GDPR Website Consent

The May 25th deadline for the new European Union GDPR (General Data Protection Regulation) law is fast approaching, and many website owners are scrambling to understand and meet the requirements for compliance.

The risks of noncompliance

With fines for infringement of up to €20 million, or 4% of worldwide annual revenue, whichever is higher, the risks for noncompliance are very real.

In some cases, websites are simply shutting down citing that GDPR "creates uncertainty and risk" - risk that they can't justify taking.

What has changed?

Many of the data collection practices that have become commonplace will no longer be permitted. Among the various requirements such as data portability, right to erasure, and general data protection, one of the more challenging requirements for sales and marketing teams to implement is around consent.

GDPR sets a high standard for consent and states that:

Consent requires a clear opt-in. Silence, pre-ticked boxes or inactivity will not constitute as consent.
Consent requests must separate from other terms and conditions.
You must be specific and granular as to what data is being collected and why. Vague or blanket consent is not enough.
You must name any third party controllers that will be handling the data.

What does this all mean to me?

The simplest way to explain it is that you cannot collect any data, and thus load any tools onto your site that collect data, without first receiving explicit consent from the visitor.

Teams on average are using more than 12 different tools. Some are using more than 31 tools across their sales and marketing stack.

From Google Analytics, to the Facebook Pixel, Hubspot, Marketo, Mixpanel, Adwords, and many more... All of these tools will set cookies and immediately begin collecting data when you install them onto your website.

This default behavior we're accustomed to is no longer permitted under the GDPR.

Designing a website consent flow

At BigPicture.io, to meet compliance requirements for our own site, we researched, developed, and implemented a tool to handle this.

Here's what it looks like...

Cookie notice When the website loads, we show a notice at the bottom of the screen with a link to Cookie Settings.

Cookie Intro When you click on Cookie Settings, it opens an intro screen that explains what this is.

Privacy Controls After clicking "Next", the visitor is then shown a granular breakdown explaining the different categories of data collection, what the data is used for, and what tools we're loading.

Privacy Controls Save Settings From there, the visitor can opt-in to the different categories and when satisfied, save their settings.

Revoke consent After saving, the preferences will close and a button will appear in the bottom corner of the page for the visitor to come back and modify their settings at any time.

Only after saving their settings, will the selected tools load in the background for the site.

Using it for your own site

If that all sounds complicated and like a lot of work, we completely agree.

We’ve been through rounds of meetings with lawyers and our product design team, and it’s been a long, painstaking process.

We'd like for others not to have to go through that painful process. That’s why today we’re making our tool available to all our customers, even those on our free tier.

To make setup as easy as possible, we built a new section in our app where you can add this to your site with no extra work.

The new Consent Flow editor in the app.

And while much of our implementation is coupled with our service, we’re also exploring what it would take to release parts of what we’ve built as open source software to minimize what others need to build. Stay tuned for updates on that front.

Want to see the consent flow in action?

We have a geolocation check in place to only load the tool if we detect a visitor from the EU, so if you're in the EU, you should already see it loaded on this page. If you're not in the EU, you can override the geo check and see it live by clicking here.