Unfortunately there is no simple step-by-step guide that fits all businesses. Your sites and apps are the first and sometimes the only thing your users see, so they are probably your most important asset and one that also reflects how you run your business. For example, examining your site is the easiest step anyone can take to evaluate your firm’s general compliance with data and privacy protection laws. In fact, in their recent complaints against 7 advertising and data broker companies, Privacy International did just that: they examined the privacy notices and marketing product descriptions on the sites of those companies, added the facts collected via data subject access requests and ended up with enough information for pretty elaborate complaint reports.
But if we are to give you some input based on our experience, it would be this:
1. Take a close look at your sites and apps.
Understand which advertising partners you work with, what other resources you have connected, why they are on your app or site and what they do. You are likely to make some interesting discoveries if you do that check, we promise.
You will most probably need the help of your web and app developers at this point: they will be your best friends in this compliance journey, so be sure that you have somebody who understands how apps and sites work by your side.
2. Talk to somebody who understands the applicable ePrivacy law and how it works with the GDPR. Or become that person yourself.
Sorry, but this part is hard to avoid: you need to know how the ePrivacy directive is implemented in your users’ countries, how it interacts with the GDPR and what to watch out for. If you do not have a lawyer, you might want to consider the ePrivacy directive itself as your baseline and build your compliance strategy on top of it. More specifically, you can start by checking article 5 of the ePrivacy directive (it’s very short).
3. Look for the right compliance tools.
Now that you understand the specifics of your situation and have at least a draft compliance plan, you can decide how to implement it.
For example, if you have a lot of advertising on your site or app, you will probably want to use the IAB’s Transparency and Consent Framework. Next, you might want to build a consent management tool yourself or choose one of the existing solutions out there. Obviously, we recommend checking out Faktor’s Privacy Manager CMP!
4. Get your web and app developers involved as early on as possible, but keep an overview of the general picture.
You need to be prepared to spend some time on your site and app compliance, especially if you have never examined them before. So take this activity seriously, have a dedicated web/app developer ready and guide them when needed to make sure that they do not miss the bigger (legal) picture.
Introduce the developer to the process at the stage of the tool selection, invite them to participate in sales calls and ask questions. After all, they are the ones who will be dealing with whatever you select and they are the ones likely to understand how the implementation will go.
5. Implement the tools and keep them updated.
Putting the CMP on your site/app is not going to make you compliant on its own. Think about how you are going to stick to your compliance plan and keep the CMP updated, and who is going to make sure that the CMP is taken into consideration whenever you roll out changes on your site/app or add new third-party resources. If you work with the TCF, who will keep an eye on the changes within the Framework itself? Be sure to run periodic checks to ensure that no third-party resources are being loaded without users’ consent, or at least without informing them (where the ePrivacy consent exemption applies).
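The inventory in step 1 and the periodic check in step 5 can be partly automated. The script below is an added example and not Faktor's code or part of any CMP: it parses a snapshot of a page's HTML, lists every host that resources are fetched from, separates first-party hosts from third parties, and reports the third parties that are not on the list of vendors for which consent was actually obtained. The sample HTML, the first-party hosts and the consented-vendor list are constructed for the example; in practice you would feed it the rendered HTML of your own pages and the vendor list from your consent records.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page standing in for a snapshot of your own site.
# The hostnames are placeholders, not real vendors.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.test/tag.js"></script>
<link rel="stylesheet" href="https://fonts.example-fonts.test/css">
</head><body>
<img src="https://pixel.example-adtech.test/track.gif">
<iframe src="https://ads.example-adtech.test/frame"></iframe>
<img src="//static.mysite.test/logo.png">
</body></html>
"""

# Hosts you control (constructed). Anything else is a third party.
FIRST_PARTY_HOSTS = {"mysite.test", "static.mysite.test"}

# Vendors for which the CMP has recorded consent (constructed).
CONSENTED_VENDORS = {"cdn.example-analytics.test"}


class ResourceCollector(HTMLParser):
    """Collect src/href values of tags that cause the browser to fetch a resource."""

    SRC_TAGS = {"script", "img", "iframe", "link", "video", "audio",
                "source", "embed", "object"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.SRC_TAGS:
            return
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.urls.append(value)


def resource_hosts(html):
    """Return the set of hosts that the markup fetches resources from.

    Relative URLs (no host) are first-party by construction and are skipped;
    scheme-relative URLs ("//host/path") are resolved to their host.
    """
    parser = ResourceCollector()
    parser.feed(html)
    hosts = set()
    for url in parser.urls:
        parsed = urlparse(url)
        if parsed.netloc:
            hosts.add(parsed.netloc.lower())
    return hosts


def third_party_hosts(html, first_party=FIRST_PARTY_HOSTS):
    """Step 1: the inventory of external resources on the page."""
    return {h for h in resource_hosts(html) if h not in first_party}


def unconsented_hosts(html, first_party=FIRST_PARTY_HOSTS,
                      consented=CONSENTED_VENDORS):
    """Step 5: third parties loaded although no consent is recorded for them."""
    return third_party_hosts(html, first_party) - consented


if __name__ == "__main__":
    print("Third-party hosts:", sorted(third_party_hosts(SAMPLE_HTML)))
    missing = sorted(unconsented_hosts(SAMPLE_HTML))
    print("Loaded without recorded consent:", missing)
```

Run it against each page after every release and whenever a new tag is added, and treat a non-empty result as a finding to take to the developer and to whoever owns the compliance plan. One caveat: a static HTML snapshot only shows the resources declared in the markup. Tags that are injected by other scripts at runtime only show up in the rendered page, so for those you need to check the browser's network log (or a crawler that executes JavaScript) rather than the raw HTML.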
All in all, compliance is an ongoing process and not a click-of-a-button activity. No tool can make your site or app compliant if you do not have clarity on why you need that tool and how to use it. Our most successful clients have a dedicated project team ready to deal with all compliance topics. Be prepared to ask a lot of questions and work on the most important part of the compliance process: a plan and an idea of how to execute it. We are always here for you to share information or give advice, but by now you have probably come to the realisation that whoever sells miracles is not telling you the whole truth and that compliance is a journey and not a destination, at least at the stage we are in now.