Data Privacy Laws – How To NOT Get Sued

Why Is Data Privacy Important?

Privacy has become a complicated subject in recent years. For most of human history, people didn’t even question whether they had the right to privacy in their own homes. The idea that an organization might try to track people’s behavior during their personal time was so outlandish that it was the subject of dystopian novels like 1984. 

With the rise of the internet companies acquired (nay, conjured) the tools to monitor what users do on just about any website they visit. As a result, most people today expect their activities to be tracked in one way or another.

Still, government regulators in many locations consider data privacy a core right for their constituents. As a result, these regulators have implemented data privacy laws to protect that right.

So, why is data privacy so important?

1. First, people have the right to know when their data is being used, by whom, and why.
2. Second, data privacy helps protect people from falling victim to digital crime. Even companies that track data for valid reasons can still get hacked and have sensitive information stolen. Sobering thought.

Data privacy laws ensure that businesses like yours aren’t collecting too much data — especially without consent — and putting their customers at risk if there’s a data breach.

What Data Privacy Laws Impact Your Website?

There are several data privacy laws to be aware of and most depend on where you're located and where your targeted website users are located.

If you target California residents, two primary data privacy laws apply to your business: the CCPA and the CPRA, which works as an addendum to the CCPA. These are California laws that closely regulate how any company with a website that services Californians can track and use personal information.

Here’s what they mean for you.

California Consumer Privacy Act (CCPA)

The CCPA is the strictest data privacy law in the US and went into effect on January 1, 2020.

Any website that targets California residents needs to follow the CCPA’s requirements on topics like:

• Collection of personal information: The CCPA limits the collection of personal data such as names, addresses, contact details, passwords, age, income, political affiliations, geolocation data, accounts and passwords, biometrics, communications, and even browsing history. You need to get user permission to collect any of this info and give them an easy way to opt out of that collection.
• Privacy policies: You need to post a clear and easy-to-read privacy notice explaining what data you collect and how you use it.
• Cookies: You must allow users to turn off any cookies your website uses outside of basic essential cookies.

California Privacy Rights Act (CPRA)

The CPRA is an expanded and improved version of the CCPA. This law won’t actually be enforced until July 1, 2023. However, the bill states that it will retroactively apply to personal data collected as of January 1, 2022.

That means you need to start paying attention to its requirements today.

The CPRA will apply to businesses that meet any of the following criteria:

• Earn more than $25 million gross revenues annually
• Interact with the personal information of more than 100,000 California residents
• Make more than 50% of your revenue from selling or sharing private information

The law will also expand protected and sensitive information to include union membership and religious and philosophical beliefs.

You’ll need to offer users all the same information about your use of this data and give them ways to opt out of data collection or face significant penalties.

Other Data Privacy Laws

• GDPR: US companies must also comply with European Union’s GDPR if they target EU visitors.
• UK GDPR: The UK has implemented a very similar law to the GDPR. Any company with UK visitors must comply with the UK GDPR.
• Germany’s Federal Data Protection Act 2017 (BDSG): Countries within the EU can have their own strict privacy laws. Companies looking for German visitors must also comply with the BDSG.
• Virginia's Consumer Data Protection Act (CDPA): Any company targeting Virginian customers must comply with the state’s CDPA.

What’s the Risk of Not Complying?

Complying with data privacy laws on your own is a lot of work. So, what if you just didn’t?

The idea of just skipping out on all the effort of complying with data privacy laws might be tempting, but it’s not worth it. You will face serious consequences if you choose to ignore the rules and collect user data willy-nilly, including:

Class Action Lawsuits

I’ve seen a lot of weird things while building 300+ websites over the past 15 years.

One of the biggest trends I’ve seen regarding data privacy is the rise of law firms looking for people not in compliance. Local and national firms are actively scouring the web to find websites that don’t comply with the CCPA to add the site owners to class-action lawsuits!

This trend isn’t restricted to privacy disclosures either.

Law firms are also looking for sites that aren’t ADA-compliant, hoping to make their class-action lawsuits larger and earn a bigger payday. (ADA Compliance is another story and the topic of its own article.)

If your site doesn’t follow state and federal laws, you’re at risk of a lawyer sniffing you out specifically to sue you.

Major Fines

Whether or not your site is added to a class-action lawsuit, you’re still at legal risk of fines and penalties.

For example, the CCPA has strict fines for sites that don’t follow its rules — including a $2500 fine for every unintentional violation.

But what you need to realize is that a violation is a single user who used your site without receiving the appropriate privacy policy, cookie disclosure, or opt-out options. That means that if you have a thousand visitors when you’re not in compliance, you’re immediately liable for fines of $2,500,000.

Furthermore, if you’re found to purposefully violate the law, that fine triples to $7,500 per violation or $7,500,000 for a thousand users.

How Do I Handle Data Privacy Compliance?

So, it's clear that data privacy compliance is crucial for keeping your website up and running and avoiding legal action.

But how are you supposed to manage all of that? Chances are you don't have a closet full of high-powered attorneys at your disposal. Or do you?

Thankfully, you don't have to do it on your own. I have processes and partnerships in place that make it easy to keep your site compliant with the data privacy laws that matter.

My Partnership With Termly

I’ve partnered with Termly — an all-in-one compliance solution for data privacy laws — to ensure my clients are covered. They have everything I need to help sites like yours follow the law to the letter — such as privacy policy generation, cookie management solutions, and automatic compliance with the CCPA, CPRA, GDPR, and other laws.

When you work with me and PXLPOD Web Strategy to develop, host or maintain your site, we endeavor to ensure that your site makes the most of Termly’s excellent data privacy solutions. In fact, some of our Managed WordPress Hosting packages even include this service in the price!

Here's how Termly makes it easy to comply with data privacy laws:

• Fast and Easy Policy Generation: Termly's privacy policy generator is the best tool I've found for creating an accessible and thorough privacy notice. When I use Termly to make your site's privacy policy, I can customize the policy to cover your exact needs and fill any legal loopholes. There are a couple of other outfits doing what Termly is doing and I've found Termly's system and interface to be comprehensive while staying user friendly and easy to update.
• Simple Cookie Management: Termly also offers an incredible cookie consent manager program that I'll build into your site. I can customize how your visitors see the cookie consent popup to fit your site's aesthetic. The manager then handles everything about tracking individual users' cookie preferences and tracking their future choices.
• Automatic Updates: Termly keeps your privacy and cookie policies up-to-date without any agency or intervention on my part. If I tell Termly that your site uses Mailchimp and Google Analytics, for example, Termly will catch whenever Mailchimp or Google updates their privacy policies. Termly then automatically updates your policies to match those third-party policies. As a result, you don't need to retain annual legal advice to update your policies.

In combination, these benefits make it easy to keep your website out of legal trouble. Termly is an insurance policy against some of the legal industry's worst habits.

Okay that was a lot, let's wrap this up. 

Data privacy is a critical aspect of web development, and I make sure all of my customers are protected with Termly’s powerful data privacy tools. You can get started today by getting in touch to learn more about how I can make your website safer and how Termly helps me do that.

DISCLOSURE: Termly has a version of these policies that's free, but that's not the version you want or need. The Pro+ version of their product is for business owners, stays up to date in real time, is embeddable on your website, and acts as a sort of "set it and forget it" peace of mind product. The Basic version is free and is what I recommend for blogs, personal sites, and non mission-critical properties which have no specific business model to protect. Not one of my customers is on the Basic plan.

If you'd like to see the Termly system in action simply scroll down and check out those disclosure links there in my footer.

Thanks for reading!

~ Chris