What is GDPR?
GDPR stands for ‘General Data Protection Regulation’.
GDPR is in force in the EU and UK and requires that visitors from these regions are, by default, not tracked unless they give explicit consent (opt-in).
US websites must also comply with this regulation if they have visitors from the EU and UK. Most of our California-based B2B tech clients have 5-30% of their traffic coming from Europe.
It is now the site owner’s responsibility to explicitly collect consent from EU and UK visitors before tracking their behavior.
All website owners need to be aware of the details, as there is potential legal liability in the way you track user data from European visitors.
Google has reacted to GDPR by updating its data processing terms to place the responsibility for informing European residents and obtaining valid consent from them wholly onto the site owners. This includes websites outside of Europe if they receive traffic from European residents. So, even if a site is using Google Analytics, it is the website owner’s responsibility to comply with GDPR. (See below for more info.)
GDPR requires explicit consent: This means the default state for a user needs to be that they haven’t consented, so they are not tracked by default.
What are the risks?
Since GDPR took effect (2018), there have been at least 865 administrative fines issued, totalling over 1.5 billion dollars (1.4 billion Euros). However, not all breaches end in a fine; the ICO (Information Commissioner’s Office) can take a range of other actions, including:
- Issuing warnings and reprimands
- Imposing a temporary or permanent ban on data processing
- Ordering the rectification, restriction or erasure of data
- Suspending data transfers to third countries
How to Implement GDPR:
There are two implementation models:
Global Explicit Consent: This means every visitor to the site is by default not tracked until they consent.
Get Explicit Consent Only for EU and UK visitors: Only visitors from the EU and UK have cookies turned off by default and need to opt-in. Users from the rest of the world have cookies turned on by default and they can opt-out.
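The two models above, as an added example that is not code from the original post or from No Diamonds: a small consent gate that decides the default state per model and region, lets the visitor’s explicit choice override it, and only runs the analytics loader when consent is present. It assumes `region` is an ISO country code the server has already derived (e.g. "DE", "GB", "US"), that `store` stands in for the cookie or localStorage entry holding the visitor’s choice, and it treats the EEA countries like the EU, which goes slightly beyond the EU-and-UK wording above. An unknown region is treated as opt-in, since geolocation can fail or be wrong.

```javascript
// Countries whose visitors must opt in before any tracking (regional model).
const OPT_IN_REGIONS = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
  "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
  "SE",             // the 27 EU member states
  "IS", "LI", "NO", // rest of the EEA (assumption: treated like the EU)
  "GB",             // UK
]);

// Default consent state before the visitor has made any choice.
function defaultConsent(model, region) {
  // Global model: nobody is tracked until they opt in.
  if (model === "global") return false;
  // Regional model: EU/UK default to no consent; everyone else is tracked unless
  // they opt out. A missing region fails closed (no tracking).
  if (model === "regional") {
    return typeof region === "string" && !OPT_IN_REGIONS.has(region.toUpperCase());
  }
  throw new Error(`unknown consent model: ${model}`);
}

class ConsentGate {
  // `store` is a hypothetical stand-in for the cookie/localStorage backing store.
  constructor(model, region, store = new Map()) {
    this.model = model;
    this.region = region;
    this.store = store;
  }
  // An explicit stored choice always wins over the model's default.
  hasConsent() {
    const stored = this.store.get("analytics_consent");
    if (stored === "granted") return true;
    if (stored === "denied") return false;
    return defaultConsent(this.model, this.region);
  }
  // Persist the visitor's opt-in / opt-out decision.
  record(granted) {
    this.store.set("analytics_consent", granted ? "granted" : "denied");
  }
  // Run the analytics loader only when consent is present; returns whether it ran.
  load(loader) {
    if (!this.hasConsent()) return false;
    loader();
    return true;
  }
}
```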
At No Diamonds we have helped many of our clients implement legally compliant cookie policies. Please reach out to us if you’d like a no-obligation chat:
2018 – GDPR was implemented in the EU and European Economic Area.
“Its primary aim is to enhance individuals’ control and rights over their personal data and to simplify the regulatory environment for international business.” 
“It also addresses the transfer of personal data outside the EU and EEA areas” 
2020 – Max Schrems, an Austrian lawyer and privacy advocate, initiated the legal process that ultimately led to the invalidation of both the Safe Harbor Framework (2015) and the Privacy Shield Framework (2020).
Both are US-EU data-sharing frameworks.
January 2022 – The Austrian Data Protection Authority ruled that using Google Analytics was illegal because data was sent to US servers and Google is a US company subject to US intelligence laws.
March 2022 – The Biden Administration announced an “agreement in principle” on US-EU data transfers, to replace previous frameworks. 
October 2022 – President Biden signed an Executive Order on the Trans-Atlantic Data Privacy Framework, which still needs to be ratified by the EU.