- My compromise for GDPR
- The merchant of chaos – who is making the money
- Which punishment can you be subjected to
- How do you know you can be penalized?
- Cookie banner – done simpler
- Hiding tools – server-tracking
- Cookies Yes | No
- Conversion Tracking – take some risk
- Specific tips to get your WordPress website GDPR “conform”
Note: this article is a work in progress. It is not fully complete. AND IT IS NOT LEGAL ADVICE. I happen to have spent lots of time on this subject but I am not pretending to be a lawyer. This is only my experience.
Getting a website ready for GDPR is in theory easy. The problem is that you can then no longer advertise with it effectively.
When you ask people whether they may be tracked, about 80% say no. The moment you try to reduce that figure by making it difficult to reject tracking, you are in violation of GDPR.
If you don’t have enough data, there is no point in collecting data.
A website that collects no data will in most cases perform worse than a website that collects lots of data. This leads to website owners having to pay more money for ads and other complicated tools, which means more money for Facebook and Google.
A compromise is needed to simplify things.
However, making your website more GDPR conform can actually improve its speed and user-friendliness.
My recommendations for WordPress are included later in the article.
My compromise for GDPR
- Minimize the use of external tools
- Avoid being warned by lawyers by loading tools out of their reach – a bit controversial, but more on that later.
- Take a calculated risk with “must-need” tools like conversion tracking.
These tips might seem controversial and, to be clear, they are not totally GDPR compliant. The problem is that GDPR is very, very difficult to implement. It is so far-reaching that hardly a single company is really 100% compliant.
The merchant of chaos – who is making the money
Most people who give suggestions in this regard are exaggerating, recommending things that significantly hinder the success of a website, or are plain incorrect.
So why the panic? Well, there is money to be made.
Some lawyers are urging companies to use cookie banners. They are also making money recommending tools they have partnerships with.
Companies will therefore use professional tools to “manage consent”, which cost about 20 EUR a month. The problem with many of these tools is that you need consent to manage consent with an external company. It is an oxymoron and doesn’t work. (These tools save cookies and load content from external servers.)
Again, most lawyers recommending these tools earn money by recommending them.
On the other hand, violations of these rules only lead to draconian penalties when a governmental privacy office investigates you and imposes a fine. Lawyers sending you warnings only cost you 150 EUR the first time. In many cases you can just ignore them.
This doesn’t mean that you shouldn’t apply the rules. It just means that you should do so with your well-being and the well-being of your users in mind.
But let’s take a step back.
Which punishment can you be subjected to
Firstly, draconian penalties due to GDPR are rare, since they must come from the privacy authorities of the governments, which seldom take an interest in smaller companies. It is possible to be fined up to 4% or at most 20 million EUR for not keeping up with the GDPR.
The main threat is lawyers trying to make some money.
So, the main issue to fix is being warned by some lawyer who wants to earn a quick buck.
On the other hand, it is not even legally settled whether competitors can warn you through a lawyer.
How do you know you can be penalized?
The “professional” lawyers who systematically warn companies use tools to check whether a website loads certain code: the website is loaded, and a simple script checks whether any code is loaded from Google or Facebook servers.
Here is a simple video showing how you can check if your website is “conform”. 99% of the lawyers trying to fine you will do a simple scan like this – manually or automatically:
If the scan is negative, you won’t be warned.
They nearly always search for tools from Google or Facebook. These companies have the worst privacy records in Europe and pretty much all their services need permission before being loaded.
Therefore, by making sure that services from these companies are not loaded initially, we stay out of range of these lawyers.
All software by these companies should only be loaded after visitors have been notified or have accepted the terms. Later on this page, I will give you some advice on how I implemented this recommendation.
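The scan described above, as an added self-check script (not the article's video or any lawyer's tool): it lists which resources the initial HTML of a page pulls from Google or Facebook hosts. The host list and the sample page are assumptions constructed for the example.

```javascript
// Added example, not the article's video or any lawyer's tool: a self-check
// that lists which resources the initial HTML of a page pulls from Google
// or Facebook hosts, which is what a simple automated scan looks for.
// The host list is an assumption of commonly seen hosts, not exhaustive.
const FLAGGED_HOSTS = [
  "google-analytics.com", "googletagmanager.com", "googleapis.com",
  "gstatic.com", "google.com", "youtube.com", "doubleclick.net",
  "facebook.net", "facebook.com",
];

// Collect the src/href URL of every script, link, iframe and img tag.
function extractResourceUrls(html) {
  const re = /<(script|link|iframe|img)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    found.push({ tag: m[1].toLowerCase(), url: m[2] });
  }
  return found;
}

// Resolve relative URLs against a dummy base so only absolute third-party
// URLs end up with a real external hostname.
function hostOf(url) {
  try {
    return new URL(url, "https://example.invalid/").hostname.toLowerCase();
  } catch {
    return "";
  }
}

// Resources whose host is a flagged host or one of its subdomains.
function findFlaggedLoads(html) {
  return extractResourceUrls(html).filter(({ url }) => {
    const host = hostOf(url);
    return FLAGGED_HOSTS.some((h) => host === h || host.endsWith("." + h));
  });
}

// Constructed sample page; ids and paths are placeholders.
const SAMPLE_HTML = `<html><head>
<link rel="stylesheet" href="/wp-content/themes/mytheme/style.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="/wp-content/plugins/local-tracker/collect.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
</head><body>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<img src="https://www.facebook.com/tr?id=PIXEL_ID&ev=PageView">
</body></html>`;
```

Running `findFlaggedLoads(SAMPLE_HTML)` reports the Google Fonts stylesheet, the gtag script, the YouTube iframe and the Facebook pixel image, while the two local files pass.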
Cookie banner – done simpler
Apart from being very irritating, these banners are mostly quietly dishonest. “We care about your privacy” is one of the biggest lies. Most people using these tools really just want to say: we want to collect your data, so please say OK.
Instead of using vague phrases in the banner such as “we care about your privacy”, be specific and open.
Apart from being closer to the truth, it is also probably legally better. For example: if you get permission from someone who is not informed, then the permission has little value. If you make it really, really clear what you are getting permission for, then it is valid.
Take a look at the banner from Google from the date 15.11.2022:
Notice how they use website tracking by default. Google is probably the most scrutinized company in terms of GDPR. If they can do this, then you can do it too.
The notification should state directly that we use cookies and marketing tools to optimize the performance of the website, and that without these we would have to pay much more for our ads. On the other hand, by sending data to Google or Facebook, you get more relevant ads when you use their tools.
This way people are explicitly aware of tracking and can always leave the website, if they want to.
Do not load these scripts without permission, unless you anonymize them and load them locally.
Hiding tools – server-tracking
As I mentioned further up, if you use external tools, especially those from Google and Facebook, I recommend that you only use them in such a way that they are hidden from the browser and the user.
While this sounds like you are trying to conduct clandestine activities, this is not the case. Data is only sent straight to Google or Facebook if you load their tools in the browser. If, however, you load them on the server, Google and Facebook only have access to the data you send them. This gives you more control.
The nice thing about GDPR, however, is that a whole new technique called server-side loading has evolved, so that you can use tools like Google Analytics in a way that is GDPR conform and more reliable.
Basically, the browser sends data to your server, your server anonymizes the data, and only then is it sent to Google or another provider.
Server-side tracking makes it impossible for trigger-happy lawyers to see that you are using Google Analytics. But I still recommend that you use these tools with caution and responsibly.
Cookies Yes | No
Depending on which country you are active in, you must have permission to save cookies. In Germany the rules are very strict – permission is needed.
My personal recommendation is to avoid cookies from Google, Facebook or similar companies. I wouldn’t bother too much about other tools.
For example, if you save a cookie from an external company, it is technically not compliant unless you have permission or the site can’t run without it.
However, it can be a pain to set things up differently. These external companies don’t abuse your data; they save cookies for convenience. So I would personally let them. The risk is quite low.
But I wouldn’t save cookies from tracking companies unless you have actual permission.
You can avoid this altogether with tools that save the data somewhere else. Server-side tracking sometimes offers solutions that don’t use cookies.
Conversion Tracking – take some risk
The core of performance ads is tracking. That means that one needs to know which ads are producing results. While there are tools like “matomo” that can be used, my experience has been that they are cumbersome and not good. Facebook ads, for example, work very poorly if you don’t send conversion data to Facebook. At minimum this is the IP address, so that FB knows which ad and which settings bring you results.
Therefore, I would track ALL users, with or without their consent, WHEN they use a form, convert, or call the company.
Make sure that you definitely include that in your privacy page.
This is not 100 % in conformity with GDPR, but in my eyes a person who contacts a company can be expected to inform themselves of the privacy details before doing so.
These people can be expected to know that data will be saved once they interact with a company, for example:
- If you open a website in a browser, your IP address will be saved on the server.
- If you fill out a form, your data will be saved by the form, and so on.
This is a pretty good justification. 😉
Just don’t misuse this liberty. This is a calculated risk.
Regular users who just view a page or two, I would not track without their permission or a clear notification.
Specific tips to get your WordPress website GDPR “conform”
Remember that this is not legal advice but friendly advice. I pretty much only use WordPress, so this is mainly for WordPress.
Privacy policy
To prepare a good privacy policy, use a GDPR generator. There are many; just google for “Datenschutzerklärung Generator”.
Tracking – Google Analytics or Matomo?
Recently there have been more and more companies using tools like Matomo or E-Tracker to avoid getting fined. The problem with these tools is that they cost money and don’t deliver the data I need in order to evaluate the performance of my website. And I can use Google Analytics in a way that conforms with GDPR.
I would not use Matomo. My preference is to use Google Analytics server-side.
Google Analytics server-side
There are several solutions for server-side tracking, but I use my own WordPress server-side tracking solution.
How does it work?
A regular tracking solution like Google Analytics works like this – all requests are handled and sent directly to Google or Facebook:
Server-side tracking works differently: the browser sends data to your server, and from there it is sent to Google or Facebook. In this way, the data can be anonymized completely.
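The relay step described here and in the “Hiding tools” section above, as an added example that is not the article's WordPress solution: the server keeps only whitelisted fields, truncates the IP address and forwards the result. PROVIDER_URL and the field names are placeholders; the real payload must follow the provider's documented server-side API.

```javascript
// Added example, not the article's WordPress solution: the relay step of
// server-side tracking. The browser posts a minimal event to our own
// server; the server keeps only whitelisted fields, truncates the IP and
// forwards the result. PROVIDER_URL and the field names are placeholders;
// use the provider's documented server-side API for the real payload.
const PROVIDER_URL = "https://analytics.example.invalid/collect";
const ALLOWED_FIELDS = new Set(["event", "page", "referrer"]);

// Truncate an address so it no longer points at one connection:
// IPv4 keeps the first three octets, IPv6 the first three groups.
function anonymizeIp(ip) {
  if (ip.includes(":")) {
    return ip.split(":").slice(0, 3).join(":") + "::";
  }
  const octets = ip.split(".");
  if (octets.length !== 4) return "0.0.0.0";
  return octets.slice(0, 3).join(".") + ".0";
}

// Build the outgoing hit: whitelisted string fields only, query strings
// dropped (they may carry tokens), truncated IP, and nothing taken from
// cookies or the User-Agent header.
function buildOutgoingHit(incoming, clientIp) {
  const out = {};
  for (const field of ALLOWED_FIELDS) {
    const value = incoming[field];
    if (typeof value === "string" && value.length > 0) {
      out[field] = value.slice(0, 512).split("?")[0];
    }
  }
  if (!out.event) throw new Error("event name is required");
  out.ip = anonymizeIp(clientIp);
  return out;
}

// Relay handler; `send` is injectable so the logic can be exercised offline.
async function relayHit(incoming, clientIp, send = postJson) {
  const hit = buildOutgoingHit(incoming, clientIp);
  await send(PROVIDER_URL, hit);
  return hit;
}

// Default sender: a plain JSON POST to the provider (Node 18+ global fetch).
async function postJson(url, body) {
  await fetch(url, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify(body),
  });
}
```

Anything the browser sends that is not in ALLOWED_FIELDS (user ids, user agent, cookie values) never leaves your server.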
Youtube videos
If you use YouTube, a GDPR solution can also greatly reduce your loading time.
YouTube embeds load directly from Google and even save cookies. To avoid that, you can add a script that blocks the video until people give permission to watch it.
My preference is to store the thumbnail locally and only load the video once a person actively presses play, as you can see on this page, which we set up with our own solution:
Videos
If you like this, you can contact me for it.
Google Fonts
While in the past it was common to load these fonts directly from Google, one can simply copy them to one’s own website and serve them from there.
Facebook
Facebook is tricky to use. You can use their Conversions API to send requests through your own server. The problem is that it doesn’t work if you anonymize the data: Facebook needs the IP addresses for it to work.
I would therefore only use this with permission. Don’t let it load without permission from users.
For conversion tracking, you can compromise and only load the code when a conversion is completed. But whether to take that calculated risk is something you will have to decide.
Google Tag Manager
I actually love Google Tag Manager and I have used it extensively in the past. A great tool, but unfortunately tricky when it comes to GDPR.
In the past I used it to create cookie banners and to manage the whole consent of users. The problem is that too many people, including lawyers, think that this tool is not GDPR conform, for the sole reason that it is loaded from an external website.
So for this reason, I don’t recommend it anymore. I know they have a server solution, but I haven’t tested it enough to give an opinion.
Font Awesome – ok with GDPR?
Like most websites, we use Font Awesome. If clients don’t feel comfortable about it, we can save the fonts locally. Personally I don’t load it locally; I don’t think it is a problem. Font Awesome is very clear about how they use the data – unlike Google, and they definitely don’t abuse the personal IP addresses of visitors. For me that falls under “legitimate interest”. You can read their privacy policy here.
reCAPTCHA
Another culprit on the journey towards GDPR compliance is the wonderful reCAPTCHA tool. Our solution to make reCAPTCHA GDPR compliant is to use a plugin that delays loading until a person actually engages with a form. That way only people who intend to contact you through the website are screened, which is in the interest of users too. You can use our plugin for Contact Form 7. It works like a charm for all versions.
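The deferred-loading pattern behind the YouTube click-to-play page above and the reCAPTCHA plugin described here, as an added browser-side example (not the article's plugin or page): nothing is requested from Google until the visitor presses play or focuses a form field. VIDEO_ID and the thumbnail path are placeholders, and the player host and reCAPTCHA script URL are assumptions.

```javascript
// Added example, not the article's plugin or page: load third-party embeds
// only after the visitor acts, so nothing is requested from Google before.
// Assumptions: VIDEO_ID and the thumbnail path are placeholders, the player
// is requested from www.youtube-nocookie.com, and reCAPTCHA comes from its
// public script URL. The same pattern fits conversion code that is only
// loaded once a form has actually been submitted.
const YT_EMBED_HOST = "https://www.youtube-nocookie.com";
const RECAPTCHA_SRC = "https://www.google.com/recaptcha/api.js";

// Player URL; only requested once the visitor presses play.
function youtubeEmbedUrl(videoId) {
  return `${YT_EMBED_HOST}/embed/${encodeURIComponent(videoId)}?autoplay=1`;
}

// Initial markup: the thumbnail is served from our own server.
function placeholderMarkup(thumbPath) {
  return `<img src="${thumbPath}" alt="Video preview">` +
    `<button type="button" class="play">Play</button>`;
}

// Show the local placeholder; swap in the real player on the first click.
function installClickToPlay(container, videoId, thumbPath) {
  container.innerHTML = placeholderMarkup(thumbPath);
  container.addEventListener("click", () => {
    container.innerHTML =
      `<iframe src="${youtubeEmbedUrl(videoId)}" allow="autoplay" allowfullscreen></iframe>`;
  }, { once: true });
}

// Append an external script once; returns true only when it was added now.
function loadScriptOnce(doc, src) {
  if (doc.querySelector(`script[src="${src}"]`)) return false;
  const script = doc.createElement("script");
  script.src = src;
  script.async = true;
  doc.head.appendChild(script);
  return true;
}

// Fetch reCAPTCHA only when someone focuses a field of the contact form.
function installRecaptchaOnFocus(doc, form) {
  form.addEventListener("focusin", () => loadScriptOnce(doc, RECAPTCHA_SRC), { once: true });
}
```

In a page you would call `installClickToPlay(document.getElementById("video"), "VIDEO_ID", "/thumbs/video.jpg")` and `installRecaptchaOnFocus(document, document.querySelector("form"))` once the DOM is ready.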