
17 Aug 2018
If Google and Facebook Weren’t Ready for the GDPR – How Can You Be?
On May 25th, 2018, the General Data Protection Regulation (GDPR) came into force and reset the baseline for data privacy. The regulation sets out rules for the lawful collection, handling, processing, and sharing of personal data. Although it is EU legislation, any business that processes the personal data of individuals in the EU, whether by offering them goods or services or by monitoring their behaviour, is subject to it (Article 3), wherever that business is established.
Given the increasingly globalized nature of business, almost all large companies – as well as an overwhelming number of small and medium-sized businesses – are affected by the GDPR.
Even after investing heavily in GDPR-compliance programmes, some of the largest companies were hit with complaints on the regulation's first day, alleging that their practices fall short of its standards.
Considering even these companies weren’t prepared for the GDPR, are you?
Let’s take a look at where the big players went wrong, and how your efforts to comply with the GDPR can help you avoid the same fate.
How Do You Obtain Consent Properly?
When it comes to landing on the wrong side of the GDPR, consent has proven to be the sticking point in the early days of the regulation. Within hours of it taking effect, complaints citing the GDPR were filed with EU data protection authorities against Facebook and Google, seeking fines totalling roughly $8.8 billion.
So what’s the GDPR offense that could end up costing Facebook and Google billions?
Improper Consent
The complaint against Google claims that the company relies on "forced consent": users cannot set up or use certain Android functions without first handing over personal data.
The complaint against Facebook centres on "bundled consent". It alleges that the site pushed users to accept its policies and terms through a 'take-it-or-leave-it' screen, leaving anyone who declined no option but to abandon the platform entirely.
If those allegations hold, that is not valid consent. Article 4(11) of the GDPR defines consent as a freely given, specific, informed and unambiguous indication of the data subject's wishes, and Article 7 sets the conditions for obtaining it. In practice, consent must be:
- Affirmative – the data subject must take a positive action to consent to the processing described. Rather than presenting a default (such as a pre-ticked box accepting terms or granting marketing permission), you need to let users opt in by ticking the box, or performing another affirmative action, themselves. Recital 32 rules out silence, pre-ticked boxes and inactivity.
- Freely given – this is where 'bundled consent' comes in. The data subject must be able to consent without coercion, manipulation or condition. Article 7(4) says that whether consent is freely given must take "utmost account" of whether performance of a contract is made conditional on consent to processing that the contract does not need. Making use of the platform contingent on accepting the terms is, the complaint argues, exactly that.
- Granular – a user needs to give a separate consent for each distinct collection or processing activity you are asking permission for. A consent should attach to one specific purpose, not to a bundle of practices. For example, asking users to accept your privacy policy and to receive weekly newsletters cannot be done through a single opt-in; these must be consented to separately.
If your business relies on consent to collect personal data, avoid the pitfalls suffered by Facebook and Google by ensuring that every point at which you obtain consent meets the requirements above. Two further conditions are easy to miss: consent must be as easy to withdraw as it was to give (Article 7(3)), and you must be able to demonstrate that each consent was obtained (Article 7(1)), which means recording who consented to what, when, and to which version of your wording.
Decking out your forms, emails and pages with proper opt-in mechanisms does not need to drain your time and resources either. Plenty of compliance-focused form tools will add consent checkboxes for you, some of them for free. The checkbox is only the front end, though: what matters in a dispute is the record behind it.
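The requirements above are easier to get right when the server, not the form, decides what counts as consent. The following is an added example, not code from the original post or from Termly: a minimal consent store that only records purposes the user actively ticked, refuses bundled or contractual purposes, makes withdrawal a single call, and keeps the evidence (purpose wording, timestamp, policy version, source) you would need to demonstrate consent. PURPOSES, CONTRACTUAL_PURPOSES, ConsentStore and the sample form payloads are illustrative assumptions, not any product's real API.

```python
"""Consent records that enforce the Article 4(11) / Article 7 properties.

Added example; not code from the original post or from Termly. PURPOSES,
CONTRACTUAL_PURPOSES, ConsentStore and the form payloads are assumptions
made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Granular: every purpose you rely on consent for is declared on its own, with
# the wording the user saw. A record can only ever point at one of them.
PURPOSES = {
    "newsletter": "Send me the weekly newsletter by email",
    "analytics": "Set behavioural analytics cookies",
    "partner_marketing": "Share my email address with selected partners",
}

# Freely given: processing needed to deliver the service rests on the contract
# basis (Article 6(1)(b)) and must not be bundled into a consent request; that
# is the 'take-it-or-leave-it' pattern the Facebook complaint describes.
CONTRACTUAL_PURPOSES = {"account_login", "order_processing"}


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    granted_at: datetime
    policy_version: str   # which version of the wording the user agreed to
    source: str           # form or page where the box was ticked
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentStore:
    """In-memory stand-in for the table kept to demonstrate consent (Article 7(1))."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_from_form(self, subject_id: str, form: Dict[str, str],
                         policy_version: str, source: str,
                         now: Optional[datetime] = None) -> List[ConsentRecord]:
        """Create one record per checkbox the user ticked.

        `form` is the submitted checkbox state, e.g. {"newsletter": "on", "analytics": ""}.
        Affirmative: only a box that arrives as "on" counts; absence or "" is a
        refusal, so the server never supplies a default.
        """
        now = now or datetime.now(timezone.utc)
        created = []
        for purpose, value in form.items():
            if purpose in CONTRACTUAL_PURPOSES:
                raise ValueError(f"{purpose!r} is a contractual purpose; do not ask consent for it")
            if purpose not in PURPOSES:
                # Catches a bundled 'accept_all' box as well as typos.
                raise ValueError(f"{purpose!r} is not a declared single purpose")
            if value != "on":
                continue
            rec = ConsentRecord(subject_id, purpose, now, policy_version, source)
            self._records.append(rec)
            created.append(rec)
        return created

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        return any(r.active and r.subject_id == subject_id and r.purpose == purpose
                   for r in self._records)

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> int:
        """Article 7(3): withdrawing is one call with no conditions. Returns records closed."""
        now = now or datetime.now(timezone.utc)
        closed = 0
        for r in self._records:
            if r.active and r.subject_id == subject_id and r.purpose == purpose:
                r.withdrawn_at = now
                closed += 1
        return closed

    def evidence(self, subject_id: str) -> List[dict]:
        """What you would hand a supervisory authority asking you to demonstrate consent."""
        return [
            {"purpose": r.purpose, "wording": PURPOSES[r.purpose],
             "granted_at": r.granted_at.isoformat(), "policy_version": r.policy_version,
             "source": r.source,
             "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
            for r in self._records if r.subject_id == subject_id
        ]
```

Note that the store keeps withdrawn records rather than deleting them: the history is the proof that consent existed for the period you relied on it, and it is also what lets you show the withdrawal was honoured.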
Do You Offer GDPR-Compliant Policies?
While the heart of the complaints against Facebook and Google was the failure to obtain proper consent, the consent in question was being sought for the companies' legal policies. Under the GDPR, consent to processing and the privacy policy are two different things: the policy is the information you must give users about how you process their data (Articles 13 and 14), and any consent you rely on must be a separate, specific act that this information makes informed. A single consent that points at a whole policy is neither specific nor informed.
The GDPR has both raised the bar for how businesses obtain consent and notably elevated the standards expected of the policies themselves, especially privacy policies.
To satisfy this area of compliance, consider the following when crafting your GDPR-friendly privacy policy:
Make Your Policy Comprehensive
As you’ve probably noticed by now, the GDPR demands that businesses focus on details more than ever before. The regulation forces business owners and webmasters to dive into the nitty gritty of their data collection practices and spell it out for users and regulators.
For instance:
- What data do you collect?
- For what purposes do you use that data?
- On what lawful basis are you processing each category of data? (Article 6 lays out six: consent, performance of a contract, legal obligation, vital interests, a task carried out in the public interest or official authority, and legitimate interests.)
- Do you share data with anyone?
- Do you transfer data outside the EU? (If you're an American company serving people in the EU, your answer is already 'yes'. You also need to state where your servers are located, where data may be transferred, and on what basis the transfer is lawful under Chapter V, for instance an adequacy decision or Standard Contractual Clauses.)
- Do you have a Data Protection Officer (Article 37)?
- Do you have a representative in the EU/EEA (Article 27, required with narrow exceptions if you are not established there)?
This is only a sampling of the kind of information you need to pack into your privacy policy to meet the level of detail compelled by the GDPR. Ideally, every interaction you have with user data will be specified in your privacy policy.
Make Your Policy Transparent
Privacy policies weren't necessarily written for the public before the GDPR. Their purpose has always been to disclose how a business handles its customers' personal information, but they were rarely written to be read – until now.
Article 12 of the GDPR sets out to make privacy policies readable for users without a law degree or a background in business. It requires that information be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language".
When looking at your own policy, ask yourself: Can my customers read this and actually understand how we interact with their data?
Hint: If you’re looking at a document riddled with legalese, hidden meanings, and convoluted wording – the answer is ‘no.’
Make Your Policy Easily Available
Revisiting the previous matter of getting user consent to your legal policies, the time and effort you put into perfecting your privacy policy for GDPR compliance is rendered moot if you fail to make the policy itself accessible to your users.
Not only should links to your policies be included in pages, forms, popups, and/or emails that seek consent to those policies, but you should also maintain menu or footer links on your site where users can navigate to your privacy policies, terms of service, and other legal agreements.
Are You Advertising Your Privacy Efforts the Right Way?
The failures we've seen so far haven't been limited to the multi-billion-dollar complaints against Facebook and Google. Some of the GDPR failures attracting the most unwanted attention on outlets like Twitter came from companies trying to re-obtain permission from their customers, or announcing their compliance efforts, by email.
If you’re planning on emailing customers to get consent or notifying them of changes to your policies, keep the following in mind in order to avoid the landmines encountered by other companies:
1. Walk the Talk
When WeBuyAnyCar emailed users asking them to accept its new terms and opt in to future emails, customers who chose to opt out were met with a dead link. Giving users control over their data and then failing to provide a working way to exercise that control is counter-productive to any compliance effort, and under Article 7(3) withdrawing consent must be as easy as giving it. Test every opt-out and preference link before a campaign goes out.
2. Honor Your Customers’ Preferences
Last year, in an attempt to get ahead of the GDPR, Flybe and Honda emailed customers asking them to opt in to email marketing. Although the campaigns were run in the name of compliance, both companies sent them to people who had already unsubscribed, and the UK Information Commissioner's Office fined them under the existing Privacy and Electronic Communications Regulations (PECR).
The ordeal cost them a combined £83,000 (£70,000 for Flybe and £13,000 for Honda). Those penalties were issued before the GDPR applied and would likely have been significantly higher under it. The lesson is simple: honour your customers' wishes, keep a suppression list of everyone who has opted out, and check every send against it.
3. Don’t Do More Harm Than Good
Some of the most egregious GDPR fails came from companies shooting themselves in the foot on the very privacy they set out to protect. Take Ghostery and VITL. Both sent emails meant to showcase their compliance efforts and offer users preference controls, but put the whole mailing list in the visible recipient field, effectively sharing thousands of email addresses without permission. That is an unauthorised disclosure of personal data, a personal data breach under Article 4(12) that may itself have to be reported under Article 33.
The obvious lesson is to always BCC your mailing lists, or better, to send one message per recipient so there is no list to leak. The less obvious but equally important lesson is to be careful and take compliance seriously. No one will be compliant overnight, and no one should try to be. Businesses should take the time and care to implement measures and bring their data practices up to the standards set by the GDPR.
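The three failures above share one cause: the send went out with no checks in front of it. The following is an added example, not code from the original post or from any of the companies named, showing a preference-mailing builder that drops suppressed and duplicate addresses (Flybe and Honda), refuses to send any message that addresses more than one person (Ghostery and VITL), and aborts if a recipient's opt-out link does not resolve (WeBuyAnyCar). The addresses, suppression list, secret and preference URL are constructed for illustration, and `fetch` stands in for an HTTP client so the example runs offline.

```python
"""Preference mailing that checks suppression, recipient exposure and link health.

Added example; not code from the original post or from any company it names.
CUSTOMERS, SUPPRESSED, SECRET and PREFERENCE_URL are constructed for illustration.
"""
import hashlib
import hmac
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Constructed sample data: a customer export with a duplicate and a mixed-case
# address, and the suppression list of people who previously unsubscribed.
CUSTOMERS = ["Alice <alice@example.com>", "BOB@Example.com",
             "carol@example.com", "alice@example.com"]
SUPPRESSED = {"bob@example.com"}
SECRET = b"constructed-demo-secret"          # assumption: a real key lives in a secret store
PREFERENCE_URL = "https://www.example.com/preferences?u={uid}&t={token}"  # assumed endpoint


def normalise(addr: str) -> str:
    """Canonical form used for suppression matching: bare address, lower-cased."""
    return parseaddr(addr)[1].strip().lower()


def eligible_recipients(customers, suppressed):
    """Lesson 2: honour prior opt-outs. Drops suppressed and duplicate addresses."""
    blocked = {normalise(a) for a in suppressed}
    out, seen = [], set()
    for raw in customers:
        addr = normalise(raw)
        if not addr or addr in blocked or addr in seen:
            continue
        seen.add(addr)
        out.append(addr)
    return out


def preference_token(addr: str) -> str:
    """Per-recipient HMAC so nobody can forge a link that changes someone else's preferences."""
    return hmac.new(SECRET, addr.encode(), hashlib.sha256).hexdigest()[:32]


def preference_link(addr: str) -> str:
    uid = hashlib.sha256(addr.encode()).hexdigest()[:16]   # avoid putting the address in URLs/logs
    return PREFERENCE_URL.format(uid=uid, token=preference_token(addr))


def build_message(addr: str) -> EmailMessage:
    """Lesson 3: one message per recipient, so no other address can appear in To or Cc.
    Safer than 'remember to BCC' because there is no shared list to leak."""
    msg = EmailMessage()
    msg["From"] = "privacy@example.com"
    msg["To"] = addr
    msg["Subject"] = "Please confirm your email preferences"
    link = preference_link(addr)
    msg["List-Unsubscribe"] = f"<{link}>"
    msg.set_content(
        "We have updated our privacy policy.\n"
        f"Choose what you want to receive, or opt out, here: {link}\n"
    )
    return msg


def assert_no_list_leak(msg: EmailMessage) -> None:
    """Fail the send if a message would expose other recipients."""
    visible = getaddresses([str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])])
    if len(visible) != 1 or msg.get("Bcc"):
        raise ValueError(f"message would expose other recipients: {visible}")


def prepare_campaign(customers, suppressed, fetch):
    """Build every message, checking (lesson 1) that each opt-out link resolves.

    `fetch(url)` must return an HTTP status code; in production pass something
    like `lambda u: requests.head(u, allow_redirects=True).status_code`.
    """
    messages = []
    for addr in eligible_recipients(customers, suppressed):
        msg = build_message(addr)
        assert_no_list_leak(msg)
        status = fetch(preference_link(addr))
        if status != 200:
            raise RuntimeError(f"opt-out link for {addr} returned {status}; aborting send")
        messages.append(msg)
    return messages
```

The link check is deliberately per recipient rather than for one sample URL: a tokenised endpoint can work for a test account and still 404 for real ones if the token store is stale. Hand the resulting messages to your SMTP client one at a time.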
Conclusion
The GDPR is a groundbreaking regulation, and far from the only one of its kind. While it is the first to raise the bar for user privacy this high, more regulations will follow that match its standards.
To avoid the detrimental fines and reputational damage suffered by others at the hands of the GDPR, take cautious steps to refine your data practices, and offer your customers greater transparency and control over their information.
About the Author
KJ Dearie is a product specialist and privacy consultant for Termly. She advises small business owners on the best practices for navigating the digital privacy sphere and staying compliant with the latest data protection laws.
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.