Recently, more and more clients have contacted us to check whether their GDPR setup matches what should actually be on the website. Perhaps this question has occurred to you too. Websites often host e-shops or SaaS applications, or the application is published on different platforms (Google Play, App Store). Collectively, we can call them "apps" (apologies to all the engineers, developers and others in the industry, it's really just to simplify!).
These apps often contain registration forms, contact forms, newsletter sign-ups, cookie bars. They may also collect other data in the background that the user is not aware of.
However, not all app or website operators are thinking enough about the right settings in terms of GDPR and other privacy regulations. Some app operators believe that all they need to do is to write "some documents" and put them on the web and everything will be "OK". Unfortunately, that is not the case.
An example from which lessons can be learned is the Grindr app.
The Norwegian watchdog intends to fine the app more than EUR 10 million. It is an app with more than 13 million active users that is used for location-based dating (similar to the well-known Tinder app). It should be noted that the Grindr app is used for dating by gay, bi or trans people. This app shares GPS location, user data and the very fact that a particular person is on the app with third parties for marketing purposes. The Norwegian authority concluded that this information alone, that the user is using the app, is information about the person's sexual orientation, which is a special category of personal data.
In order to share data with third parties for marketing and advertising purposes in the case of profiling and the storage of location information, consent to the processing of personal data is undoubtedly required. Similarly, this will also apply to the sharing of information relating to the sexual orientation of data subjects.
Such consent must be free, specific, informed and unambiguous.
We have discussed what such consent should look like in one of our articles on our website.
The above example is just one of many that can happen, but it illustrates a common offence of app operators. Forcing consent is simply not possible; the user must freely decide whether or not to give it. It certainly cannot be bundled into a single check-box through which the user also consents to the processing of personal data for other purposes and on other legal grounds.
Try checking these areas on your app/website:
Do you have an up-to-date version of the information document that informs users about how you handle personal data? The elements it must contain are set out in Articles 13 and 14 of the GDPR.
You can find inspiration on virtually any website; it is a very widespread document. But beware! Do not copy! And at the same time, don't rely on "This is a big player in the market, they must have it right."
Do you allow registration? What check-boxes do you have when completing registration? Practically, you can divide them into two basic types: mandatory and optional.
Optional check-boxes will then typically be consents to the processing of personal data (e.g. just for sharing for marketing purposes, storing sensitive data, etc.). Furthermore, it is common to have an optional check-box for "opt out of receiving commercial communications".
You might ask: "What do you mean, objecting to receiving commercial communications?"
If you register your customers on the website/app, you can send them commercial communications (newsletters, or as a wonderful client of ours once said, "marketing small talk in your email"). Sending commercial communications to your customers is also possible without consent (there is a legitimate interest in direct marketing). However, only similar products and services may be offered. In addition, you must allow them to opt out before sending the first communication.
That is what this optional check-box should be used for. Simply put, if a user "clicks" it, they don't want to receive marketing stories. But if they don't "click" it, you can send them. However, you must allow them to opt out in every email.
Are you dealing with cookies? Do you know when you need consent to store them and when you don't? For example, you don't need consent for technical cookies, but you still need to inform the user about them. Where? Anywhere on the site, preferably in the footer, but take note that you mustn't bury the document many clicks deep.
For other cookies (e.g. analytics, marketing cookies) the situation is more complicated. For these, it is no longer sufficient to simply inform. There are countless articles on the web about how the Czech legislator got the law wrong: it allows cookies to be stored until the user objects. This option is probably still possible for now (the Data Protection Authority is a bit vague about it).
On the other hand, we may soon be facing an amendment to the Electronic Communications Act, which should already set the rules correctly, i.e. require active consent for storing cookies. In addition, the ePrivacy regulation, which also provides for active consent, is probably coming next year.
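To make the distinction concrete, here is a small consent gate written for this article as an added illustration; it is not code from the original post or from any real consent tool. It models the rule above: cookies classified as technical may be set without consent (but still disclosed), while analytics and marketing cookies are set only after an explicit opt-in, never on an "until objection" basis. The category names, the cookie list and the plain-object "jar" standing in for `document.cookie` are all constructed assumptions.

```javascript
// Added example, not part of the original article. A consent gate that only
// sets cookies whose category the user has actively opted in to.
// Cookie names and categories below are constructed for illustration.

const COOKIE_CATEGORIES = {
  session_id: "technical",   // strictly necessary: no consent needed, must still be disclosed
  csrf_token: "technical",
  _ga: "analytics",          // needs active opt-in
  ad_segment: "marketing",   // needs active opt-in
};

// Consent state: everything off until the user actively opts in.
// Starting any category at `true` would reproduce the "stored until the user
// objects" pattern that the text says is no longer sufficient.
function defaultConsent() {
  return { analytics: false, marketing: false };
}

// Record a user's choice. Only an explicit boolean `true` counts as consent;
// truthy strings, pre-ticked defaults or undefined are treated as "no".
function recordChoice(consent, category, granted) {
  if (!(category in consent)) {
    throw new Error(`unknown consent category: ${category}`);
  }
  return { ...consent, [category]: granted === true };
}

// Return a new jar (plain object standing in for document.cookie) containing
// only the cookies that may be set under the given consent state.
function applyConsent(consent, requestedCookies) {
  const jar = {};
  for (const [name, value] of Object.entries(requestedCookies)) {
    const category = COOKIE_CATEGORIES[name];
    if (category === undefined) {
      // Unclassified cookie: refuse rather than guess. An unknown cookie is a
      // gap in the information document, not a default-allow case.
      continue;
    }
    if (category === "technical" || consent[category] === true) {
      jar[name] = value;
    }
  }
  return jar;
}

// Constructed sample of what page scripts would try to set on load.
const REQUESTED = {
  session_id: "abc123",
  csrf_token: "tok",
  _ga: "GA1.2.111",
  ad_segment: "seg42",
  tracker_xyz: "unclassified",
};

// Walk through the two states a visitor passes through: before any choice
// (technical cookies only) and after opting in to analytics only.
function demo() {
  let consent = defaultConsent();
  const beforeChoice = applyConsent(consent, REQUESTED);
  consent = recordChoice(consent, "analytics", true);
  const afterAnalyticsOptIn = applyConsent(consent, REQUESTED);
  return { beforeChoice, afterAnalyticsOptIn };
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The useful check for an audit is the first state: load the site with no consent recorded and list what is actually set. Anything outside the technical category at that point is a finding, and anything not in your classification table at all is a sign the information document is incomplete.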
Congratulations, you are most likely already thinking about data protection and privacy on the Internet. However, the above are only the most common issues, and any specifics of your application can only add to the obligations.
Drop us a line then! Together we will review your website/application and set up GDPR on the website/application.
If you are interested in a full check of your website, we can provide that as well. As part of the site check:
As an output from us, you will receive a summary document that simply tells you what you have and don't have right on the site, including recommendations on how to fix the problem.