Guidance to help ensure compliance with cookie privacy laws and GDPR
Privacy laws are evolving rapidly. It is your responsibility to keep up with the applicable changes in your region.
Cookies and Web Beacons
Cookies are small text files that web servers typically send to users’ computers when they visit a website. Cookies are stored as text files on the user’s hard drive and can be read by web servers when the user visits a website or views an advertisement. A session cookie stores information while a user is using the Site but is deleted once the browser session ends. A persistent cookie stores information while a user is using the Site and retains and uses that information in connection with the user’s future visits to the Site. Third-party cookies and/or web beacons are cookies or web beacons provided by our technology and/or advertising partners. Any third-party cookie or web beacon that we authorize for use on the Site collects only the information described below, for the same stated purposes as if we were collecting the information directly. For a third-party cookie or web beacon, the third party will have access to the collected information in order to provide us with information or services that enhance the performance and functionality of the Site.
The cookies and web beacons we use collect non-personally identifiable information about users of the Site, including: the browser used to access the Site, the date and time, the URL of the page being loaded, which website(s) the user has visited, any previously assigned cookie identifier (a unique identifier assigned to a user to recognize repeat visitors), browser window size, the geographic location of the user, and the device and operating system used to access the Site. The information we collect from these cookies and web beacons is used to determine information about a user’s visit to our Site, including the number of visits, average time spent, pages viewed, navigation history through the website, and other statistics. This information is used to enhance the user’s experience while visiting our Site and to improve the performance of our Site by, among other things, allowing us to monitor Site performance, making the Site easier to use, measuring the effectiveness of promotional placements, and tailoring the Site (including the ads and offers a user receives) to better match a user’s interests and preferences.
Users who prefer not to accept cookies can set their Internet browser to notify them when they receive a cookie or to prevent cookies from being placed on their hard drive. If you consent to our collection of cookies and subsequently wish to withdraw your consent, you will need to manage the settings on your web browser to delete all cookies and disallow further acceptance of cookies. Please note that disabling cookies in your browser will prevent us from tracking your activities in relation to our Site; however, it may also disable some of the functions and features of the Site, and the Site may not work properly.
If you would like to determine your consent status, please contact us at: [INSERT CONTACT EMAIL HERE].
If you do not wish to accept cookies or web beacons in connection with your use of this Site, please discontinue use of the Site.
For instance, if you are in the EU, you are required to request permission prior to placing cookies on a visitor's browser. Here's what a popup like that might look like.
This example is taken directly from the EU’s information page regarding Cookies, which also provides a “Cookie Consent Kit” to automatically provide the required header/banner.
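As an added illustration of the "consent before placing cookies" rule described above (example code written for this page, not Feathr's code and not the EU Cookie Consent Kit), the snippet below models a consent-gated cookie layer as it might run server-side in Node: strictly necessary cookies are always emitted, non-essential cookies are refused until consent is granted, and withdrawing consent expires the tracking cookies already placed. The cookie names and the in-memory store are constructed placeholders.

```javascript
// Added example, not code from Feathr or from the EU Cookie Consent Kit.
// Models consent-gated cookie placement for a Node server emitting
// Set-Cookie headers. Cookie names are constructed placeholders.

const ESSENTIAL = new Set(["session_id"]); // strictly necessary: no consent needed

// Build a Set-Cookie header. Without Max-Age the browser treats the cookie as
// a session cookie and discards it when the session ends; with Max-Age it is
// a persistent cookie that survives browser restarts.
function buildSetCookie(name, value, { maxAgeSeconds, httpOnly = true } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/", "Secure", "SameSite=Lax"];
  if (httpOnly) parts.push("HttpOnly");
  if (maxAgeSeconds !== undefined) parts.push(`Max-Age=${maxAgeSeconds}`);
  return parts.join("; ");
}

class ConsentGatedCookies {
  constructor() {
    this.consent = false;
    this.headers = [];       // Set-Cookie headers emitted so far
    this.placed = new Map(); // constructed stand-in for the browser's cookie store
  }
  grantConsent() { this.consent = true; }
  // Withdrawal must also remove tracking cookies already placed: emit
  // Max-Age=0 for each non-essential cookie so the browser deletes it.
  withdrawConsent() {
    this.consent = false;
    for (const name of [...this.placed.keys()]) {
      if (ESSENTIAL.has(name)) continue;
      this.headers.push(buildSetCookie(name, "", { maxAgeSeconds: 0 }));
      this.placed.delete(name);
    }
  }
  // Returns the emitted header, or null when the cookie was refused.
  set(name, value, opts) {
    if (!ESSENTIAL.has(name) && !this.consent) return null; // no consent yet
    const header = buildSetCookie(name, value, opts);
    this.headers.push(header);
    this.placed.set(name, value);
    return header;
  }
}
```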
Our platform also allows you to submit personally identifiable information about your users.
Feathr now allows you to provide us with specific information about individual users, some of which will likely be considered personally identifiable information (PII) under U.S. and other jurisdictions’ privacy laws. PII is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
It is very important that you disclose to your users what PII you collect and how you share it. Your failure to do so accurately could lead to liability.
- In a section regarding information collected, you should disclose that you collect the names and emails (along with any other PII you collect).
- In a section regarding how information is shared, you should disclose that PII will be shared with third-party analytics vendors who help you customize your users’ experiences. In this example, that language might read:
[Your Company] works with third-party vendors to provide a more customized experience for you. To do so, we disclose personally identifiable information about you (specifically, your name and email address) to those vendors, though we do not allow them to re-sell or use that information for their own purposes.
We strongly encourage you to have language drafted for this purpose by your own legal counsel, as appropriate for your site and the information you collect and share. Feathr makes no representation or warranty that you will be in full compliance with the law by using the above language or disclosure. Additionally, privacy laws are evolving rapidly. It is your responsibility to keep up with the applicable changes in your region.
Here's a link to an article on How Feathr Secures Your Data.
About GDPR Compliance
GDPR, or the General Data Protection Regulation, is a set of rules and regulations that establishes certain new protections for the personal data of EU residents and new consequences for keepers of such data that do not comply with the new rules.
In addition to the steps recommended above, here are some things you can do to help ensure compliance with GDPR, particularly within the context of your usage of Feathr.
- Use GDPR principles as a guide for all your data handling. There’s no need to treat EU and US (and other countries’) residents differently; doing so becomes an unsustainable headache. GDPR is an excellent guideline for determining best practices and future-proofing data services.
- Perform an audit of all your data partners. That’s any processor, vendor, platform, or tech partner you use that holds or has access to your user data. These partners, like we do at Feathr, should be taking on the majority of the GDPR compliance burden. The first and most important step to take with your data partners is to document your intent to comply with GDPR. Draft a contract or an addendum to an existing contract that explicitly communicates a commitment to comply with GDPR. Note: we are not lawyers and this is not legal advice. Please review any steps listed in this article with your organization’s counsel.
- Have an access plan. Document a plan for or with each data partner for how you (or they) will respond to new subject access requests enacted by GDPR. The new data rights (listed in the ICO link above) require organizations to respond to certain requests, and you need a plan in place for each.
- Know where to direct data subjects. Each data partner should have a process and a web-based location, usually a web page or a portal, where data subjects can submit requests. You and your data partners must be able to offer this to every user. Speak to your data partners individually about how and where they handle such requests.
- Gather explicit consent. To remove uncertainty, add checkboxes to any forms your users interact with that permit explicit agreement with data regulations, or “opt-ins.” An example of this would be a checkbox at the bottom of an event registration form that reads “I understand and agree that a meeting planner will have my contact details for the purpose of planning meetings (such as hotel accommodations, transportation, activities, etc.). Please note that if this box is not checked, we are unable to secure your logistics for attendance at the meeting.” For more information and examples, check out this link from gdpr4meetings.com: Consent for Registering Attendees and Speakers
- Update your privacy policies. Be clear about what data you’re collecting, why you ask for it, and what you do with it. Notify your users of updated privacy policies through email, website popups, or whatever means is most efficient for your business.
- Assign a Data Protection Officer. In almost all cases this is a role that your organization will be required to identify. Thankfully, the person in this role doesn’t need to be an international data privacy lawyer or a network security expert. It just needs to be someone who can manage the documentation and process around data requests and follow up on the finer points.
- Consider self-certifying under EU-US Privacy Shield. This is important if your organization directly stores and transacts data, has a custom-built data platform, or has an on-site deployed AMS, email system, or database. For more information, check out the Privacy Shield website here: https://www.privacyshield.gov/PrivacyShield/ApplyNow. It will substantially simplify the legal basis for, and your ability to, transfer EU data out of the EU.
If you have any questions about implementing this into your website, please reach out to firstname.lastname@example.org or your dedicated Customer Success Manager. If you have legal/language questions, please consult your own legal counsel.