With the introduction of the General Data Protection Regulation (GDPR) and the planned ePrivacy Regulation, a lot has changed for website operators. The correct processing of personal data now plays an even more important role and must be presented transparently on your website for every user.
But there are still many operators whose website does not meet the requirements of the GDPR at all or only partially. This can result in a warning and high penalties.
That's why today we would like to show you the nine most serious sources of error that you should avoid at all costs on your website.
9 GDPR mistakes you can easily avoid
1. Incorrect imprint
Every website operator who offers services, goods or information (for example texts) on their website is obliged to comply with the so-called provider identification obligation, which in Germany is regulated in § 5 of the Telemedia Act (TMG).
This means that you as the operator must provide certain information about yourself or your company in the imprint (first name, last name, street, postal code, place of residence). Consumers and competitors must always be able to find out who operates the site and who their potential contractual partner would be.
2. Insufficient privacy policy
With a privacy policy on your website, you ensure that you inform your visitors about the collection and processing of personal data. The visitor must be able to see at any time what data is stored for what purpose and how it is processed.
This includes data such as the IP address, browser data, cookies, analysis tools (e.g. Google Analytics), the Facebook pixel, and more. In addition, the visitor must be able to decide which data may be stored and to withdraw that decision later.
3. Missing cookie notice
Since almost all websites use cookies, the GDPR or ePrivacy Directive obliges you as a website operator to obtain the user's explicit consent before setting the cookies.
For this purpose, a so-called "cookie notice" must be displayed as soon as the visitor visits your website for the first time. In this "notice", the visitor must be informed about the setting of cookies and have the opportunity to decide which cookies he wants to allow and which not.
The cookie notice must also reference or link to the privacy policy so that the user can inform himself about the storage and processing of his data.
4. No anonymous tracking
If you use tracking tools such as Google Analytics on your website, you are obligated to transmit the data to the third-party providers exclusively anonymously. This means that even a person who agrees to the tracking must not be identifiable by the third-party tool.
5. No commissioned data processing
The GDPR requires that you conclude a contract for commissioned data processing with all service providers who store personal data. This is to document that the service providers also handle any personal data transmitted responsibly and with the utmost care.
Data protection authorities can request such a contract at any time and check whether you have complied with the obligation to commission data processing.
6. Faulty contact forms
Yes, even contact forms are affected by the GDPR, because as soon as you include a contact form on your website, visitors can enter personal data there, such as first name, last name, email address, etc.
Therefore, this data must be transmitted encrypted (HTTPS) and you must refer or link to the privacy policy in the contact form. In addition, it makes sense to note directly in the contact form how you handle the data and how long it will be stored.
Here, a checkbox for the consent to the processing of the data can remedy the situation.
7. No encrypted data transmission
As a website operator, you must ensure that all data - and especially personal data - is encrypted. If you use forms on your site (see point 6), for example, the data they contain must not be transmitted unencrypted.
Basically, your entire website should be served over HTTPS (SSL/TLS), not just individual pages. This is the only way to ensure that all data is transmitted in encrypted form.
8. Facebook pixel without consent
The Facebook pixel is a tracking pixel provided by Facebook. You can use it to track which pages a certain user visits or which actions he or she has performed, and subsequently target that user with advertising on Facebook.
Among others, a recent ruling from Bavaria obliges website operators to set the Facebook pixel only after the visitor has consented to it.
9. YouTube videos and other "embeds" transmit personal data
If you want to embed YouTube videos on your website, you can easily do so by inserting the embed code from the video into your page.
The problem: as soon as the embed is rendered, data such as the visitor's browser data is transmitted to Google's servers, regardless of whether the visitor ever plays the video. This applies to YouTube videos as well as other services like Google Maps, Vimeo and similar.
Even YouTube's "Enhanced Privacy Mode" does not remedy this situation: the "no-cookie" embed code means that YouTube no longer displays personalized advertising, but personal data is still transmitted.
As a website operator, you must therefore ensure that YouTube videos and other "embeds" are loaded only after your visitors have given their consent.
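The consent gating described in points 3, 4, 8 and 9 can be reduced to one small mechanism: third-party loaders (analytics with IP anonymization, the Facebook pixel) are registered per category and only executed once that category has been granted, and third-party iframes have their `src` parked in `data-src` until consent is given. The following is an added, illustrative example and not Borlabs Cookie's code; `createConsentGate`, `deferEmbeds`, `activateEmbeds` and the host list are assumptions.

```javascript
// Added example: minimal consent gate for third-party scripts and embeds (not Borlabs Cookie code).
const CATEGORIES = ['statistics', 'marketing', 'external-media'];

function createConsentGate() {
  const loaders = Object.fromEntries(CATEGORIES.map(c => [c, []]));
  const granted = new Set();

  // Run every not-yet-executed loader of a category exactly once.
  function runPending(category) {
    for (const entry of loaders[category]) {
      if (!entry.done) { entry.done = true; entry.loader(); }
    }
  }

  return {
    // Register a loader, e.g. () => gtag('config', GA_ID, { anonymize_ip: true }) for
    // 'statistics' or the Facebook pixel init for 'marketing'. It runs only after consent.
    register(category, loader) {
      if (!loaders[category]) throw new Error(`unknown category: ${category}`);
      loaders[category].push({ loader, done: false });
      if (granted.has(category)) runPending(category);
    },
    // Called from the cookie notice once the visitor has made a choice.
    grant(categories) {
      for (const c of categories) { granted.add(c); runPending(c); }
    },
    hasConsent(category) { return granted.has(category); },
  };
}

// Hosts whose iframes must not load before 'external-media' consent (assumed list).
const THIRD_PARTY_HOSTS = ['youtube.com', 'youtube-nocookie.com', 'vimeo.com', 'google.com'];

// Rewrite embed markup: third-party iframe src -> data-src, so the browser requests nothing.
// Relative or same-origin URLs are left untouched. Safe to run more than once.
function deferEmbeds(html) {
  return html.replace(/<iframe\b([^>]*?)\ssrc="([^"]+)"/gi, (match, attrs, url) => {
    let host;
    try { host = new URL(url).hostname; } catch { return match; }
    const thirdParty = THIRD_PARTY_HOSTS.some(h => host === h || host.endsWith('.' + h));
    return thirdParty ? `<iframe${attrs} data-src="${url}"` : match;
  });
}

// After 'external-media' consent: restore src so the embeds actually load.
function activateEmbeds(html) {
  return html.replace(/<iframe\b([^>]*?)\sdata-src="/gi, '<iframe$1 src="');
}
```

In a browser, `deferEmbeds` would be applied to the page's embed markup before it is inserted into the DOM, and `activateEmbeds` registered as an `external-media` loader.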
Conclusion
The GDPR has brought many changes with it and with the ePrivacy Regulation even more are on the way. This increases the demands on you as a website operator - but many of the changes are easier to implement than it seems at first glance.
Our Borlabs Cookie plugin supports you with a variety of the above-mentioned points and allows you to implement them on your website in a privacy-compliant way.