How to Make Your Website Compliant with the GDPR – Step 5: Design Sites Around “GDPR Consent”

With enforcement of the GDPR only days away, the balance of power in the marketplace is shifting into the hands of the individual, and companies that embrace it rather than fight it stand to benefit by building deeper bonds of trust with consumers.

Although some companies in the US are still questioning whether the legislation applies to them, enough companies are taking it seriously that spending projections for becoming GDPR-compliant among US companies is over $42 billion.

Preparing for the regulation requires investment across an organization, one area of which is a company’s website. In our last post, we covered step 4 of getting your website GDPR-compliant, which was to set up a privacy rights infrastructure. In this post, we’ll cover how to design websites around GDPR consent.

You may have heard the term “privacy by design” before. Privacy by design is the concept that data protection should be the default experience that’s built into systems from the start, rather than added later as an afterthought.  Too often companies have been reactive, rather than proactive when it comes to protecting the data of their customers. Although it’s not a new term (it was coined in 1995), it’s become part of the GDPR conversation. This same principal applies to your company’s website as well, which is what we’ll cover here.

The GDPR specifies a website operator needs to honor “data protection by design and by default.” To ensure you’re meeting the high threshold for valid consent, any user’s on-site experience should allow them to clearly assent by “a statement or a clear affirmative action.”

Ideally, companies should be incorporating this framework into their websites during the design process rather than trying to work it in after the fact. If that’s not possible because of timing or budget, it should absolutely be something you work into your requirements during your next website redesign.

So, what are the “design and default” measures to take to ensure that your website is compliant with GDPR mandates?

• A persistent banner must be displayed on the site, requesting users to consent where appropriate. However, they must still be able to access the site even if they haven’t yet given their consent.
• The banner and all supporting information about data privacy and consent must be in easy-to-understand language, not legalese, and should clearly explain how and why you want to collect their data.
• Silence, pre-ticked boxes, or inactivity does not constitute valid consent, nor can consent be inferred through a website visitor’s actions such as going to another page on the site.
• Consent is not considered freely given if there’s a “clear imbalance” between the visitor and the website operator/company/organization. One weighty example? You can’t make a service conditional upon consent, unless the user’s data is necessary for the service.
• A user should be able to view a clean and comprehensible list of all vendors and the data being collected, and allow for consent to be specifically given for each.
• The user should be told that they’re able to easily revoke their consent at any time, and request that their personal data be erased.

Although these are only a few examples among many that ensure your website puts privacy at the center of the user experience, this concludes our blog post series on the basic steps towards getting your website GDPR-compliant.

To get all five steps on “How to Make Your Website Compliant with the GDPR”, download the eBook.