Beginning on May 25th, 2018, any company that hasn’t updated its privacy policy during the two-year grace period will be in violation of the law and could face fines of as much as 4% of the company’s global revenue or €20 million, whichever is higher. The new privacy policy must be transparent and tell users what will happen with the data that is collected. It should be concise and clearly written, let users know whether their data will be shared with a third party or used for marketing purposes, explain the use of cookies and their purpose, and clearly state the rights of the individual visiting the site. vpnMentor ran a test of over 2,500 websites in the EU that will need to follow the new GDPR regulations and found that only 34% of them are currently compliant. Most of the websites we checked had outdated privacy policies, and in some cases no privacy policy at all, and are in no way ready for the stricter privacy guidelines that take effect next month. Those that fail to meet these new standards will be subject to the fines mentioned above.
Our Methodology
We targeted websites that use the popular MailChimp service. MailChimp is an email marketing platform that collects users’ email addresses in order to send out newsletters, company updates, and general marketing materials. Any website that uses MailChimp or a similar service to collect email addresses has to store this data and therefore needs a privacy policy that meets the GDPR regulations. We collected up to 100 websites in each country that use MailChimp. In some cases we couldn’t find 100 and used what we could, and the results were pretty surprising. While some countries, like Germany, seem to be more prepared for the May 25th deadline, with 67% compliance, others, such as Portugal, are ill-prepared: only 17% of the websites we checked had a complete GDPR-approved privacy policy.
Does the Data Correlate with Sites that are Compliant with the EU Cookie Law?
During the course of our research, we also investigated whether these sites were in compliance with the EU internet cookie regulations that were recently passed into law. The cookie pop-up notifications, or “cookie-pops,” require a pop-up window to appear on any site that uses cookies to collect information on the website’s users. Once again, we were surprised, as there seemed to be no correlation between the sites that use cookie-pops and the sites that are GDPR compliant. Germany, the country that topped our list on GDPR compliance, was at the bottom of the cookie-pops test, with just 16% of websites employing this privacy feature. Our hypothesis was that there would be some kind of correlation in the data between these two studies: had website owners simply taken third-party code and inserted it into their websites, we would expect the GDPR and cookie-pops results to be similar. Since there is little correlation between the sites that have cookie-pops and the sites with a compliant privacy policy, this suggests that business owners are not just copying and pasting code or text into their sites to comply with the regulation, but are actually looking into it carefully and making the necessary updates (which is good news). Some sites may have a good reason for not enabling cookie-pops, such as not using cookies at all. Interestingly, in Slovenia, which had the highest percentage of cookie-pops enabled (64%), only 40% of the sites were GDPR compliant, meaning that at least 60% of the Slovenian sites will be in violation of the new regulation. If your website isn’t GDPR compliant yet, you can go here and copy/paste the GDPR policy into your website to avoid any legal issues you may otherwise encounter.