But the job isn’t done without it.
If you operate in or collect data from customers who are residents of the European Union, your business is subject to the General Data Protection Regulation (GDPR). The GDPR, passed in 2016 and enacted in 2018, strictly regulates how companies collect, use, and share personally identifiable information collected from customers online.
If your company only operates and sells to customers in the United States, data privacy law gets more complicated. Other than the Children’s Online Privacy Protection Rule (COPPA), which governs the online collection of data from minors under the age of 13, the US does not have a federal data privacy law.
Instead, states are driving the privacy conversation for people living in the US. California, always happy to set trends for the country, passed the California Online Privacy Protection Act (CalOPPA) in 2004, almost 20 years ago, requiring websites and online services to post privacy policies. Since then, other states, including Delaware and Nevada, have followed suit.
In addition to individual state statutes, it’s important to be mindful of Section 5 of the Federal Trade Commission Act. If you’re gathering user information and you use it for a purpose you didn’t disclose to the site visitor, you’d be in violation of the Act’s prohibition on deceptive marketing practices.
California was also the first state to follow the EU when it passed the GDPR-lookalike California Consumer Privacy Act (CCPA) in 2018. Since then, California has passed a second consumer privacy law that closed CCPA loopholes, and Nevada, Virginia, and Colorado have also approved comprehensive privacy legislation.
The United Nations named online privacy a fundamental human right in 2019, and at least 30 states currently have privacy bills proposed, in committee, or being studied by a task force. Legislative bodies aren’t the only groups focusing on protecting consumer privacy. Thanks to years of serious advocacy by consumer rights organizations, transparent privacy practices have also become a standard best practice for many industries.
Major companies like Apple, Google, Mozilla, Microsoft, Monday.com, Indeed, Netflix, and Fitbit have implemented privacy practices that extend beyond legal requirements for user data protection.
- The types of information you’re collecting (names, addresses, phone numbers, email addresses, geolocation, etc.)
- Your reasons for collecting this information
- How the information is being collected (cookies, logs, surveys, forms, registrations, etc.)
- Who will have access to the information (vendors, marketing teams, partners, random people you plan on selling it to, etc.)
- Who you will share the information with (this can include third parties, disclosures required by law, a sale of the company, bankruptcy, etc.)
- What type of digital identifiers or cookies may be on the site and the type of digital advertising or analytics the company engages in
- What choices and individual rights users have
- What safeguards will be used to protect data (access limitations, cybersecurity programs, etc.)
- Other items, such as whether the company honors Do Not Track or Global Privacy Control signals, and whether data is transferred internationally
- Contact methods if users have concerns
- Complete a data inventory
A data inventory is required for GDPR compliance, but even if it isn’t mandated for your business, it’s definitely a best practice.
As a bonus, mapping your data also shows where your data is vulnerable to exposure, allowing you to strengthen your security measures and reduce your risk.
- Keep it simple
- Links/instructions for opting out or opting in
Depending on which privacy laws your company is subject to, you may have to allow consumers to opt-in (the most privacy-friendly option!) or opt-out (a good option) of having their data collected, processed, shared, or sold. Most data privacy laws also give consumers the right to correct or delete certain categories of sensitive personal information from corporate databases.
We’re masters with a privacy paintbrush
Give us a call to set up your consultation today.