How to collect customer data in compliance with GDPR
Have you just accepted or declined cookies after clicking on this blog article? Then you've already had your first encounter with the General Data Protection Regulation (GDPR). With its introduction in the European Union in 2018, the rules for collecting and processing personal information have become much stricter.
How can businesses design their websites to not only capture valuable customer data but also remain fully GDPR-compliant? This blog post guides you through the basic steps and best practices for collecting user data on your website in a way that is both effective and legally compliant.
The essential in brief:
- GDPR-compliant customer data collection is mandatory in the EU, protects your users' privacy, and strengthens trust in your brand.
- Consent Management refers to the management of user consents and is crucial for the efficient processing and security of user data.
- With Teavaro’s advanced Consent Management Platform, you not only optimise data collection but also set new standards in terms of data protection.
What does GDPR-compliant mean?
GDPR stands for "General Data Protection Regulation" and is a regulation of the European Union (EU) that aims to strengthen and unify the protection of personal data within the EU. The GDPR came into effect on 25 May 2018. It establishes strict rules for businesses and organizations that process personal data of individuals within the EU, and enhances the rights of individuals with respect to their data.
‘Privacy by design’ means that data protection must be integrated into the development of products from the outset.
‘Privacy by default’ means that the highest data protection settings should be preset automatically.
The guidelines of the GDPR include, among others:
- the right of access to their data,
- the right to rectification
- the right to erasure (also known as the "right to be forgotten"),
- the right to restriction of processing
- the right to data portability, and
- the right to object to data processing.
The TTDSG (Telecommunications Telemedia Data Protection Act) is a German law that complements the GDPR. It helps to explain and supplement the rules of the GDPR specifically for internet and telecommunications services in Germany. Simply put, the TTDSG ensures that the GDPR's data protection rules also clearly apply to things like cookies on websites. Thus, both sets of regulations work hand in hand to ensure that our personal data on the internet is well protected.
What is a GDPR-compliant website?
A GDPR-compliant website is a website that adheres to the rules of the GDPR (and in Germany, additionally, the TTDSG) to protect the private information of its visitors. Here are a few key points such websites must consider:
- Inform about data collection & obtain consents: The website must clearly inform the user about what information is being collected about them, why it is being collected, and how long the data will be kept. The website must ask for the user's permission before collecting their data.
- Protect user data: The website must ensure that the stored data is secure and that no unauthorised person can access or steal it.
- Preserve user rights: Every user has the right to know what data the website has about them and can request that this data be altered or deleted.
Who is obliged to have a GDPR-compliant website?
GDPR compliance applies to all organizations and companies, regardless of their size or industry, that process personal data of individuals in the EU. This also includes companies outside the EU if they offer goods or services to individuals in the EU or monitor the behavior of individuals within the EU.
For which website does the GDPR apply?
- Online shops with customers in the EU: An online store based in the USA that sells goods to customers in Germany must comply with the GDPR because it processes data from EU citizens.
- Social networks: Platforms like Facebook, Instagram, or LinkedIn, which have users in the EU, are subject to the GDPR because they collect and process personal data.
- Small and medium-sized enterprises (SMEs): A small software company in France that maintains a customer database must meet GDPR requirements.
- Freelancers and sole proprietors: A freelance photographer in Italy who operates a website and collects customer data on it must also be GDPR compliant.
For which websites does the GDPR not apply?
- Individuals for personal or family activities: If an individual stores emails or contact details of friends and family for private purposes, this does not fall under the GDPR.
- Companies outside the EU without EU citizens as customers: A local restaurant in Australia that does not process data from EU citizens and does not offer services in the EU does not need to follow the GDPR.
- Public safety and government agencies under certain circumstances: Certain data processing activities that are in the interest of national security or law enforcement may be exempt from the GDPR, although other strict data protection regulations often apply here.
So, it can be summarised: As soon as your website pursues a commercial or public purpose and you store data from users in any form (for example, through a contact form), your website is already subject to GDPR obligations.
Sharing customer data with Third Parties- When is it allowed?
In Germany, sharing customer data with third parties is only allowed under certain conditions. Clear and explicit consent from the customers is essential. This consent must be informed and specific and cannot be hidden in general terms and conditions. Moreover, the sharing of data must correspond to the purpose for which it was originally collected, to protect customers' privacy and comply with legal requirements.
User consent is mandatory: 4 types of consent statements
- Classic Cookie Consents: if cookies are used to collect behavioural data, users must actively consent. This often occurs via cookie banners or pop-ups on websites.
- Classic Marketing Consents: companies obtain explicit consent from users before using their basic data for marketing purposes, sending emails or newsletters, sending SMS for advertising purposes, or making phone calls.
- Legitimate Interest: in some cases, there may be a legitimate interest for the company in collecting data. It must be ensured that consumer rights are respected and that there is an opportunity to object.
- Execution of a contractual relationship: using contractual data for advertising purposes is only possible if the customer has explicitly consented to it, or, if a legitimate interest exists, the customer has not objected to the processing.
What are the consequences if a website is not GDPR compliant?
In 2023, for example, Meta was fined 1.2 billion euros in Ireland because, in the opinion of the data protection authorities, it illegally transferred personal Facebook data to the USA. A clear signal to everyone: when it comes to the protection of personal data, the EU can't take a joke.
Non-compliance can have serious consequences, including:
- Hefty Fines: Violations can lead to fines of up to 20 million euros or 4% of global annual turnover, whichever is higher.
- Reputation Loss: Data breaches can shake the trust of customers and partners, which can be damaging in the long term.
- Legal Disputes: Individuals whose data has been misused may claim damages, leading to costly legal proceedings.
- Operational Interruptions: Authorities can demand the cessation of certain data processing activities until compliance is ensured.
- Reviews and Audits: Violations can result in stricter scrutiny by data protection authorities.
- Loss of Business Opportunities: Non-compliance can lead to businesses being shunned by privacy-conscious partners and customers.
Therefore, it is of utmost importance for businesses and organizations to ensure that their online presence and data processing procedures are GDPR-compliant to avoid these risks.
How to collect customer data on your website in compliance with GDPR
Make your website GDPR and TTDSG compliant: Learn what legal requirements you need to meet and use practical tips to make your website GDPR compliant.
- Technical Privacy: encrypt your website with an SSL Certificate (HTTPS Encryption)
- Problem: Websites without an SSL certificate are insecure, especially when transmitting important data such as credit card information. These sites also rank lower on Google, which diminishes user trust.
- Regulation: The GDPR requires secure technical measures, including HTTPS encryption for websites. This regulation ensures that data is securely transmitted.
- To Do: Website operators should activate an SSL certificate to switch from HTTP to HTTPS. This provides a secure connection (recognizable by "https" in the address bar and a lock icon), protects user data, and improves Google search rankings. Activation is usually simple and can often be done directly through the web host.
To activate an SSL certificate for your website, first contact your web hosting provider to select an appropriate certificate—there are both free and paid options. Apply for activation directly through the provider, often possible via the customer portal. After activation, verify that your website address now begins with "https" and displays a lock icon, indicating a secure connection. Also, ensure to switch all website links to HTTPS to fully ensure security.
- Create compliant cookie banners
- Problem: Visiting websites often results in cookies being stored. Cookies are small text files stored on the user's device to track certain information such as login details or settings. They enhance the user experience by, for example, saving the hassle of refilling login data or retaining the contents of the shopping cart. However, the use of cookies under the General Data Protection Regulation (GDPR) requires the user's consent since they can collect and process personal data.
- Regulation: Before storing cookies on user devices, informed consent in the form of a cookie banner must be obtained. Users must be informed about the use of cookies and must not be disadvantaged if they decline.
- To Do: Implement a Consent Management Platform (CMP) on the website to inform users about cookies and allow them to give or withhold consent. This ensures GDPR-compliant handling. Choose a GDPR-compliant CMP and integrate it into your website. Customise the cookie banner to educate about cookies and enable consent or refusal. Test the functionality to offer users a transparent choice.
3. Review social media plug-ins and embedded videos
- Problem: Websites often use social media plug-ins and embedded videos that can collect personal data without the users' knowledge.
- Regulation: Users must give their consent before their data is captured by social media plug-ins. Website operators are also required to disclose in their privacy policy that user data may be transferred to third parties.
- To Do: To better protect user privacy, consider implementing 2-click or Shariff button solutions. In the 2-click solution, a button only becomes active after an explicit click by the user, preventing automatic data collection. The Shariff solution also requires an active action by the user before any data processing occurs, but it provides a more user-friendly one-click option.
- Make contact forms GDPR compliant
- Problem: Contact forms on websites collect personal data, which can lead to privacy issues without appropriate precautions.
- Regulation: Clear user consent to the privacy policy is required before using the contact form. Data should only be collected to the extent necessary, and users must be informed about data processing, data retention duration, their rights, and the privacy policy.
- To Do: Include a clear privacy notice in the contact form that informs about data processing and storage, user rights, and the privacy policy. Use SSL encryption for secure data transmission and delete the data once the purpose of the request has been fulfilled.
- Create a record of processing activities for your user data & enter into data processing agreements
- Problem: It must be clear and transparent which user data you store on your website – and on what legal basis or for what reasons.
- Regulation: If you collect personal data on your website, you must accurately record what user data you collect, why, and how long you store it. If you use services like Google Analytics or Mailchimp, you must also make specific contracts (data processing agreements) with these providers to ensure that they comply with data protection rules.
Attention: Companies that store their website data with an external service provider (host) must sign a specific data processing agreement because personal data such as customer information are also stored there. If a company maintains its server but someone else is responsible for the technical aspects, this agreement is also necessary if access to personal data is possible.
- To Do: Document transparently in the record of processing activities how you handle personal data and enter into data processing agreements with Third-Party providers who process personal data, to ensure GDPR compliance.
- Place the privacy policy and right to withdrawals on your website
- Problem: Every website that collects personal data must have a privacy policy. This statement must be easily accessible to inform users about the handling of their data.
- Regulation: The General Data Protection Regulation (GDPR) requires that websites not only provide a privacy policy but also place it in such a way that it can be accessed from every page. This statement must clearly lay out the scope and purpose of data processing, the rights of the data subjects, and information about Third Parties like Google Analytics. For multilingual websites, appropriate translations are required.
- To Do: Ensure that your website has a privacy policy. It should be easy to find, ideally in the footer on every page. In the policy, inform about data processing, user rights, and Third Parties like Google Analytics. If your website is multilingual, you also need the policy in these languages. It's important also to mention the right to withdrawal.
Note: Website operators use log files to monitor and log visitor activities. These contain data such as the time of page access, URL of the visited page, browser information, and anonymised IP addresses. The processing of this data must have a legal basis, and your website's privacy policy should inform visitors about this.
- Make your newsletter GDPR-compliant
- Problem: If you offer a newsletter on your website, you must ensure that it complies with data protection rules. This includes handling email addresses and obtaining user consent.
- Regulation: For newsletter sign-ups, the GDPR and UWG (Unfair Competition Law) require explicit consent. The double opt-in procedure is necessary to confirm the email address and to prove consent.
- To Do: Enter into a processing agreement with your newsletter service provider. Clearly state in the signup form what the email address will be used for and link to the privacy policy. Use the double opt-in procedure: After signing up, send a confirmation link via email that the user must click. This proves that the consent was voluntary. Remember to store the consent in case of inquiries.
- Collecting customer data for personalised Marketing: check tracking tools for GDPR compliance
- Problem: As a website operator who uses tracking tools like Google Analytics, you must ensure that these tools comply with data protection regulations. Particularly, users must be informed about the use of such tools and have the opportunity to decline their use (opt-out).
- Regulation: The General Data Protection Regulation (GDPR) requires that all tracking tools that collect personal data be listed in the privacy policy. Users must have the option to opt-out, and IP addresses must be anonymised to preserve privacy. Often, explicit consent from users is required for the use of such tools.
- To Do: Ensure that all tracking tools you use are listed in your privacy policy. Provide users with an easy opt-out option. Anonymise IP addresses to prevent user identification. Enter into a data processing amendment with providers like Google. Consider that explicit consent from users is required for certain tracking activities, especially for retargeting and remarketing.
Teavaro's consent management platform for GDPR-compliant collection of customer data
In today's digital world, protecting users' privacy is a central concern, especially in light of the strict requirements of the General Data Protection Regulation (GDPR). Teavaro offers a comprehensive solution with its consent platform, which not only ensures compliance with these regulations but also enables effective and user-friendly collection of user consents.
GDPR-compliant, Person Centric Consent Management
The design of consent banners, often used as the first link between users and websites, plays a crucial role in complying with GDPR. These banners must not only be clear and understandable for an optimal customer experience, but also offer users a real choice about whether and how their data may be used. This approach enhances Customer Engagement of your website visitors, rather than deterring them with a flood of opaque consent banners.
Integrated audience matching tools
Furthermore, Teavaro integrates Audience Matching Tools that enable businesses to legally use data for Custom Audiences on platforms like Google or Facebook. These tools are crucial for determining which customer data can be collected and how it may be used, particularly in regard to targeted advertising efforts.
Teavaro distinguishes itself in this field by providing a platform that enables the effective management of consent and cookie banners, as well as general marketing consents. By integrating Utiq-Consent into the Teavaro Consent Platform, this process of user identification is further optimised by offering a specialised form of cookie consent management that can be seamlessly integrated into the existing system. This includes:
- Consistency Across Multiple Devices
- Unified Experience Across All Platforms
- Cross-Domain Applicability
- Server-Side Storage
Teavaro's Consent Platform not only provides an advanced frontend for consent management but also includes server-side consent management for cookie banners, offering a comprehensive solution to the challenges of online privacy under GDPR. This approach ensures not only the secure and person-centric collection of customer data but also an optimal First Party Data strategy in an era of increasingly disappearing Third Party Cookies.
FAQ: Collecting customer data: what is allowed and what is not?
Here, we have compiled some frequently asked questions and answers about collecting customer data for you. Please note, however, that the information provided is general guidance and does not replace legal advice.
What customer data is allowed to be collected?
What is prohibited in the collection of customer data in Germany?
How can customer data be stored in the B2C and B2B sectors?
Conclusions:
- GDPR Compliance: Effective and legally compliant customer data collection is essential for data protection and the trust of your website visitors.
- Consent Management: The use of GDPR-compliant consent banners and the management of consents enable a secure and efficient handling of user data.
- Teavaro's Solution: By integrating Teavaro's Consent Management Platform into your website strategy, you not only optimise the collection and management of customer data but also enhance your commitment to data protection and user experience.
Maximise data protection and user experience with Teavaro
Teavaro Consent Management also allows you to manage Utiq consents for your own website, marketing consents, marketing objections and blacklists on the server side. Based on its own 1st-party ID-Graph, the platform enables GDPR-compliant linking and analysis of customer data without jeopardising privacy.
Learn how Teavaro can support your business in achieving GDPR compliance in your customer data collection and discover the benefits of an advanced consent management solution. Start now and ensure data protection and compliance with Teavaro.