For many businesses, GDPR (General Data Protection Regulation) loomed like an impending storm cloud, and even with the deadline past, many companies are still unsure about how compliant they need to be and (more importantly) actually are.
GDPR is the European data protection legislation that strengthens individuals’ privacy and their rights to the personal data companies collect, utilize, and share. Regardless of where your company is located, if you have data from EU individuals coming to your website then you need to be complying with GDPR legislation. The deadline for becoming GDPR-compliant was May 25, 2018.
The amount of information available online regarding how GDPR affects B2B businesses is a bit overwhelming. With that in mind, in this post we’re focusing on a GDPR topic that is near and dear to Leadfeeder’s heart: What you need to understand about your website visitor identification and tracking tools in a post-GDPR world.
While many businesses have viewed GDPR with the same excitement most people extend towards surgical procedures, savvy companies are treating GDPR as an opportunity to build trust with prospects and customers.
Stuff the lawyers make us say: The information in this post has been sourced from official GDPR legislation, third-party research, and Leadfeeder’s own employees who are CIPP/E and CIPM trained and certified. You should consult directly with a lawyer for GDPR legal advice related to your unique business situation. We are not lawyers; this post is meant to be informational but nothing in this post should be taken as legal advice or used in lieu of independent legal advice.
Before we dive in, let’s do a quick review of the basics (if you’re well-versed on the basics and don’t need a refresher, feel free to skip ahead to the “Understanding the intersection of website visitor tracking and GDPR compliance” section)…
Quick review of website visitor tracking and visitor identification.
Only 2 percent of the total traffic to your website leaves contact information. For the other 98 percent, website visitor identification and tracking tools allow you to identify anonymous companies visiting your B2B website and see the path and pages they view and click on.
The knowledge you gain from those tools helps your marketing and sales teams identify hot leads visiting your site even before they’ve self-identified, as well as see which marketing campaigns are the most effective, streamline lead qualification processes, and increase B2B lead generation (just to name a few).
Now for the big question: “How does GDPR affect my company’s ability to identify and track website visitors?”
Understanding the intersection of website visitor tracking and GDPR compliance.
The entire GDPR document is massive, so our goal is to break down the legalese into language we can all understand and focus on the aspects important to this specific sphere of website analytics and visitor identification.
Personal data, personal privacy, and consent are all integral concepts for understanding GDPR and compliance.
Personal data and privacy
There are more than 600 mentions of personal data in the full GDPR legislation document. For the purposes of this post, we’re going to focus on personal data as it relates to identifying and tracking companies that visit your B2B website.
Article 4.1 of the GDPR outlines numerous identifiers that are considered aspects of personal data, including:
Website visitor identification tools such as Leadfeeder identify the companies visiting your B2B website, so the GDPR concern about singling out individuals is negated.
Key to GDPR compliance: GDPR focuses on personal privacy. Tools like Leadfeeder identify companies visiting your website and track business-related data, not individual information. GDPR speaks to personal data related to individuals, not businesses visiting your site.
Article 6.1 of the GDPR outlines six lawful grounds for processing data, and of those, two are the most relevant to B2B businesses utilizing website visitor tracking and identification. Personal data can be lawfully processed when:
According to the UK’s Information Commissioner’s Office (ICO), “The GDPR does not define what factors to take into account when deciding if your purpose is a legitimate interest. It could be as simple as it being legitimate to start up a new business activity, or to grow your business.”
When a company visits your website, one could conclude they’re expressing a legitimate interest in your product or service. Identifying those companies via a third-party tool such as Leadfeeder falls under the umbrella of legitimate interest.
Outside of personal data, the other important element of GDPR compliance is the area regarding identifying and tracking site visitors and consent.
Consent via contact forms is another important area of GDPR, particularly for B2B companies:
“You will need to start using a clear and explicit opt-in on all your forms whether it’s an ebook download, a webinar registration or, yes, a contact us, if you plan to contact the person completing the form with any additional marketing information,” writes Evelyn Wolf, Co-Founder of Business Brew.
The key is “additional marketing information.” For example, there is a reasonable expectation that if a website visitor fills out the contact form on your website with a question, they will then receive a communication from someone on your team addressing the question. However, you can’t automatically enter their email into a drip marketing campaign for prospects without their explicit consent.
You can see how we include a clear consent opt-in on the Leadfeeder webinar registration forms:
Many CRM and survey platforms are including GDPR features to help companies easily create GDPR-compliant forms. For instance, Leadfeeder integration partner MailChimp has created “GDPR-friendly forms [which] include checkboxes for opt-in consent, and editable sections that explain how and why you are using data.”
Where do website analytics and visitor tracking fall with regard to consent? Most modern businesses use Google Analytics for their basic site analytics, so we’ll start there:
Google Analytics and GDPR
Another question we hear frequently at Leadfeeder: “If I use Google Analytics are my B2B website analytics automatically GDPR-compliant?”
First, it’s important to understand that sending any personally identifiable information (PII) to Google Analytics was already against their Terms of Service long before GDPR came into the picture, so that isn’t a change for your business.
Google has put out a variety of resources regarding their GDPR compliance as it relates to specific products. In short, if you use Google Analytics you don’t need to obtain explicit consent from visitors.
When you use Google Analytics on your B2B website, Google Analytics is considered the ‘data processor’ and your company is the ‘data controller.’ In terms of GDPR compliance, the data processor processes data on behalf of another organization.
Why does that matter?
Under GDPR, data controllers are more liable and responsible for conducting data privacy assessments, maintaining documentation related to compliance, and more.
Beyond Google Analytics: Identifying companies visiting your website
Google Analytics is a great start for tracking your basic website analytics.
Third-party tools that further enrich your Google Analytics data by helping you identify the businesses visiting your website and the content they view when on your site are usually “data processors,” as it relates to GDPR. For example, Leadfeeder serves as a data processor for most data, including data from Leadfeeder customers’ Google Analytics, CRM, email marketing integrations and any data they input directly into Leadfeeder.
We’ve established that Google Analytics is GDPR-compliant and it is important to ensure the additional tool you use to identify companies visiting your site and track where they go on your site is also GDPR-compliant.
When selecting your website visitor identification and tracking solution, be sure to ask for specifics about how they’re GDPR-compliant. For example, have they taken the extra step to have employees obtain CIPP/E and CIPM training and certification? Those world-recognized certifications recognize Data Protection Officers who have passed extensive tests, well beyond what most companies do when they’re stating GDPR compliance.
Good to Know:
The GDPR legislation does not provide a checklist from which companies can confirm compliance, so businesses themselves must figure out the steps they need to take to remain within the confines of the new laws. Currently the CIPP/E and CIPM trainings and certifications are the only world-recognized GDPR-related certifications. Future developments will likely entail Codes of Conduct and additional certifications. Leadfeeder is following those potential developments closely and we’ll be sure to share more about them on the Leadfeeder blog.
Is the way Leadfeeder identifies the businesses visiting your website GDPR-compliant?
Yep! The way Leadfeeder processes business-related data was compliant with previous data protection regulations and remains so under the GDPR legislation.
Leadfeeder takes publicly available information using our Leadfeeder Tracker script along with your Google Analytics data and presents the enriched information in a convenient dashboard that is easily digestible for your marketing and sales teams. Leadfeeder goes a step further and includes contact information for various employees of the companies visiting your website. The additional information remains GDPR-compliant while giving you the benefit of being able to focus on your hottest leads, optimize marketing campaigns, be more efficient in lead qualification, and empower sales teams to close more deals.
Taking steps for GDPR compliance with your own company, and ensuring the tools in your marketing and sales stack are compliant, is important for businesses across all industries. Doing so helps build trust with your customers. Go a step further and gain a competitive advantage by using Leadfeeder and Google Analytics to identify companies visiting your B2B website and see the information they’re most interested in. As long as the website visitor identification and tracking tool you’re using is also GDPR-compliant, you can rest easy knowing the business-related data being processed by the tool is also compliant.