5 Steps to GDPR Compliance

Image for 5 Steps to GDPR Compliance

Whether it’s an inconspicuous banner at the top or bottom of a website, or a more in-your-face pop-up notification, it’s nearly impossible to miss that many websites are now asking you to accept “cookies” in order to get access to their content. What’s the reason, what does it all mean and who doesn’t like cookies?

Before you start salivating, the cookies we’re talking about consist of information — not chocolate chips — and their purpose is to help websites track visits and activity. It sounds a little ominous but it’s this data that records visitor login information to save time on subsequent visits. It also ensures that items placed in a cart stay in the cart, even if another link on the website is clicked.

And as helpful as they are, cookies — and other pieces of personal data collected by websites to enhance visitor experiences — are becoming increasingly regulated worldwide. For websites that have customers or visitors from countries in the European Union (E.U.), strict rules are now in place that requires compliance with General Data Protection Regulation or GDPR.

What is GDPR, and how does it affect my company's website?

Implemented in May 2018, GDPR is a regulation in the E.U. that addresses consumer privacy and data collection. Its primary goal is to empower E.U. citizens to have more control over their personal information and how it’s used. Companies with a website that is frequented by E.U. citizens (whether or not the company is located within the E.U.) must follow specific steps to be compliant and avoid fines and penalties.

What does my website need in order to be compliant?*

1) A Privacy Policy

Privacy Policies are required by laws intended to protect a consumer’s privacy. Protected information (also known as Personally Identifiable Information) includes names, email addresses, street addresses, phone numbers, credit card information, blood type, marital status and much more.

If you’re thinking this doesn’t apply to you because you’re not selling anything on your website or creating visitor sign-in accounts, think again. It’s possible — and even likely — that you could be doing it unknowingly. Do you use Google Analytics to understand your website traffic, or social media to promote your business? You’re collecting information that could be used to identify your customers, so a Privacy Policy needs to be posted on your website.

In general, a Privacy Policy will include what information is collected and why, along with details on how data is stored, transferred and/or shared with others. Some also include policies about the use of cookies to collect data, but for GDPR compliance, it needs to be an entirely separate policy.

2) A Cookies Policy

You’re required to post a separate Cookies Policy on your website. Adding a “cookies clause” to your Privacy Policy isn’t enough to be GDPR compliant. You’ll need to cover the following points in your Cookies Policy:

  • State that your website currently uses cookies.
  • Define website cookies.
  • Mention the types of cookies you use, including those used by your third parties.
  • Explain how your site uses the cookies.
  • Give users instructions to manage their cookie settings.

Policy Examples:
New York Times
Survey Monkey

3) A Banner or Popup Notification

One of the most important aspects of GDPR requirements is to let your site’s visitors know that your website uses cookies. While your Privacy Policy or Cookies Policy states this, it’s important that you also actively inform your visitors that your site uses cookies.

One way to do this is by adding a banner or pop-up notification to your website so that first-time visitors are notified of your cookie usage and are given a link to your complete Cookies Policy.

An example:


We use cookies to provide the services and features offered on our website, and to improve our user experience. Cookies are small files or other pieces of data which are downloaded or stored on your computer or other device, that can be tied to information about your use of our website (including certain third party services and features offered as part of our website).

By clicking ”I Accept” you agree to such use of cookies, unless you later decide to disable them
Please note that if you delete or disable our cookies you may experience interruptions or limited functionality in certain areas of the website.

Learn more about cookies (link)
I Accept
How to delete cookies (link)

Here are a couple other Cookie Notice examples:

4) Consent for Using Cookies

To be GDPR compliant, consent must be granted by your website visitor before a cookie can be placed on their device. Most companies choose to add a simple checkbox or a button to their cookies notice (banner or pop-up notification) that prompts users to click it in order to give their consent to the browser cookies.

4) Consent for Using Cookies

To be GDPR compliant, consent must be granted by your website visitor before a cookie can be placed on their device. Most companies choose to add a simple checkbox or a button to their cookies notice (banner or pop-up notification) that prompts users to click it in order to give their consent to the browser cookies.

5) An Easy Opt-Out Method

Providing an opt-out method is just as important as acquiring the user’s consent for your cookies. However, unlike obtaining the user’s consent, you don’t have to give the visitor an option to opt-out of your use of cookies from your cookie notice.

Instead, you can add a clause to the end of your Cookies Policy that explains how to opt-out of cookies using their browser setting, or simply provide links to browser websites that educate your visitor on how to manage cookies on their devices.

The New York Times is a great example of how to give your site visitors the power to manage their own browser cookie options.

The Future of Internet Privacy in the United States

Mark Your Calendar: The California Consumer Privacy Act Takes Effect on January 1, 2020

Data breaches in the U.S. are making headlines on a regular basis these days. So while there currently exists no single law that regulates internet privacy here stateside, there are signs it is in the works. In the meantime, a patchwork of state laws are addressing consumer data privacy issues. Leading the way is the California Consumer Privacy Act of 2018 or CCPA, which goes into effect in 2020.

The CCPA will apply to you if you are a for-profit company that collects information on California residents (or has it collected on your behalf) and you meet one of the following criteria:

  • Gross revenues over $25 million (adjusted for inflation);
  • Buy, receive for commercial purposes, sell or share the personal data of 50,000 or more consumers, households or devices; or
  • Receive 50% or more of your annual revenue from selling the personal information of consumers.

It’s important to understand that the criteria are broad, and exceptions apply. And while the law applies beginning January 1, 2020, it will likely be several months before enforcement is in full effect. Let us know if you’re concerned that this will apply to your website, and we can dig in well ahead of time to be sure you’re ready in time for the New Year. Keep checking back as we’ll have follow-up information ready to go in the coming weeks that will detail a few proactive steps you can take to achieve CCPA compliance. In the meantime, achieving GDPR compliance is a solid initial step.

A Stellar Conclusion

We’ve dropped a lot of detailed information on you but the bottom line is this: Cookies are delicious and GDPR sounds scary, but with a few simple steps your website can be on the right side of regulations and consumer privacy protections.

If you’re ready to get compliant, Stellaractive can help. Drop us a line today.

*Important Note: The Stellaractive team has many talents, but we are not lawyers. The information provided here does not guarantee GDPR or CCPA compliance and should not replace actual legal advice. Please consult a lawyer to be sure your website is in full compliance.

Need a little support elevating your brand? Contact Stellaractive for your website and marketing needs!

Stellaractive is a strategy-driven creative agency in Portland, Oregon. We help companies elevate their brand through websites, print, branding, and digital marketing solutions that connect, engage, inform, and inspire. We’ve been helping clients across the U.S. build their online presence for more than 15 years, and we can help you, too. Request a quote or call us at 503-384-2413 today!