No matter where in the world you are located, chances are that you see privacy policies all over the place. In the past, privacy policies were a large corporation issue. The little guys really didn't need to concern themselves with it - at least that's what we thought.
You'll notice more and more websites have links to their privacy policies and you're probably wondering - do I need a Privacy Policy?
It almost feels strange not to have one on your website. They also show up in places like contact forms, signups, notifications and even just in the footer of a website.
There are 2 reasons why we are seeing privacy policies on websites.
First, privacy laws from around the world require most websites to have a policy, and not having one can lead to privacy-related fines and, in some cases, lawsuits.
Secondly, people who shop online are becoming very concerned about sharing their information with companies. Not having a Privacy Policy will make them feel even more leery of visiting your site or giving you their information. This can cause you to lose sales.
I will break down for you the reasons why a Privacy Policy is a good practice for your business, and why so many companies have one.
What Is A Website Privacy Policy?
A Privacy Policy is a digital 'document' or declaration on a website that informs your visitors of your company’s privacy practices. This includes how the company collects information from its visitors, how that information is used, and whether and how it discloses Personally Identifiable Information (PII).
PII is any piece of information that could be used to identify an individual. PII commonly collected by websites includes:
- Name
- Email Addresses
- Phone and Cell Numbers
- IP Addresses
- Physical or Mailing Addresses
Many websites commonly collect PII with:
- Contact Forms
- Email Newsletter or lead generation sign up forms
- Account creation forms
- Purchase and Checkout forms
- Website Analytics like Google Analytics
PII is protected by many privacy laws worldwide that require some websites to have a Privacy Policy that specifies what information the site takes, and what is done with it.
Why do companies set up a Privacy Policy?
Legal Requirement
One of the main reasons that a company would set up a Privacy Policy is because it is a legal requirement to have one.
Here is a list of laws that require websites to have a Privacy Policy – and they can burden you with major fines if you don’t have any in place:
- California Online Privacy and Protection Act of 2003 (CalOPPA);
- California Consumer Privacy Act (CCPA);
- Delaware Online Privacy and Protection Act (DOPPA);
- Nevada Revised Statutes Chapter 603A;
- General Data Protection Regulation (GDPR);
- United Kingdom Data Protection Act (UK DPA 2018);
- Personal Information Protection and Electronic Documents Act (PIPEDA);
- Australia Privacy Act 1988;
- Colorado Privacy Act (effective in 2023);
- Virginia Consumer Data Protection Act (VCDPA – effective in 2023);
- Quebec Bill 64 (effective in 2023);
- Utah Consumer Privacy Act (effective in 2023); and
- Connecticut SB6 (effective in 2023).
These laws are unusual in that they protect the visitors to your website rather than your business, so they can apply to businesses that neither operate nor are located in the state or country where the laws were passed.
This means your business could be located in Winnipeg, Manitoba, Canada, but if you are reaching visitors in California, CalOPPA applies to you if you collect information from California residents.
Nevada's privacy law applies to any business that has customers in Nevada, again regardless of where your business is actually located.
When you are figuring out what privacy laws pertain to you, you should ask yourself these questions:
- Where do I do business?
- Where are my customers living?
- Who am I marketing my products or services to?
- Who am I tracking online through cookies or other various types of analytics?
If any of the privacy laws apply to your business, then you are required by law to have a Privacy Policy that discloses what information is collected, why, and what it's used for.
Most companies choose to have a Privacy Policy and follow these laws because not complying can be very expensive. Fines can be anywhere from $2,500 to 20,000,000 or more per violation, and each visitor to your website whose privacy you 'infringe' on counts as a violation. Fines can add up extremely quickly, even if your website has only a few visitors per month.
With dozens of proposed bills on privacy in the USA and countries like Canada and Australia proposing reviews and updates to their laws, the Privacy Policy requirement is only going to get more strict and won't be going away.
Some of these bills propose a private right of action, under which consumers could sue a business directly for collecting their personal information without a proper policy. It is therefore becoming extremely important to make sure that your website not only has a privacy policy, but that you have an effective and efficient way to keep that policy up to date with all the changing laws.
Consumers Prefer Companies Who Take Privacy Seriously
Another answer to the question of why businesses have a Privacy Policy is that customers expect a business to have one. This is a more recent trend: over the past few years, customers have become more worried about sharing their information online and are actively choosing to stop doing business with specific companies because of privacy concerns.
These studies show the importance of privacy to customers online:
- 7 in 10 Canadians refuse to provide PII to a company over privacy concerns – Office of the Privacy Commissioner of Canada;
- 40% of consumers are concerned about what happens to their PII when shopping online – Empathy.co;
- 93% of Americans would switch to a company that prioritizes privacy – Axios;
- 83% of US voters want Congress to focus on privacy in 2021 – Morning Consult;
- 67% of Americans say that there should be tougher penalties, such as high fines, for companies that do not protect the privacy of consumers – Consumer Reports.
This information highlights 2 important reasons why your business should have a clear, detailed Privacy Policy.
Caring about your visitors’ privacy, and showing it by having a policy in place, can give you an advantage over your competition. Now that potential customers are starting to make their buying decisions based on privacy, you can actually grow your business by demonstrating that you care about their online safety and privacy as much as they do.
It's no longer enough to just state that their information will not be sold or shared.
As consumers pressure their governments to pass privacy laws, the Privacy Policy requirement is only going to grow. Having something in place now can future-proof your business, and making sure it stays updated no matter what laws are passed is crucial.
Click here for more information on how to properly set up your Privacy Policies, and how they can be automatically updated with every new law that is brought in.
I can help to make sure you have the best policies set up for your requirements, and that you never need to research privacy laws to make sure you are always compliant.
GDPR
This acronym has been floating around for a little while now, and it brings with it a lot of confusion and worry.
The fact that you can face up to 20 million euros in fines is enough to make you faint!
I have taken some time to do some research, and I have to say that every piece of information I have found has been overwhelming and confusing, not to mention dry. The original is very, very long.
Want to cut to the chase? Click here for the information in a nutshell.
I am not a lawyer and this is not legal advice, but this is how I understand and translate the information. If you want to take a stab at reading the actual bill that was voted in during 2016, you will be reading through legalese that is 11 chapters and 99 articles long. Feel free to check it out here if you want all of the information: https://gdpr-info.eu/
For me, I don’t have the time, nor the attention span, to go through all of that – which would end up just making my eyes water and my head spin.
Here are the facts that everyone agrees on:
- If you collect or keep any personal data (even just a name) of someone in the EU, your business falls under the GDPR and you must comply with all 9 chapters of its regulations.
- There are strict guidelines on the consent required to put anyone from the EU on your email list, in your database, or in your membership or learning areas. They must give explicit consent to have their information taken and kept. Data can only be used for the purpose stated at the time of collection and must be securely deleted once it is no longer needed. If they signed up for a download, their information can only be used to send the download. From what I have seen, you cannot even follow up with them to check how they are doing with that freebie unless they have provided the appropriate consent. The only way around this is to include a box specifically giving express permission for you to email them about other information or offers. A little byline and/or a mention in the privacy policy no longer suffices.
- If you keep information on them for memberships, learning platforms, shopping carts, analytics, etc., then you need to be sure that you have that information all spelled out in your privacy policies and agreements.
- SSL Certificates are no longer a ‘good idea’; they are a must. If you handle any information from others, you must have one in place so that the information is encrypted in transit (HTTPS), even if it's just a contact form.
- A checkbox must be present on contact forms, comment boxes on your blog, and any other forms (surveys, quizzes, etc.) stating specifically that the visitor gives you permission to take and store that information. Even if the contact form itself does not keep the information, your email program does.
- Right to be forgotten. Anyone from the EU can ask to be completely removed from your system as if they had never existed in it. If you are asked to do this, you need to make sure that every instance of their personal information has been completely removed from your databases: your email lists, your memberships, your courses, etc. There seems to be some confusion among professionals about how far that goes. After all, some information is required for accounting and tax purposes and business reports. So how this will all pan out is anyone’s guess.
- Make sure all personal information is properly protected. This is a no-brainer for any business, regardless of whether you work with people in the EU. All your data should be protected, and so should your site. If your site is not updated regularly, backed up and protected from hacking, you should seriously consider fixing that.
- If data is lost or stolen or accessed without permission – the authorities MUST be notified within 72 hours along with your clients or contacts in your lists whose information was accessed.
- Right to access. This means that if they come to you requesting the information that you have on them – you have to give them EVERYTHING you have collected. If you have information on your website, or in your email list, or your accounting platform – you need to be able to give them everything you have in an easily readable format.
Additional information that I have read:
- Some people feel that compliance is not a huge deal and that it can be accomplished very easily. Others question some of the compliance requirements, and some companies that are not based in the EU are simply dropping marketing and selling to people there.
- There seems to be some confusion regarding the data management when people ask to have them completely removed and the fines involved.
- You need to be able to adequately explain why you have the information you do. If you require all the information you have because they are taking a course with you – you need to be able to explain why you need each part.
Do you need to worry about it?
Here are a few reasons you may want to look in to this further and work to change your website and data practices:
- Do you have a WordPress community site that collects personal information for each user profile?
- Do you have a shop that has customers sign up for accounts to purchase anything from your site?
- Do you have a site where you ask people to sign up for your newsletter? Or do you have a free offering that people sign up for in exchange for their email to market to?
- Do you have analytics software on your website?
- Do you have comments turned on for your blog posts or your pages on your website?
- Do you have an existing email list (or more) that may have contacts that you market to?
If you have people from the EU visiting your site or otherwise interacting with you, you will want to do something about complying.
How they will police it, I have no idea. That is a lot of companies in a lot of countries that may not be complying, but personally I wouldn't want to take the chance.
These are recommendations for getting compliant:
- Review your processes and workflow regarding any data you collect.
- Update all of your legal documents to cover every single aspect of data collection and what it’s used for. If you don't have any privacy policies in place - now is the time to do it.
- Make sure your data is portable if it’s needed.
- Install an SSL Certificate for your website.
- Check your website, themes, plugins, services and APIs to see what data they collect and store: contact form plugins, comment plugins, marketing plugins like MailChimp and AWeber, analytics, tracking, remarketing, eCommerce solutions, payment processors, community plugins (BuddyPress, LearnDash, etc.) and third-party APIs. Some sources state that even Google Fonts may need to be considered and documented.
- It is even recommended to appoint one person who is responsible for your data compliance and data protection.
- Put in place a process for notifying the correct authorities should your data ever be breached or compromised. You have a 72 hour window to give notice to the authorities and to the people whose data was compromised.
- Don't fall for the 'One-Size-Fits-All' WordPress plugins that state they will make you 100% compliant. They most likely don't know what they are talking about. Each website is different and has different requirements. No one plugin will be able to cover all areas for all websites.
- Add notices about the cookies used on your website, what they are used for, and what information is stored or used.
- Contact everyone on your lists and ask them to give express consent to receiving marketing from you.
- Hire a lawyer. A lawyer can provide you with legal advice specifically tailored to your situation, provided they are familiar with this new regulation.
What am I doing about the GDPR?
In all reality, a tighter rein on data is a very good thing. I find that, for me specifically, I will choose to implement most, if not all, of these items. However, given the small amount of business I currently do in the EU, I will not actively market or sell to people in the European Union.
With the confusion regarding the right to be forgotten, I don’t want to get caught up in loopholes while the EU figures out the fine tuning, or the lawyers finish understanding the entire document of regulations.
So, for the time being, I will be implementing items on this website to discourage signups and block my cart from purchases from Europe. It may sound a little extreme, but it is just not financially feasible for me since 99% of my clientele is in North America. I am not the only company that is doing this.
I have heard that Connect.Microsoft.com actually shut down because it was not GDPR compliant. If Microsoft can’t or won’t figure this out, how are solopreneurs and entrepreneurs supposed to get all their ducks in a row and be safe from a penalty? Later, Microsoft changed the stated reason, saying it was retired in favor of new tools.
I will update our privacy policies, and remove old contacts from my databases that I no longer need, and I will update the way I add people to my lists.
All of this havoc can be a good thing as we, as an online community, all move to a more secure environment of data protection. This may be extreme and feel a bit binding, but overall, with the breaches I have seen over the last couple of years, it was definitely due.
We don’t know when North America will follow suit, so complying to some degree and adopting some of the things listed here could be a very good thing to do.
In A Nutshell
- New regulations for dealing with the EU.
- If you collect ANY data from people in the EU you must be compliant to protect yourself and your business from up to a 20 Million Euro fine and possible jail time.
- Data means any personal data collected in an email list, membership site, online community, training portal etc.
- You can only use the data for exactly what they signed up for. If they sign up for a free download, you can only use that information for the free download. If you want to use it for your newsletter, you must add a consent checkbox they need to check to actively confirm that they consent to their information being used exactly as you state.
- If you use a contact form, you must also have a checkbox allowing the submitter to agree to have their information sent to, and possibly stored by, your business.
- Decide whether you want to do business with people in the European Union or not.
- If you choose not to – put in place measures to keep people from the EU from signing up for any of your materials or purchasing your products.
- If you choose to continue to market and/or do business with people in the EU, then get compliant to protect yourself. The WP GDPR Compliance plugin can assist you.
- Install an SSL Certificate on your site.
- Scan your site to see which elements are collecting data and what type. You can use the WP Security Audit Log plugin, or ask us to scan your site and give you a report of what programs are accessing data.
- Update all of your privacy policies and terms of use to include everything your site uses, how it is used and why.
- Make sure your data is portable. If someone asks to have all the data you have on them, you need to be able to supply it.
- Have procedures in place to delete people from your entire business should they ask to ‘be forgotten’
- Appoint someone to be your Data Protection Officer (DPO) if you deal with a lot of data.
- Delete all old data
- Set up information on cookies that are used on your site and why.
- Add checkboxes providing explicit consent for any forms on your site (survey, contact form, comment form, etc.)
- Consult an attorney
Are you already GDPR compliant? The team over at Mailjet created a handy GDPR quiz. I also recommend checking out The GDPR Checklist.
Would you like some help with getting compliant? Click the button below. I can lend a hand. I am offering a site audit to check all known areas that are needed for compliance and provide a report, checklist, and recommended changes.