
GDPR, CCPA, ePrivacy - Which data laws are next and how the new privacy landscape will affect marketers

    Answers to some questions that weren't covered during the webinar

    Q: How should we think about GDPR and all other things mentioned on the first slide if we are a legal tech start-up for direct-to-consumer app?

    A: In general, any company dealing with the public should carefully consider their own compliance – more so if you're in the legal space. The first step should always be determining your laws of reference – this will help you to determine whether or not something like the GDPR or the CCPA (or both!) apply to you. When thinking about a law like the GDPR, I would say some key principles to keep in mind are data minimization and transparency. You can read up on how to determine your law of reference here, read here for an overview on compliance for app developers or read this Medium post on GDPR compliance for startups.

    Q: Does a small business in the US have to worry if their business and customers are from the US, however, some might still come from Europe, how would it matter?

    A: EU laws like the GDPR apply whenever you process the personal data of EU based persons – even IP addresses can be considered personal data. These laws apply whether you’re based in the EU or not, and the consequences of non-compliance are pretty serious. If your business, products or services do not actually apply to EU-based persons, then your best bet would be to block traffic coming from the EU to avoid accidentally processing EU data. However, do note that some similar legal protections (via the CCPA) may apply to Californian consumers – which would hold you responsible whether or not your business is based in California. The consequences of non-compliance for these are also pretty serious so it’s definitely something you should be aware of and consider. You can read more about the CCPA here.

    Q: If our EU traffic is under 5% (barely 1-2%), do we still have to worry about the GDPR, etc?

    A: Yes, the GDPR protections apply to all EU-based persons. The percentage of the traffic is irrelevant in this regard.

    Q: How much of this applies if your website is only collecting Google Analytics data that do not include personal data?

    A: The data that Google Analytics collects are likely still considered to be personal data under the GDPR in most cases, so you will still need to comply. Furthermore, several European countries, including the UK, have clearly stated that consent is required before running even analytical cookies. In fact, if you use third-party services on your site, you might be processing personal data and not even aware of it. Here’s one way you can analyze your site to see whether or not it might be running cookie scripts and similar technologies that you’re not aware of.

    Q: What are the general standard guidelines to include for a website?

    A: 1) Figure out your laws of reference.

    2) Consider your points of data collection to understand the various disclosures you may need to make, or where you may need to ask for consent, etc.

    3) Implement by either using the right tools or consulting with a lawyer. Here’s an overview of the various laws to consider for basic websites, and when you actually need to consider these laws.

    Q: Using a Google Ads cookie for California users is a "sale" of data? So CCPA applies to anyone using this cookie regardless of size or total number of individuals' PII collected annually?

    A: The CCPA definition of a sale is very, very broad, and in general includes sharing personal info in any way that benefits you, whether monetarily or not. So, yes, a Google Ads cookie will likely fall into this definition. The CCPA applies in any of the following 3 scenarios:

    • Less common scenario - You have an annual gross revenue of over 25M; OR

    • More common scenario - You make more than half of your revenue through activities that would be considered "selling" consumer info under the CCPA Definition; OR

    • Common scenario - You buy, receive in some way, sell (CCPA definition), or even share the personal info of at least 50K consumers per year, for commercial purposes.

    Q: Do the GDPR regulations in Europe also apply for B2B Business?

    A: Yes. The GDPR applies wherever you are processing personal data. This means if you can identify an individual either directly or indirectly, the GDPR will apply. Personal data include anything that makes someone identifiable, including (but not limited to) names, phone numbers, IP addresses, and personal email addresses.

    Q: Do we need to implement a contact form for users to opt out of their data in California?

    A: You can choose how to implement this. While something like IAB’s US Privacy Framework can facilitate a one-click opt-out in regards to ads, if you’re sharing their personal info with other third parties (that are not a part of the ad network), you may need to manually inform those third-parties that the user has opted out. In these cases, a contact form could be a good solution, however, do keep in mind that there are strict rules over how long you have to fulfil the user’s request.

    Q: At the online conferences where the organizer obtains GDPR consent, does that consent extend to sponsors who receive the email list?

    A: Only if the organizer explicitly informed the attendees of this fact and allowed them to provide opt-in, granular consent that is specific to the various sponsors’ purpose for collecting the data.



    Jason: Hello, everyone. We hope everybody is excited to join us here on another edition of SEMrush Live. My name is Jason with Hennessy Digital. And it's hard to believe that it's been two years, more than two years now since GDPR has been introduced as a whole new reality in the world of marketing, specifically digital marketing. 

    And so I'm happy to introduce two of the experts here. We have Abby Clement. She's the head of content at iubenda. She's an experienced web professional with over nine years in the IT marketing and communication field across multiple countries. She lives and works in Milan, Italy. Very nice.

    I also have Andrea John Angelo. He's the founder and CEO of Iubenda and his company has helped over 70,000 clients in 100 different countries with legal compliance solutions, particularly in the field of privacy and e-commerce law. Welcome, appreciate you joining.

    Andrea: Hello, everyone. Thank you. 

    Jason: We're going to be going through a presentation. Abby has been nice enough to put together her thoughts and we're going to be going over that. And there's a lot of stuff to cover. And then what we'll do is we'll save about 15 minutes for some FAQs at the end. 

    Abby: All right, so I'm going to just start sharing. Just a little bit about Iubenda, Jason already touched on it, but we're in the data compliance business. We kind of help companies from small to large, we're talking to freelancers, to enterprise companies with complying with international data law in an easy way using our software solutions and our legal text, which is written by our team of international lawyers. 

    We're going to try and touch on the existing privacy laws with the biggest impact, specifically from the point of view and how it might actually affect you and interact with you as someone in marketing or publishing. 

    GDPR Overview

    First of all the general data protection regulation, the GDPR. At its most basic, this law... specifies how and when personal data should be lawfully processed. The idea with this regulation was to give more power back to users. 

    Now, personal data under the GDPR are really broad. It refers to any data that relate to an identified or identifiable person, so a living person. This can include pieces of information that when it's collected together, can lead to the identification of a person. 

    This means that even fragmented data or pseudo-anonymized data can be considered personal data. It includes things like IP address and stuff like that that when you mix it and match it, let's say you're using various products that belong to a suite, right, you might be tracking location, you might be tracking IP address, different with different products within this suite. If this information when it's collected together can somehow identify a person, it's also considered personal data.

    Andrea: And even cookies, if they are used for identifying, are considered related to personal data according to the GDPR.

    Abby: Under the GDPR, personal data can only be processed if there is at least one legal basis for doing so, which many people might already be aware of. But something that gets lost because people think of the GDPR just immediately think of consent, which arguably is really important. But there are six legal bases for processing personal data. 

    Andrea: Just to nail what we mean by legal basis is basically, so what does justify you to process that personal data? Okay, so what does justify you to use that email for sending an email campaign, email marketing campaign? This is what the legal basis is. 

    Abby: The first one is the one that we all know, which is consent, which is where the user has given consent for one or more specific purposes. And this specific purpose is just to highlight that the consent does need to be specific to a particular thing. 

    You want to avoid kind of doing this blanket consent to every single thing that I want to do with your data. They need to be informed of specifically what you're going to be doing with it and give consent for that specific thing. 

    Andrea: Yeah, so I may have given consent to receiving emails, for instance, but not to being called, okay? Or I may have given consent to receive emails from you but not from other partners about other products, okay? 

    Abby: Then the next one is contractual requirements. And I'm going to just kind of blaze through these. Contractual requirements is where the processing is needed for the performance of a contract where the user is a participant. This is sort of like the fulfillment of a contract. Someone has paid for something, you need to process the personal data in order to fulfill that, this kind of thing.

    The next one is legal obligation, and with these, I'm just going to go a little bit faster because they tend to not apply as much. This is where the processing is necessary for fulfilling a legal obligation. We have vital interest where the processing is necessary for protecting the vital interests of the user or another person. 

    Andrea: And for legal obligation, again, for the e-commerce use case, when you made an invoice, you're processing personal data based on a legal obligation, which is to issue an invoice and also, in some countries, you have to store the invoice for multiple years. 

    Even if the user requests you to delete their personal data, you still are obligated to keep the invoices, which contain personal data like name and address, for a number of years. And you don't need consent for that because you have a legal obligation to hold on those personal data. 

    Abby: The next one is public interest and this is where the processing is necessary for performing a task carried out in the interest of the public, and that's typically under official authority, whether it's government or whatever given to you. 

    And then there is legitimate interest, which is where the processing is necessary for the legitimate interests of the data controller, which is you, or a third party. However, with this one there's a caveat. Legitimate interest, the user does have the right to object. If the rights of the user or the interest or freedoms of the user overrides your interest, then it can't apply. 

    Now consent is a lot more simple, which is why it's relied on so often. But if you're going with one of, let's say the more exotic bases, it's something that you definitely want to discuss with a lawyer because you can land yourself in a lot of hot water if you're using a base that doesn't actually legitimately apply to your situation. 

    With that said, there will always be data processing activities where consent is the safest, best, or only option. With consent, the cons are pretty obvious: if you're relying on that to process data, then if you don't have the consent of the user, you can't process. However, the pros of something like consent is that let's say you might be getting more qualified leads, people are aware of what you're going to be processing their data for. They're agreeing to it, they're informed.

    You're also creating an air of transparency and increasing trust in that way with your users, which is also good for your brand or your marketing efforts, to look on the positive side of things. 

    Andrea: Yeah, one thing that I would like to add is to remember that the GDPR applies to you in two cases, one if you're a European company. If you're based in the EU, you have to apply GDPR everywhere in the world, even outside of the EU, okay?

    If you're U.S. or from another country where the GDPR, so outside of the European Union, your obligation is to apply the GDPR to European users, okay? That's important to know. The fact that, as a European company, you also have to apply the GDPR outside of the EU is not that well known and it's easily missed as a bit of information. 

    Abby: Yeah, that's a really good point. Just to even break it down, if you're an EU based company, you have to apply the GDPR not just to EU based users. You have an obligation to apply GDPR protections across the board to all of your users unless you have a separate U.S. based company. 

    Jason: I got to imagine that there's a lot of people that have been implementing this incorrectly and still implement it incorrectly. And I think later I'm curious to know what are some of the consequences, which you probably cover a little bit later once you get through the presentation. 

    The ePrivacy Directive

    Abby: Next up is the ePrivacy or the cookie law, which is a little less famous than the GDPR but it's incredibly relevant, especially if you are a publisher or just for general marketing activity, especially content marketing. It's been in effect since 2002 and it was created to put guidelines in place for electronic privacy including email marketing and cookie usage. 

    Since the GDPR came live in 2018, they're supposed to be working together so it complements the GDPR and the ePrivacy or the cookie law still applies today. It's been in the works for quite some time to have an ePrivacy regulation. But that's not live yet and we're going to talk a little bit about the difference between the ePrivacy directive and the ePrivacy regulation. 

    Unlike the GDPR, the ePrivacy right now is a directive. And directives set certain agreed-upon goals and guidelines in place with all of the member states of the European Union being free to decide how to make these directives into a national law. Whereas the GDPR was one law that everybody implements the same way. 

    Because of that, you have some variations, some slight variations. For example, some EU member states are still allowing you to collect consent via scrolling. While others say no, it has to be an explicit click on an "Agree" button or something like that. 

    Andrea: Or for instance, in the U.K. you have to put an explicit "Reject" button on your cookie notice and right now it's the only country basically that forces you to do that. And tracking these differences can be quite a headache. But basically every single authority in Europe has been putting out their own guidelines on how to apply this law. 

    Abby: Just to make this simple, generally, most of the member states are moving towards this GDPR-inspired interpretation of the ePrivacy directive, very clearly explicit consent-based, clear buttons, no real pressure towards granting or rejecting consent or whatever. They're generally moving in that direction.

    If you want to be safe, as usual, maybe implementing the strictest standards is probably the best way to go. And when I say "implementing" just in case we lost some people along the way, first of all, cookies, just to recap, are these little pieces of code and scripts or whatever that can get installed by various services on your site or whatever into the user's browser. 

    If you're using things like analytics or various other programs you might have running on your site, maybe you have Facebook authentication for people to log in to your site or to like or share. A lot of these programs use cookies and they install little tracking scripts into the browser of users. 

    Because this is, again, seen as personal data, consent comes into play and specifically under the ePrivacy directive itself, it does rely on consent primarily as the justification for tracking users, for processing their personal data. 

    You do need to inform users and that's usually done by a notice on the site or a banner that the site runs cookies. I'm sure that some of you have seen it, especially if you're based in the EU. And then the user then has to click "I agree" or something like that for the cookies to be run on the site. 

    As it says on the bottom here, if you do business in the EU regardless of if you're based in the EU or not, the laws are going to affect you and you need to have this sort of thing in place. You have to get the user's informed consent, "informed" meaning the banner should tell them a little bit about what's going on, that there are cookies being run on this site. And it should also link to a cookie notice that gives them more information, detailed information, and specific information. 

    Before you run cookies, you have to block them until you get consent from the user. If you're not blocking the cookies from running before you get that consent, you're already out of compliance and you're already processing user data without their consent and that can land you in a whole bunch of trouble legally but also, and this is particularly interesting to this industry, is that there are now industry standards. 

    Andrea: What these rules are basically is that you need to block Google Analytics and your ads until you've acquired consent, okay? Google Analytics needs not to start until the user has had a chance to make a choice which could be a positive choice. 

    It could also be a negative choice, say, "Okay, no, I don't want to be tracked." Google Analytics will basically never track them at all, okay? This means that you need to put a system in place that stops the scripts from executing and only releases them if and when a positive consent has been acquired.

    If you are displaying ads on your site, there are some frameworks to help you and the most important one is for GDPR/ePrivacy is the IAB transparency and consent framework which you put in place and basically makes your ad serving better because it will make sure that the consent information is passed to the ad vendors and basically will make you export better your ad impressions in Europe especially.

    Abby: Some ad vendors will limit your reach within Europe and so on if you don't have this framework in place because they are also companies that need to comply with the law. If you're not passing consent, you're not indicating to them that you actually got consent from your users to show these ads. In some cases, they will just default to non-personalized ads or not even show ads.

    Jason: What you guys are saying is by implementing this incorrectly could be reducing the revenue that you potentially would be making too. 

    Abby: Literally it can largely increase your revenues. We had a recent case, we were tagged on Twitter by Snopes where they found that some various activities that contributed but they found that their ad revenues was improved by something like 70% just by doing some optimizations in this regard and making sure that you're doing everything to make the most out of your average in that way. 

    Now we're going to jump over to some of the U.S. based laws. We've got three to look at here. The CCPA, CalOPPA, and the CAN-SPAM Act, which many people might already be aware of, that last one. 

    The Federal CAN-SPAM Act

    The Federal CAN-SPAM Act is a U.S. standard for the regulation of spam email. It stands for Controlling the Assault of Non-Solicited Pornography And Marketing, CAN-SPAM, and it sets the rules for commercial email and commercial messages. 

    All U.S. businesses that send commercial emails or employ third-party services to send emails on their behalf are subject to comply. And while you do not need consent prior to adding users located in the U.S. to your mailing list or sending them commercial messages, you do need to provide them with a clear means of opting out of further contact. 

    There are also quite a lot of requirements with the CAN-SPAM. You need to clearly identify yourself. You can't give things like misleading header information. I don't want to go too much into detail. We do have a lot of guides available on this and we are halfway into the time. 

    But it is something to keep in mind, specifically that this is something that is allowed in the U.S. It does not apply to EU users. Even if you're based in the U.S. you can apply the CAN-SPAM Act to your U.S. users but to EU users, you do need to get opt-in consent. Doing something like purchasing mailing lists can be quite dangerous in this regard because you don't know, especially if you don't know where those emails are based.

    Andrea: Yeah, so basically right now, Europe and U.S. when it comes to emails are two different worlds where in Europe, you need to get consent for sending me an email, specifically on the topic that you're sending me an email for or from the company that you're sending me the email from. In the U.S. anyone can send any email to anyone. 

    It means that in the EU, it's harder to actually get to send an email but when you have consent, it's more valuable and inboxes tend to be a little less crowded and conversion rates tend to be a little better. In the U.S. you don't have all these requirements so it's much easier to get to send an email to someone. But then everyone is doing that so it's harder to get attention with emails.

    Abby: One common violation of these rules with the CAN-SPAM is a complicated opt-out process. The CAN-SPAM is quite generous but it does have rules and the opt-out mechanism that you provide to the recipients of your emails, it cannot be super tiny, faded, or disguised. And it needs to be free. It can't be behind a login process. They must be able to see it clearly and know what it does and opt-out.

    Andrea: And remember to put a physical address, which is also a requirement. You need to have in the footer of your emails, if you want to comply with the CAN-SPAM Act, you need to have a physical address and unsubscribe link. 

    CCPA and CalOPPA

    Abby: We're going to jump ahead and look at the CCPA and CalOPPA. Now California's most well-known privacy laws are some of the most robust in the United States. Privacy laws in the U.S. tend to be more on the state to state level. 

    CalOPPA requires commercial websites and services to have a privacy policy and this is a very basic overview of what it is. There's a lot more that goes into it but in the interest of time, the document must clearly state what information is collected, who it's shared with, also things like the purposes, why you're processing the information. You should disclose how you respond to "Do not track" signals from web browsers and you must include the effective date of your privacy policy.

    And as I hinted at, there's a lot more that goes into the basic requirements of a privacy policy. Again, something that we can link to in the chat a little bit later because we do have some guides on this. But we don't want to spend too much time. 

    But the general idea is you need to have a valid privacy policy that informs the user of how you're using their personal data and why, who you're sharing it with, and any rights they might have, any ability to opt-out of things, and stuff like that. 

    Andrea: I think it's worth mentioning that there are services like ours but not only ours that just give you this basic compliance. If you have basic compliance needs, you can get all you need for free. It might be worth checking it out and maybe it's not. I mean it's less bad than you thought it was. 

    Abby: The California Consumer Protection Act, the CCPA. Now the CCPA grants additional rights to users that they previously didn't really have, such as the right to be informed, the right to access information you've collected about them, and then I see here perhaps most relevant in marketing is the right to opt-out. 

    But I wanted to give a quick look at the rights that the consumer has under the CCPA. One is the right to be informed and that has to do with how and why you're collecting their personal data, the categories of personal data that you're collecting and sharing, the purpose, and how they can object to the selling of their data. 

    Then there's the right to access, that's the right to access information that you've collected about them. Then the right to portability, which is related to the right to access, which is their right to be able to get that information in a format that they can share with another company or keep or whatever. 

    Then there's the right to be deleted, the right to opt-out, the right to opt-in, and the right to not be discriminated against. And that last one just means that they have the right to request these things without you discriminating against them, right? 

    Andrea: And for the record, these rights are quite similar to the rights that you have to give according to the GDPR. They overlap quite a bit.

    Abby: The right to opt-out under the CCPA, it's an important one that's given to California users, the right to opt-out of any processing that can be considered a sale of their data. ‘Sale’ doesn't have the usual meaning under the CCPA. It just basically means sharing the personal data for any profit, whether that profit is money or not. 

    Just sharing their personal data with a third party, whether it's through analytics or whatever, for ads or whatever, that's considered a sale under the CCPA and therefore, they have the right to opt-out. 

    Consequences of Non-Compliance

    Abby: We're looking at the consequences of noncompliance. For the GDPR, we find that 20 million or 4% of the annual worldwide revenue. And then you have sanctions like official reprimands as well as periodic data protection audits and liability damages. 

    Now those audits, it sounds like not much but it can really suck. Let's say you have an entire database of personal data that was collected in a way that's deemed invalid or non-compliant and there is a data audit, there exists a possibility that you can lose that entire database. 

    Andrea: Yeah, and this could be for your e-commerce. This could be your mailing list. You may lose your entire mailing list, which is even worse than the fine. 

    Jason: Sure. 

    Andrea: It may really cripple your business. So watch out. 

    Abby: Really, really nasty fines have been handed out. And also towards U.S. companies so it's not simply a case of it's only the EU companies, like Google got fined something like $56 million. The Marriott got fined $123 million.

    But also, it's worth noting that it's not only big companies that are getting fines. You have the Spanish Data Protection Authority handed out an $80,000 fine to Orange. Much smaller companies are also getting fines. I'm just looking at some of them. Quite a few companies have gotten fines. 

    It's not just that they're only giving it to big companies to make an example. But if someone complains that you've been handling the data in the wrong way, they look into it and you can get slapped with a fine. 

    The CCPA has a lot of fines. They seem a lot smaller but with the CCPA, the fines apply per individual violation and per customer.

    Andrea: If they did wrong on a thousand users, you have to do a multiplication of those amounts. 

    Abby: All of these laws, the violations, they allow the users to bring lawsuits against you. Aside from the fine, you might also get sued. 

    Similarly for CalOPPA, the FTC can bring enforcement action against you and the government can bring suit. 

    5 Ways for Marketers to Comply with Privacy Regulations

    Just going really quickly to the practical ways that you can comply as a marketer because that was a lot and very abstract. We're just going to look at five really quickly. One is to have clear and easy email opt-outs for both E.U. and U.S. based users. 

    And we do want to remember that with EU based users, they do need to opt-in. But even after they've opted in, you do need to give them a clear way of opting out. You want to have clear, visible, easy options to opt-out for the communications in your marketing email. 

    And you want to be sure to set up an email management system. Set it up so that the user can opt-out without needing to log in. That covers you there for CAN-SPAM and also for the opting out requirement of the new law.

    Secondly, you want to make sure you're getting opt-in consent for your EU based users. You want to make sure that your opt-in mechanism informs the user clearly and correctly of your intentions. Plan to use pre-ticked checkboxes or combined different purposes. And you want to make it clear to the user that they're consenting to your newsletter or whatever it is, is completely optional. 

    What you don't want to do is you don't want to group something like your terms and conditions and then your contact permission together and then you just have them provide consent, one blanket consent for everything. I know a lot of people do that and that is completely wrong and it can make you end up with a nasty fine. 

    Andrea: And again, totally fine in the U.S. but in the E.U. no. 

    Abby: In the E.U. you can't do that. In the E.U., you do need to have separate checkboxes, even if it is on the same form, you do need to have a separate one for the terms and conditions and then the contact permission and you do need to state that it's optional and have a separate one for each one of the purposes. 

    You want to make sure that you have all the disclosures and you clearly identify yourself. Have a valid privacy policy, make sure that your endorsements are not misleading and fully disclosed, inform users when you're given an incentive, this one's pretty well known. You also want to clearly identify yourself and your business with accurate, up to date contact information. We didn't super get into this but the GDPR makes this a specific requirement. You must be unequivocally identifiable. 

    Lastly here... is to have a consent management platform in place on your website and this sort of goes into what we were talking about before if you have E.U. based users as well as California based users, you have cookies in use on your site. Not having a cookie consent management solution on your website could mean that you're violating user rights and that you're losing a lot of ad revenue that you could be accessing otherwise. And you want to make sure that it allows you to do all the stuff we mentioned before, inform users, block cookies, all of that stuff. 

    And then also, you want to make sure that it supports the U.S. privacy framework. And both, but if you have U.S. based users, you want to make sure it definitely supports that. That brings us more or less to the end. 

    Jason: Nice job, Abby, Andrea, I appreciate your insights here. We're going to take a couple questions here. And there might even be a part two to this possibly, we'll see, right? 

    Abby: I just wanted to say really quickly before we get into that, just keep in mind that in terms of the future, this is where everything is going. All this complicated legal stuff, it's all going there with India, Brazil, Japan, even Dubai all coming on with privacy laws. 

    Do Google Analytics Data Apply to Personal Data Laws?

    Jason: Jeff asked, "How much of this applies if your website is only collecting Google Analytics data, which do not include any personal data?"

    Andrea: It does include them because even a cookie is personal data. It's enough to have something that makes the user identifiable and Google Analytics is exactly that...you are collecting personal data and you're subject to everything that we said. 

    In Europe, you need to block it and then have a cookie banner. In California, you need to allow users to opt-out from sale and then you have to have a privacy policy that tells that you're using Google Analytics. 

    Abby: Remember even something like IP address is considered personal data. And remember any aggregate data can be paired with other pieces of data to identify the user, then it is personal data as well. It's a very, very broad definition and, yes, analytics does fall under that as Andrea said. 

    Are Cookie Walls Allowed?

    Jason: On Top Digital Marketing asks, "So you mentioned that we can't force someone to consent. Is restricting access to the site until receiving consent a valid way to implement that?" You don't want to do that because you restrict revenue. 

    Andrea: That's called a cookie wall and the European Data Protection Board just a month or so ago just said explicitly that that's not allowed. Either you completely block traffic from a country or location, which you can, but cannot subject the entrance to a wall that says, "Okay, if you want to enter, I have to track you. Otherwise, you cannot enter." Either you block everyone or you cannot block just the ones that don't accept cookies. 

    Abby: But you can, just to add one quick clarification here because sometimes people mix up terms and conditions and privacy policies and all this other stuff. If it is that you're trying to have people agree to your terms and conditions, just something different and can't be used to override the law, right? That's something completely different that deals with your own rules for how your site can be used. 

    In general, you can't do it, as Andrea said. But I know that some of the cases you might be thinking of might be something like the Washington Post does this thing or some of these publications where in order to get to their site, you have to disable adblockers and allow cookies to run and stuff like that. 

    There are some cases that are toeing the line where if your service is a paid service, you're saying, "Okay, only paid members can access it, but if you want to access it for free, then we need to run ads." That's something you should really discuss with a lawyer. Some websites, U.S. websites have been doing it but it's kind of tricky.

    Testing for Compliance

    Jason: All right. One more question and then I'm going to ask you guys to give some information on how people can get in touch with you because I'm sure there's more questions. So is there a way to test for compliance like GDPR? Are there any tools or how do you test for this?

    Andrea: Yeah, I mean we're actually working on something like that. Plus on our site, you can also get your site scanned already. Otherwise, you can still go to a lawyer and make sure that they give you an assessment. Yeah, but again, reading and this webinar already gives you a few tips. 

    Jason: Yeah, it almost sounds like the financial impact is greater if you ignore this than if you just comply. 

    Andrea: Yeah, yeah, exactly. You need to know what to do and it's tedious, annoying, but it's not the end of the world.

    Abby: Yeah, I mean it's a little bit of a pain in the butt but to not do it is way worse and it actually affects your pocket. I saw really quickly here that someone asked if their EU traffic is under 5%, if they still have to worry about it and yes. If you have users from these regions, you do have to comply. It doesn't matter if it's a small percentage. 

    Jason: All right, Abby, Andrea, thank you so much for your expertise, for your time. I learned a lot. I'm sure everybody else on the webinar learned a lot and maybe there will be a version two of this webinar with other questions that we didn't get to. 

    Andrea: You can visit our site iubenda.com or just tweet at Iubenda or I guess just tweet at SEMrush and then we can be tagged.
