Landing Page GDPR Compliance: Everything To Know

If you’ve stayed up to date with recent updates and news, you know that landing page GDPR compliance is taken very seriously now. The recent Cambridge Analytica scandal with Facebook makes data privacy and security an issue you can’t dismiss. The European Union became rather serious about it, and on May 25 of this year, the EU’s General Data Protection Regulation (GDPR) was launched.

Many digital marketers and CMO’s have been worried and perplexed by GDPR since it’s release. This post is meant to help you navigate your GDPR compliance and make sure your landing pages operate smoothly given the new data security rules.

What does GDPR mean for small and medium-sized businesses? How can you implement it on landing pages? And how will it affect the data analysis in Google Analytics? You’ll find answers to all these questions in this article, and even a little bit more.

Let’s start with an explanation of the basic GDPR concepts. We’ll walk you through the most important points to make sure that your business’s actual bottom line isn’t harmed by GDPR penalties.

For starters, GDPR was launched so EU citizens can fully control the processing of their own personal information. “Personal information” here can come in many shapes and sizes, such as:

• Name
• Address
• Location
• Online Identifier
• Information about health
• Income
• Cultural Identity
• etc...

GDPR not only gives EU citizens more control over their personal information, privacy, and data security. It also helps businesses by providing a normalized set of rules across all EU companies processing data. Therefore, GDPR compliance equalizes competition across the board and gives each company the same opportunities, as well as responsibilities.

The new regulations are meant to increase customer confidence in businesses and vice versa.

Remember: first and foremost GDPR was launched to protect the data of digital users. Make sure that your business goals, marketing strategies, advertising, and tracking all reflect this same respect for user’s privacy.

You can breakdown the basics of GDPR compliance into three different categories. Below, we’ll address the most important aspects of each to make sure you keep your landing pages and paid campaigns in the green.

For starters, you need to be as transparent as possible throughout the data transfer process. Give users an opportunity to abandon marketing activities such as newsletters, promotions etc…

You should also make sure to explicitly tell them why they’ve been added to certain lists. For example, in your initial welcome email, you should say something like: “You’re receiving this email because you signed up for our newsletters.”

Making sure there’s a clear and easy way to remove themselves from the list is also important.

In terms of actual data transfer, it’s regulated that you must give users the access to choose what data they transfer to your company. It’s also emphasized that you obtain clear user consent for processing their data. If children are included, parental consent is needed.

In terms of consent to data transfer you need to clearly and explicitly communicate with your users about data collection, your uses of the data, what data your collecting, and more. GDPR even requires you to explicitly state how long you'll hold on to the user data. Here are some easy guidelines for you to follow:

When requesting data, explain in a simple and easy to understand manner: who you are and what you do, who will receive this information, what are the purposes of processing it and how long it’ll take to store it.

If you collect user data, you should inform customers; make sure that a person, not a robot, makes a decision when an application ends in a refusal.  

Give users the right to be incognito. Delete the data on their request if it doesn’t contradict the interests of the policy.

Pay special attention to the protection of information about health, race, personal life, and religious/political beliefs.

You should make it a point to protect the users’ data by default. Because GDPR compliance emphasizes user protection, you should be aiming to do the same.

You also need to keep a weather eye on how you store your data. Small and medium business must store data if processing:

• is regular
• can violate human rights and freedoms
• is connected with confidential information or criminal records

Lastly, whenever tracking and/or leveraging personal data, you need to include a privacy policy and opt-out options for your users. A privacy policy should contain:

• the name and contact details of the company
• goals of data collection
• the rules of transferring data to another country or company
• the names of the third parties whom data are transferred to
• types of private data that are collected
• the period of data usage after which it’s deleted
• description of security measures taken to process data

Compliance with these rules and regulations is controlled by local bodies for the protection of personal data, and their work is coordinated by the EU. So keep in mind that this isn’t something you can ignore and get away with.

The cost of breaking the rules can be quite high. You can end up paying 4% of your company's annual revenue or up to 20 million euros, whichever is bigger.

Google Analytics is, in fact, a data processor for people from all over the world. So they had to take special measures to comply with the new GDPR standards.

Google Analytics users work with data, that’s why they’re so-called “data controllers.” Therefore, they also need to change some settings to meet the GDPR standards.

Google Analytics changed their service and now allows you to delete information about users upon their request.

Also, you can specify in settings how long the data about site visitors and events will be stored before automatic deletion, which is a nice time saver when you have to delete user data after it’s no longer being used. FYI: The default is 26 months.

IMPORTANT NOTE: This  only applies to individual data, not general information about page views.

Make sure the information you collect in Google Analytics meets the stated goals. In general, a collection of personal data is contrary to the Google Analytics Terms of Use. If it turns out that you’re passing such data to Google Analytics, discuss with your dev team how it can be fixed.

You can still find out the location of the site visitors, but you need to enable IP anonymization. With it, the last part of the address is reset. You’ll see traffic sources on your site, but the information won’t be as accurate as before.

Anonymization is rather simpler with Google Tag Manager. Open the Google Analytics tag, select More settings — Fields to set. Then, click anomyzeip in the Field name box, type “true” and save the changes.

GDPR compliance can get kind of technical when it comes to landing pages, both design wise and in the back-end coding. For now, we’ve written up this straightforward guide for you to learn the basics for GDPR landing page optimization.  

First and foremost, as we’ve stressed thus far throughout the post, make sure you have a readily visible Privacy Policy. This is the main document which must conform to GDPR to keep users informed.

Here are some basic guidelines for your privacy policy:

• Clearly states which Personal and Non-personal information the system collects.
• Lists the purposes for which information is collected.
• States the rights which the user has (Art. 15 — 18 GDPR).
• Data Retention Policy.
• Data can’t be stored for longer than necessary for the purposes personal data was collected (Art.5 GDPR).
• International transfers of personal data (Art. 45 GDPR).
• How data will be protected.
• Contact information, including a legal address; Contacts of Data Protection Officer, if any.
• Terms of Use - it’s necessary to add bold text "The Website is available only to individuals who are at least 16 years old” if the system doesn’t work purposefully with children or children's content. Otherwise, you need to add Age Checks functionality to the system, the checkbox on the registration page and the receipt of parental consent if the user is less than 16. (Art. 8 GDPR).
• Compliance & Security is optional, but users are already asking what you have with the GDPR. So it's better to have a resource where it’ll be detailed how you organize data protection.
• Payment Policy, Cookie Policy — describes how payments are made, and what cookies the system uses.

You also need to run your registration/thank you pages through some GDPR compliance optimization as well. This is where the actual data is collected, so it’s vital that you don’t end up getting penalized on your conversion forms, etc. Keep in mind that the goal of GDPR is to help make users feel safer and help businesses trust the data the receive more. For that reason, the below (new) landing page best practices ought to be followed:

• The number of fields should be minimal and reasonable (‘data minimization’, Art. 5 GDPR)
• Granular Consent (Art. 7 GDPR)
• A mandatory checkbox to agree with the Terms of Use and Privacy Policy
• A separate checkbox if you want to sign up a user for a mailing list

• A user should be able to change any field about himself (Art. 16 GDPR)
• Delete an account button (Art. 17 GDPR). A user must have the ability to remove himself and all of his information from the system
• Restrict Processing Mode button (Art. 18 GDPR). If a user has turned on this mode, then personal information should no longer be available in public access, for other users and even system administrators. As the GDPR positions, for the user, it’s an alternative to complete removal from the system
• Export Personal Data button (Art. 20 GDPR). It can be uploaded in any format: XML, JSON, CSV
• Granular Consent again (Art. 7 GDPR)
• The ability to give/withdraw consent to the actions of the system on work with personal data (for example, a subscription to news or marketing material)

GDPR compliance goes past just how you collect data and how transparent you are with your users in regards to that data collection. In order to be completely GDPR compliant, there are also some rules for how you organize and handle the data you’re collecting.

• Personal Data Protection Policy (Art. 24 (2) GDPR)
• Inventory of Processing Activities (Art. 30 GDPR)
• Security incident response policy: you need to notify your supervisory authority about the leak within 72 hours (Art.33 GDPR) and the data subject that his/her data has flowed away (Art.34 GDPR)
• Data Breach Notification Form to the Supervisory Authority Art. 33 GDPR
• Data Breach Notification Form to the Data Subjects Art. 34 GDPR
• Data Retention Policy Articles 5(1)(e), 13(1), 17, 30

Nice to have policies:

• Data Disposal Policy
• Backup policy
• System access control Policy
• SLA and escalation procedures
• Cryptographic control policy
• Disaster Recovery and business continuity
• Coding standards and rollout procedure
• Employment policy and processes
• In order not to produce a bunch of documents, you can combine them into one IG Policy (Information Governance Policy)

There is no clear guideline in the GDPR which security controls to use, but the architecture must be built on the principle of Data protection by design and by default, according to Article 25 of the GDPR. The basics for site protection and save network security for users usually includes the following:

• Firewalls, VPN Access
• Encryption for data at rest (whole disk, database encryption)
• Encryption for data in transit (HTTPS, IPSec, TLS, PPTP, SSH)
• Access control (physical and technical)
• Intrusion Detection/Prevention, Health Monitoring
• Backups encryption
• 2-factor authentication, Strict authorization
• Antivirus
• And others depending on the system

Many site owners implementing GDPR on their domains are doing so reluctantly. They find only negative aspects of it, such as reducing base audience, conversions, delivery, etc.

In this article, however, we want to emphasize the hidden benefits of implementing GDPR on your campaigns and landing pages. The benefits beyond the obvious one of not having to pay massive fines, of course. Let’s take a look at an example for a clearer picture.

Serpstat — an all-in-one SEO platform — combined GDPR implementation with an aggressive email database cleanse to radically improve their open rates. And what did they start with? A good ol’ fashioned GDPR-aligned privacy policy.

The problem with having a "dirty" email database is you’re dealing with a lot of dead addresses or addresses that don’t ever open your newsletters. This leads to your emails getting marked as spam in the future. And if left unaddressed, Google can even block your addresses if a high enough percentage of your emails start getting blocked/spammed.  

Therefore, it’s often necessary to reincarnate the base of your email list by recovering and removing the addresses that don’t ever open your emails.

This should eliminate the absolutely ineffective email campaigns you’re running. And, while it may lower your overall send volume, it doesn’t really affect your reach, as you’ve only removed completely disengaged emails.

Serpstat did this several times, and even decided to combine this email list reincarnation with their implementation of GDPR.

First, they added every registered user to an email database. This way they could identify duplicate IPs (like in the case of users entering multiple emails to game the system). In most of these cases, the bulk of these multi-email accounts are dead, so at best you can hope for one of the 3-5 emails to actually get opened.

These are the types of email addresses you don’t need clogging up your email list — they’re what will lead to a higher spam-rate.

So what did Serpstat do to clean the email database under the GDPR?

Serpstat team logged out every single user. Now, when he/she enters it again, a pop-up appears and says that the service implements GDPR and he/she should log in again if they agree on the Policy.

The email only re-enters the database for real after the user enters “Agree.” This threefold type of verification made sure that everyone who was receiving emails had due interest in the subject.  

Serpstat was able to emphasize their new GDPR compliance to reaffirm the interest and loyalty of their email audience.

As a result, Serpstat removed about 30% of the base, but the open rate increased from 23% to 78%.

I think it’s safe to say that that type of increase in performance is well worth GDPR compliance.

By now, the value of GDPR compliance should be pretty crystal clear. At the bare minimum, the actual monetary value of complying to the new EU regulations is 4% of your annual revenue or 2 million euro (whichever is higher).

On top of that, looking at GDPR with a positive lense and using it as a tool to help improve the quality of your base audiences and the transparency of your marketing efforts, you can actually leverage GDPR to improve your performance.

Don’t think of it as one more set of rules to handcuff your marketing team. Think of GDPR compliance as one more way to better serve and protect your user base.

(P.S. Special thanks to Serpstat for some awesome research for this post :) .)