At this point, I bet I know what you’re thinking:
“I’m only vaguely aware of what data my site is collecting, and where it’s going, and how it’s stored. How on earth am I supposed to write this thing?”
Am I right? You are not alone.
Many of us are fuzzy, confused, or clueless about what data our websites gather and how much of it. If we've installed third-party plugins for opt-in forms, visitor tracking, surveys, or contact forms, we are probably gathering and storing more data than we realize.
First, make a list of what data you are collecting on your website.
Do you have a contact form? Where does the form content go? Is it retained in the database on your website? Or, if you use an external service like Wufoo or SurveyMonkey, is the contact's data stored there? How long do you keep it? What do you do with it? Is it protected in transit and at rest, and who has access to it?
Do you have opt-in forms for downloads or lead magnets on your site? If so, what information are you collecting exactly? Where does the person's email address and personal information go? Where is it stored?
Do you sell things on your site, via WooCommerce, a membership plugin or service, or some other kind of e-commerce plugin or extension? What information do you retain there? Probably at least a customer's name, billing and shipping addresses, order history, and payment preferences. Full card numbers should live with your payment processor, never in your own database; if an extension is storing them, that is the first thing to fix.
Do you send data to a CRM or email marketing service, like HubSpot, Zoho, Infusionsoft, or Mailchimp? What information is stored there? What do you do with it?
Cookiebot offers a free scan that emails you a report of the cookies found on your website and tries to identify what each one is used for.
Make yourself a list or spreadsheet of what data you collect, where it’s stored, and what you do with it. Find out what cookies your website deploys.
A site operator that is reported for non-compliance has thirty days after notification to post a conforming privacy policy and comply with CalOPPA, or else face potential consequences. Although CalOPPA contains no enforcement provisions of its own, violations are enforceable under California's Unfair Competition Law, under which the California Attorney General's office can file suit.
If you have website visitors or customers from the European Union, you need to follow the GDPR (more on the GDPR below).
Tim Cook, CEO of Apple, is advocating for federal privacy laws in the U.S.:
“That’s why I and others are calling on the U.S. Congress to pass comprehensive federal privacy legislation—a landmark package of reforms that protect and empower the consumer.”
The California Consumer Privacy Act (CCPA) was signed into law in California in 2018 and goes into effect on January 1, 2020.
The purpose of the law is to give California residents knowledge of, and control over, the personal information that businesses collect about them and sell to other companies. It covers three main areas:
The new law only applies to for-profit companies that do business in California which either:
Any person or business that intentionally violates this Act may be liable for a civil penalty of up to $7,500 for each violation.
So although many small businesses and nonprofits are not directly affected by this Act, it is worth noting that these regulations and laws are being considered across the country and are a harbinger of what is to come everywhere.
GDPR is the European Union's General Data Protection Regulation, which went into effect on May 25, 2018. You need to comply with the GDPR if your website processes the personal data of people in the European Union, for example because you offer them goods or services or track their behaviour on your site. The test is where the person is, not their citizenship, and it applies whether or not your business is located in the EU.
If an organization mishandles a customer's information, or fails to report a security breach correctly (under the GDPR a personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it), it risks steep financial and legal penalties. If you do nothing to comply, you are looking at potential fines of up to 4% of annual global revenue or 20 million euros ($23,714,240 U.S. dollars at the time of writing), whichever is greater.
The purpose of the GDPR is to give EU citizens more control over their personal data. The goal is to provide transparency in how a person’s personal data is stored and used online. For more information on the GDPR, read this article from Cookiebot.com.
As an example, you probably have cookies on your site. Common uses of cookies for small companies are:
(Don’t know what a cookie is? Read this Wikipedia article on cookies.)
If you are using cookies, and most small businesses are, then to comply with the GDPR you have to refrain from setting any non-essential cookies until the visitor has agreed to them, and you have to give visitors a way to withdraw that consent later that is as easy as giving it was.
If you have a lead magnet on your site with an opt-in form that collects an email address, you can't just add that email to your newsletter list when someone signs up for the lead magnet. To be GDPR compliant, you need a separate checkbox, unticked by default, that asks them specifically to opt in to the newsletter; a pre-ticked box does not count as consent.
The idea is to pass the power to the consumer about when and how their personal information, including how they use your website, is used.
You can’t assume consent.
If you are trying to comply with the GDPR, you also need to follow the EU's cookie rules (the ePrivacy Directive, usually called the Cookie Law) and ask permission before your website places non-essential cookies in a user's browser. This is how cookiebot.com summarizes cookie compliance with EU law and the GDPR:
“The main things to keep in mind as a website owner, are these:
- You must reveal all cookies and trackers operating on your website to the user, in plain language, so that he or she can make an informed choice of consent or revoking of consent.
- You must withhold all cookies and trackers on your website (besides those strictly necessary for the functioning of your website), until you have received clear and explicit user consent on each type of cookie and tracker.
- The consent must be freely given, and never e.g. as a condition for using a service.
- You are responsible for users’ data on your website. It is up to you to protect it from third-party harvest. Know which third-party trackers your website might harbor, e.g. via video plugins and social media implementations.”
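The points in that list, as an added example that is not from the original post or from Cookiebot: the script below keeps a table of the trackers on a site and the cookies each one sets, classifies whatever cookies are currently in the browser (unknown ones are flagged for investigation, which is the inventory step from earlier in this post), decides which trackers may load under the visitor's current consent, and lists the cookies to delete when consent is withheld or revoked. The tracker table, the cookie names and the script URLs in it are assumptions for illustration; replace them with whatever your own scan turns up.

```javascript
// Added example, not code from the original post. Consent-gated loading of
// trackers plus a cookie inventory. The tracker table below (names, cookie
// names, script URLs) is an assumption for illustration: build yours from a
// scan of your own site.
const TRACKERS = [
  // Strictly necessary cookies (PHP session, WordPress login) are never gated.
  { name: 'wordpress-session', category: 'necessary',
    cookies: ['PHPSESSID', 'wordpress_logged_in_', 'wp-settings-'], src: null },
  // Statistics: may only load after the visitor agrees to that category.
  { name: 'google-analytics', category: 'statistics',
    cookies: ['_ga', '_gid', '_gat_'], src: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE' },
  // Marketing: likewise. Cookies the pixel sets on facebook.com's own domain
  // are not visible to this page at all; only the first-party _fbp is listed.
  { name: 'facebook-pixel', category: 'marketing',
    cookies: ['_fbp'], src: 'https://connect.facebook.net/en_US/fbevents.js' },
];

// State before the banner has been answered: nothing optional is allowed,
// because consent cannot be assumed.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

// Parse a string shaped like document.cookie ("a=1; b=2") into { name: value }.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const item = part.trim();
    if (!item) continue;
    const eq = item.indexOf('=');
    jar[eq === -1 ? item : item.slice(0, eq)] = eq === -1 ? '' : item.slice(eq + 1);
  }
  return jar;
}

// Which tracker sets a given cookie. Table entries ending in '_' or '-' are
// prefixes (WordPress appends a hash of the site URL or a user id).
function ownerOf(cookieName, trackers) {
  const matches = (pattern) =>
    /[_-]$/.test(pattern) ? cookieName.startsWith(pattern) : cookieName === pattern;
  return trackers.find((t) => t.cookies.some(matches)) || null;
}

// Inventory step: classify every cookie currently in the browser. Cookies no
// tracker claims are 'unclassified' and need investigating (a video embed or
// social widget you forgot about is the usual culprit).
function inventoryCookies(cookieString, trackers) {
  return Object.keys(parseCookies(cookieString)).map((name) => {
    const owner = ownerOf(name, trackers);
    return { name, owner: owner ? owner.name : null,
             category: owner ? owner.category : 'unclassified' };
  });
}

// Trackers permitted under the current consent; necessary ones always are.
function allowedTrackers(trackers, consent) {
  return trackers.filter((t) => t.category === 'necessary' || consent[t.category] === true);
}

// Cookies that belong to trackers the visitor has not consented to: set
// before the banner was answered, or left behind after consent was revoked.
function cookiesToPurge(cookieString, trackers, consent) {
  const allowed = new Set(allowedTrackers(trackers, consent).map((t) => t.name));
  return Object.keys(parseCookies(cookieString)).filter((name) => {
    const owner = ownerOf(name, trackers);
    return owner !== null && !allowed.has(owner.name);
  });
}

// Cookie string that expires a cookie when assigned to document.cookie. The
// domain must match the one the cookie was set with (analytics scripts often
// set domain=.example.com), or the browser treats it as a different cookie.
function expireCookie(name, domain) {
  return `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/` +
         (domain ? `; domain=${domain}` : '');
}

// Browser wiring: call this from the consent banner's handlers. It is a no-op
// outside a browser so the functions above can be exercised in Node.
function applyConsent(consent, cookieDomain) {
  if (typeof document === 'undefined') return;
  for (const name of cookiesToPurge(document.cookie, TRACKERS, consent)) {
    document.cookie = expireCookie(name);
    if (cookieDomain) document.cookie = expireCookie(name, cookieDomain);
  }
  for (const t of allowedTrackers(TRACKERS, consent)) {
    if (!t.src || document.querySelector(`script[src="${t.src}"]`)) continue;
    const s = document.createElement('script');
    s.src = t.src;
    s.async = true;
    document.head.appendChild(s);
  }
}
```

Call `applyConsent(defaultConsent())` at page load and `applyConsent(choice, '.yoursite.example')` whenever the visitor answers or changes the banner. Two caveats: a script that has already loaded cannot be unloaded by revoking consent, so the simplest honest behaviour after a revocation is to purge the cookies and reload the page; and cookies set by a third party on its own domain (the classic third-party tracking cookie) are invisible to your page and cannot be deleted by it, which is exactly why the tracker must not be loaded before consent in the first place.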
Another issue site owners need to think about, both for the GDPR and for the California law, is knowing where the data on your website users is stored, how to retrieve it if a user asks for a copy, and how to delete it if they ask you to.
WordPress, for instance, has had tools built into the CMS since version 4.9.6 (Tools > Export Personal Data and Tools > Erase Personal Data) that let you export everything the site has stored about a particular user, and delete that user's information as well. Be aware that these tools only see data held in WordPress itself and in plugins that have registered with WordPress's personal data exporter and eraser hooks; anything you have sent to an email service, CRM, form builder or payment processor has to be retrieved and deleted there separately, which is where the inventory from the first step earns its keep.
Even if you have no visitors from the EU, you may want to consider becoming GDPR compliant anyway, since the GDPR provides good guidelines on data privacy and security that we should all be following in the interest of our users.
The U.S. lags way behind Europe in privacy laws, but they are coming, and many believe the GDPR is a good model to follow.
Sooner or later it’s likely the US will catch up on the federal level in the online privacy law department and pass something similar. In fact, it may be sooner according to iapp.org.
It is a good practice for all of us to consider:
But it must be done, and we should all be starting to think it through. We expect big companies like Facebook and Google to step up to the plate and get a better grip on our personal information and privacy.
As small business owners, let’s make sure we do the same for our customers, clients, and site users.
I offer help with site design, redesign, web maintenance, and digital marketing.
Get in touch and let’s find out how Sparkem Studio can help you.