Gotta collect ‘em all
Do you really need all these cookies? Clearly, this is an extreme example because free-to-read ‘journalism’ needs ads to support its business model and you’re probably in a whole different situation with your corporate website. But still, carefully consider how much data you actually need to provide the best experience to the user.
You don’t need someone’s name to send him a newsletter, just his e-mail address - so why bother asking? Sure, you want to build out your CRM database, but there are better ways, e.g. follow-up e-mails where the user can opt in to provide further information. Also, sign-up rates tend to be higher the fewer fields a form has - another reason to reduce it to the minimum.
I get it. Humans are collectors by nature, thus we have a natural tendency to ask for more data than we immediately need. Better safe than sorry - maybe we will need it at some point in the future.
Well, the GDPR states that you need one of these 6 legal justifications to collect data: Consent, Contract, Legal Obligation, Vital interests, Public task or Legitimate interests. Most companies still rely on the latter, the legitimate interest, and argue that collecting personal data and using e.g. cookies enhances the user experience by offering a more personalized experience. But it’s a very weak argument and in many cases, I’m sure it wouldn’t hold up.
So, start your project by re-thinking how much personal data you really need to collect. And remember there are two ways users provide data: voluntarily, by filling out forms, and passively, by automated data collection through tracking scripts etc.
Also, get your privacy officer involved as soon as possible. Oftentimes I see clients contacting their privacy officer after going live with a project. That’s way too late. He should be involved from the beginning and lay the groundwork to build upon.