No matter where in the world you are located, chances are that you see privacy policies all over the place. In the past, privacy policies were a large corporation issue. The little guys really didn't need to concern themselves with it - at least that's what we thought.
It almost feels strange not to have one on your website. They also show up in places like contact forms, signups, notifications and even the footer of a website.
There are two reasons why we are seeing privacy policies on websites.
First, privacy laws from around the world require most websites to have one, and not having one can lead to privacy-related fines and, in some cases, lawsuits.
PII (personally identifiable information) is any piece of information that could be used to identify an individual. PII commonly collected by websites includes:
- Email Addresses
- Phone and Cell Numbers
- IP Addresses
- Physical or Mailing Addresses
Many websites commonly collect PII through:
- Contact Forms
- Email Newsletter or lead generation sign up forms
- Account creation forms
- Purchase and Checkout forms
- Website analytics like Google Analytics
Privacy laws that can require a website to post a privacy policy include:
- California Online Privacy Protection Act of 2003 (CalOPPA);
- California Consumer Privacy Act (CCPA);
- Delaware Online Privacy and Protection Act (DOPPA);
- Nevada Revised Statutes Chapter 603A;
- General Data Protection Regulation (GDPR);
- United Kingdom Data Protection Act 2018 (UK DPA 2018);
- Personal Information Protection and Electronic Documents Act (PIPEDA);
- Australia Privacy Act 1988;
- Colorado Privacy Act (effective in 2023);
- Virginia Consumer Data Protection Act (VCDPA – effective in 2023);
- Quebec Bill 64 (effective in 2023);
- Utah Consumer Privacy Act (effective in 2023); and
- Connecticut SB6 (effective in 2023).
These laws protect the visitors to your website, not your business, and they can apply to businesses that neither operate nor are located in the state or country that passed them.
This means your business could be located in Winnipeg, Manitoba, Canada, but if you collect information from visitors in California, CalOPPA applies to you.
Nevada's privacy law likewise applies to any business that has customers in Nevada, regardless of where the business is actually located.
When you are figuring out what privacy laws pertain to you, you should ask yourself these questions:
- Where do I do business?
- Where are my customers living?
- Who am I marketing my products or services to?
- Who am I tracking online through cookies or other types of analytics?
Consumers Prefer Companies Who Take Privacy Seriously
These studies show the importance of privacy to customers online:
- 7 in 10 Canadians refuse to provide PII to a company over privacy concerns – Office of the Privacy Commissioner of Canada;
- 40% of consumers are concerned about what happens to their PII when shopping online – Empathy.co;
- 93% of Americans would switch to a company that prioritizes privacy – Axios;
- 83% of US voters want Congress to focus on privacy in 2021 – Morning Consult;
- 67% of Americans say that there should be tougher penalties, such as high fines, for companies that do not protect the privacy of consumers – Consumer Reports.
Caring about your visitors' privacy, and showing it by having a policy in place, can give you an advantage over your competition. Now that potential customers are starting to make buying decisions based on privacy, you can actually grow your business by demonstrating that you care about their online safety and privacy as much as they do.
It's no longer enough to just state that their information will not be sold or shared.
Click here for more information on how to properly set up your Privacy Policies, and how they can be automatically updated with every new law that is brought in.
I can help to make sure you have the best policies set up for your requirements, and that you never need to research privacy laws to make sure you are always compliant.
The GDPR acronym has been floating around for a little while now, and it brings with it a lot of confusion and worry.
The fact that fines can reach 20 million euros, or 4% of worldwide annual turnover if that is higher, is enough to make you faint!
I have taken some time to do some research and I have to say that every piece of information I find has been overwhelming and confusing, not to mention dry. The original is very, very long.
Want to cut to the chase? Click here for the information in a Nut Shell
I am not a lawyer and this is not legal advice, but this is how I understand it and translate the information. If you want to take a stab at reading the actual bill that was voted in during 2016, then you will be reading through legalese that is 11 chapters and 99 articles long. Feel free to check it out here if you want all of the information. https://gdpr-info.eu/
For me, I don’t have the time, nor the attention span, to go through all of that – which would end up just making my eyes water and my head spin.
Here are the facts that everyone agrees on:
- If you collect or keep any personal data (even just a name) of someone in the EU, your business falls under the GDPR and you must comply with all 11 chapters of the regulation.
- If you keep information on them for memberships, learning platforms, shopping carts, analytics, etc., then you need to be sure that you have that information all spelled out in your privacy policies and agreements.
- An SSL certificate (more precisely a TLS certificate, so that your site is served over HTTPS) is no longer a 'good idea', it is a must. The regulation requires appropriate security for personal data, and encrypting it in transit is the baseline: if you receive any information from others, even through a simple contact form, the submission must travel over HTTPS.
- A checkbox, unticked by default, must be present on contact forms, blog comment boxes and any other forms (surveys, quizzes, etc.), stating specifically that the person gives you permission to collect and store that information; a pre-ticked box does not count as consent. Even if the contact form itself does not keep the information, your email program does.
- Right to be forgotten. This means that anyone from the EU can ask to be completely removed from your systems as if they had never been in them. So if you are asked to do this, you need to make sure that every instance of their personal information has been completely removed from your databases: your email lists, your memberships, your courses, etc. There is some confusion among professionals about how far that goes, since some information is required for accounting and tax purposes and business reports. The regulation itself (Article 17(3)) exempts data you must keep to comply with a legal obligation, so the practical approach is to delete everything you can and keep only the minimum the law requires, with nothing identifying beyond that. How the rest will pan out is anyone's guess.
- Make sure all personal information is properly protected. This is a no-brainer for any business, regardless of whether you are working with people in the EU. All your data should be protected, and so should your site. If your site is not updated regularly, backed up and protected from hacking, fix that first.
- If data is lost, stolen or accessed without permission, the supervisory authority must be notified within 72 hours of your becoming aware of it (unless the breach is unlikely to put anyone at risk), and the people whose information was accessed must be told without undue delay when the breach is likely to put them at high risk.
- Right of access. This means that if someone asks for the information you have on them, you have to give them EVERYTHING you have collected, and you generally have one month to respond. If you have information on your website, in your email list or in your accounting platform, you need to be able to give them all of it in an easily readable format.
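As an added example (my code, not part of the original post), here is what the right of access and the right to be forgotten look like when one person exists in several systems at once, which is the "every instance" problem the two items above describe. The three lists are constructed stand-ins for a newsletter tool, a membership database and an invoicing system; the rule that invoices are kept for tax purposes, and the seven-year period, are assumptions made for the example, not something the regulation states.

```python
"""Right of access and right to erasure across every store that holds a person.

Added example, not from the original post. The three lists below are
constructed stand-ins for real systems (newsletter tool, membership DB,
invoicing/accounting). RETAIN_FOR_LAW marks stores whose records you must
keep for a legal obligation; there the example pseudonymises instead of
deleting, so the accounting record survives but nothing identifying remains.
"""
import json
from datetime import date

# --- constructed sample data (not real people) -------------------------------
NEWSLETTER = [
    {"email": "Ana@Example.org", "name": "Ana Ruiz", "consent": "2023-02-01"},
    {"email": "bo@example.net", "name": "Bo Lind", "consent": "2023-03-09"},
]
MEMBERS = [
    {"id": 7, "email": "ana@example.org", "name": "Ana Ruiz", "course": "SEO-101"},
]
INVOICES = [
    {"no": "INV-0042", "email": "ana@example.org", "name": "Ana Ruiz",
     "address": "1 Main St", "amount": 49.00, "date": "2023-04-02"},
]
STORES = {"newsletter": NEWSLETTER, "members": MEMBERS, "invoices": INVOICES}

# Assumption for the example: accounting records must be kept for 7 years.
RETAIN_FOR_LAW = {"invoices": "accounting/tax records, 7 years (assumed)"}
IDENTIFYING_FIELDS = ("email", "name", "address")


def _matches(rec, email):
    # Email addresses are case-insensitive in practice; match accordingly so
    # "Ana@Example.org" and "ana@example.org" are treated as the same person.
    return rec.get("email", "").lower() == email.lower()


def subject_access_export(email):
    """Everything held about `email`, in a portable, machine-readable form."""
    export = {"subject": email.lower(), "generated": date.today().isoformat(), "records": {}}
    for store, rows in STORES.items():
        hits = [dict(r) for r in rows if _matches(r, email)]
        if hits:
            export["records"][store] = hits
    return export


def erase_subject(email):
    """Delete every record for `email`, pseudonymising where law requires retention."""
    report = {"subject": email.lower(), "deleted": {}, "retained": {}}
    for store, rows in STORES.items():
        hits = [r for r in rows if _matches(r, email)]
        if not hits:
            continue
        if store in RETAIN_FOR_LAW:
            # Keep the record (invoice number, amount, date) but strip identity.
            for r in hits:
                for field in IDENTIFYING_FIELDS:
                    r.pop(field, None)
                r["erased"] = True
            report["retained"][store] = {"count": len(hits), "reason": RETAIN_FOR_LAW[store]}
        else:
            rows[:] = [r for r in rows if not _matches(r, email)]  # in-place delete
            report["deleted"][store] = len(hits)
    return report


def remaining_identifiers(email):
    """Post-erasure check: any store still holding this email is a bug."""
    return {s for s, rows in STORES.items() if any(_matches(r, email) for r in rows)}


if __name__ == "__main__":
    print(json.dumps(subject_access_export("ana@example.org"), indent=2))
    print(json.dumps(erase_subject("ana@example.org"), indent=2))
    print("still present in:", remaining_identifiers("ana@example.org"))
```

The erasure report is the record you keep to show the request was honoured, and `remaining_identifiers` is the check to run afterwards: with real systems it is the step that catches the forgotten export, backup list or spreadsheet.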
Additional information that I have read:
- Some people feel that compliance is not a huge deal and can be accomplished easily. Others question parts of the regulation, and some companies not based in the EU are simply dropping marketing and sales to people there.
- There is still confusion about how to handle data when people ask to be completely removed, and about the fines involved.
- You need to be able to adequately explain why you have the information you do. If you hold the information because someone is taking a course with you, you need to be able to explain why you need each part of it.
Do you need to worry about it?
Here are a few reasons you may want to look in to this further and work to change your website and data practices:
- Do you have a WordPress community site that collects personal information for each user profile?
- Do you have a shop that has customers sign up for accounts to purchase anything from your site?
- Do you have a site where you ask people to sign up for your newsletter? Or do you have a free offering that people sign up for in exchange for their email to market to?
- Do you have analytics software on your website?
- Do you have comments turned on for your blog posts or your pages on your website?
- Do you have an existing email list (or more) that may have contacts that you market to?
If people from the EU visit your site and interact with it, or with you, you will want to do something about complying.
How they will police it, I have no idea. That is a lot of companies in a lot of countries that may not be complying, but personally I wouldn't want to take the chance.
These are recommendations for getting compliant:
- Review your processes and workflow regarding any data you collect.
- Update all of your legal documents to cover every single aspect of data collection and what it’s used for. If you don't have any privacy policies in place - now is the time to do it.
- Make sure your data is portable: you must be able to hand a person their data in a structured, commonly used, machine-readable format if they ask for it.
- Serve your website over HTTPS (install a TLS/SSL certificate and redirect plain HTTP to it).
- Check your website, themes, plugins, services and APIs and see what data they collect and store: contact form plugins, comment plugins, marketing plugins like Mailchimp and AWeber, analytics, tracking, remarketing, eCommerce solutions, payment processors, community plugins (BuddyPress, LearnDash, etc.) and third-party APIs. Even Google Fonts may need to be considered and documented, because loading fonts from Google's servers sends each visitor's IP address to Google.
- Appoint one person who is responsible for your data compliance and data protection; the regulation calls this role the Data Protection Officer and makes it mandatory for some organisations.
- Put in place a process for notifying the correct authorities should your data ever be breached or compromised. You have a 72-hour window to notify the supervisory authority, and the people whose data was compromised must be told without undue delay if they are likely to be at high risk.
- Don't fall for the 'One-Size-Fits-All' WordPress plugins that state they will make you 100% compliant. They most likely don't know what they are talking about. Each website is different and has different requirements. No one plugin will be able to cover all areas for all websites.
- Add in disclaimers regarding cookies and what they are used for on your website and what information is stored or used.
- Contact everyone on your lists and have them expressly consent to receiving marketing from you.
- Hire a lawyer. A lawyer can provide you with legal advice specifically tailored to your situation, provided they are familiar with the regulation.
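An added example (my code, not from the original post or from any plugin it mentions) of the kind of scan the "check your website, themes, plugins, services and APIs" item above calls for: it parses a page's HTML and lists every host, other than your own, that a visitor's browser will contact, because each of those hosts receives at least the visitor's IP address and browser details, and any form that posts off-site hands over what the visitor typed as well. The HTML below is a constructed sample; run the function on a saved copy of each of your own pages.

```python
"""List the third-party hosts a page makes a visitor's browser contact.

Added example (not from the original post). Parses saved HTML offline, so
it finds what is in the markup; scripts that load further resources at run
time need a browser-side check on top of this.
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attributes whose value makes the browser fetch (or post to) a URL
FETCH_ATTRS = {
    "script": ("src",),
    "link": ("href",),            # stylesheets, fonts, preconnect, icons
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "iframe": ("src",),           # embedded videos, maps, ads
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "form": ("action",),          # where submitted form data is sent
}


class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.own_host = urlsplit(page_url).hostname
        self.findings = defaultdict(set)  # host -> {(tag, url)}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value:
                self._record(tag, value)

    def _record(self, tag, value):
        # srcset holds "url descriptor, url descriptor"; other attributes hold one URL
        for candidate in value.split(","):
            parts = candidate.split()
            url = parts[0] if parts else ""
            if not url or url.startswith(("data:", "#", "javascript:", "mailto:")):
                continue  # inline data or non-network targets
            host = urlsplit(urljoin(self.page_url, url)).hostname  # resolves "//host/..." too
            if host and host != self.own_host:
                self.findings[host].add((tag, url))


def audit_third_parties(html, page_url):
    """Return {host: sorted [(tag, url), ...]} for every host other than page_url's own."""
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return {host: sorted(refs) for host, refs in parser.findings.items()}


def forms_posting_offsite(findings):
    """Hosts that receive form submissions directly: these get the visitor's typed data."""
    return sorted(h for h, refs in findings.items() if any(t == "form" for t, _ in refs))


# Constructed sample page: self-hosted stylesheet and script, Google Fonts,
# Google Analytics, an image CDN, and a newsletter form posting to a mail provider.
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans">
<link rel="stylesheet" href="/wp-content/themes/site/style.css">
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script src="/wp-includes/js/jquery.js"></script>
</head><body>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="">
<img src="//cdn.example-images.net/hero.jpg" srcset="//cdn.example-images.net/hero@2x.jpg 2x" alt="">
<form action="https://example.us1.list-manage.com/subscribe/post" method="post">
  <input type="email" name="EMAIL"></form>
<form action="/contact" method="post"><input name="msg"></form>
</body></html>"""

if __name__ == "__main__":
    found = audit_third_parties(SAMPLE_HTML, "https://www.example.com/")
    for host in sorted(found):
        print(host)
        for tag, url in found[host]:
            print(f"  <{tag}> {url}")
    print("form data sent to:", forms_posting_offsite(found))
```

Every host the scan prints either goes into the privacy policy (with what it receives and why) or gets self-hosted or removed; the off-site form hosts are the ones to check first, since they hold the personal data your visitors typed.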
What am I doing about the GDPR?
In all reality, a tighter rein on data is a very good thing. I find for me specifically that I will choose to implement most, if not all, of these items. However, given the small amount of business I currently do in the EU, I will not actively market or sell to people in the European Union.
With the confusion regarding the right to be forgotten, I don’t want to get caught up in loopholes while the EU figures out the fine tuning, or the lawyers finish understanding the entire document of regulations.
So I will be implementing items on this website to discourage signups and block my cart from purchases from Europe, for the time being. May sound a little extreme, but it is just not financially feasible for me since 99% of my clientele is in North America. I am not the only company that is doing this.
I have heard that Connect.Microsoft.com actually shut down because it was not GDPR compliant. If Microsoft can't or won't figure this out, how are solopreneurs and entrepreneurs supposed to get all their ducks in a row and be safe from a penalty? Later Microsoft changed the reason, saying it was retired in favor of new tools.
I will update our privacy policies, and remove old contacts from my databases that I no longer need, and I will update the way I add people to my lists.
All of this havoc can be a good thing as we, as an online community, move to a more secure environment for data protection. This may feel extreme and a bit binding, but with the breaches I have seen over the last couple of years, it was definitely due.
We don't know when North America will follow suit, so complying to some degree and adopting some of the things listed here could be a very good thing to do.
In A Nut Shell
- The GDPR is a new EU regulation covering the personal data of people in the EU.
- If you collect ANY data from people in the EU you must be compliant, to protect yourself and your business from fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher (member states can add their own penalties on top).
- Data means any personal data collected in an email list, membership site, online community, training portal etc.
- You can only use the data for exactly what they signed up for. If they sign up for a free download, you can only use that information for the free download. If you want to use it for your newsletter you must add a separate, unticked consent checkbox so they actively confirm that they consent to having their information used exactly as you state.
- If you use a contact form, you must also have a checkbox allowing the submitter to agree to have their information sent to, and possibly stored by, your business.
- Decide if you want to do business with people in the European Union or not.
- If you choose not to, put in place measures to keep people from the EU from signing up for any of your materials or purchasing your products.
- If you choose to continue to market and/or do business with people in the EU, then get compliant to protect yourself. The WP GDPR Compliance plugin can assist you.
- Serve your site over HTTPS (install a TLS/SSL certificate).
- Scan your site to see which elements are collecting data, and what type. You can use the WP Security Audit Log plugin, or ask us to scan your site and give you a report of what programs are accessing your visitors' data.
- Make sure your data is portable. If someone asks to have all the data you have on them, you need to be able to supply it.
- Have procedures in place to delete people from your entire business should they ask to ‘be forgotten’
- Appoint someone to be your Data Protection Officer (DPO) if you deal with a lot of data.
- Delete old data you no longer need.
- Set up information on cookies that are used on your site and why.
- Add checkboxes providing explicit consent for any forms on your site (survey, contact form, comment form, etc.)
- Consult an attorney
Are you already GDPR compliant? The team over at Mailjet created a handy GDPR quiz. I also recommend checking out The GDPR Checklist.
Would you like some help with getting compliant? Click the button below. I can lend a hand. I am offering a site audit to check all known areas that are needed for compliance and provide a report, checklist, and recommended changes.