Since the European data protection laws officially went into effect this year, a Notice of removal from Google Search is now a much bigger deal than it used to be.
In this article, I’ll explain what to do if or when you receive a notice about a URL that violates the GDPR and how to cover your bases as more countries and states pass their own consumer privacy laws.
What You’ll Learn:
- About the GDPR
- What does a ‘Notice of Removal’ mean?
- How the notice might impact your site
- Submitting a request for removal from Google search
- Why you should act on your notice for removal
- How European GDPR can enforce compliance
- How to know if your website is GDPR compliant
- Familiarizing yourself with requirements for Google properties
- Why Google Analytics requires JavaScript for cookies
- Website and mailing list requirement
- How to make GDPR compliance a continuous effort
A Bit of Background RE: GDPR & Google Search
In 2014, the Court of Justice of the European Union decided that individuals have the right to request that Google remove URLs containing personal information from the SERPs.
In response, Google has given users the option to submit a request with the information in question.
And–when a URL is officially “delisted,” a Notice of Removal is sent to the webmaster responsible for that page. While this process has been in place for six years,
Deep into quarantine on May 25, 2020, the European Union’s General Data Protection Regulation (GDPR) turned two–marking the end of the law’s grace period for compliance.
As such, those pages containing personal data may be in violation of the GDPR, which means that whether or not an individual objects to their data being publicly available is beside the point.
Now, brands face greater consequences for failing to properly protect user data.
Notice of Removal from Google Search: What Does This Mean?
As mentioned up top, Google responded to GDPR regulations by issuing a notice of removal to websites that failed to make the required changes within that two-year timeframe.
You might have received a notification that looks like this:
Or, you may have gotten the bad news by way of the Google Search Console.
Here’s a copy of the notice we received in regards to one of our clients:
Essentially, receiving a notice of removal means that someone has submitted a Personal Information Removal Request form through Google.
This form allows users (or someone acting on their behalf) to ask for a web page that contains personal information relating to them to be taken down.
Here are some screenshots for the removal request, which can be found here.
Users are required to provide their country of origin, full legal name, as well as the URL they’d like to have removed and why.
Google will then review that information to determine whether or not any action is required–in other words, they’ll check the request against any existing privacy regulations and remove content that violates those laws.
Do note that this particular form only applies to Google Search. Users looking to request personal data removal from other Google properties can choose from the following options (found here)
How Does a Notice of Removal From Google Search Impact Your Website?
This notification means that a URL is blocked in certain areas because it contains identifying details connected to a resident of a European country.
So, the impact on SEO has more to do with how much of your website traffic comes from EU users and whether that page was a major traffic source.
BUT–even within those parameters, “removal” only applies to a specific situation.
The affected URL will only be removed from search results when someone only searches for the name of the person who submitted that request while using a device located in Europe (note that this applies to domains from any country).
So, if someone enters a query that contains your website and “blocked user,” the URL in question will be omitted from the search results.
Crawlers can technically still navigate your site and users in locations without these laws can still access URLs that have been “removed.”
Can Requests for Removal Be Used as a Negative SEO Attack?
While it’s certainly possible, it’s worth noting that requesting removal isn’t a very effective negative SEO tactic. Again, this “removal” only applies to super-specific pages and as a result, likely won’t inflict the level of damage that a bad actor was hoping for.
Additionally, as you can see in the screenshots I posted above, this form asks for a lot of very specific information, making it difficult to falsify these requests at scale.
Do note that Google provides a reinstatement request form that allows users to request a reversal. Now, they also mention that they “can’t guarantee a response to that form,” which means this isn’t a fool-proof method.
Why Should You Care About a Notice of Removal from Google Search?
While blocking a URL for a particular blog post for very specific queries in very specific areas might not seem like a big deal, it points toward a bigger issue–that your site might not meet GDPR compliance.
Again, we’ve passed the May 25, 2020 deadline, and sites with European traffic are legally required to comply with EU privacy laws.
The GDPR may be a European law, but the reality is, compliance matters a TON for businesses all over the world.
Here’s the thing–GDPR applies to any company that does business with European customers.
So, if you have a website–whether it’s an e-commerce shop, a media outlet, or a SaaS product–and you either get traffic from European countries or may get traffic from these countries at some point in the future–you are required to comply with the GDPR regulations.
So, essentially that rule applies to nearly every website–even local businesses that might attract European tourists.
The other reason this notice matters is, featuring personal information on your website might also mean you’re out of compliance with CCPA requirements, as well as new privacy laws that have been going into effect in a number of US states.
GDPR “Rules”
While there’s a lot more to GDPR compliance, here’s a basic outline of what companies are expected to do to ensure proper data management.
Companies must:
- Be transparent about how you use consumer data
- Grant users access to their personal data
- Allow users to ask you to update outdated or inaccurate information
- Provide the option for users to have personal information deleted
- Give users the ability to suppress or restrict information
- Allow users to transfer their data to another company
- Offer users the option to object to their data being used for certain uses like email marketing or ad personalization
- Grant users the ability to opt out of automated decision-making or profiling
How Can the European Union Enforce GDPR Compliance in Foreign Governments?
Per Article 50 GDPR, EU authorities can take “appropriate steps” to:
- Coordinate international initiatives to ensure effective enforcement of legislation protecting consumer data.
- Provide international mutual assistance for notifying violators, managing complaints, investigating violations, and establishing a secure system of information exchange.
- Work with international stakeholders on global enforcement initiatives.
- Promote the practice, exchange, and documentation of personal data protection legislation–including helping other countries handle cross-border jurisdictional conflicts that make compliance more difficult.
Admittedly, this is all a bit dry, but important nonetheless.
Now that I’ve covered the GDPR basics, let’s look at what you can do to protect your customers and your company.
How Can You Tell Whether Your Website is GDPR Compliant?
The passage of GDPR meant that many companies were forced to think about data protection for the first time. If you were to build a new website/network from scratch, cybersecurity and data protection efforts would be implemented from the get-go.
The problem is, websites that have been operating for years are now having to go back and retroactively make things right. The EU has recognized these challenges and in response, gave companies doing business with European customers a two-year deadline to address these problems.
Keep in mind, a similar law, the California Consumer Privacy Act (CCPA), went into effect on January 1, 2020–which means data protection requirements hit much closer to home for US companies that haven’t thought much about GDPR.
Unlike the GDPR, CCPA didn’t include that two-year grace period.
Instead, websites have 30 days to comply with the new requirements once regulators notify them of a violation. Failure to do so may result in a $7500 fine per customer record–which, let’s face it, is going to add up fast.
If you haven’t received a notice (or don’t know how to fix this problem), I’ve included a list of ways you can make sure your site meets the requirements of GDPR, CCPA, and several similar laws coming through the pipeline from more US states.
Note: Here’s the official breakdown from the National Conference of State Legislatures for more info.
Many of these recommendations come directly from the official GDPR website, but I’ve also added some tips from cybersecurity pros that will help you do more than just the bare minimum.
As far as Google Search violations go, it’s important to note that your concerns should extend beyond what appears in the organic SERPs.
You’ll need to think about Google Analytics and social media pixels that collect cookies, obtaining consent before adding users to email lists, and what information you display on any page that may appear in the search results.
Get Familiar with New Requirements Across All Google Properties
Google has issued a compliance update that applies to business users across all of its properties.
One key thing to note here is that Google properties fall into two categories: those where Google is in control of the data and those where Google and the customer are both in control of the data.
Google’s data processing terms apply to the following properties and ensure a level of protection against GDPR and CCPA violations.
- Google Ads Customer Match
- Google Analytics
- Google Tag Manager
- Display & Video 360
- Campaign Manager
- Google Optimize
- Google Data Studio
- Attribution
- Android Enterprise
- G Suite
- Google Cloud Platform
Google properties where the customer acts as an “independent controller of data” include the following:
- Google Ads (applies to some features like Shopping and Hotel Ads, while others like the Customer Match function are processed by Google).
- Google Ad Manager
- Google Customer Reviews
- Google Maps API
- Google AdSense
- Google AdMob
General Client Checklist for Google Business Users
By no means is this a comprehensive checklist for ensuring compliance, but here are a few things Google recommends thinking about as you take on this high-stakes compliance effort.
- What is your organization doing to ensure control and transparency when it comes to using consumer data? Do you explain what types of data you collect and why you need that information? Do you tell users how you plan on keeping that information safe?
- How will you prove that you meet regulatory compliance standards to regulators and other stakeholders? Do you have the appropriate systems in place for recording user preferences and opt-in consents?
- Have you looked at your partners and vendors to ensure that they’re managing user data according to compliance standards? Do they have documentation or records that prove they’re compliant with regulations?
With all that in mind, here’s a look at what Google is doing to ensure compliance on properties like Google Ads and Google Analytics.
Google Analytics
If you’ve ever set up a Google Analytics account, you know that integrating your website with GA involves dropping a JavaScript tag directly into your site’s backend or using Google Tag Manager.
These tags place first-party cookies in the user’s browser, which hold a randomly generated ClientID.
To keep on using Google Analytics AND remain in compliance with European data protection laws, you’ll need to do the following:
Ask for consent before dropping the Google Analytics cookie.
You’ve probably noticed that just about every website you visit these days asks for your permission to add a cookie to your browser.
You can blame the GDPR for that.
Here’s an example I found on a Temply.io blog post about cookie consent. Notice how they provide a brief explanation
Users who are fine with this can hit “continue” and move on to whatever content they came for.
And another from the Guardian. I like this example because it provides users with really clear information about where they can read more about privacy protections and how they can update their settings.
The Guardian does a nice job explaining how they use cookies and why–another requirement under GDPR law. Cookies improve the experience by allowing website owners to analyze usage and serve up personalized advertisements.
They also make it clear where users can find the site’s cookie and privacy policies and provide an “options” link that explains to readers how they can opt-out of cookies if they change their mind later.
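One way to hold back the Google Analytics tag until a visitor opts in, as an added example (not code from this article or from Google). The storage key, policy version, placeholder measurement ID and function names are assumptions.

```javascript
// Added example: consent-gated loading of an analytics tag.
// CONSENT_KEY, POLICY_VERSION, the G-XXXXXXXXXX id and all function names are
// assumptions made for this sketch.
const CONSENT_KEY = "analytics_consent";
const POLICY_VERSION = "2020-05";
const TAG_SRC = "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX";

// Read the stored decision. Missing or malformed data counts as "no decision".
function readConsent(storage) {
  try {
    const rec = JSON.parse(storage.getItem(CONSENT_KEY));
    return rec && typeof rec.granted === "boolean" ? rec : null;
  } catch (err) {
    return null;
  }
}

// Store the visitor's choice with a timestamp and the policy version they saw,
// so there is a record of what was agreed to and when.
function recordConsent(storage, granted, now = new Date()) {
  const rec = { granted, policyVersion: POLICY_VERSION, at: now.toISOString() };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Inject the tag only on an explicit opt-in for the current policy version.
// Returns true when the tag is present afterwards, false when it was withheld.
function loadAnalyticsIfAllowed(doc, storage) {
  const rec = readConsent(storage);
  if (!rec || !rec.granted || rec.policyVersion !== POLICY_VERSION) return false;
  const already = Array.from(doc.head.children).some((el) => el.src === TAG_SRC);
  if (!already) {
    const tag = doc.createElement("script");
    tag.async = true;
    tag.src = TAG_SRC;
    doc.head.appendChild(tag);
  }
  return true;
}

// Browser wiring: run on page load, and again from the banner's buttons.
if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
  loadAnalyticsIfAllowed(document, localStorage);
  // In the banner's click handlers:
  //   accept: recordConsent(localStorage, true); loadAnalyticsIfAllowed(document, localStorage);
  //   reject: recordConsent(localStorage, false);
}
```

The record kept here lives in the visitor's browser and only gates the tag; a durable record of consent would also need to be sent to and stored on your server.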
Google Ads
Google has required advertisers to include disclaimers on landing pages linked to ads targeting EU consumers for a while now, but the GDPR deadline brings some additional changes to the platform.
Google now requires publishers to obtain clear consent from users to collect personal information.
This means that you have to inform the end-user why you need their data and what you’ll be using it for, and that you’ll need to keep records of consent.
Additionally, you’ll need to provide users with a clear way to opt-out if they change their minds later on.
In instances where a user doesn’t consent to have their data collected, Google will offer the option to deliver non-personalized ads.
According to cookiechoices.org, a Google-produced site for publisher and advertiser compliance, you might use a message like the example below to obtain consent for using personal data in your advertising strategy.
Website & Mailing List Requirements
Google Ads and Analytics represent some of the channels that connect to your site and handle personal information, but what about your actual website?
Run a Data Audit for EU Personal Data
You might use something like Cookiebot to help you identify GDPR violations.
Cookiebot is a free tool that you can use to check if your website’s use of cookies and online tracking meets GDPR requirements. This tool will let you know what data your website captures and shares with third-parties. It can also be used to scan for CCPA violations.
Update Your Privacy Policy & All Forms You Use
Be sure to review your current privacy policy and make changes, if needed.
Your goal is to explain to users the legal basis for collecting and processing data, how long you retain user records, and what your rights and your users’ rights are where data is concerned.
You should also make sure that you mention whether consumer data is subject to automated decision-making and how users can opt-out of automated processes, marketing communications, and cookies.
Additionally, you’ll want to make sure that you email your existing subscribers with your updated policy and maintain a record that proves you’ve done this. Here, you’ll need to make sure you get permission from subscribers that allows you to continue marketing to them.
And finally, make sure you add a double opt-in to all forms that you use in your marketing efforts. I discuss opt-ins and the importance of active consent in a recent piece on email marketing best practices.
Ask for Cookie Consent
Again, you’ll want to add a cookie consent update to your website.
While the GDPR isn’t particularly clear on what’s a “functional” cookie or not, you’ll want to cover your bases by informing your audience about your cookie use.
It’s also worth noting that the CCPA states that the data you collect from cookies may count as personal information.
While the CA law doesn’t require websites to include an opt-in consent for cookies, it does require that they disclose what data is collected and how that data is used.
Additionally, another EU regulation on e-privacy is coming soon, plus a long list of new state laws. Long story short: play it safe and use the consent notification.
Develop (and Document) a Data Breach Response Plan
According to the GDPR website, Articles 33 and 34 explain what your responsibilities are in the event of a data breach.
An effective response plan should prepare your organization to deal with a cyberattack.
While your response plan will vary based on the size of your company and the severity of the breach, you’ll need to determine who is responsible for identifying, containing, and recovering from the attack.
You’ll also need to develop an internal communication plan and a strategy for informing customers.
Here’s an example of what might be included in your plan:
Keep in mind, if your company isn’t used to dealing with cybersecurity issues, this process may involve comprehensive and ongoing training—in which case, the challenge lies in changing the culture from the top down.
Make Compliance a Continuous Effort
According to cybersecurity expert Zoe Rose, no regulation represents a complete solution.
She says GDPR compliance serves as a starting point and that organizations need to make customer security a priority–noting that many organizations are leaning too hard on the “we’re working on it” excuse.
Instead, the focus needs to shift toward identifying the root problem and making meaningful, long-term changes.
Security considerations include a wide range of access points and applications.
Here’s a quick rundown of what you’ll need to think about as you put together a compliance plan to ensure you cover all bases.
- Software updates
- Website security
- Regular backups
- Database protection
- Plug-ins
- Access security
- Form data
Wrapping Up
Compliance is an ongoing effort that applies to your entire digital footprint.
While these changes may seem daunting, failing to comply with regulations could land you in some pretty serious trouble.
As you can see, a Notice of Removal is something of a canary in the coal mine when it comes to data protection rules like the GDPR, CCPA, and more.
While some of these recommendations–like cookie disclosure–aren’t required now, you’re better off laying a solid foundation for how to deal with new rules coming through the pipeline.
These new privacy laws represent a new era of the internet. We’ve had nearly 30 years of relative freedom–and now have this chance to learn from our mistakes.
Ultimately, these regulations, combined with Google’s ever-changing algorithms, may initially be hard on websites, but long-term, the internet may get the clean-up it deserves.