Website Data Privacy Laws and How They Affect You

If you do business online, then you have probably heard the term “data privacy” quite a bit. If you haven’t, then it’s time to get familiar with it. Data privacy is not a new concept by any stretch (see: The Privacy Act of 1974), but it has gained a lot of traction in recent years. The general idea of data privacy is clear to most folks. But the finer points of the various data privacy laws are what cause a fair amount of confusion, and for good reason, particularly in the United States, because there is no single data privacy law in the US. Thus far, a handful of individual states have passed data privacy laws, each with slight variations. So this post will hopefully help to demystify the current data privacy picture. More importantly, it will help you understand how data privacy laws impact you as a website owner or visitor.

The Global Aspect of Data Privacy

There is a lot to unpack on the topic of data privacy. One of the most important things for those who own and manage websites to understand is that data privacy laws are global. You must comply with the data privacy law in your own state or country if you meet its criteria. But what many don’t realize is that if your website does business in other countries that have data privacy laws in place, you must also comply with those countries’ laws. For instance, if you have an e-commerce site that is based in the US and you have a handful of customers in Europe, you will be subject to the GDPR (General Data Protection Regulation). Considering the fact that anyone in the world can access your website, data privacy is not something that anyone can afford to ignore.

A General Breakdown of Data Privacy Laws

Currently, data privacy laws are in place for Europe (GDPR), Canada (PIPEDA), Brazil (LGPD), Singapore (PDPA), China (PIPL), and India (DPDP). As noted above, there is currently no federal data privacy law in the United States. However, on April 7, 2024, the United States House Committee on Energy and Commerce released the American Privacy Rights Act. This will be a major game changer if it passes. But for now, data privacy laws only exist on the state level. Twenty states have currently passed a data privacy law, and 10 other states have introduced legislation but haven’t yet passed it.

Generally speaking, data privacy laws protect consumers and provide them with a measure of control over how websites and businesses collect, use, and share their personal information. And while there are some similarities among the various laws, each has some unique features that certainly complicate the compliance process (from a website owner’s perspective). These are some of the key areas that data privacy laws cover around the world.

Consent

Consent is something that varies quite a bit among the current privacy laws in place in the US and worldwide. Broadly, “consent” gives consumers the ability to allow or refuse the collection and usage of their personal information. From a website perspective, this tends to apply to two key areas:

Information provided by the visitor

A user might give personal information through a contact form, a purchase, or a direct email through the website. Many data privacy laws require a consent option (typically in the form of a checkbox) that informs the user which of their personal data will be collected and how it will be used.

Cookies

Privacy laws run the gamut on this one: the practice of placing cookies on a user’s browser. Almost every website places at least one cookie. Some place dozens. Some cookies are necessary for the website to function, some are used for marketing, and others are used for analytics. When a visitor comes to a site, the site automatically places cookies on the user’s browser. Most data privacy laws require websites to give users the option to control which cookies they are willing to accept. This is usually in the form of a banner that appears when a visitor comes to the site. It notifies users of the use of cookies on the site, with buttons to accept or reject cookies. Where the laws tend to differ is whether cookie placement is ‘opt-in’ or ‘opt-out’*. The GDPR, which is perhaps the most restrictive (from a website owner’s perspective), has an opt-in rule. This means that a website cannot place cookies on a user’s browser unless that user specifically indicates they want them (by opting in).

*Important Note: The implications of the opt-in vs. opt-out distinction are significant, particularly in terms of a website’s analytics. If a user does not consent to cookies (aside from those that are necessary), website analytics tools won’t be able to track their activity. Also, an opt-in rule requires explicit consent. This means that if a user does not interact with a cookie banner at all, they are not providing consent, and the site may only place non-essential cookies once the user actively agrees. So sites that have configured their cookies to be opt-in will likely see a fairly significant drop in the traffic reported by their analytics tools due to this change.
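To make the opt-in vs. opt-out difference concrete, here is an added example (not code from the original post, and not from any of the consent tools mentioned later) that models the gating logic a cookie banner has to implement. The cookie categories and tag names are assumptions for illustration; the behaviour that matters is that under an opt-in rule a visitor who never touches the banner gets nothing beyond strictly necessary cookies, while under an opt-out rule the non-essential cookies stay on until the visitor rejects them.

```javascript
// Added example (not from the original post): modelling the opt-in vs. opt-out
// consent rule so that a non-essential cookie or script is only set when the
// rule actually permits it. Category and tag names are assumptions for illustration.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// Returns the set of cookie categories the site may use right now.
//   mode:     "opt-in" (GDPR style) or "opt-out"
//   decision: null when the visitor has not touched the banner, otherwise
//             { accepted: ["analytics", ...] } or { rejected: true }
function allowedCategories(mode, decision) {
  const allowed = new Set(["necessary"]); // strictly necessary cookies need no consent
  if (decision === null) {
    // No interaction: under opt-in this is *not* consent; under opt-out the
    // non-essential categories stay on until the visitor rejects them.
    if (mode === "opt-out") CATEGORIES.forEach((c) => allowed.add(c));
    return allowed;
  }
  if (decision.rejected) return allowed;
  for (const c of decision.accepted || []) {
    if (CATEGORIES.includes(c)) allowed.add(c);
  }
  return allowed;
}

// Tags queued by the site, each labelled with the category it belongs to
// (constructed sample data).
const TAGS = [
  { name: "session-id", category: "necessary" },
  { name: "analytics-pageview", category: "analytics" },
  { name: "ad-retargeting", category: "marketing" },
];

// Returns the names of the tags that may run; everything else stays blocked.
function tagsToRun(mode, decision) {
  const allowed = allowedCategories(mode, decision);
  return TAGS.filter((t) => allowed.has(t.category)).map((t) => t.name);
}

// Builds the record a site would persist (e.g. in its own consent cookie) once
// the visitor has decided. It is time-stamped so a stale consent can be re-asked.
// Returned as an object rather than written to document.cookie so it runs outside
// a browser.
function consentRecord(decision, now = new Date()) {
  const accepted = decision.rejected
    ? []
    : (decision.accepted || []).filter((c) => CATEGORIES.includes(c));
  return { version: 1, decidedAt: now.toISOString(), accepted };
}

// Stand-alone demonstration of the four situations that matter.
console.log("opt-in, no interaction:  ", tagsToRun("opt-in", null));
console.log("opt-out, no interaction: ", tagsToRun("opt-out", null));
console.log("opt-in, analytics only:  ", tagsToRun("opt-in", { accepted: ["analytics"] }));
console.log("opt-out, rejected:       ", tagsToRun("opt-out", { rejected: true }));
console.log(consentRecord({ accepted: ["analytics"] }));
```

On a real site, the output of tagsToRun would decide which script tags get injected into the page, and the consent record would be written to the site’s own cookie and read back on every page load before any non-essential tag is fired.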

Individual Data Rights

The various laws may contain any or all of the provisions listed below. These give users/consumers control of the personal data that organizations collect about them. It is vital for any organization that collects user data for any purpose to have a system in place (such as a CRM) that effectively manages this data. If you don’t have a CRM to manage your user data, you might quickly find the requests below to be tedious and time-consuming.

  • Right to Access: Individuals can request access to the personal data held about them by an organization. From the organization’s standpoint, you must have a clear understanding of what data you are collecting about your visitors and customers. You must also have the means to retrieve that data should someone request it.
  • Right to Rectification: A visitor/consumer can request corrections to their personal data if it is inaccurate or incomplete.
  • Right to Erasure (Right to be Forgotten): Individuals can request deletion of their personal data under certain conditions.
  • Right to Restrict Processing: Individuals can request limitations on how their data is used. This one is where a good CRM is particularly useful. If you communicate with your customers/visitors in multiple ways, you will want to have a system that allows you to categorize your types of communication. So if someone opts out of marketing emails, but wants to remain notified about an order status, for example, you will need to have the ability to check or uncheck those various boxes.
  • Right to Data Portability: Individuals can request their data be transferred to another service provider in a structured, commonly used format.
  • Right to Object: Individuals can object to the processing of their personal data for specific purposes, such as direct marketing.

Data Security and Protection

If you are collecting customer data, it is crucial to have the appropriate measures in place to safeguard it. And this is no small task. Database hacking is pervasive and it seems that no organization is safe from a data breach. Such breaches are so common that Cybercrime Magazine has a daily report of the latest company to have been hacked and/or have their database records compromised. While it may be a tall order to make your database hack-proof, it is necessary to at least put in the appropriate measures to protect it.

In addition to securing your database, privacy laws also require the following:

  • Data Minimization – Organizations should attempt to minimize the data they are collecting on any individual. Data privacy aside, you should avoid asking for more data than you need. Visitors are generally uncomfortable with sharing their personal data. Keeping your data requests to a minimum usually results in higher conversion rates on forms.
  • Data Anonymization – When possible, data should be anonymized. Organizations can’t anonymize contact data. But you can anonymize data that you’re collecting for analytics information or general usage data. Google Analytics, for example, used to collect the IP address of website visitors. But it didn’t share that information with the website owners. Because of data privacy laws, Google now anonymizes the record before processing the data. It does make it more difficult to provide precise geographic information of website visitors. But the change is a good step in the direction of data privacy for website visitors.
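The IP anonymization mentioned above, as an added example that is not the post’s own code and not Google’s implementation: the client address is truncated before the analytics record is processed, keeping enough of it to place the visitor in a rough network or region while dropping the part that singles out one connection. The truncation widths (the last octet of an IPv4 address, everything after the first 48 bits of an IPv6 address) and the sample record are assumptions constructed for illustration.

```javascript
// Added example (not from the post and not Google's code): anonymize a client
// IP before it is stored or processed for analytics. The truncation widths
// (IPv4 /24, IPv6 /48) are our assumption, chosen to drop the host part.

// Expand an IPv6 address (including "::" shorthand) into eight 4-hex-digit groups.
function expandIpv6(ip) {
  const parts = ip.split("::");
  if (parts.length > 2) throw new Error("invalid IPv6 address");
  const head = parts[0] ? parts[0].split(":") : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  const bad = missing < 0 || (parts.length === 2 ? missing < 1 : missing !== 0);
  if (bad) throw new Error("invalid IPv6 address");
  return [...head, ...Array(missing).fill("0"), ...tail].map((g) => {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) throw new Error("invalid IPv6 group");
    return g.toLowerCase().padStart(4, "0");
  });
}

// Return the address with its host-identifying bits zeroed.
function anonymizeIp(ip) {
  if (ip.includes(":")) {
    const groups = expandIpv6(ip);
    // keep the first 48 bits (three groups), zero the remaining 80
    return [...groups.slice(0, 3), ...Array(5).fill("0000")].join(":");
  }
  const octets = ip.split(".");
  const valid =
    octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error("invalid IPv4 address");
  octets[3] = "0"; // drop the host part of the /24
  return octets.join(".");
}

// A constructed analytics hit, as it might arrive before processing.
const SAMPLE_RECORD = { ip: "203.0.113.77", page: "/pricing", ts: "2024-05-01T10:15:00Z" };

// Anonymize the record before it is processed or stored; the rest is untouched.
function anonymizeRecord(record) {
  return { ...record, ip: anonymizeIp(record.ip) };
}

console.log(anonymizeRecord(SAMPLE_RECORD));
console.log(anonymizeIp("2001:db8:85a3::8a2e:370:7334"));
```

Because the anonymization happens before the record is written anywhere, there is never a stored copy of the full address to lose in a breach or to return under an access request, which is the point of doing it at ingestion rather than later.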

Transparency and Accountability

Most privacy laws require clear, published documentation that states what information an organization collects from its customers and visitors, and what it does with that information.

Some laws require companies to employ a data protection officer. This person ensures that the organization remains in compliance with applicable data privacy laws. This is typically not a requirement of US laws thus far.

Finally, a company may be required to perform regular assessments of the impact of data processing activities on users’ privacy.

Data Breach Notifications

A common thread among privacy laws, both within the US and throughout the world, is a stipulation requiring that affected users/customers be notified of any data breach. An organization must have the means to both identify affected users and contact them in a timely manner.

“Do Not Sell” and Other Requirements

California’s data privacy law (initially the CCPA, then amended and extended to become the CPRA) requires businesses to provide a “Do not sell my personal information” link on their website and/or app for users to request that their personal information not be sold. The other US state privacy laws have stipulations that give users the right to opt out of the sale of personal information, but the actual method by which this option is offered is not as strictly specified as in the California law. Data privacy laws outside of the US don’t tend to feature the “do not sell” requirement.

The list above is far from comprehensive, and every state’s and country’s data privacy law has provisions unique to that specific location. So if you know that your business/website is subject to a specific law, it would really be worth your while to get familiar with all of the requirements in that specific regulation.

Complying with Data Privacy Laws

Admittedly, all of the information above can be overwhelming and may leave you with more questions than answers, because depending on where your business is located and what locations (states, countries, etc.) you do business in, you may or may not be subject to data privacy compliance rules. And then, if you do need to comply, what does that actually mean from an implementation standpoint? Fortunately, there are solutions out there that can take this responsibility off of your plate.

Rather than getting into the weeds of individual data privacy regulations and learning what is and is not required, some of our clients are taking a ‘this-or-that’ approach (‘This’ being GDPR and ‘That’ being CPRA). Let’s explain:

GDPR

The GDPR is among the strictest of the data privacy laws in the world. It provides extensive protections for consumers. This requires substantial changes for website owners. Almost everything mentioned above is included in the GDPR. If you are based in the EU or market to anyone in the EU, you must comply with the GDPR. So you will need to adjust your website to comply with GDPR regulations.

CPRA (California Privacy Rights Act)

The CPRA is generally the strictest of the current US data privacy laws. If your business is US-based, your best bet is to adhere to CPRA regulations, even if you don’t have customers in California. If you’re in compliance with the CPRA, you’ll likely be compliant with the other state laws.

Unlike the GDPR that requires everyone who markets to the EU to comply, the CPRA only applies to some businesses. This is true of all US data privacy laws. However, the requirements are not all the same. This further complicates the data privacy picture in the US.

Now you might be thinking, “So now I need to know every detail of the GDPR and CPRA?” Fortunately, you don’t. Well, not really. While there are certainly benefits to understanding the nuances of these data privacy laws yourself, there are services available that can take this obligation off your hands.

Data Privacy Compliance Resources

There are a number of services available that provide solutions for organizations that need to comply with data privacy laws.

  • One of the most established and widely used is OneTrust. They’ve been in this realm for many years and offer compliance solutions to fit every need. Every data privacy law, whether it’s in the US or anywhere else in the world, is covered by the OneTrust platform. They are a premium provider and you will pay a premium for their service. But should you choose them, you know you’re in good hands.
  • Another great option is TrustArc. Also a premium provider, TrustArc offers excellent solutions at a reasonable cost (for what they provide).
  • For smaller companies and individuals, the cost of OneTrust and TrustArc may be prohibitive. Fortunately, there are low-cost and even free solutions that may fit your needs. If your website is on WordPress, there are several great options worth checking out. Cookie Notice & Compliance for GDPR/CCPA and CookieYes are two very good choices. But there are many more out there.

These are only a few of dozens of data privacy compliance solutions. It can be somewhat daunting to find the right solution for you and we’d be happy to help you figure out what you need. Feel free to drop us a line and let us know what questions you have.
