Why is privacy important?
Imagine visiting your friend’s parents’ house. While there, you wash your hands with lilac-scented soap and even sniff your fingers because they smell so good. Unbeknownst to you, the homeowner has been watching your every move through cameras. The next day, when you’re back home, a delivery driver shows up at your door with a box of lilac soap, and clips of you sniffing your fingers are part of a soap company’s product development meeting. Feeling a little uneasy, right? You’d want to know what else was recorded that evening, who else saw it, and whether there’s more footage you’re unaware of. Maybe they even put a “bug” in your hoodie without you knowing…
Visiting a company’s website isn’t just about clicking around. Every move a visitor makes—from the moment they arrive—is trackable by the website owner. While this “tracking” is usually harmless, the main requirement of GDPR is that visitors must be informed about what data is being collected, why it’s being collected, and who else this data is shared with. Consent is key, which is why a privacy policy is often called a consent policy.
Where did it all start?
GDPR entered the public’s vocabulary in 2016 when the EU adopted the General Data Protection Regulation. It outlines rules governing the protection of individuals’ personal data and the free movement of such data. In essence, it sets requirements for website operators to follow. If these requirements are not met, violators can face financial penalties.
To a website owner, the topic of privacy policies might seem like a tedious, overcomplicated task. However, it’s actually designed to protect all of us. It provides privacy and rights for visitors while ensuring that the company handles personal data responsibly. It’s also a crucial part of sustainable and ethical business practices, helping avoid legal troubles and reputational damage. Ultimately, by respecting privacy, you’re honoring your customers and maintaining your brand’s trustworthiness.
How to make your website GDPR-compliant
To ensure your website processes visitors’ personal data legally, follow these important steps:
1. Have a proper privacy policy on your website
What exactly is a privacy policy? It’s a document that outlines how your company collects, uses, and stores data on its website. It’s typically accessible via a link in the footer of the website.
A privacy policy should be written in clear language and should include:
- What data is being collected—names, emails, location, IP address, etc.
- How the data is used—for example, for marketing, providing services, etc.
- Who the data is shared with—for example, is it shared with third parties like Meta?
- How and for how long the data is stored, and whether it’s securely stored.
- Whether cookies or other tracking technologies are used.
You can find Nobel Digital’s privacy policy in the footer of our website under “Privacy” (see Image 1). The privacy policy document may also include a more detailed explanation of the cookie policy, outlining how visitors are tracked using cookies. We’ll cover cookies and their levels in more detail below.
2. Request consent for data collection as soon as a visitor arrives
Most people are familiar with the consent window that covers part of the screen when they visit a website. Many of us quickly click “Accept all” to close the window and continue browsing. However, this banner or pop-up is crucial for GDPR compliance. It is the visitor’s first notification that data is being collected. As mentioned earlier, the most important aspect of GDPR is that users have the freedom to control what data is collected about them.
When someone visits Nobel Digital’s website for the first time, a privacy settings window appears, giving them the option to review the privacy policy (see Image 2).
By clicking “More Information,” visitors can choose what data they are willing to share with Nobel Digital and what they are not (see Image 3). Visitors can also manually select which cookies they consent to. Stay tuned—we’ll dive into cookies shortly.
3. Ensure visitors can modify their consent later
Once a visitor has made their selection, for instance, by clicking “Accept all,” they should still have the option to change their preferences later. For this, the consent window or icon should be easy to locate. On Nobel Digital’s website, there’s a gear icon that opens the privacy settings window with a single click (see Image 4).
4. Keep your privacy policy up to date
While drafting a privacy policy might feel like a one-time task, it’s important to review it periodically. If your website undergoes significant changes or adds new features—like integrating Facebook Pixel, Google Analytics, or LinkedIn Pixel—these must be added to your privacy settings. Transparency is the goal, so updating your privacy policy should be part of your website’s regular maintenance. It only takes one complaint to the Data Protection Inspectorate to face potential fines.
What’s the difference between a cookie policy and a privacy policy?
A cookie policy explains how your website uses cookies that are stored on visitors’ devices. Cookies are small text files saved on the visitor’s device (mobile, tablet, computer). These files contain data that helps recognize visitors, track their activity, and improve the overall user experience (for example, remembering login data).
A cookie policy can be a separate document, but at Nobel Digital, the privacy and cookie policy are combined. In this case, the document should include a section explaining what types of cookies are used and for what purposes (e.g., statistics, remembering user preferences). At Nobel Digital, all cookies are listed in the privacy settings window, and each visitor can manually choose which cookies they consent to.
What’s the difference between different types of cookies?
Cookies are generally categorized into first-party and third-party cookies. Understanding this is important when designing privacy settings.
First-party cookies are created and managed by the website owner. They are typically used to improve website functionality and user experience (for example, remembering items in a shopping cart). At Nobel Digital, we categorize these as functional cookies.
Third-party cookies are created and managed by someone other than the website owner, often used for marketing or analytics, like Google Analytics or Facebook Pixel. We categorize these as marketing cookies.
In Nobel Digital’s privacy settings, we also specify “required cookies,” which are essential for the website to function (see Image 5).
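As an added example (not Nobel Digital’s code and not part of the original post), here is the consent logic behind steps 2 and 3 and the three cookie categories above, written as a small Node-runnable module: required cookies are always allowed, functional and marketing trackers load only after an explicit opt-in, and the stored choice can be revised later. The cookie name, the tracker inventory and the storage format are assumptions.

```javascript
// Added example, not Nobel Digital's code: a minimal consent model that gates
// third-party trackers on the cookie categories described above.
// The cookie name, tracker list and storage format are assumptions.
const CATEGORIES = ["required", "functional", "marketing"];
const CONSENT_COOKIE = "site_consent"; // assumed first-party cookie name

// Constructed tracker inventory; the marketing entries match the page's examples.
const TRACKERS = [
  { name: "cart-session", category: "functional" },
  { name: "Google Analytics", category: "marketing" },
  { name: "Facebook Pixel", category: "marketing" },
];

// Until the visitor has chosen, only required cookies are allowed.
function defaultConsent() {
  return { required: true, functional: false, marketing: false, decided: false };
}

// Read the stored choice back from a Cookie header. Anything missing or
// malformed falls back to "no opt-in", never to "accept all".
function parseConsentCookie(cookieHeader) {
  const re = new RegExp(`(?:^|;\\s*)${CONSENT_COOKIE}=([^;]*)`);
  const match = (cookieHeader || "").match(re);
  if (!match) return defaultConsent();
  try {
    const stored = JSON.parse(decodeURIComponent(match[1]));
    const consent = defaultConsent();
    for (const c of CATEGORIES) if (c !== "required") consent[c] = stored[c] === true;
    consent.decided = true;
    return consent;
  } catch {
    return defaultConsent();
  }
}

// Apply a visitor's (re)selection; required cookies cannot be switched off.
function updateConsent(current, changes) {
  const next = { ...current, decided: true };
  for (const c of CATEGORIES) if (c !== "required" && c in changes) next[c] = changes[c] === true;
  return next;
}

// Serialise for Set-Cookie: first-party, Secure, SameSite=Lax, with an expiry.
function serializeConsent(consent, maxAgeDays) {
  const value = encodeURIComponent(JSON.stringify({ functional: consent.functional, marketing: consent.marketing }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; Secure; SameSite=Lax`;
}

// Only trackers whose category the visitor opted into may be loaded.
function trackersToLoad(consent, trackers = TRACKERS) {
  return trackers.filter((t) => consent[t.category] === true).map((t) => t.name);
}
```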
Will anyone really notice my website’s privacy policy?
It’s a common misconception that the Data Protection Inspectorate only deals with large companies. In reality, any company that does not comply with GDPR can be held accountable, regardless of size. According to an article published in Postimees on May 7th, fines resulting from GDPR violations have amounted to nearly 3 billion euros in the past five years. In the first quarter of 2023 alone, fines totaled nearly 400 million euros. Data protection expert Andres Ojaver points out that most violations occur in commerce, media, telecommunications, financial services, and healthcare, but also in the public sector.
In an interview with Geenius magazine, Data Protection Inspectorate legal advisor Liisa Ojangu explained that this relatively new legal field needs to set examples. In other words, enforcing GDPR compliance is necessary, and the best way to do that is through strict oversight and penalties. So don’t assume that no one will notice your website’s lack of a proper privacy policy.
Does your website have a compliant privacy policy? We can conduct a quick audit and let you know what can be improved. If necessary, we can set up a privacy policy that complies with all regulations and aligns with your company’s branding. Get in touch!
Author: Mari-Helena Toompere
Digital Marketing Project Manager