Is Your Law Firm Website Compliant with GDPR Legislation?
June 2018
As of May 2018, the General Data Protection Regulation (GDPR) is officially in effect. Although the legislation was passed in the European Union, it applies to any organisation that processes the personal data of people in the EU, wherever that organisation is based, so its impact is felt around the globe. Whether or not your business or website deliberately targets users in EU countries, it is in your best interest to update your site so it is GDPR compliant.
GDPR changes the way businesses may use customer data, including for marketing. For instance, a business can no longer send marketing emails to customers who never asked for them. Instead, customers protected by GDPR must give consent that is freely given, specific, informed and unambiguous before they receive those emails.
As a result, GDPR is pushing companies around the globe to be more transparent about how they store, manage, and use customer data. This new commitment to transparency has led to some notable shifts in website design. This article will cover some of the biggest changes.
Tweaking Your Opt-In Strategies
One of the most important things to change about your website in light of GDPR is how you manage the opt-in process. If you have forms or sections on your website that invite users to subscribe to newsletters, you need to give users an active opt-in option. In the past, some sites have used sneaky maneuvers here: the form either starts with the opt-in box already checked (so the user has to untick it to avoid an email subscription) or asks the user to check a box in order to opt out. Neither of these is compliant with GDPR, which requires consent to be given by a clear affirmative action: the user must tick the opt-in box themselves, and a box that was never ticked means no consent was given.
Another important change for your opt-in process is that you cannot bundle it with other terms and conditions, disclosures, or consent forms. Your site might have a section where you ask users to create a profile or something similar. Here, you can have sections that ask the user to agree to the terms and conditions and to opt in to receive email communications. However, these must be separate, clearly labeled checkboxes: agreeing to the terms must never be treated as agreeing to marketing.
Finally, provide what is called "granular opt-in" if you plan to use customer data to contact people through several different channels. Many businesses never have to worry about this, as they use customer data primarily to send emails and newsletters. However, if you plan to contact the user via physical mail, email, telephone, or social media, request separate opt-in consent for each of those channels, and only use a channel the user has actually ticked.
GDPR also requires that withdrawing consent be as easy as giving it (e.g., cancelling an email newsletter subscription should take no more effort than subscribing did); in practice that means a working unsubscribe link in every marketing email. Beyond that bare minimum, the best practice is to let subscribers choose the topics they want to hear about. For instance, if you've set things up so your subscribers receive an email every time you post a blog on your law firm website, provide an easy way for them to choose which subjects or categories they receive. They might be interested in family law but not in traffic law. Letting subscribers tailor their email preferences reduces the likelihood that they withdraw permission altogether, while keeping you compliant with GDPR.
You should also make it easy for users to dictate how frequently they want to receive emails. Some users might not mind receiving messages daily while others might not want to hear from you more than once a week.
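The opt-in rules above (no pre-ticked boxes, consent separate from the terms, one consent per channel, easy withdrawal) are straightforward to enforce on the server that receives the form. The following is an added example written for this article, not code from the original page or from Inherent; the field names, the list of channels and the in-memory record format are assumptions chosen for illustration.

```javascript
// Added example, not code from the original article: a server-side handler that
// turns a submitted opt-in form into a consent record. The field names, the list
// of channels and the record format are assumptions for illustration.

// Channels the firm might use to contact a subscriber. Each needs its own
// consent, and none is ever assumed.
const CHANNELS = ["email", "post", "telephone", "social"];

// Values a browser submits for a ticked checkbox. Anything else, including a
// missing field, means the box was NOT ticked, so consent can never come from
// a pre-checked default or from a field the browser simply did not send.
const TICKED = new Set(["on", "true", "1", "yes"]);

function isTicked(value) {
  return typeof value === "string" && TICKED.has(value.trim().toLowerCase());
}

// Build a consent record from the submitted form fields. Accepting the terms
// is recorded separately from each marketing channel, so agreeing to the terms
// never grants permission to contact the user (no bundling). The record keeps
// which notice version the user saw and when, so consent can be demonstrated.
function buildConsentRecord(form, now = new Date()) {
  const channels = {};
  for (const channel of CHANNELS) {
    channels[channel] = isTicked(form[`consent_${channel}`]);
  }
  const at = now.toISOString();
  return {
    subscriber: String(form.email_address || "").trim().toLowerCase(),
    termsAccepted: isTicked(form.accept_terms),
    channels,
    noticeVersion: String(form.notice_version || "unknown"),
    history: [{ at, event: "consent_given", channels: { ...channels } }],
  };
}

// Withdrawing consent for one channel must be as easy as giving it. The old
// state is kept in the history rather than overwritten, and the original
// record object is left untouched.
function withdrawConsent(record, channel, now = new Date()) {
  if (!CHANNELS.includes(channel)) {
    throw new Error(`unknown channel: ${channel}`);
  }
  return {
    ...record,
    channels: { ...record.channels, [channel]: false },
    history: [
      ...record.history,
      { at: now.toISOString(), event: "consent_withdrawn", channel },
    ],
  };
}

// The only question the mailing code should ever ask before contacting someone.
function mayContact(record, channel) {
  return record.channels[channel] === true;
}

// Constructed sample submission: the user ticked the terms box and the email
// box only; the post/telephone/social fields were not sent (boxes left unticked).
const SAMPLE_FORM = {
  email_address: "Jane.Doe@example.com",
  accept_terms: "on",
  consent_email: "on",
  notice_version: "2018-05",
};

function demo() {
  const record = buildConsentRecord(SAMPLE_FORM);
  console.log(JSON.stringify(record, null, 2));
  console.log("may email:", mayContact(record, "email"), "may phone:", mayContact(record, "telephone"));
  const withdrawn = withdrawConsent(record, "email");
  console.log("after withdrawal, may email:", mayContact(withdrawn, "email"));
}

demo();
```

Note that `isTicked` treats anything other than a ticked-checkbox value as "no", so a form that was tampered with to omit a field, or a browser that sends `off`, cannot grant consent by accident. Run it with `node consent.js` to see the record and the withdrawal.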
Secure storage matters most if your website processes online payments. Most law firms won't have to worry about this, since legal billing rarely has any link to e-commerce. With that said, if you do accept online payments for any reason, then you need a system in place that stores sensitive payment information securely, keeps it no longer than you actually need it, and disposes of it after a reasonable amount of time.
Tracking Cookies, Google Analytics, and More
Not every tracker on your website is served by your website itself. There may be tracking cookies set by third-party lead tracking tools, or you may be using Google Analytics to monitor the performance of your site. A cookie notice on its own is only enough for cookies that are strictly necessary for the site to work, such as a session cookie. Under the ePrivacy rules that sit alongside GDPR, tracking cookies for analytics and lead tracking are not necessary in that sense, so they should not be set until the visitor has agreed to them, the visitor should be able to refuse them just as easily, and your notice should say which third parties receive the data.
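The practical consequence is that third-party scripts should be loaded only after the visitor's choice has been recorded, not on every page load. The following is an added example written for this article, not code from the original page or from Inherent; the cookie name, its value format (a comma-separated list of agreed purposes), the 180-day lifetime and the tracker URLs (including the placeholder measurement ID) are assumptions.

```javascript
// Added example, not code from the original article: load third-party trackers
// only for the purposes the visitor has agreed to. The cookie name, its value
// format ("analytics,marketing"), the lifetime and the script URLs are assumptions.
const CONSENT_COOKIE = "cookie_consent";

// Third-party scripts grouped by purpose. Nothing here is strictly necessary
// for the site to work, so nothing here is loaded without consent.
const TRACKERS = {
  analytics: ["https://www.googletagmanager.com/gtag/js?id=YOUR-MEASUREMENT-ID"],
  marketing: ["https://leads.example.com/tracker.js"],
};

// Parse a Cookie header or document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(raw);
    } catch (_) {
      // Malformed percent-encoding: ignore the cookie rather than crash on it.
    }
  }
  return out;
}

// Purposes the visitor has explicitly agreed to. A missing cookie, or a value
// naming a purpose we do not know, yields no consent, never implied consent.
function consentedPurposes(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!value) return [];
  const known = Object.keys(TRACKERS);
  const purposes = value.split(",").map((p) => p.trim()).filter((p) => known.includes(p));
  return [...new Set(purposes)];
}

// Scripts that may be injected for this visitor.
function scriptsToLoad(cookieString) {
  return consentedPurposes(cookieString).flatMap((p) => TRACKERS[p]);
}

// Set-Cookie value to send when the visitor makes a choice in the banner.
// Unknown purposes are dropped; Secure and SameSite protect the stored choice.
function consentCookieValue(purposes, maxAgeSeconds = 180 * 24 * 3600) {
  const known = Object.keys(TRACKERS);
  const accepted = purposes.filter((p) => known.includes(p));
  return `${CONSENT_COOKIE}=${encodeURIComponent(accepted.join(","))}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Browser side: inject only the permitted scripts. A no-op outside a browser,
// which is what happens when this file is run under Node for the checks below.
function applyConsent(doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return [];
  const urls = scriptsToLoad(doc.cookie);
  for (const src of urls) {
    const script = doc.createElement("script");
    script.src = src;
    script.async = true;
    doc.head.appendChild(script);
  }
  return urls;
}

// Constructed sample cookie headers, as a browser would send them.
const SAMPLE_COOKIES = {
  noChoice: "session=abc123",
  analyticsOnly: "session=abc123; cookie_consent=analytics",
  both: "cookie_consent=analytics%2Cmarketing",
};

for (const [label, header] of Object.entries(SAMPLE_COOKIES)) {
  console.log(label, "->", scriptsToLoad(header));
}
console.log("banner choice ->", consentCookieValue(["analytics"]));
```

In the page itself, `applyConsent()` is called once on load and again after the banner records a choice, so a visitor who declines never has the analytics or lead-tracking script fetched at all; refusing is as simple as leaving the purposes out of the cookie.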
Conclusion: Working Toward Compliance
With the internet, every business has a global audience even if most of their customers come from a small geographic radius. Your law firm might serve a local community, but users from any country in the world could find their way onto your site. An informative, well-written blog could be engaging to users from the EU. Even if those individuals are unlikely to convert to paying customers, your site might still track and collect their data, and they might still subscribe to your emails.
To avoid any potential legal issues with this foreign audience, you should do the legwork to make your website GDPR compliant. At Inherent, we are familiar with both the best practices for law firm websites and with the specific requirements for GDPR. We can help you work toward compliance with your law firm site. Contact us today to learn more.