General Data Protection Regulation (GDPR) Compliance—Privacy Matters!

What is General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)? And do I need to care about them? You do. Read on to see why.

As we all know (or at the very least suspect), whenever we sign up for something online, whether we just use an email address or whether we hand over more specific data like a phone number or home address, there’s a good chance that that information is going to get passed around to more than just the organization we just offered it up to. 

Without the proper safeguards in place, you could be liable for some level of penalty, from a simple warning all the way up to a 20 million euro fine.

I don’t like it. You don’t like it. Nobody likes it. As an American citizen, I’ve come to accept it as a matter of course these days. Whenever I need to sign up for something that requires that information, I grudgingly hand over as little of my info as I possibly have to, almost always using an email reserved just for junk mail and spam. 

Cue the General Data Protection Regulation law…

The General Data Protection Regulation law is legislation that was drafted and enacted in the European Union (enforceable as of May 25, 2018), and has been adopted in almost identical form in several other non-EU countries, including Turkey, Japan, Chile, Mauritius, South Korea, South Africa, Brazil, Argentina, and others. Even England, no longer a member of the EU, adopted the law in an identical state. 

At its most basic, the General Data Protection Regulation law is an attempt to properly provide consumer data privacy and protection from corporations and other entities. Law enforcement, national security, and personal or household activities are treated as exemptions but any other entity must comply. 

California opted to do essentially the same thing with their California Consumer Privacy Act, made effective January 1, 2020. The law attempts to ensure that consumers may:

1. Know exactly what personal data is being collected.
2. Know whether their personal data is sold or disclosed and to whom.
3. Deny the sale of personal data.
4. Access their own personal data.
5. Request a business to delete any personal information about themselves.
6. Not be discriminated against for exercising their personal data privacy rights.

What makes it so tricky and so interesting is that it actually doesn’t matter where you live. What matters is where anyone who is visiting your website lives.

Yeah but…I don’t live in the EU or California, so why should I care?

What makes it so tricky and so interesting is that it actually doesn’t matter where you live. What matters is where anyone who is visiting your website lives. That’s right. If someone in Denmark just happens to find your site, without the proper safeguards in place, you could be liable for some level of penalty, from a simple warning all the way up to a 20 million euro fine.

Now before you give up your dream of owning your own small business for fear of incurring a massive fine, know that even though the law has been in place for a couple of years, there has been little enforcement thus far, and what enforcement there is has been focused on enterprise level offenders. 

But more enforcement is coming, and we all need to work toward compliance. And that’s a very good thing! We all want our data protected and private, do we not? One part of the General Data Protection Regulation law is the ability (and the right) for an individual to make a company not only turn over all of your stored data to you, but to also delete it. And that includes not just the data that they collected from an individual, but all of that data that the company has ever shared with third parties or anyone else. How lovely would that be? 

How to stay compliant

When creating your website, there are a number of ways to make sure you are adhering to the General Data Privacy Regulation. Though this is not an exhaustive list, what follows is a good start to compliance. It’s best, of course, to run all of your efforts by a lawyer who specializes in compliance, though this should get you well on the road to success. 

Create a comprehensive privacy policy for your clients

One major tenet of the General Data Privacy Regulation act is transparency. You should not hide any of your intent with respect to the consumer’s data. It should be abundantly clear that it is possible (or more accurately, extremely likely) that their data will be used in some way other than they initially intended. 

This is often laid out in the fine print that we all so often scroll past and click yes on without really reading. Within this privacy policy you should explain how you will collect, store, use and manage their data, and it should be communicated in a clear and easy to understand way. 

Additionally, you need to comply with your website visitors’ requests to receive a copy of any of their data that is processed on your site, and this too should be written clearly into your privacy policy.

Data transfers and data storage

The servers your website is hosted on can store data in any number of different countries. It is important that you know where these are and that you are adhering to the regulations they abide by. If you do not know, you need to ask and find out from your host. 

Virtualcopia’s hosting is entirely within the US and within GDPR and CCPA compliance. 

Cookies

Cookies are identifying tags that attach themselves to your browser and browsing session every time you visit a website. The little note that pops up asking whether you want to accept or reject cookies is called a cookie banner. 

This is one more requirement of the General Data Privacy Regulation act—you need to get affirmative consent from the visitor before any cookie tracking can commence.

Cookies are not all bad. Many are considered “essential,” and are related to security, anti-fraud, and other site functionality reasons. However, there are a whole host of other cookies that can come in the case of third-party applications or site plug-ins, and again you need to give the visitors the option of accepting or declining these. 

Some countries are more hard-core than others. For example, France’s policy states that it needs to be as easy to decline all cookies as it is to accept. If a majority of your visitors are from France, you would be wise to put a “decline all” banner prominently on your site.  

Data processing

Cookie banners cover a lot of ground, but when it comes to processing data, explicit forms asking for consent are recommended. You can never be too careful when it comes to transparency and affirmative consent. If you’ll be gathering and processing data from your site visitors, make sure you are rigorous in both. 

Email marketing campaigns

This one seems somewhat obvious, but you absolutely need to get consent from visitors before involving them in email marketing. We’re all pretty used to seeing the check boxes opting into (or out of) emails, though a lot of sites have the opt-in boxes pre-checked to yes. It’s best to leave that up to the visitor to be sure the consent is voluntary. 

A good practice is to have a disclaimer next to your subscribe button, letting your visitors that by clicking the “Subscribe” button they are opting in to your email marketing. 

Ensuring GDPR compliance from third-party apps

This one can get really tricky. Knowing the ins and outs of third-party applications can take a fair amount of research, while still leaving the onus of compliance on you. Anything from scheduling apps to Google analytics to even something as simple as using Google fonts can open your site to non-compliance. 

This can be somewhat mitigated by a well-designed and thorough cookie banner, though if at all possible it’s best to utilize general data protection regulation compliant apps whenever you can.  

Ability to delete visitor’s data

Once again, GDPR states that you need to have the ability to delete visitors’ data. Virtualcopia’s site templates give you that option, but remember that third-party apps can take information that you would then be responsible for deleting. It sounds crazy, but it’s true. Which is why it is so very important to vet all third-party apps and receive explicit affirmative consent as much as possible. 

After so many years of seeing giant corporations helping themselves at the trough of capitalism, it’s heartening to see that there still can be protections put in place for society’s individuals.

Score one for the little guy

After so many years of seeing giant corporations helping themselves at the trough of capitalism, it’s heartening to see that there still can be protections put in place for society’s individuals. 

It’s easy to think of the General Data Protection Regulation law as a cumbersome and oppressive pile of red tape, making it harder for you to just run your business as a largely online service provider, but in the long run this helps us all. 

It has taken data protection and privacy regulation a long time to catch up to the speed of internet commerce, but it is finally starting to gain ground, and this is a most welcome development.