Website Compliance for Higher Education in the U.S. under the GDPR
Welcome to the second HMBR series of FAQs developed to inform colleges and universities in the United States about how various activities may bring them under the jurisdiction of European Union (EU) data protection authorities. This series focuses on website compliance and should be read in conjunction with our first installment.
How might GDPR affect a college or university website?
Given the GDPR’s broad definition of personal data and expansive territorial scope (covered here: GDPR and Higher Education in the US: An Overview), in general, U.S. colleges and universities that have websites that collect personal data from individuals in the EU are subject to the GDPR.
We don’t collect contact information from individuals via our website, so can we forget about GDPR?
No. The GDPR broadly defines personal data as "any information relating to an identified or identifiable natural person," and an online identifier counts. Websites collect such identifying information in a number of ways, even without a contact form, including:
- IP Address and Location: as soon as you navigate to a website, your browser sends requests that carry your IP address, because the server needs it to send the page back. Web servers routinely record that address in their access logs, and it can be used to identify your approximate location.
- Browser Information: when interacting with a website, your browser sends request headers (such as the User-Agent header) and exposes information to the site's scripts that reveal your operating system, the type of browser you use (Safari, Firefox, Internet Explorer, etc.), any browser plug-ins you may have, and information about your hardware such as whether you're using a laptop, tablet, or phone.
- Cookies: these small pieces of data are set by a website, stored in your browser, and sent back to the site on every later visit. Sites use them to keep you logged in after you authenticate, to remember your preferences, and, when set by advertising networks, to recognize you across multiple websites and tailor the advertisements shown to you. A cookie typically holds an identifier rather than your browsing history or password, but that identifier is personal data under the GDPR, and using it to track a person's activity across sites in order to target advertising can amount to "profiling" under the GDPR.
- User Input Fields: any personal information you type into a website when creating a profile, running a search, or submitting a form is sent to, and usually stored on, the institution's server.
If your website collects any of these types of personal data, it will implicate the GDPR.
Our website does all or most of these things, what is our best first step?
A college or university's website is not in compliance with the GDPR if it collects personal data without a lawful basis for doing so. The GDPR recognizes a limited set of lawful bases, including the user's valid consent, performance of a contract with the user, compliance with a legal obligation (such as a valid court order), and protection of an individual's vital interests, among others. Most of the bases other than consent are unlikely to cover the ordinary collection of personal data from website visitors. That leaves us with consent.
For consent to be valid under the GDPR, it must be freely given, specific to the actual personal data and purposes being processed, informed, and unambiguous, and it must be given by a statement or a clear affirmative action. For example, a user's mere activity on a website does not constitute consent, nor does a user's continued use of the site after consent has been prompted and not received. Silence, pre-ticked boxes, and inactivity do not constitute consent either.
Anything else we should do?
Yes. The GDPR requires that users be told, at the time their personal data is collected, how it will be used. A clear privacy notice on the website should explain:
- Why the college or university is processing their personal data – such reasons might include recruitment, admissions, or financial aid purposes.
- What types of personal data are processed – this might include contact information, academic records, or health records, to name a few.
- Where the personal data is stored and for how long it will be kept – this may range from the end of an admissions cycle, to the end of a semester, to the point at which the student graduates.
Colleges and universities should consider the purposes for which they are collecting personal data and decide what type of personal data is absolutely necessary for achieving that purpose. Any personal data collected or processed should be limited to the necessary minimum; the more personal data a college or university stores, the greater its risk of liability.
Anything else to consider?
Colleges or universities may want to work with a data audit team to identify noncompliance issues on their website. Some particular problem spots for data protection that are common among college and university websites are:
- Online Contact Forms – institutions will want to explain what the input fields will be used for and provide an avenue for users to request a copy of their personal data, exercise their right to be forgotten, or have inaccurate personal data corrected.
- Cookies and form plug-ins – institutions should obtain clear, affirmative consent before setting non-essential cookies or loading tracking scripts in users' browsers; cookies that a requested service cannot function without (such as a login session cookie) are the exception.
- Third-party vendors (such as Blackboard, Symplicity, or TWEN) – institutions will want to provide users with a clear and comprehensive list of all vendors and information on how their personal data is collected by each third-party, while also ensuring that each third-party vendor is in compliance with GDPR. This topic will be addressed in a subsequent set of FAQs.
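Putting the consent rules above into practice on a website means that every non-essential cookie and every vendor tracking script is held back until the visitor makes an explicit choice, and that continued browsing never counts as that choice. The following is an added illustration, not code from HMBR or from any of the vendors named on this page. It is written to run in Node without a browser: the browser-side effects (setting and deleting cookies, loading a script) are injected as functions, and the vendor URL and the fixed clock value are constructed for the example.

```javascript
// Added example (not part of the HMBR FAQ): a consent gate that defers
// non-essential cookies and vendor scripts until an explicit, per-purpose
// choice is recorded, and that keeps the record needed to demonstrate consent.

// Purposes a visitor can opt in to. "necessary" covers cookies a requested
// service cannot work without (e.g. the login session); it needs no consent.
const PURPOSES = ["necessary", "analytics", "marketing"];

class ConsentGate {
  // sink: { setCookie(name, value), deleteCookie(name), loadScript(url) }.
  // A real page would back these with document.cookie and a <script> element.
  constructor(sink, now = () => Date.now()) {
    this.sink = sink;
    this.now = now;
    this.consent = null;            // null until the visitor makes an explicit choice
    this.pending = [];              // actions held back until consent is granted
    this.setByPurpose = new Map();  // purpose -> Set of cookie names actually set
    this.auditLog = [];             // who/when/what, so consent can be demonstrated
  }

  allowed(purpose) {
    if (purpose === "necessary") return true;
    return this.consent !== null && this.consent.purposes.includes(purpose);
  }

  // Every cookie or vendor script is tagged with its purpose and passes through here.
  setCookie(purpose, name, value) {
    this._gate(purpose, { kind: "cookie", purpose, name, value });
  }
  loadScript(purpose, url) {
    this._gate(purpose, { kind: "script", purpose, url });
  }

  _gate(purpose, action) {
    if (!PURPOSES.includes(purpose)) throw new Error("unknown purpose: " + purpose);
    if (this.allowed(purpose)) this._run(action);
    else this.pending.push(action); // held, not dropped: runs only if the visitor later opts in
  }

  _run(action) {
    if (action.kind === "cookie") {
      this.sink.setCookie(action.name, action.value);
      if (!this.setByPurpose.has(action.purpose)) this.setByPurpose.set(action.purpose, new Set());
      this.setByPurpose.get(action.purpose).add(action.name);
    } else {
      this.sink.loadScript(action.url);
    }
  }

  // Only an explicit per-purpose choice counts. There is deliberately no handler
  // for scrolling, navigating to another page, or closing the banner: none of
  // those is consent, so none of them can release the pending actions.
  recordChoice(purposes, source) {
    const chosen = purposes.filter((p) => p !== "necessary" && PURPOSES.includes(p));
    this.consent = { purposes: chosen, source, at: this.now() };
    this.auditLog.push({ ...this.consent, purposes: [...chosen] });
    const stillPending = [];
    for (const action of this.pending) {
      if (this.allowed(action.purpose)) this._run(action);
      else stillPending.push(action);
    }
    this.pending = stillPending;
    return this.consent;
  }

  // Withdrawal must be as easy as consenting. Cookies set for the withdrawn
  // purposes are expired; an already-loaded script cannot be unloaded, which is
  // one reason to hold vendor scripts back rather than load them and apologize.
  withdraw(purposes = PURPOSES.filter((p) => p !== "necessary")) {
    if (this.consent === null) return null;
    for (const p of purposes) {
      for (const name of this.setByPurpose.get(p) || []) this.sink.deleteCookie(name);
      this.setByPurpose.delete(p);
    }
    const remaining = this.consent.purposes.filter((p) => !purposes.includes(p));
    this.consent = { purposes: remaining, source: "withdraw", at: this.now() };
    this.auditLog.push({ ...this.consent, purposes: [...remaining] });
    return this.consent;
  }
}

// In-memory stand-in for the browser (constructed for the example).
function memorySink() {
  const cookies = new Map();
  const scripts = [];
  return {
    cookies, scripts,
    setCookie: (name, value) => cookies.set(name, value),
    deleteCookie: (name) => cookies.delete(name),
    loadScript: (url) => scripts.push(url),
  };
}

// Walk through a visit: page load, a second page view, a selective opt-in, a withdrawal.
function demo() {
  const sink = memorySink();
  const gate = new ConsentGate(sink, () => 1700000000000); // fixed clock, constructed
  gate.setCookie("necessary", "session", "abc123");              // login session: allowed
  gate.setCookie("analytics", "_visits", "1");                   // held
  gate.loadScript("marketing", "https://ads.example/tag.js");    // hypothetical vendor URL, held
  gate.setCookie("analytics", "_visits", "2");                   // second page view: still held
  const before = { cookies: [...sink.cookies.keys()], scripts: [...sink.scripts], pending: gate.pending.length };
  gate.recordChoice(["analytics"], "banner:accept-selected");    // explicit choice, analytics only
  const after = { cookies: [...sink.cookies.keys()], scripts: [...sink.scripts], pending: gate.pending.length };
  gate.withdraw();
  const withdrawn = { cookies: [...sink.cookies.keys()], purposes: gate.consent.purposes, pending: gate.pending.length };
  return { before, after, withdrawn, audit: gate.auditLog };
}
```

Running `demo()` shows the behaviour the consent rules require: only the session cookie exists before a choice is made, the second page view changes nothing, accepting analytics alone sets the analytics cookie but still keeps the marketing script unloaded, and withdrawal expires the analytics cookie and is itself logged. In a real deployment the `auditLog` entries would be persisted server-side, since the institution, not the visitor, has to be able to show that consent was given.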
In reviewing your college or university’s website for GDPR compliance, it is important to think about a user’s earliest interaction with your website and the ways in which your institution can limit the data it seeks and stores to only what is necessary. It is also important to consider how you can let users know what is happening to their data and how they have a choice in the matter.
Should you have any questions or concerns about the topics discussed in this article, please feel free to contact HMBR.