The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organisations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018.
The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
Source: “What is GDPR, the EU’s new data protection law?”
European countries are obliged to implement the GDPR. For now it is recommended to go the extra mile and be as compliant as possible, even though cookie laws have not yet been fully implemented in many countries and are treated more as guidelines.
Personal data is any information that relates to an individual who can be directly or indirectly identified: names and email addresses, but also location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions.
The overall objectives are to increase transparency, accountability and data security, and ultimately to give control back to the user, who (as a data subject) has these rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Since 2016 the EU Parliament has been working on a draft “ePrivacy” regulation, which takes data privacy several steps further: it holds providers of web browsers accountable, regulates machine-to-machine communication (see Internet of Things, e.g. GPS data), mandates end-to-end encryption, and requires opt-in cookie consent (cookies must be proactively approved before they can be used). The opposite is opt-out, where the user can revoke cookies afterwards and is not proactively informed.
For each use case or business model there are different factors and requirements to consider. At Taikonauten we went through such an evaluation ourselves, to offer our clients the most efficient solution and to reduce development and UX overhead.
Our criteria for choosing a third-party cookie consent provider:
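To make the opt-in model concrete, here is an added JavaScript example (not Klaro’s code and not from the original post): every non-essential purpose starts out denied, a tag may only load once its purpose has been explicitly granted, and a stored decision is honoured only if it was given for the current version of the cookie declaration. The services, purposes and version number are constructed for the example, and storage is injected so it runs outside a browser.

```javascript
const POLICY_VERSION = 2; // bump whenever the cookie declaration changes, forcing re-consent

// Constructed cookie declaration: each third-party tag is tied to exactly one purpose.
const SERVICES = [
  { name: 'session',   purpose: 'essential', required: true },
  { name: 'analytics', purpose: 'statistics' },
  { name: 'ad-pixel',  purpose: 'marketing' },
];

// In-memory stand-in for window.localStorage so the example also runs in Node.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

class ConsentManager {
  // `storage` is anything with getItem/setItem (window.localStorage in a browser).
  constructor(storage, services = SERVICES) {
    this.storage = storage;
    this.services = services;
    this.consents = this.restore(); // purpose -> true/false
  }

  // Opt-in baseline: only purposes marked `required` are granted without a choice.
  defaults() {
    return Object.fromEntries(this.services.map(s => [s.purpose, Boolean(s.required)]));
  }
  // A stored decision counts only if it was given for the current declaration version.
  restore() {
    try {
      const saved = JSON.parse(this.storage.getItem('consent') || 'null');
      if (saved && saved.version === POLICY_VERSION) return { ...this.defaults(), ...saved.purposes };
    } catch (_) { /* corrupt value: fall through to the opt-in defaults */ }
    return this.defaults();
  }
  // Called when the user submits the banner; required purposes cannot be refused.
  decide(purposes) {
    for (const [p, granted] of Object.entries(purposes)) {
      const required = this.services.some(s => s.purpose === p && s.required);
      if (p in this.consents && !required) this.consents[p] = Boolean(granted);
    }
    this.storage.setItem('consent', JSON.stringify({ version: POLICY_VERSION, purposes: this.consents }));
    return this.allowedTags();
  }
  // The gate: a tag may be loaded only while its purpose is currently granted.
  allowedTags() {
    return this.services.filter(s => this.consents[s.purpose]).map(s => s.name);
  }
}
```

In a real page the names returned by `allowedTags()` would drive which script tags are inserted into the DOM; until the user decides, only the essential tag is ever released.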
- Where is the server located? Which laws apply at that server location? Can we host the service ourselves? Is the service even open source?
- How does pricing scale for new domains or subdomains? Are subdomains included? What about sub pages? Is the pricing fixed or dynamic?
- How easily can the tool be integrated? Are there npm packages or JS frameworks? Are there CMS plugins available? Is the tool compatible with frontend frameworks like React or Vue.js? What about client-side or server-side rendering? How complete and helpful is the documentation?
- Does the tool support multiple languages? Can we adjust the tool for multiple regions with different legislation?
- Can we customise aspects of the cookie banner such as branding, colors, fonts and texts? Do we need to hack CSS rules, or are there properties, configuration files or JS frameworks to do so? Can all texts be replaced?
- Can websites be scanned regularly and automatically to update the cookie declaration? Can the contents of the cookie declaration be generated automatically?
- What about A/B testing? Can consent data be exported?
- Take the data privacy of your users seriously and make it part of technical conception and UX design.
- Get legal support up front if you are designing or developing websites. Be on the safe side and avoid unnecessary costs and effort later.
- Stay up to date with the latest regulations and appoint a privacy manager in your team or company who is dedicated to this topic.
- Reduce coding overhead by using a third-party cookie and consent management tool.
- Prepare for scalability: think about what happens when the website adds multi-language support or new domains/subdomains, or when the number of users increases. Keep in mind that each consent tool has different payment plans and scales differently for these scenarios.
- If you work with multiple clients, pick a tool that covers 90% of your cases in order to keep your tech stack small.
What did we choose at Taikonauten?
At Taikonauten we build websites for different clients, each with very individual requirements, ranging from corporate websites and online shops to digital service platforms. Trust and credibility towards their customers are a key ingredient of their success, and this needs to be reflected in the choice of technology. Klaro’s open-source approach and its highly customizable, versatile set of features made us choose Klaro as our go-to cookie consent tool. Read this article to learn more about how we work with Klaro in our projects.
💬 What is your take on data privacy at the intersection of design and web development? Let us know in the comments below!