
GDPR: Lessons for Compliant Web Development

W3b promises innovative design and greater flexibility for your online presence. But as with any web development toolkit, responsible project management means understanding legal frameworks like GDPR. We’ve seen firsthand how GDPR can impact website and e-commerce projects – from common mistakes to court-clarified requirements. Join me as I share lessons learned to help make your W3b projects both cutting-edge and compliant.

The right to deletion

One of the most well-known rights GDPR provides is the right to erasure, often called the right to be forgotten. In the world of WordPress, WooCommerce, and W3b development, this means that upon request, you must delete the data relating to a user. However, this right doesn’t always provide a clean break. Let’s dive into common scenarios and how each one is affected:

  • Abandoned Carts: A user might reasonably expect this to be deleted upon request. Best Practice: While anonymized abandoned cart data can be valuable, respect user rights. Offer deletion as an option, and be transparent about your handling of this data.

  • Newsletter Subscriptions: This one’s straightforward. Deletion requests should include removal from your email system. Best Practice: Ensure any third-party tools are GDPR-compliant, and allow users to manage subscriptions directly.

  • Adding Products to Favorites: This depends on how it’s implemented. Best Practice: Be clear in your Privacy Policy about how this is stored. Provide easy ways for users to delete favorites data, even if not a full account deletion.

  • Google Analytics: IP addresses are personal data. Best Practice: Use cookie consent tools, enable IP anonymization in Google Analytics, and provide a clear link to your Privacy Policy.

  • Purchase of the Product, Delivery Information, and Address of the Customer: You likely HAVE to retain some purchase information for tax purposes, but the user can have identifying data removed. Best Practice: Structure your data to allow for partial deletion upon request.
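The last bullet is the one that needs actual data design: a tax record must survive an erasure request while everything that identifies the buyer goes. The block below is an added example, not code from the original post or from W3b or WooCommerce. The order record shape, the two field lists, the sample order and the country-of-supply derivation are all constructed assumptions standing in for whatever your shop actually stores. It shows partial deletion that fails closed on unclassified fields, and a post-erasure check that scans the surviving record for personal data.

```javascript
// Added example, not code from the original post or from W3b/WooCommerce: handling
// an erasure request against a stored order while keeping what a tax audit needs.
// The record shape, the retention lists and the sample order are constructed assumptions.

// Fields kept after erasure: the transaction itself, not who made it.
const TAX_RETAINED_FIELDS = new Set([
  "orderId", "orderDate", "lineItems", "netTotal", "vatRate", "vatTotal", "currency",
]);

// Fields that identify the customer and are removed on request.
const PERSONAL_FIELDS = new Set([
  "customerName", "email", "phone", "billingAddress", "shippingAddress",
  "ipAddress", "userAgent", "notes",
]);

// Constructed sample order; no real customer data.
const SAMPLE_ORDER = {
  orderId: "WC-10421",
  orderDate: "2024-03-02",
  customerName: "Example Customer",
  email: "customer@example.com",
  phone: "+372 0000 0000",
  billingAddress: { street: "Example Street 1", city: "Tallinn", country: "EE" },
  shippingAddress: { street: "Example Street 1", city: "Tallinn", country: "EE" },
  ipAddress: "192.0.2.10",
  lineItems: [{ sku: "CAKE-01", qty: 2, unitNet: 12.5 }],
  netTotal: 25.0,
  vatRate: 0.22,
  vatTotal: 5.5,
  currency: "EUR",
  notes: "Leave at the door",
};

// Partial deletion: strip identifying fields, keep the tax record, and fail closed on
// any field that is on neither list so a column added later cannot slip through.
function eraseCustomerData(order, erasedAt = new Date().toISOString()) {
  const record = {};
  const removed = [];
  for (const [key, value] of Object.entries(order)) {
    if (TAX_RETAINED_FIELDS.has(key)) {
      record[key] = value;
    } else if (PERSONAL_FIELDS.has(key)) {
      removed.push(key);
    } else {
      throw new Error(`unclassified field '${key}' on order ${order.orderId}`);
    }
  }
  // VAT place-of-supply rules need the country, not the street address (assumption).
  if (order.billingAddress && order.billingAddress.country) {
    record.countryOfSupply = order.billingAddress.country;
  }
  record.customerRef = "erased"; // the order no longer points at a customer account
  record.erasedAt = erasedAt;    // evidence that the request was honoured, and when
  return { record, removed };
}

// Post-erasure check: walk the record and report any personal-data key that survived,
// plus string values that look like an e-mail address or an IPv4 address.
function findPersonalDataLeaks(value, path = "", leaks = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findPersonalDataLeaks(item, `${path}[${i}]`, leaks));
  } else if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      const childPath = path ? `${path}.${key}` : key;
      if (PERSONAL_FIELDS.has(key)) leaks.push(childPath);
      else findPersonalDataLeaks(child, childPath, leaks);
    }
  } else if (typeof value === "string") {
    if (/[^\s@]+@[^\s@]+\.[^\s@]+/.test(value) || /^\d{1,3}(\.\d{1,3}){3}$/.test(value)) {
      leaks.push(path);
    }
  }
  return leaks;
}

// Usage: run the erasure, then refuse to mark the request complete if the check finds anything.
const outcome = eraseCustomerData(SAMPLE_ORDER);
console.log("removed:", outcome.removed.join(", "));
console.log("leaks after erasure:", findPersonalDataLeaks(outcome.record));
```

Two design choices worth keeping whatever your real schema looks like: the allow-list is explicit, so a new column defaults to "unclassified, stop" rather than "silently kept", and the leak check runs on the output rather than trusting the erasure routine, which is what you want to show an auditor.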

Key Takeaway

The right to deletion is a pillar of GDPR, but its practical implementation in e-commerce requires thoughtful planning. Balancing a user’s right to privacy with your business needs and legal requirements is an ongoing challenge that responsible developers must continuously address.

Cookie Law: What It Is and Why It Matters

Think of cookies (not the yummy kind!) as little files websites put on your computer. They help remember things like your login for the next visit or what’s in your shopping cart. But, some cookies can track you across the web, building a profile of your interests. That’s why we have the Cookie Law.

  • It’s NOT Just GDPR: GDPR is a big part of it, but the Cookie Law exists separately to give users control over these little tracking files.

  • Sarah’s Example: Sarah’s Sweet Treats needs to be upfront about her website using ANY cookies beyond basic functionality. Even Google Analytics cookies require consent.

Cookie Consent: The User’s Choice

The Cookie Law isn’t about stopping the use of cookies entirely. It’s about giving users a say in what their browser allows. Here’s the key idea:

  • No Surprises: You have to ask BEFORE dropping cookies that aren’t strictly essential for the site to work (the shopping cart cookie is essential; an analytics cookie is not).
  • Clarity: No confusing language. Explain in plain terms what the cookies do and who they share data with.
  • Real Choice: They need to be able to say YES or NO easily. No making it harder to reject cookies.

Bad Example for Sarah:

Sarah has a cookie consent popup, but the only button is “Got it!”. This DOESN’T count as real consent.

Good Example:

Sarah adds a “Manage Preferences” button. This lets users see exactly what cookies are used and opt-in only to the ones they’re comfortable with.

Consent Banners: Not Just a Pop-up

Those pop-up boxes asking about cookies? That’s a consent banner in its most basic form. But a valid consent banner has to do the following:

  • Informative: Clearly lists what cookies (or categories of cookies) are involved. Don’t just say “We use cookies” – be specific!
  • Options: “Accept All” and “Reject All” buttons should be equally visible. Even better, allow them to turn specific types of cookies on or off.
  • No Tricks: No pre-ticked boxes or making rejection harder to find than acceptance. The choice needs to be genuinely in the user’s hands.

Sarah’s Example

Sarah initially had very general wording on her banner, just mentioning “cookies to improve your experience”. This is too vague. She needs to list “Google Analytics” for example, and explain that it’s for tracking browsing habits.

Withdrawing Consent: It’s Their Right

Think of it like this: Just because someone initially said “yes” to cookies doesn’t mean they can’t change their mind later. Here’s what GDPR requires:

  • Easy Access: They shouldn’t have to email you or dig through complicated settings – there should be a clear way to revisit their cookie choices.
  • Change of Heart: Even if someone initially accepted all cookies, they should be able to switch things off if they wish.
  • Updates Matter: If you add new ways to track users, their old consent is no longer valid. You’ll need to notify them of the changes and get fresh consent.

Sarah’s Example

A good practice for Sarah would be adding a “Cookie Settings” link in her website’s footer. That way, anyone can manage their preferences at any time.

Not Everything Needs Consent: Know the Limits

While getting user permission is a cornerstone of GDPR, there are times when you DON’T need to ask for consent. Here’s the gist:

  • Essentials Only: If a cookie is absolutely necessary for the site to function, it’s exempt. Think keeping track of a logged-in user or the items in their shopping cart.
  • Legal Matters: If you HAVE to process data for tax purposes, fraud prevention, or other legal obligations, consent isn’t the deciding factor.
  • No Surprises: It’s best practice to still inform users about these essential cookies, even if consent isn’t required. Transparency builds trust!

Sarah’s Example

  • Sarah’s payment processor might use a cookie to help prevent fraud – this falls under the ‘legitimate interest’ part of GDPR and doesn’t require consent.
  • Her shopping cart system MUST use cookies to store items. This is exempt, but she should mention it in her Privacy Policy.
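The banner rules above (ask before dropping anything non-essential, equal "Accept All" and "Reject All", per-category choices, withdrawal at any time, fresh consent after a new tracking purpose, essentials exempt) are all decisions, so they can be written down as one small piece of logic. The block below is an added example and not code from the original post or from W3b. The category names, the policy version number, the cookie-to-category map, the cookie names and the in-memory cookie jar are constructed assumptions; on a real site the jar would sit on top of document.cookie and the loader callback would inject the tracker’s script.

```javascript
// Added example, not code from the original post or from W3b: the decision logic
// behind a consent banner. Category names, the policy version, the cookie-to-category
// map and the in-memory cookie jar are constructed assumptions.

const POLICY_VERSION = 2; // bump whenever a new tracking purpose is added

const CATEGORIES = {
  essential: { required: true,  purpose: "Login session and shopping cart contents" },
  analytics: { required: false, purpose: "Google Analytics: tracks browsing habits" },
  marketing: { required: false, purpose: "Ad partner cookies, shared with third parties" },
};

// Which cookie belongs to which category (illustrative names, assumed).
const COOKIE_CATEGORY = {
  cart_session: "essential",
  _ga: "analytics",
  ad_profile: "marketing",
};

// Minimal stand-in for document.cookie so the example runs anywhere.
class CookieJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.has(name) ? this.store.get(name) : null; }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentManager {
  constructor(jar, now = () => Date.now()) {
    this.jar = jar;
    this.now = now;
  }

  // The recorded choice, or null when there is none or it predates the current policy
  // version: a new tracking purpose invalidates old consent, so the banner comes back.
  current() {
    const raw = this.jar.get("cookie_consent");
    if (raw === null) return null;
    let parsed;
    try { parsed = JSON.parse(raw); } catch { return null; }
    return parsed && parsed.version === POLICY_VERSION ? parsed : null;
  }

  mustAsk() { return this.current() === null; }

  // Essential categories are always allowed; everything else is denied until granted.
  allowed(category) {
    const meta = CATEGORIES[category];
    if (!meta) return false;
    if (meta.required) return true;
    const choice = this.current();
    return choice !== null && choice.granted[category] === true;
  }

  // Record a choice. Anything not explicitly true is off: no pre-ticked boxes.
  save(choices) {
    const granted = {};
    for (const [name, meta] of Object.entries(CATEGORIES)) {
      granted[name] = meta.required || choices[name] === true;
    }
    this.jar.set("cookie_consent", JSON.stringify({ version: POLICY_VERSION, granted, at: this.now() }));
    this.enforce();
    return granted;
  }

  // "Accept All" and "Reject All" cost the user exactly the same: one action each.
  acceptAll() {
    const all = {};
    for (const name of Object.keys(CATEGORIES)) all[name] = true;
    return this.save(all);
  }
  rejectAll() { return this.save({}); }

  // Withdrawal is a new choice with nothing granted; enforce() removes the cookies.
  withdraw() { return this.rejectAll(); }

  // Drop any cookie whose category is not (or no longer) allowed. Unclassified cookies
  // go too: a cookie nobody has documented cannot have been consented to.
  enforce() {
    const removed = [];
    for (const name of this.jar.names()) {
      if (name === "cookie_consent") continue;
      const category = COOKIE_CATEGORY[name];
      if (!category || !this.allowed(category)) {
        this.jar.remove(name);
        removed.push(name);
      }
    }
    return removed;
  }

  // What the banner lists: one line per category, naming the purpose, not just "cookies".
  bannerLines() {
    return Object.entries(CATEGORIES)
      .map(([name, m]) => `${name}${m.required ? " (always on)" : ""}: ${m.purpose}`);
  }
}

// Gate a tracker's loader on consent so nothing is dropped before the user says yes.
function loadIfAllowed(manager, category, loader) {
  if (!manager.allowed(category)) return false;
  loader();
  return true;
}
```

The part that usually goes wrong in practice is not the banner but the gating: trackers are loaded unconditionally and the banner only records an answer. Wrapping each loader in something like loadIfAllowed, and re-running enforce() after every change of choice, is what turns the banner from decoration into consent.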

Invalid Banners Are Worse Than None: Estonian Consequences

Getting cookie consent and other GDPR areas wrong isn’t just an abstract idea. Estonian law has real penalties for non-compliance. Here’s what you need to know:

  • No Excuses: Ignorance of the law isn’t a defense. Even small businesses like Sarah’s Sweet Treats are expected to take GDPR seriously.
  • Fines: The Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) can issue substantial fines for violations. The amounts depend on the severity of the breach.
  • Beyond Fines: Reputational damage can be severe. Users may lose trust in brands that don’t seem to respect their data privacy.

Sarah’s Example

If Sarah had only a vague cookie banner, someone could report her to the Data Protection Inspectorate. Even if she escapes a fine, the negative attention could harm her bakery’s reputation.

Important Notes:

  • I’m not a legal expert: This post is meant to create awareness, not to substitute for professional legal advice specific to your or your clients’ situations.
  • Things Change: Laws and enforcement can evolve. Stay up to date via the official Estonian Data Protection Inspectorate website for the latest information.

The official source for Estonian privacy law:

  • Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): https://www.aki.ee/ (Estonian)

Author Bio

Pavlo Lukash is the founder of W3b, a web development company specializing in innovative WordPress and WooCommerce solutions. He’s passionate about empowering businesses with both cutting-edge technology and a robust understanding of data privacy principles.

https://w3b.ee