* Disclaimer – (see, already getting on with the legal stuff!) I am not a lawyer and this is not explicit legal advice. I am also only covering the necessary information for the United States.
Some examples are:
- Web Forms – Contact forms, Donation forms, Registration forms, Surveys, etc. Anywhere a user enters personally identifiable information.
- Chat boxes – Even if you allow interaction as a guest, data is still collected.
- Ecommerce – This goes without saying, and you also need a Terms and Conditions Policy – we’ll talk about that later.
- Web Application Firewalls (WAF) – WAFs collect IP information to identify potential hackers.
Chances are that you are doing some or all of the above. You put your website up so you could communicate with others, and they could communicate with you, right?
Stating what data you collect and how seems simple enough, and it usually is, until a new law is passed. Here’s the rub for many of us: we don’t do business in just one area, and our websites are accessible in multiple locations. That means we need to comply with all applicable laws wherever the website visitor may reside.
California Consumer Privacy Act (CCPA)
Internationally, the EU made some waves in the web professional community with GDPR in 2018. This was one of the first laws requiring full disclosure of data collection and use, and giving the end user the ability to delete that information from a company’s collection. This only affected websites that specifically served EU residents.
At One Dog Solutions, we didn’t worry too much about the EU privacy laws at the time, because we didn’t do any business outside of the United States. The latest domestic privacy laws are what prompted us to write this article.
Fast forward a couple of years and we have California’s privacy law, which went into effect January 1st, 2021. Much like GDPR, the CCPA gives consumers more control over the data businesses collect about them. Some of the new rights for California residents include:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
Businesses are required to disclose how they handle consumers’ personal data.
This law applies to for-profit businesses that meet any of the following:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
The CCPA isn’t the only privacy law that a website needs to comply with. I used that as an example of the most encompassing new law that has gone into effect.
The Children’s Online Privacy Protection Rule (COPPA), which was passed in 1998, is another broad privacy law covering website visitors under the age of 13. COPPA isn’t the only other law. The FTC and your local governments have a number of rules that need to be followed and will prosecute if you are out of compliance.
Many companies have stated that they are going to abide by the CCPA standard, even for non-California residents. It’s not just the government: the market, including Microsoft, is starting to speak on how it will implement these practices.
When the laws change, you will need to update your policy with your lawyer again. This is not a bad route to take if you’re a large company.
Another option is to use a service like Termageddon to keep your policy updated. They keep up to date on the appropriate laws and have a questionnaire that you complete to help generate a policy that matches with your data collection practices.
That’s my opinion and I’m sticking to it. It’s not a difficult thing to do, but it is something that needs to be done. A simple link to your policy in the footer of your website is generally enough of a CYA, but you need a policy and you need to display it.
We make auto-updating legal policies available to all of our Web Care clients. If there is a change in the law, it will be automatically reflected in your policy, so that you don’t have to do a thing.
We even have Terms & Conditions policies for e-commerce clients, but that’s a topic for another day!
If you have any questions about privacy policies or web stuff in general, send us a message. We’re always happy to help.