On May 25th the European Union's (EU) General Data Protection Regulation (GDPR) takes effect. Even if you are not located in the EU, you should do a careful review: you can still be cited with a penalty, because your website visitors may be located in the EU.
Below are my recommendations on what to do about the changes the EU requires as of 5/25/18.
First, it is important to know that I am not a security policy consultant, but I am making recommendations to you that may be helpful as you review your own policies and procedures.
Even if you do not advertise to or target the EU, as a website owner you are still required to adhere to the rules the EU has laid out, the same rules it is legally forcing Google and other tech firms to embrace.
My Recommendations
Move from http to https. Serving every page over HTTPS encrypts form submissions in transit; a form on a plain-http page can be read or altered on its way to your server even if it posts to an https endpoint, so the page carrying the form must be https too.
Enewsletters – stop auto-subscribing anyone to newsletters (if you still do this). Under the new requirements, EU users must affirmatively state that they want to opt in to your list.
No online form should request sensitive information such as health information, insurability, etc. If your business needs this data, find a more secure way to collect it than a plain website form. In the USA we have HIPAA rules covering this, and you should already be compliant.
Update your privacy policy to be transparent about what you track, how you use that information, how you secure it, and who you share it with.
Most important, make sure your privacy policy includes links that let people opt out of Google tracking and of DoubleClick, the third-party ad vendor Google uses.
Review the new data-retention settings and the other controls Google has recently rolled out in Google Analytics; they are live now under the Admin section. Work through each option, choose the one that is right for you, and then list your selections, for transparency, in the Analytics section of your privacy policy. I have personally selected data retention for my own site of 14 months; right now the default is 26 months.
There are a number of other new settings in the Google Analytics Admin section covering sessions and visitor identification. Look at those too, to make sure you do not need a configuration update.
I would recommend you move to the newest version of the Google Analytics tracking code if you can, since some of these settings are only available to sites using the new snippet.
Review your own website visitor geo information. If you have a number of visitors from the EU, you may also need a cookie-consent gate for your site: one where the user has to click their approval before any tracking cookie is set. Getting this approval becomes crucial if you are using Google Remarketing, Google AdWords, or any website tracking tool or conversion code. If you are using Facebook Remarketing, you need cookie approval for that as well. The approval only means something if the tracking scripts actually wait for it; a banner that appears after the analytics snippet has already fired gates nothing.
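The consent gate described above, in JavaScript, as an added example and not code from the original post. It assumes a cookie named cookie_consent, a placeholder property ID UA-00000000-1, and banner element IDs consent-banner, consent-accept and consent-decline; the window['ga-disable-<ID>'] flag and the gtag.js snippet with anonymize_ip are Google's documented mechanisms. The gate's logic takes the browser pieces it touches as an argument, so the same code can be exercised outside a page.

```javascript
// Cookie-consent gate: tracker loaders (Google Analytics, remarketing and
// conversion tags) run only after the visitor clicks approval, and a declined
// visitor also gets Google's runtime opt-out flag set.
// Added example, not the original post's code. The cookie name, property ID
// and element IDs are assumed placeholders.

const CONSENT_COOKIE = 'cookie_consent';   // assumed cookie name
const GA_PROPERTY_ID = 'UA-00000000-1';    // placeholder, not a real property

// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// 'granted', 'denied', or null when the visitor has not decided yet.
function readConsent(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value === 'granted' || value === 'denied' ? value : null;
}

// Cookie recording the decision for a year. Secure keeps it to HTTPS,
// SameSite=Lax keeps it out of cross-site requests.
function consentCookie(decision) {
  return CONSENT_COOKIE + '=' + decision +
    '; Max-Age=' + 365 * 24 * 3600 + '; Path=/; Secure; SameSite=Lax';
}

// env is the slice of the browser the gate touches:
//   cookie, setCookie(str), globals (the window object), loaders {name: fn}
function createGate(env) {
  const state = { decision: readConsent(env.cookie), bannerShown: false, loaded: [] };
  const disableFlag = 'ga-disable-' + GA_PROPERTY_ID;

  function runLoaders() {
    for (const [name, load] of Object.entries(env.loaders)) {
      if (state.loaded.includes(name)) continue;   // never inject a tag twice
      load();
      state.loaded.push(name);
    }
  }

  return {
    state,
    // Call on page load: trackers start only for a returning visitor who
    // already granted; a first-time visitor sees the banner and nothing loads.
    init() {
      if (state.decision === 'granted') runLoaders();
      else if (state.decision === null) state.bannerShown = true;
      return state;
    },
    accept() {
      state.decision = 'granted';
      state.bannerShown = false;
      env.setCookie(consentCookie('granted'));
      delete env.globals[disableFlag];
      runLoaders();
      return state;
    },
    decline() {
      state.decision = 'denied';
      state.bannerShown = false;
      env.setCookie(consentCookie('denied'));
      env.globals[disableFlag] = true;   // GA drops hits for this property
      return state;
    },
  };
}

// Page wiring: vendor scripts become <script> tags only when a loader runs.
// Guarded so the file also evaluates where there is no DOM (e.g. Node).
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const gate = createGate({
    get cookie() { return document.cookie; },
    setCookie(str) { document.cookie = str; },
    globals: window,
    loaders: {
      analytics() {                      // standard gtag.js snippet, IP anonymized
        const s = document.createElement('script');
        s.async = true;
        s.src = 'https://www.googletagmanager.com/gtag/js?id=' + GA_PROPERTY_ID;
        document.head.appendChild(s);
        window.dataLayer = window.dataLayer || [];
        function gtag() { window.dataLayer.push(arguments); }
        gtag('js', new Date());
        gtag('config', GA_PROPERTY_ID, { anonymize_ip: true });
      },
    },
  });
  const banner = document.getElementById('consent-banner');   // assumed IDs
  banner.hidden = !gate.init().bannerShown;
  document.getElementById('consent-accept').onclick = () => { gate.accept(); banner.hidden = true; };
  document.getElementById('consent-decline').onclick = () => { gate.decline(); banner.hidden = true; };
}
```

The structural point is that nothing tracker-related is in the page-load path unless a prior "granted" cookie exists, and a later decline flips the ga-disable flag so an already-loaded snippet stops sending hits. Any other tag (Facebook pixel, AdWords conversion code) goes in as another entry in loaders and inherits the same gating.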
Become aware of the EU data retention rules and set up a process to remove personal data when requested, but most of all be transparent about what you do with the information you collect.
If you sell heavily to the EU or have strong visitor numbers from it, get up to speed now on what is required; making changes and instituting new policies can be time-consuming.