GDPR applies to you as well
I also ask you for consent on my website before letting you use the site. I’m not doing that because it is the best user experience, but because I am legally required to. Here’s the kicker: if you run a website, you most likely need a consent prompt as well and don’t even know it.
The GDPR does not only apply to tracking visitors with Google Analytics. There are many other things you can do on your own site that you also need consent for. Even if you don’t set any cookies yourself, you might use a service that does. For example, you are not allowed to show a YouTube embed without getting the all-clear from your visitors. It doesn’t matter whether they play the video or not.
To be compliant, you need to ask your users for permission before you embed those services. These are a few of the things you need to get prior consent from your visitors for:
- using Google Analytics, with or without IP anonymization
- embedding videos from YouTube or Vimeo
- embedding tweets or Instagram posts using those services’ widgets
- loading fonts from a service like Google Fonts
- storing your visitors’ contact form submissions somewhere
Take embedding tweets as an example. Not showing the tweets is not enough. You’re not even allowed to request the embed-script required for it. Same goes for webfonts provided by a third party. Without a visitor’s consent, you’re not allowed to load the stylesheet provided by Google Fonts.
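One way to hold back those requests until a visitor opts in, as an added example that is not code from this site: the elements that would fetch the font stylesheet or the embed script are created only after consent has been recorded. The category names, the `consent` storage key, the `createConsentGate` helper, and the two resource URLs are assumptions chosen for illustration.

```javascript
// Added example. Categories and resource URLs are illustrative assumptions.
const THIRD_PARTY = new Map([
  ['fonts', [{ tag: 'link', attrs: { rel: 'stylesheet',
    href: 'https://fonts.googleapis.com/css2?family=Inter' } }]],
  ['tweets', [{ tag: 'script', attrs: { async: '',
    src: 'https://platform.twitter.com/widgets.js' } }]],
]);

// doc: a Document; storage: a Storage such as localStorage.
function createConsentGate(doc, storage, key = 'consent') {
  const injected = new Set(); // categories already added to this page

  // Read stored consent; anything malformed counts as "no consent".
  function read() {
    try {
      const v = JSON.parse(storage.getItem(key) || '[]');
      return Array.isArray(v) ? v.filter((c) => THIRD_PARTY.has(c)) : [];
    } catch (e) {
      return [];
    }
  }

  // Create the elements, which is what triggers the network requests.
  function inject(category) {
    if (!THIRD_PARTY.has(category) || injected.has(category)) return 0;
    injected.add(category);
    const resources = THIRD_PARTY.get(category);
    for (const { tag, attrs } of resources) {
      const el = doc.createElement(tag);
      for (const [k, v] of Object.entries(attrs)) el.setAttribute(k, v);
      doc.head.appendChild(el);
    }
    return resources.length;
  }

  return {
    // On page load: inject only what the visitor agreed to earlier.
    restore: () => read().filter((c) => inject(c) > 0),
    // On an explicit opt-in click: remember the choice, then load.
    grant(category) {
      if (!THIRD_PARTY.has(category)) return 0;
      storage.setItem(key, JSON.stringify([...new Set([...read(), category])]));
      return inject(category);
    },
    // Withdrawal applies from the next page load; nothing new is requested.
    revoke(category) {
      storage.setItem(key, JSON.stringify(read().filter((c) => c !== category)));
    },
  };
}
```

In a browser, call `createConsentGate(document, localStorage).restore()` on load and wire `grant` to the opt-in button. The page's static HTML must not reference these resources itself, otherwise they are requested before the gate runs.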
The UK’s Information Commissioner’s Office (ICO) lists a few exceptions to the GDPR. They say that data processed for “a purely personal or household activity” is fine. Whether portfolios and blogs are personal or household activities is not clearly defined. When faced with a potential 20 million Euro fine, it seems best to follow the regulation anyway. Even if you get it slightly wrong, trying your best will likely be in your favor in the event of a compliance case.
If you need help getting started, hit me up. I’m happy to help you out in this minefield that is the GDPR as best I can. Note that I am no lawyer and cannot give legal advice, but I’ll help you take your first steps.