broad investigative powers, including:

A. Ordering the data controller or processor to provide any information it requires.
B. Performing on-site investigations using data protection audits.
C. Issuing warnings and reprimands about processing operations.
D. Enforcing a temporary ban on operations and ordering the erasure of PD.
E. Ordering the suspension of information flow to individual organizations in other countries.
F. Imposing fines.

Significant Fines and the Right to Sue
The GDPR can impose fines of up to 20,000,000 Euros or 4% of a business’s annual revenue for violations of specific provisions like cross-border data transfer and consent requirements. The GDPR also makes it significantly easier for private individuals to sue businesses for compensation when the businesses are noncompliant.

Data Processors are at Risk, Too
Those who process the information on behalf of businesses (data processors) also face the risk of fines and lawsuits for noncompliance with the GDPR. Data processors are required to comply with several important GDPR requirements, like using correct security procedures, keeping acceptable documentation, assigning a DPO, and routinely providing data protection impact assessments.

There are more than 250 pages of regulations in the GDPR that contain more obligations for website owners, business owners, and data processors than what is described in this article. If you need help complying with the GDPR, please contact me for a free consultation.

James Chiodo
Certified Information Privacy Professional (CIPP/US)