Unless you’ve been hiding under a rock for the last month, you will have heard of something called GDPR. The irony of getting so many emails due to a law designed to reduce the amount of spam you receive is a good example of the cobra effect. Hopefully it will calm down and won’t have such a lasting effect as the cookie law banners and popups.
It does appear that some companies have used the GDPR consent train as an excuse to reset their mailing lists. I am getting emails again from lists that I’ve previously unsubscribed from, even when I didn’t get a GDPR email from the company. I’m looking at you Cloudflare and tastecard.
The reason GDPR was necessary is that companies didn’t take the previous cookie law (and Do Not Track HTTP headers) seriously. On a previous project, we had a cookie consent opt-in that wouldn’t enable the analytics cookies unless the user agreed, but they could say no and everything still worked. Others just paid it lip-service and had a “you agree if you continue” banner. This won’t fly with GDPR, but I’ve seen many companies try this. You’re also not allowed to offer incentives such as prize draws or gated access.
One of the most comprehensive solutions that I’ve seen recently is GitLab’s cookie consent form.
You can deselect the non-necessary cookies, although it would be better if it were opt-in rather than opt-out.
There is lots of detail here that’s provided automatically by Cookiebot.
Here in the UK, there isn’t too much difference to the previous Data Protection Act, on which GDPR was largely based. Data protection laws have historically been strong in the UK, perhaps necessary because Brits have an unhealthy appetite for surveillance.
The main change is the substantially higher penalties. These alter the economics and make it no-longer cheaper to ignore the regulations and just pay the fines for data breaches. A serious leak of personal data can now be a bankruptcy level mistake, depending on profit margins. Additionally, it’s not just about keeping your users’ data reasonably secure. You are not allowed to share or reuse it for a different purpose than the ones you claimed when you initially collected it, without asking again for consent for the new use.
There is an issue with the UK’s implementation of the GDPR into the new DPA 2018. It doesn’t apply to immigrants. The Open Rights Group are launching a legal challenge to this problem and could use your support. You can even take their GDPR quiz!
There is a rumour that a GDPR declaration will form part of your tax return but we’ll have to wait and see if that happens. In any case, it needs to be taken seriously.
The ICO has some good advice on how to comply, but there is not much to worry about if you were previously behaving ethically and in the spirit and letter of the old UK and EU laws. The ICO spam complaint process is pretty backwards. You need to fill out a form and email it to them at casework@ico.org.uk with the subject “Concern about spam emails”. So there is a small (and somewhat ironic) barrier to entry.
The eagle-eyed will notice that there are some GDPR helpers included in ASP.NET Core 2.1, which can assist you in easily managing consent from users to use their data.
You will also probably want to ditch things such as facebook’s like buttons, which track users around the web. You may also want to reconsider using options such as Google Analytics. There are better alternatives available, including Matomo (formerly known as PIWIK) that you can self-host if you don’t wish to use their cloud service. It even respects DNT HTTP headers.