Personal data is processed on the homepage, product pages and other websites – in every case at least the IP address of the user. For this reason, data protection law must be observed in addition to, e.g. telemedia law. Sometimes this is not so easy.
Some of the most common errors in the operation of a web presence are:
- Google Analytics without consent (or other tracking tools without consent)
If you want to track users’ online behaviour, you must obtain their consent in advance. This can be done i.e., using so-called “cookie banners”.
- Google web fonts are dynamically integrated
If you use special fonts, this font files should always be located on your own web server. Otherwise, Google will inevitably receive the IP address of the users, which is illegal without the prior consent of them. This has already led to warnings in Germany.
- Data protection notice is incomplete
All data processing on the website must be disclosed to users, i.e. named in the data protection notice (privacy statement). This applies in particular to third-party services used. In addition, the purposes of all cookies must be explained. Really – of all cookies, and that can be quite a few.
- YouTube videos are embedded directly
It is better to display a placeholder first. Only after a user confirms that they want to see the video and is willing to have their data transferred to the video platform in the USA, content from YouTube may be loaded and displayed. Alternative: You host the video yourself; then no consent needs to be obtained.
- Google Maps are directly integrated
The same applies here: a placeholder should be displayed first. Data may only be loaded from Google servers after the user has given their consent.
- Contact forms have too many mandatory fields
You may ask users for anything in forms. However, the mandatory fields to be filled in must be kept to a minimum. Only if a request cannot otherwise be processed, a mandatory field is allowed. So sometimes the only remaining mandatory field may be the email address.
- Internet presences on social media do not contain their own privacy policy
You and the platform operator (e.g. Facebook, Instagram, LinkedIn) are considered joint controllers. Therefore, you must also provide a separate privacy policy for each presence on social networks – involve your data protection officer for this purpose.
Attention: Whether the use of Facebook fan pages is permissible as a whole is currently being examined. The data protection supervisory authority has prohibited the German Federal Press Office from using it (February 2023). Courts are expected to rule on this, but it may take some time.
What can be done better?
You can easily prevent many mistakes by observing the following:
- Keep track of everything that may be relevant to data protection in connection with the internet presence. For example, keep a list: Which cookies are used and for which purposes? Which third-party services are used? Pay particular attention to plug-ins and add-ons. If you work with a web design agency, they too can provide the information.
- Is consent really obtained from site visitors for all cookies and third-party services that are not absolutely necessary for the operation of the website?
- The privacy notice must mention all third-party services and purposes of cookies on the site. Note that the statement must be adapted after changes.
- Involve your data protection officer, at least when changes occur or if you have questions. Of course, this applies to all data protection topics.
Summary:
It is important to have an overview of what data is processed on your own websites and how. Only then can it be configured in a way that complies with data protection regulations. The data protection officers are happy to advise if they are consulted – preferably before any changes are implemented.