How to (and How NOT to) Create a GDPR Notice

If your business has an online presence, you've probably heard of the European Union's General Data Protection Regulation (GDPR). This sweeping legislation took effect on 25 May 2018, and if you thought it wouldn't affect your business, think again.

Is your GDPR Notice ready to go?

The GDPR will have global influence. Unless you can absolutely guarantee that no users from the EU will ever find their way to your website, you'll need a GDPR notice and compliant consent measures.

Keep reading to find out more and see some GDPR Notice examples.

GDPR Basics

Feel free to read the GDPR in its entirety on the official website, but here are some of the basics that will affect the average business:

  • Consent is not valid unless it is "freely given, specific, informed, and unambiguous." In practice, that means the user must take an affirmative action, such as clicking "I agree" or ticking a box that was not pre-ticked.
  • Privacy policies must be "concise, transparent, accessible, and written in clear and plain language."
  • Your data collecting and processing practices must be easily accessible to the consumer and free of charge to access.

The GDPR applies to any website or mobile application collecting data from individuals located in the EU. Since the internet is a global marketplace, this means it could be applied to virtually any online business located anywhere in the world.

Failure to comply with these rules regarding the personal information of people in the EU can result in hefty fines, and the regulation explicitly claims jurisdiction over organizations outside the EU (in the United States, Canada or anywhere else) that offer goods or services to, or monitor the behaviour of, people in the EU.

One important note is that the GDPR's reach is territorial: it protects people who are in the EU, whatever their citizenship, and does not follow EU citizens living outside the EU. Many websites geo-target their consent notices so that they pop up only for visitors with EU IP addresses, sparing everyone else the extra pop-up. Whether to do this is purely a business preference, but if you do, remember that IP geolocation is imprecise (VPNs, proxies and mobile carriers can place a visitor in the wrong country), so treat an unknown or unresolvable location as EU and show the notice rather than silently setting cookies.

If you're relying on consent as a legal basis for collecting and processing user data, your notice is a great place to get consent from users.

This is a simple example of a GDPR-compliant cookies notice from Evidon:

Evidon - Crownpeak Cookies notice updated

You can see in the screenshot of Article 7 below that the GDPR requires user consent to be clear and freely given. This is another way of saying that the visitor must actively agree to the collection of their information.

GDPR Article 7: Consent clauses 1 through 4

The common practices of browsewrap, implied consent and pre-checked boxes are no longer considered valid consent.

Join In UK used to make opting into its newsletter a condition of registering for the site. That is definitely not clear and freely given consent. Here's the older opt-in form:

Join In UK: Create My Profile form

And here's the updated opt-in form that requires users to actively give consent:

Join In UK: Updated Create My Profile form to be GDPR compliant

Always opt for clickwrap rather than browsewrap if your notices ask for consent.

The GDPR Notice is fundamentally a more complete and consent-oriented cookie notice.

Here are the key recommendations for cookie consent from the UK Information Commissioner's Office (ICO):

  • Tell people the cookies are used
  • Explain what the cookies are doing and why you use them
  • Obtain the person's express consent to store a cookie on the device before storing them

The key differences here are that you need to explain what the cookies are doing from the get-go and obtain active consent before placing the cookies.

If cookies are collecting analytics or sharing information with third-party advertising partners, this information must also be communicated within the initial GDPR Notice.

The Crazy Egg GDPR Notice mentions both their use of anonymous cookies and third-party services, and requires users to give consent before using the site:

Crazy Egg: Cookie and Privacy Policies notification with checkbox for I Agree consent and opt-out link

It is also suggested by the ICO that companies allow users to select which cookies they will allow, with an easy way to opt-out of the cookies they object to. Although this is not a mandatory part of the GDPR Notice, it is recommended to avoid any confusion or liability with EU users.

This GDPR Notice by Marsh allows users to read about and select which cookie preferences they prefer before using the website:

Marsh: GDPR-compliant cookie settings page

Finally, provide a link in the GDPR Notice to your Privacy Policy or Cookies Policy where visitors can read more about the information that is collected about them. This Policy should include a complete list of cookies along with information on how to opt-out of those cookies.

Hewlett Packard Enterprise links to its Privacy Policy within the GDPR Notice. The Privacy Policy also details the use of cookies and the types of cookies employed:

HPE GDPR compliant cookies notice

TermsFeed: Cookies Consent - How to add Your Solution

Use our free Cookie Consent Solution to create, customize and add a Cookie Consent notice to your website.

  1. Click on the Cookie Consent link at the top of our website. Our Free Cookie Consent Solution will open:

  TermsFeed: Cookies Consent Solution

  2. Choose your consent preference: Implied or Express. Only Express matches the active, clickwrap-style consent described above; Implied relies on the continue-browsing behaviour that the GDPR no longer accepts as consent:

  TermsFeed Cookies Consent: Choose your consent preference - Step 1

  3. Customize your Cookie Consent widget with your website name, banner notice type and color palette:

  TermsFeed Cookies Consent: Customize your consent - Step 2

  4. Copy your Cookie Consent code and add it to your website's page code before the closing </body> tag.

  TermsFeed Cookies Consent: Copy your Cookie Consent code - Step 3

  5. Adjust your website's JavaScript so that analytics and third-party scripts only run once the user has made their consent selection:

  TermsFeed Cookies Consent: Adjust your website's JavaScript to users - Step 4
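The last step above, and the ICO's "obtain express consent before storing" recommendation earlier, come down to one piece of front-end logic: nothing that sets a non-essential cookie may run until the visitor has actively opted in, and the visitor must be able to withdraw that consent later. The following consent gate is an added example written for this article; it is not TermsFeed's widget or any site's production code. The category names ("analytics", "marketing"), the storage key and the in-memory storage stand-in are assumptions made so the code runs outside a browser.

```javascript
// Added example: a minimal consent gate that holds back non-essential scripts
// (and the cookies they set) until the visitor explicitly opts in.
// Illustrative code, not TermsFeed's widget. Category names and the storage
// key are hypothetical.

const CONSENT_KEY = "cookie_consent_v1"; // bump the version when your cookie list changes
const CATEGORIES = ["analytics", "marketing"]; // strictly necessary cookies are not gated

// In-memory stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

function createConsentGate(storage = memoryStorage()) {
  // Loaders queued per category until the visitor grants that category.
  const pending = Object.fromEntries(CATEGORIES.map((c) => [c, []]));

  // Read the stored decision; anything missing or malformed counts as "no consent".
  function read() {
    try {
      const rec = JSON.parse(storage.getItem(CONSENT_KEY));
      if (!rec || typeof rec.choices !== "object") return null;
      return rec;
    } catch {
      return null;
    }
  }

  // Consent exists only if the visitor explicitly set this category to true.
  function hasConsent(category) {
    const rec = read();
    return rec !== null && rec.choices[category] === true;
  }

  // Record an explicit decision. Categories the visitor did not touch are stored
  // as false: silence, scrolling or a pre-ticked box never counts as opting in.
  function record(choices) {
    const normalized = {};
    for (const c of CATEGORIES) normalized[c] = choices[c] === true;
    storage.setItem(CONSENT_KEY, JSON.stringify({
      version: 1,
      decidedAt: new Date().toISOString(), // keep a timestamp as evidence of when consent was given
      choices: normalized,
    }));
    // Run loaders that were waiting on a category the visitor just granted.
    for (const c of CATEGORIES) {
      if (!normalized[c]) continue;
      while (pending[c].length) pending[c].shift()();
    }
    return normalized;
  }

  // Run a third-party loader now if its category is consented, otherwise hold it.
  function runWhenConsented(category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (hasConsent(category)) { loader(); return true; }
    pending[category].push(loader);
    return false;
  }

  // Withdraw consent: drop the record and report which categories had been granted
  // so the caller can expire the cookies those scripts set (see expireCookie below).
  function revoke() {
    const rec = read();
    storage.removeItem(CONSENT_KEY);
    return rec ? CATEGORIES.filter((c) => rec.choices[c] === true) : [];
  }

  return { hasConsent, record, runWhenConsented, revoke };
}

// Builds the document.cookie assignment that expires a cookie; run it for every
// cookie listed under a revoked category in your Cookies Policy.
function expireCookie(name, path = "/", domain) {
  let s = `${encodeURIComponent(name)}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}`;
  if (domain) s += `; domain=${domain}`;
  return s;
}

// Usage: the analytics loader is queued here and only runs after record() grants "analytics".
const gate = createConsentGate();
gate.runWhenConsented("analytics", () => { /* inject the analytics <script> tag here */ });
```

In a browser you would pass `window.localStorage` to `createConsentGate`, wire the banner's "Agree" and "Cookie settings" buttons to `record`, wire the "withdraw consent" link to `revoke`, and assign each `expireCookie` string to `document.cookie`. Two caveats: JavaScript cannot delete cookies flagged `HttpOnly` or cookies set on a third party's domain, so withdrawing consent for those means stopping the script that sets them and documenting the vendor's own opt-out; and the consent widget itself must not set a non-essential cookie before the visitor decides, or it defeats the gate.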

More Examples of Compliant GDPR Notices

Google has professed open support for the GDPR and is proving it through a high level of compliance. Not only has Google implemented the measures shown below, but it has built an entire website dedicated to privacy and compliance.

Upon navigating to Google from any EU member state, a large banner pops up telling you there is important privacy information to review.

On click, this GDPR Notice appears:

Google

This GDPR Notice gives the user a thorough rundown of the information Google collects about devices and activity, why this information is collected, and who Google shares it with. If the user clicks 'Other Options,' they may modify the types of information that Google collects. Also included is a link to the Privacy Policy which provides more information about cookies and how to block them.

Google

Note the required call to action at the bottom of the notice, prompting users to actively agree to the collection of data. This informational page about cookies within the Google Privacy Policy includes an explanatory video:

Google Privacy Policy: Types of cookies used - video and clause

Google also provides users with this complete cookie chart and a link to manage cookies:

Google Privacy Policy: Cookies used chart excerpt

A chart like this can help your users make informed decisions when deciding which cookies to allow and which to opt out of.

Next up, the BBC gives us another great example of how a GDPR Notice should function. Any user from the EU will automatically see this conspicuous banner when they land on the homepage:

BBC Cookies Notification

This GDPR Notice provides a brief rundown of the kinds of cookies the BBC implements and why. They give the visitor three options, all requiring a specific action on the part of the user: 'Continue,' 'Change settings,' or 'Find out more.'

Upon clicking either 'Change settings' or 'Find out more,' you will come to a page of links to learn more about cookies or manage cookies:

BBC: About Cookies and Cookie Settings menus

The link to change cookie settings takes you to this page, where you can pick and choose which cookies to allow on your browser:

BBC Cookies Settings screenshot updated

The BBC also provides a detailed cookies chart where users may read about each cookie placed and its function:

BBC Performance Cookies Used chart excerpt

Overall, the BBC's notice covers each of the ICO recommendations above: it says that cookies are used, explains what they do, asks for an active choice, and lets the user change that choice later.

MailChimp presents EU visitors with comprehensive understanding and control of cookies, starting with this pop-up banner on the homepage:

MailChimp

When users click the 'Cookie Settings' link, they're presented with this window where they can learn more and/or turn off the cookies they do not wish to have installed on their browsers:

MailChimp

MailChimp's Cookie Statement includes a list of all the cookies Mailchimp employs, along with the function of each:

MailChimp Cookie Statement: Categories and functions of cookies chart

This helps users understand the actual purpose of each cookie when deciding whether or not to allow it.

Remember: Make your GDPR notices easy to understand. Link your relevant agreements within them for added clarity. Always use a clickwrap method to obtain agreement, and always let your users revoke that agreement/consent.

Jaclyn Kilani

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.