GDPR applies to you as well

Posted on (updated Sep 19, 2023)

The General Data Protection Regulation has been in effect since May 2018. While its effects weren’t very clear before that, we now have a better understanding of what it requires. Pretty much every website now asks you to accept their cookie policy before letting you in. It is as annoying as it is necessary.

I also ask you for consent on my website before letting you use the site. I’m not doing that because it is the best user experience, but because I am legally required to. Here’s the kicker: if you run a website, you most likely need one of those as well and don’t even know it.

The GDPR does not only apply to tracking visitors with Google Analytics. There are many other things you can do on your own site that you also need consent for. Even if you don’t set any cookies yourself, you might use a service that does. For example, you are not allowed to show a YouTube embed without getting the all clear from your visitors. It doesn’t matter if they play the video or not.

To be compliant, you need to ask your users for permission before you embed those services. These are a few of the things you need to get prior consent from your visitors for:

  • using Google Analytics, with or without IP anonymization
  • embedding videos from YouTube or Vimeo
  • embedding tweets or Instagram posts using those services’ widgets
  • loading fonts from a service like Google Fonts
  • storing your visitors’ contact form submissions somewhere

Take embedding tweets as an example. Not showing the tweets is not enough. You’re not even allowed to request the embed-script required for it. Same goes for webfonts provided by a third party. Without a visitor’s consent, you’re not allowed to load the stylesheet provided by Google Fonts.

Consent has to be explicit. Saying “you accept our cookie policy by using the site” is not enough. Your visitors need to take a concrete actions, like pressing a button. You cannot assume opt-in before they have done so.

The UK’s Information Officer’s Office (ICO) lists a few exceptions to the GDPR. They say that data processed for “a purely personal or household activity” is fine. Whether portfolios and blogs are personal or household activities is not clearly defined. When faced with a potential 20 million Euro fine, it seems best to follow the regulation anyways. Even if you get it slightly wrong, trying your best will likely be in your favor in the event of a compliance case.

If you need help getting started, hit me up. I’m happy to help you out in this minefield that is the GDPR as best I can. Note that I am no lawyer and cannot give legal advice, but I’ll help you take your first steps.

Grid overlay