GDPR and Your Church's Website: What You Need to Know

If you are responsible for managing your church’s website, odds are you’ve had some concern about the new European Union privacy laws, most commonly referenced as GDPR, or General Data Protection Regulation. At Membership Vision, we’ve answered many questions from churches using the MV platform to host their websites as well as questions from churches using other website solutions.
Here are some of the most commonly asked questions, as well as a handy checklist at the end of this post to help you make sure your church’s website is in compliance with GDPR. Keep in mind that practices around data security vary tremendously and that we do not intend this as legal advice.
Our church is in America. Do we need to worry about GDPR? Does a European law apply to us?
This is a great question! The law applies to anyone collecting data from any EU citizen while that person is in an EU country. The heart of the regulation -- concern and consideration for an individual’s privacy and rights -- is something with which we should concern ourselves because it’s becoming increasingly important to everyone.
Two distinct areas of concern are:
- Email distribution lists
- Websites
The Episcopal Diocese of Olympia did a nice job outlining these concerns in a white paper they released on this subject.
Email Distribution Lists
If you have people on your email list who may reside in Europe, you must extract and create a separate distribution list of those email addresses and get clear consent to continue sending email updates to them before adding them back to your regular email distribution lists. Read more about how to handle this in the Episcopal Diocese of Olympia's white paper on page 4.
Websites
Many of the suggested solutions I’ve seen feel like they would make surfing the web an unpleasant experience. Where do I begin? What changes must be made to my church’s website?
While some of the solutions suggested seem onerous and likely to create a poor website experience, it’s important to remember that your main focus needs to be on functions in which you gather personally identifying information. When you do this, it is important to get affirmative, informed consent. Many businesses have a lot more to juggle with this, but the way you are handling data (hopefully!) is a little more straightforward.
How to Get Affirmative, Informed Consent
We recommend having forms which prompt a user to affirmatively check a box consenting to share the information they are entering in accordance with your privacy policy before being allowed to submit the form. This consent box should initially be unchecked, and it should give the user access to your privacy policy without forcing them to abandon the form or lose entered data -- for example, the link to the privacy policy in the form could open in another tab.
Your privacy policy statement should:
- Explain your cookies policy, including whether or not you anonymize IP addresses in Google Analytics.
- Include information about third parties your website uses and links to the relevant third-party privacy policies. This might include Google Analytics, Mailchimp, payment processors, membership systems, social media companies and any other services you use.
- (Optional, but recommended) Include a link to instructions for how to disable cookie tracking in browsers after explaining the reasons cookies are used. See our Membership Vision Privacy Policy as an example.
Following these guidelines, you offer clear language requesting consent when you are collecting information from users, and you tell them clearly what you will do with the information you collect.
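The following is an added example, not code from the original post or from the Membership Vision platform. It shows the two halves of the consent rule described above: the form markup that renders an initially unchecked consent box whose privacy policy link opens in a new tab, and the server-side check that refuses a submission unless the box was affirmatively ticked, recording when consent was given and which version of the policy the visitor saw. The field names (name, email, consent, policyVersion) and the policy version identifier are assumptions made for illustration.

```javascript
// Added example (not Membership Vision's code). Field names and the policy
// version identifier are assumptions for illustration.

// Identifier of the privacy policy text currently shown on the site (assumed value).
const CURRENT_POLICY_VERSION = "2018-05";

// Values a browser sends for a ticked checkbox. A missing field means the box was
// left unchecked, which is the required default (opt-in, not opt-out).
const AFFIRMATIVE_VALUES = new Set(["on", "true", "1", "yes"]);

// Markup for the consent field: no "checked" attribute, so consent is never
// pre-ticked, and the policy link opens in a new tab so the visitor does not
// lose what they have typed. rel="noopener" keeps the policy page from
// scripting the form's tab.
function consentFieldHtml(policyUrl = "/privacy-policy") {
  return [
    "<label>",
    '  <input type="checkbox" name="consent" value="on" required>',
    "  I consent to this information being used as described in the",
    `  <a href="${policyUrl}" target="_blank" rel="noopener">privacy policy</a>.`,
    "</label>",
    `<input type="hidden" name="policyVersion" value="${CURRENT_POLICY_VERSION}">`,
  ].join("\n");
}

// Server-side validation of the submitted fields. Browser-side "required" can be
// bypassed, so the consent check is repeated here before anything is stored.
// Returns { ok: true, record } or { ok: false, errors }.
function validateSubmission(fields, now = new Date()) {
  const errors = [];
  const name = String(fields.name || "").trim();
  const email = String(fields.email || "").trim();

  if (!name) errors.push("name is required");
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) errors.push("email address is not valid");

  // Consent must be an explicit affirmative value; absent, empty or "off" all mean no.
  const consentGiven = AFFIRMATIVE_VALUES.has(String(fields.consent || "").trim().toLowerCase());
  if (!consentGiven) errors.push("consent checkbox must be ticked before submitting");

  // Consent only covers the policy text the visitor actually saw; a stale form
  // submitted after the policy changed is rejected rather than silently accepted.
  if (fields.policyVersion !== CURRENT_POLICY_VERSION) {
    errors.push("privacy policy version is out of date; please reload the form");
  }

  if (errors.length > 0) return { ok: false, errors };

  // The stored record keeps the evidence of consent alongside the personal data,
  // which is what you need when asked what a person agreed to and when.
  return {
    ok: true,
    record: {
      name,
      email,
      consent: { given: true, policyVersion: CURRENT_POLICY_VERSION, at: now.toISOString() },
    },
  };
}

// Constructed sample submissions, as a form handler would receive them.
const sampleAccepted = validateSubmission(
  { name: "Jane Doe", email: "jane@example.org", consent: "on", policyVersion: "2018-05" }
);
const sampleRejected = validateSubmission(
  { name: "Jane Doe", email: "jane@example.org", policyVersion: "2018-05" }
);
console.log(JSON.stringify(sampleAccepted), JSON.stringify(sampleRejected));
```

Keeping the consent timestamp and policy version next to the person's details also makes later requests easier to answer: you can show exactly what the person agreed to, and you can find and delete the whole record if they ask for it to be removed.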
I’m a little confused about cookies. I’m not sure if we use them, but we use Google Analytics and other services which do. What should we do as far as a cookies notification?
Remember the goal: protecting the privacy of individuals. Are you using cookies in a sophisticated manner to tailor information specifically to a single user, for ad tracking or remarketing campaigns? Are you using tracking pixels? If so, then you will definitely want to be more proactive with your notification of cookie usage -- it is a person’s right to know they are being tracked in this way. Otherwise, if your usage of cookies is not utilizing personally identifying data, a well-stated cookie policy in your privacy settings with links to the policies of services you use, like Google Analytics, should be sufficient.
There are some concerns around Google Analytics using IP addresses to track users. One solution is to anonymize IP addresses. You may have a slightly less detailed picture of the exact geographic location of visits to your site, but these analytics aren’t necessarily accurate to begin with.
Our WordPress site uses so many plugins. I don't know what they are doing with all of the data. What should I do?
This situation is both common and somewhat difficult to deal with. You may have social share plugins which contain a tracking pixel and not even know it -- so even your cookie policy would not cover this kind of tracking. Know that the GDPR puts responsibility on the website owners themselves to take care of their EU visitors, so a thorough review of the plugins and services you use may be in order. One of the advantages of the proprietary Membership Vision platform is that we protect our clients from privacy issues such as these, and also against potential security loopholes and conflicts that various plugins can introduce.
Google and Facebook are already being sued for billions of dollars. What's going on?
The bottom line is simply this: if you have someone’s private information, such as their name, address, phone number and the like, and they are an EU resident and they are accessing your site from an EU country, they have the right to know how you are using their personally-identifying information, and they have the right to ask you to destroy that information. This applies to the online activities we’ve mentioned, and it also applies to information you may store in your office, even on paper. If an EU citizen asks to be forgotten, and you have no legal basis for keeping their private information, then delete that information whether it is stored in contact forms, information in Mailchimp or Constant Contact, or a ledger in your office.
What is Membership Vision doing for its clients?
People all over the world are becoming increasingly concerned about privacy and the protection of their personal data. The GDPR is only the beginning in what will most likely be an evolving series of data regulations. At Membership Vision, we ensured that all of our client websites were compliant with GDPR when the regulation took effect. We continue to monitor the regulatory landscape and adapt our sites accordingly, giving our clients tools to help them treat each online visitor with honor and care.
In preparation for GDPR, each of our church client websites was modified to include:
- An updated privacy policy expressly stating the purpose of collecting any personally identifiable information.
- Anonymized IPs in Google Analytics tracking code.
- Forms requiring affirmative consent for sharing of personal information prior to submission, done in a non-intrusive way.
Cookies are not used to track any personally identifying information; however, we will be rolling out a cookie opt-in policy with certain features, such as language selection.
GDPR Website Compliance Checklist
- Set up your forms to require affirmative consent (opt-in, not opt-out) before a user submits personal information.
- Verify that you are not partnering with any agents who may be misusing data you collect.
- Anonymize IPs in your Google tracking code by adding the piece of code that matches the tag you use:
  - If you are using gtag.js: { 'anonymize_ip': true }
  - If you are using ga tags: ga('set', 'anonymizeIp', true);
- Update your website privacy policy with clear, direct language.
- Follow the Episcopal Diocese of Olympia recommendations for mailing list management on page 4 of their white paper.
Remember that the spirit of the GDPR regulation and much of the conversation about privacy and data protection has to do with respecting the rights and dignity of all people. Unfortunately, much of what we are accustomed to related to online privacy is neither respectful nor honorable. But there is a single point that -- if we really follow it -- will serve as a great guiding principle:
- Love thy neighbor as thyself.
We will continue to update our efforts in this area as we move forward.
-M
Merrill Whatley, President
Membership Vision
What can we create together? Contact Membership Vision to learn more!
Our goal at Membership Vision is to help churches and other faith communities to tell their stories in the digital space. Each church, irrespective of size, has a living and active story to tell, and technology provides an opportunity to share that story in a way that is welcoming and engaging. We ease the burden of keeping communications current, by leveraging content, and harnessing the many ways that members of our communities connect with each other, both inside and outside of the church walls. We aim to remove technological hurdles and allow churches to communicate online in an effective and sustainable way. Contact us at connect@membershipvision.org or call (805) 626-0143 to talk about the ways we can help your church build a digital presence.
Like what you're reading? Follow and share our Digital Ministry blog on Facebook and on Twitter!
