Privacy Policies – do you need one? And what should be in it?
- what personal information you collect
- why you collect it
- how you store it
- what you do with that personal information
- whether you sell that information to anyone
- your business name and contact information
- whether you comply when a browser is set to “Do Not Track”
Do you know what data you are collecting?
At this point, I bet I know what you’re thinking:
“I’m only vaguely aware of what data my site is collecting, and where it’s going, and how it’s stored. How on earth am I supposed to write this thing?”
Am I right? You are not alone.
Many of us are fuzzy, confused, or clueless about what and how much data our websites gather. If we’ve installed third party plugins on our sites for opt in forms, for visitor tracking, or form software for surveys or contact forms, we are probably gathering and storing more data than we realize.
How to find out what your site is doing and where the data is going.
First, make a list of what data you are collecting on your website.
Do you have a contact form? Where does the form content go? Is it retained in the database on your website? Or if you use an external service like Wufoo forms or Survey Monkey, is the contact’s data stored there? How long do you keep it? What do you do with it? Is it secure?
Do you have opt in forms for downloads or lead magnets on your site? If so, what information are you collecting exactly? Where does the person’s email address and personal information go? Where is it stored?
Do you sell things on your site, via WooCommerce, a membership plugin or service, or some other kind of e-commerce plugin or extension? What information do you retain there? Probably at least a minimum of a user’s name, billing and shipping info, order history, and payment preferences.
Do you send data to a CRM, like Hubspot, Zoho, Infusionsoft, or MailChimp? What information is stored there? What do you do with it?
Cookiebot will send you a free report of what cookies are on your website and will try to identify what they are used for.
Make yourself a list or spreadsheet of what data you collect, where it’s stored, and what you do with it. Find out what cookies your website deploys.
If reported and marked for non-compliance, a business owner must make amendments and comply with CalOPPA within thirty days or else face potential consequences. Although CalOPPA does not have an enforcement mechanism or provisions of its own, its enforcement falls under the scope of California's Unfair Competition Law. Under this law, the California AG's office can file suit.
If you have website visitors or customers from the European Union, you need to follow the GDPR (more on the GDPR below).
Tim Cook, CEO of Apple, is advocating for federal privacy laws in the U.S.:
“That’s why I and others are calling on the U.S. Congress to pass comprehensive federal privacy legislation—a landmark package of reforms that protect and empower the consumer.”
What about the California privacy law? What is it? Do you need to comply?
The California Consumer Privacy Act is a bill that was signed into law in California in 2018 and will go into effect on January 1, 2020.
The purpose of the bill is to give California citizens knowledge and control of the information that is collected and sold about them to large corporations. Its purpose is to cover three main areas:
- To give citizens the right to know what data is collected and sold about them, including the categories of data collected and the categories of companies that their data is sold to. Citizens will have the right to request what information is collected about them, twice a year, free of charge.
- To give citizens the option to say no to having their data stored and sold, without fear of reprisal from the company.
- To give the citizens the right to sue if their data is breached and the company was negligent in safeguarding their personal data.
How do you comply with the California Consumer Privacy Act?
The new law only applies to a for-profit company that does business in California and that meets at least one of the following thresholds:
- (A) has annual gross revenues in excess of $50,000,000
- (B) annually sells, alone or in combination, the personal information of 100,000 or more consumers or devices
- (C) derives 50 percent or more of its annual revenues from selling consumers’ personal information
Any person or business that intentionally violates this Act may be liable for a civil penalty of up to $7,500 for each violation.
So although many small businesses and nonprofits are not directly affected by this Act, it is worth noting that these regulations and laws are being considered across the country and are a harbinger of what is to come everywhere.
What is the GDPR, and why should you care?
GDPR is the European Union’s General Data Protection Regulation, which went into effect on May 25, 2018. You need to be compliant with the GDPR if you store the data of any European Union citizen on your website.
If a breach of customers' information occurs on a US website, or a security breach is not reported correctly, organizations could face steep financial and legal penalties. If you do nothing to comply, you are looking at potential fines of up to 4% of annual global revenue or 20 million euros ($23,714,240 U.S. dollars), whichever is greater.
The purpose of the GDPR is to give EU citizens more control over their personal data. The goal is to provide transparency in how a person’s personal data is stored and used online. For more information on the GDPR, read this article from Cookiebot.com.
As an example, you probably have cookies on your site. Common uses of cookies for small companies are:
- for Google Analytics to track visitors
- to track if a person has already opted in to your lead magnet, so you don’t keep popping up an opt in box after they’ve already signed up
- to track what’s in a shopping cart
(Don’t know what a cookie is? Read this Wikipedia article on cookies.)
If you are using cookies, and most small business people are, in order to be compliant with the GDPR, you have to refrain from using most cookies until a site visitor agrees to them. You have to provide a way for visitors to opt out of cookies.
If you have a lead magnet on your site with an opt in form that collects an email address, you can’t just add that email to your newsletter list when they sign up for your lead magnet. To be GDPR compliant, you need to have a checkbox asking them specifically to opt in for the newsletter.
The idea is to give the consumer control over when and how their personal information, including data about how they use your website, is used.
You can’t assume consent.
Do you need to have a ‘Cookies policy’ opt in on your website?
If you are trying to be compliant with the GDPR, then you need to follow their Cookie law, and ask permission before letting your website place cookies in a user’s browser. This is how cookiebot.com suggests cookie compliance with EU laws and the GDPR:
“The main things to keep in mind as a website owner, are these:
- You must reveal all cookies and trackers operating on your website to the user, in plain language, so that he or she can make an informed choice of consent or revoking of consent.
- You must withhold all cookies and trackers on your website (besides those strictly necessary for the functioning of your website), until you have received clear and explicit user consent on each type of cookie and tracker.
- The consent must be freely given, and never e.g. as a condition for using a service.
- You are responsible for users’ data on your website. It is up to you to protect it from third-party harvest. Know which third-party trackers your website might harbor, e.g. via video plugins and social media implementations.”
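As an added example (not code from the original post or from cookiebot.com), here is the consent gate the quoted list describes: every cookie and tracker is inventoried with a plain-language purpose, only the strictly necessary ones run without consent, and a browser "Do Not Track" setting keeps analytics and marketing off regardless of any stored choice. The tracker names and the consent-cookie format are assumptions made for this example.

```javascript
// Added example (not code from the original post): gate cookies/trackers behind
// consent and honour "Do Not Track". Tracker names and cookie format are assumed.
const CONSENT_COOKIE = "site_consent";
// Inventory of everything the site sets, with a plain-language purpose.
const TRACKERS = [
  { name: "session", category: "necessary", purpose: "keeps you logged in" },
  { name: "cart", category: "necessary", purpose: "remembers your shopping cart" },
  { name: "optin-seen", category: "preferences", purpose: "stops the opt-in box reappearing" },
  { name: "google-analytics", category: "analytics", purpose: "visitor statistics" },
];

// Parse a document.cookie / Cookie header string into a raw name -> value map
// (values are left URL-encoded; decoding happens where errors can be handled).
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    const name = idx < 0 ? "" : part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}
// Stored consent, or null when nothing valid is recorded (never assume consent).
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (raw === undefined) return null;
  try {
    const granted = JSON.parse(decodeURIComponent(raw)).granted;
    return Array.isArray(granted) ? { granted: granted.filter((c) => typeof c === "string") } : null;
  } catch (e) {
    return null; // malformed or non-object value: treat as never consented
  }
}

// Trackers allowed to run: "necessary" is exempt, every other category needs
// explicit consent, and with DNT on analytics/marketing stay off regardless.
function allowedTrackers(consent, doNotTrack) {
  const granted = new Set(consent ? consent.granted : []);
  return TRACKERS.filter((t) => {
    if (t.category === "necessary") return true;
    if (doNotTrack === "1" && ["analytics", "marketing"].includes(t.category)) return false;
    return granted.has(t.category);
  }).map((t) => t.name);
}

// Set-Cookie value recording the visitor's choice (one year, first-party only).
function consentCookieValue(grantedCategories) {
  const value = encodeURIComponent(JSON.stringify({ granted: grantedCategories }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=31536000; Path=/; SameSite=Lax; Secure`;
}
```

In a browser you would call `allowedTrackers(readConsent(document.cookie), navigator.doNotTrack)` and inject the analytics script only when its name appears in the result.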
You need a plan to find and remove data.
Another issue site owners need to think about, for compliance with both the GDPR and the California Privacy Act, is knowing where the data on your website users is stored, how to access it if they request it, and how to delete it if they request it.
WordPress, for instance, has incorporated tools into the CMS to allow you to export all information a website has stored on a particular user, and to delete that user’s information as well.
Although you may not have visitors to your website from the EU, you may want to consider becoming compliant with the GDPR anyway, as the GDPR provides good guidelines on data privacy and security that we all should be following in the interest of our users.
The U.S. lags way behind Europe in privacy laws, but they are coming, and many believe the GDPR is a good model to follow.
Sooner or later it’s likely the US will catch up on the federal level in the online privacy law department and pass something similar. In fact, it may be sooner according to iapp.org.
It is a good practice for all of us to consider:
- What information we collect from people who visit our websites and social media accounts
- How it is stored
- How we can delete it if requested
- How we can access it if requested by a client or site visitor
- Whether we effectively explain what we collect and why
- Whether we provide a way for a person to notify us that they want to opt out of having us store their information
But it must be done. And we should all be starting to think this through. We are expecting big companies like Facebook and Google to step up to the plate and get a better grip on our personal information and privacy.
As small business owners, let’s make sure we do the same for our customers, clients, and site users.
Do you need help with your website?
I offer help with site design, redesign, web maintenance, and digital marketing.
Get in touch and let’s find out how Sparkem Studio can help you.