What Do GDPR Changes Mean for Higher Ed Marketers?

May 22, 2018
By Greg Zguta

By now, you’ve heard the rumblings ahead of the May 25, 2018, arrival of the GDPR. That is, the General Data Protection Regulation, a law adopted in 2016 to address data protection and privacy for individuals in the European Union. It aims to protect personal data and give individuals more control over how their data is used.

In our digitally connected world, this law has global reach. Of course, EU citizens visit websites all over the globe, including those of United States-based higher education institutions. The GDPR becomes enforceable on May 25, 2018 — hence the recent flurry of activity around and discussion about the regulation.

Have you received notices from Google and other companies regarding changes to their data controls and privacy settings? There are a few things higher education marketers must pay attention to.

Disclaimer: mStoner isn’t a law firm, and our suggestions don’t constitute legal advice. However, with or without the GDPR, now is a good time to address the basics of data collection and privacy.

What Does the GDPR Mean for My College or University’s Website?

The full story of how the GDPR changes higher education websites is still being written. The rest of 2018 will be interesting as we observe what sorts of issues arise and to what extent enforcement takes place.

To be sure, U.S.-based .edu websites have a smaller audience of EU citizens relative to all affected organizations and businesses. The data collected on most higher education sites prior to an application submission is limited, and mostly anonymous.

For those reasons, the overall impact on colleges and universities is comparatively smaller than on e‑commerce sites selling widgets in the EU. However, virtually all of higher education uses tools such as Google Analytics to collect data on the web, and the use of these tools and techniques requires consideration of the GDPR.

Take these four steps to beef up your GDPR understanding and engage in the ongoing discussion about data privacy:

1. Update and Link to Your Privacy Policy

Revising your website privacy policy is a great place to start; this is a fundamental way to communicate data policies. One of the main goals of the GDPR is to make privacy policies easier for site visitors to understand.

The policies should be straightforward and clearly answer the following key questions:

  1. What information does your site collect, and how is it collected (for example, cookies, Google Analytics, pixels, etc.)?
  2. What will your organization do with the information collected?
  3. How long will your organization keep the information?
  4. How can the user opt out of data collection?
  5. Who should a user contact to change/update/request deletion of their info?
  6. How will users be notified of any data breach?
  7. When was the policy last updated?
  8. Does your site fall under the Children’s Online Privacy Protection Act (COPPA)? If so, include the required information. If you are unsure whether this applies to your organization, refer to the FTC guidelines.

Finally, make sure you have a link to your privacy policy in the footer of your site to ensure that it is easily accessible from every page. View mStoner’s privacy policy as an example.

2. Check Google Analytics Data Retention Control Settings

Google recently emailed Google Analytics users about its forthcoming data retention controls. These new settings allow you to specify at what point Google no longer retains individual user data for reports. This means reports using custom dimensions or segments that rely on specific details from user data would no longer contain data for users who haven’t visited your site since the expiration date. By default, Google Analytics will start to automatically remove individual user data older than 26 months. You can change this setting to a shorter or longer period, or choose to never delete the data. The setting is applied at the Google Analytics property level.

At first, this change sounds drastic. Keep in mind that aggregate Google Analytics data, which fuels standard reports, will not be affected. You will still have aggregate data in your reports, even if the individual user data is removed. Also, visitors who continue to visit your site will be retained; it’s only the visitors who haven’t been to your site in more than 26 months (with the default setting) who won’t be retained. Ultimately, advanced reporting and segmentation are the possible areas of impact.

Moving forward, Google is giving organizations control over data retention and the ability to set policies for user data. All Google Analytics administrators should review their properties and select a setting. To preserve the status quo, you would change the data retention setting to never expire, but be aware that from a GDPR standpoint it may be problematic to justify keeping data forever. Practically speaking, allowing this data to expire will have a limited effect on most analytics reporting for higher education websites.

3. Consider When to Obtain Consent to Track

A key aspect of the GDPR is getting consent from website visitors to track them on websites and use or process the data collected. Two current examples employed by many sites include:

  1. A message box that displays information about cookies and other technology to track visitors. These messages typically ask the visitor to agree before proceeding.
  2. A checkbox on a form acknowledging user data will be stored, or a checkbox allowing users to opt in to receive future emails.

Exactly what “consent” means in various settings is subject to debate, and I’m not in a position to unravel all the use cases here. Two key questions to consider, for starters:

  • Are you tracking any information by default on your college or university website that requires consent? If data is going to third parties or allows visitors to be tracked across websites other than your own, this could be an issue. Now is a good time to remove unnecessary tracking code from your site. For tracking that you retain, each data processor should have details on GDPR compliance and what it means for you.
  • What consent is required when visitors submit information to you via web forms? Having a privacy policy in concert with data collection is a start, along with statements or checkboxes on the forms to disclose how information visitors submit is stored and used.

Be intentional about the use of Google Analytics and other tracking mechanisms. Avoid placing tracking code that shares data with other entities without understanding their data policies and whether consent is required. When collecting data via forms, disclose how data is used.

4. Avoid or Obtain Consent for Third-Party Tracking

Third-party tracking, in which data from a tracking service might be shared with a third party without the knowledge of the visitor, is another focus of the GDPR. This affects Google Analytics Advertising features, which include collection of data to drive the demographics and interests reports in Google Analytics. This is an example of a feature that shares user data from Google Analytics with third parties. The GDPR indicates this type of tracking requires visitor consent. Analytics expert Brian Clifton offers details on how this works.

If you aren’t really using data from Advertising features, consider turning this off in your Google Analytics account. If you use the data, you need to consider how you obtain consent from your visitors. This also applies to other services that may embed tracking code as part of their service, resulting in a third-party tracking situation such as the Disqus example in Clifton’s blog post above.

This is an important area to watch as data processors such as Google adjust their tools and policies to comply with the GDPR.

Take Initial Steps and Follow the Conversation

Across the web, organizations that handle data are grappling with the changes brought by the GDPR. Late-breaking features and changes to tools such as Google Analytics are happening now and will affect nearly everyone, so expect the discussion to continue in the coming months.

Higher education isn’t at the leading edge of these changes, but they are important to understand and address. Start with your privacy policy. Then use that as a jumping-off point to further the discussion at your institution about data privacy and the best next steps to ensure good stewardship of your visitor data.


  • Greg Zguta Director of Web Strategy I've been working on education web projects since the late 90's and enjoy visiting campuses and watching how technology has transformed higher education since I got my first email account at Oberlin College in 1992. Back then, I mostly used the web to check weather radar and sports scores . . . I suppose technology hasn't transformed everything yet.