PECR is a UK law which sits alongside GDPR (the EU’s rules about how personal data is gathered/held). [Very basically] both say that you have to have consent or a VERY GOOD reason for gathering and holding data about a person, or data that can be used to track someone.

In their new cookie guidance, the ICO says “your users must take a clear and positive action to consent to non-essential cookies” and that now includes cookies used for things like Analytics and stats cookies (like the ones used by Google Analytics). [The new guidelines cover ALL kinds of cookies, but in this post I’m only talking about analytics cookies as they are the ones which are mostly affected for my clients…]

Many of my clients use Google Analytics – so things will need to change/be updated on their sites to make them PECR compliant!

So below is the info I’ve sent to my clients about this (although edited a bit to make it web friendly!).

After the email contents, I’ll explain some more about PECR/GDPR compliant ways of getting website Analytics and visitor numbers, etc.

What was in my Email…

Hi,

This email is long and might seem complicated but it’s really not too bad…

At the moment, you use Google Analytics to get stats (the number of visitors, etc.) on [your] site.

Moving forward, using Google Analytics for stats will become more tricky. The ICO (Information Commissioners Office – the bit of the UK govt that deals with online privacy, etc.) has recently changed their cookie guidance for analytics/stats related cookies.

It now says that ANY cookies that aren’t vital to the functioning of the site, including anonymised analytics/stats cookies, will need permission to be set. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-look-like/

(In the past as long as you had a good Privacy/Cookie Policy on your site, explaining what cookies you used; and where possible any analytics/stats cookies were ‘anonymised’ (so individual IP addresses weren’t tracked), then it was ok to use analytics cookies like that.)

This means that to continue using Google Analytics (or cookie based analytics/stats) your site will need to have a pop-up where people have to click to allow analytics/stats cookies BEFORE any stats will be taken! It would look like the one on the ICO’s site on the link above.

Now I hate all those types on banners and I’m sure you do too! So with my clients, I’m working on getting non cookies based and privacy/GDPR/PECR friendly analytics/stats on to sites.

For my Clients who use WordPress:

For your site, I think the best option will be use a analytics/stats plugin on the site itself. This would give you most of the information which Google Analytics can; certainly information about the number of visits and more popular pages, etc. (And no cookie is used as it gets data directly from the hosting server and that counts as ‘vital’. And ad-blockers generally don’t affect the results either.)

If you’d like just ‘simple’ stats like the basic number of visits, top pages and where people came from, there are simple plugins like Statify or Koko Analytics that can do this (I now use Koko Analytics – you do have to turn a cookie off in its settings but it works very nicely).

If you’d like more detailed information, then a more complex plugin [WP Statistics] can be used on the site…

With plugin stats, it’s a good idea to keep a max of 6 months worth of stats (3 months is better) because they are stored in the database on the site and having too much information in there can slow things down…

For my Clients with ‘static’ sites (but could also apply to WordPress sites…):

For your site, I think the best option will be to use some analytics/stats produced by the hosting server. As part of your hosting package, the server generates stats using a service called AWStats. It’s not as ‘pretty’ as Google Analytics but for ‘simple’ stats like the basic number of visits, top pages and where people came from, it can do the job nicely.

However, all that cookie talk won’t affect the ‘Google Search Console’ (another Google service which helps Google know about your site) as that information comes direct from Google search information. And it might be that the information for that is really more useful that the site stats…

And to make sure that Google will index the site correctly, I also really need access to your ‘Google Search Console’ account. I think this is on a Google account you control.

You can add me as a ‘verified owner’ on your Google Search Console, so I can check things/make any changes without having you log into your account. How to do so is explained here: https://support.google.com/webmasters/answer/7687615?hl=en My Google account email to add is [retracted for privacy!!!!!].

I hope that all make sense – any questions please ask. If you’d like me to go ahead and take off Google Analytics and add in the stats plugin/show you how to use AWStats, I can do that. I’ll also update your privacy policy to make sure it’s also correct with the new situation.

Phew…

I hope your brain doesn’t hurt after all that!

Best wishes,

James

PECR/GDPR Compliant Analytics…

Below are some different options for analytics/stats. I know I’m not covering everything, I’m giving you an idea of some of the options out there!

So, to confirm what I’m using for (most of my clients):

For WordPress Sites…

These are the plugins I’m using/suggesting:

For ‘simple’ analytics there’s Statify – https://wordpress.org/plugins/statify/ and Koko Analytics – https://wordpress.org/plugins/koko-analytics/

For more detailed analytics there’s WP Statistics – https://wordpress.org/plugins/wp-statistics/

(There are other WordPress Analytics Plugins, but for my client’s needs, these ones work the best!)

For ANY Sites…

Analytics/stats tools that come with hosting packages.

Pretty much any hosting company that uses cPanel (the most common control panel used on web hosting) comes with AWStats – https://awstats.sourceforge.io already installed (in fact it’s probably already getting analytics/stats for you and you don’t even know!).

Another common ‘included’ option on hosting is Webalizer – http://www.webalizer.org. I’m not a fan of Webalizer as it’s really not pretty to use and can be somewhat confusing to read as well!

Some hosting companies don’t use cPanel and they might well have some form of their own analytics/stats tools available – I suggest you ask your web host!

‘Replacements’ for Google Analytics.

Below are some ‘replacements’ for Google Analytics (i.e. scripts that you add to your site and then you get visitor stats) which I’m aware of (but haven’t used). And again, I’m sure there are more out there – if there’s a good one that I’m missing, please leave a comment!

Fathom is an analytics tools that comes in two versions. A free/open source version which you can host yourself on your hosting server or their ‘Pro’ version, where they host it all. The Pro version costs from $14 a month (or $140 a year). The Pro version is PECR compliant, but at the moment the free/open source version isn’t (but they hope it will be by the end of 2019!).

Matomo is a free/open source analytics program which you can can install on your web host to collect site stats (it can often be installed via ‘one click’ services on many hosts). There are some steps you have to take to make Matomo GDPR compliant and, as out of the box Matomo uses cookies, it’s also a good idea to turn off cookies within Matomo to make it PECR compliant as well.

But what if I still want/need to use Google Analytics..?

That’s a good question – and it applies to a couple of my clients as well! As we saw above, the ICO says “your users must take a clear and positive action to consent to non-essential cookies”; so that’s what needs to be done!

The solution used on the ICO’s own site (as that site uses Google Analytics!) is called ‘Cookie Control’ – https://www.civicuk.com/cookie-control. It’s a script which helps to control(!) what other code (which sets the cookies) is loaded and when (i.e. when you’ve got consent from someone). If you’re a WordPress user, there’s also a plugin to help install it.

Another plugin which can do a similar thing is Complianz and I’ve used this for a couple of clients.

Another option for Google Analytics is the Minimal Analytics plugin. This loads the ‘bar minimum’ of code for Google Analytics and there’s no cookie involved! But other ‘tracking’ things might still be in place…

So that’s a round up of the new UK cookie advice and what you might need to do about it! Please leave a comment if you’ve got questions or can suggest some other good analytics solutions which are GDPR/PECR/privacy friendly…

The post The Updated UK Cookie Law Info I’ve Sent to my Clients first appeared on JPC-DESIGN.

If you’ve got a site or blog (even if you’re not in the EU), then it’s probably affected and you WILL NEED to do something!

So below is the info I’ve sent to my clients about GDPR.

If you’d like any professional help with getting your site GDPR compliant, I can help. Contact me.

Hi,

You might well have heard about the new EU Data Privacy rules — GDPR (General Data Protection Regulation) which come into effect on 25th May this year (two days after my birthday — nice!).

With GDPR comes new responsibilities for organisations and businesses in the way in which data in obtained and held.

You might well be sorting out some GDPR items already, if so, great!

As one of my clients, I want to help make the web side of things as easy for you as possible in regard to GDPR. However, there is a limit to how much I can help you!

What I Cannot Do…

I CANNOT be your ‘one stop shop’ for GDPR questions (and answers). I’m just a web developer, I’m not a data privacy or legal expert!

I CANNOT help you/your organisation ‘get ready’ for GDPR as you know what data you deal with and how you deal with it — I don’t (well I might know a bit but not much!).

What I Can Do…

I CAN give you some links to look through, which should be able to help you:

You can find out more about GDPR from the Information Commissioners Office (the UK Government Dept dealing with GDPR):
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Info for small businesses
https://www.simplybusiness.co.uk/knowledge/articles/2017/11/what-is-gdpr-for-small-business/

Info for charities
https://www.charitydigitalnews.co.uk/2018/03/22/gdpr-is-your-charity-ready/

Info for churches (although it’s also useful for many charities and businesses)
https://www.baptist.org.uk/Groups/302154/Data_Protection_and.aspx
http://www.parishresources.org.uk/gdpr/

I CAN supply you with some basic documents and templates with might help you to think about GDPR and what you need to do for the web side of it.

I’ve put these together at: https://mega.nz/folder/XwtX2TaB#Np-zd42tpKOhaw_ybbg1lw

They include:

• A basic ‘audit’ template (Word);
• A basic ‘audit’ template (Excel) — this includes some of my very basic info!; 
• A basic ‘checklist’ (Word);
• A basic ‘privacy notice’ document (Word).

But, again, I CANNOT give you any specific legal advice. For full info, please see the ICO’s site or contact a professional legal advisor.

I CAN help with adding GDPR info to your site.

The main thing impact of GDPR on your website, following your own audits, will be putting the relevant information from the Privacy Policy/Notice on the site. The contents will be depend on what data your site collects, etc. but it might well be similar to the example document in the link above.

Any contact forms will need a clear link to this Privacy Policy/Notice (best either just above or below the Send/Submit button) — I CAN help with this.

Some example text for this would be:

This form collects your name, email and phone to help us answer your questions. Read our Privacy Policy [linked] for how we deal with this information.

It’s also a good idea to have a link to the Privacy Policy/Notice near any buttons for:

Blog Comments (with these, it would also be sensible to explicitly state that users should not put personal information into the comment and have a tick to make sure people understand thing);

Some example text for this would be:

By using this form you agree with the storage and handling of your data by this website. View our Privacy Policy [linked]. Please do not express personal data or contact details in blog comments, as these are displayed publicly on the site.

If you use WordPress (the self hosted version) and are happy installing plugins, then this plugin make it easy to add the extra tick box to comments:
https://wordpress.org/plugins/wp-gdpr-compliance/

***

Sign ups for email lists (these will also need an extra ‘consent’ tick box);

***

‘Buy’ buttons if you are selling anything.

I CAN help with these!

If, on any forms, there is also the option to sign up to a mailing lists, this needs be to UNTICKED by default — I CAN help with this.

If you have an email newsletter, then you will also need to send out an email so people can confirm that they still want to receive the newsletter. MailChimp and MailerLite both have tools to help with this:
https://kb.mailchimp.com/accounts/management/collect-consent-with-gdpr-forms
https://help.mailerlite.com/article/show/59543-gdpr-tools

With GDPR, as a record of consent is needed for things like being added to mailing list, it won’t be practical to have a ‘paper sign up sheet’ or equivalent (where people sign a bit of paper and then you manually add them to the mailing list at a later date) as you cannot ‘prove/record’ digitally that they have given consent (unless you have them sign a paper form and then you store the form.). A better option would be to have a sign up form on something like a tablet that you can ask people to complete. In this way their digital consent can easily be tracked.

***

If you also need a simple way of storing things like passwords, website logins or anything else, then I use 1password.com (it’s pay for but is great) and for a free option (or cheaper pay for) BitWarden is also an excellent option.

Phew… I know it can seem a lot to take on board.

Please read through all the links and things. When you’ve got a Privacy Policy/Notice ready, or know what needs to go in it, please get back in touch with me and we can then make any changes on your site.

Best wishes,

James

The post The GDPR Info I’ve Sent to my Clients first appeared on JPC-DESIGN.