Chris Foley, Founder & head honcho over here at PXLPOD Web Strategy
Hi everybody. Welcome in. Let's talk LAW.
I’m old enough to remember when you could put up a website, launch your online business, and not have to worry about getting your face sued off for not following the rules. Remember those times? That was great.
Times they are a’changing and your website - and your business - could be in trouble. In simpler times, there were few or no laws to regulate what site owners could do or how they could track and use visitor information.
Those days are over. Sorry. Sad emoji.
Important fun fact:
Your website is dropping cookies all over the place all day long. Your site's also snooping on your visitors to some varying degree or another. Your site knows where your visitors are coming in from, how long they stay, how many pages they’ve viewed, what part of the world they’re coming from. Your website is even smart enough to suss out exactly who I am if I’ve come to your site with a Facebook cookie in my browser – and the Facebook script that set it will slide up to your Analytics script and make real friendly, exchanging information about where I’ve been and what I’ve been up to online over the past few months.
You're probably thinking to yourself: NO! I don’t have any of that stuff running on my website!!
Well, yeah... You do.
Your fonts package loads in from the Google Fonts API. Those social share buttons you have on your blog? Those collect a bunch of data. Your contact form grabs name, email address and timestamp. Your newsletter form is a grizzled old spy. Don’t get me started on your Analytics plugin. That’s like mononucleosis right there. All modern sites use these services and there's really no way to get around it anymore.
In short, your website is Cookie Monster. Congratulations. And like it or not, you have a legal responsibility to disclose all of the ways in which your monstrous little website is collecting user data and how you intend to use that data, which actually means disclosing how Google or Mailchimp or Facebook intends to use that data.
Violating these laws can have serious consequences, even if your violation was unintentional. That's why you have to make sure your website follows modern data privacy laws to the letter.
Thankfully, staying in compliance isn't as painful as it sounds. In this article, I'll explain why data privacy matters, which laws apply to your business, the consequences for breaking them, and how I can help you keep your website compliant with Termly.
Why Is Data Privacy Important?
Privacy has become a complicated subject in recent years. For most of human history, people didn’t even question whether they had the right to privacy in their own homes. The idea that an organization might try to track people’s behavior during their personal time was so outlandish that it was the subject of dystopian novels like 1984.
With the rise of the internet, companies acquired (nay, conjured) the tools to monitor what users do on just about any website they visit. As a result, most people today expect their activities to be tracked in one way or another.
Still, government regulators in many locations consider data privacy a core right for their constituents. As a result, these regulators have implemented data privacy laws to protect that right.
So, why is data privacy so important?
- First, people have the right to know when their data is being used, by whom, and why.
- Second, data privacy helps protect people from falling victim to digital crime. Even companies that track data for valid reasons can still get hacked and have sensitive information stolen. Sobering thought.
Data privacy laws ensure that businesses like yours aren’t collecting too much data — especially without consent — and putting their customers at risk if there’s a data breach.
What Data Privacy Laws Impact Your Website?
There are several data privacy laws to be aware of, and which ones apply to you depends mostly on where you're located and where your targeted website users are located.
If you target California residents, two primary data privacy laws apply to your business: the CCPA and the CPRA, which works as an addendum to the CCPA. These are California laws that closely regulate how any company with a website that services Californians can track and use personal information.
Here’s what they mean for you.
California Consumer Privacy Act (CCPA)
The CCPA is the strictest data privacy law in the US and went into effect on January 1, 2020.
Any website that targets California residents needs to follow the CCPA’s requirements on topics like:
- Collection of personal information: The CCPA limits the collection of personal data such as names, addresses, contact details, age, income, political affiliations, geolocation data, accounts and passwords, biometrics, communications, and even browsing history. You need to get user permission to collect any of this info and give them an easy way to opt out of that collection.
- Privacy policies: You need to post a clear and easy-to-read privacy notice explaining what data you collect and how you use it.
- Cookies: You must allow users to turn off any cookies your website uses outside of basic essential cookies.
California Privacy Rights Act (CPRA)
The CPRA is an expanded and improved version of the CCPA. This law won’t actually be enforced until July 1, 2023. However, the bill states that it will retroactively apply to personal data collected as of January 1, 2022.
That means you need to start paying attention to its requirements today.
The CPRA will apply to businesses that meet any of the following criteria:
- Earn more than $25 million in gross revenue annually
- Interact with the personal information of more than 100,000 California residents
- Make more than 50% of your revenue from selling or sharing private information
The law will also expand protected and sensitive information to include union membership and religious and philosophical beliefs.
You’ll need to offer users all the same information about your use of this data and give them ways to opt out of data collection or face significant penalties.
Other Data Privacy Laws
- GDPR: US companies must also comply with the European Union’s GDPR if they target EU visitors.
- UK GDPR: The UK has implemented a very similar law to the GDPR. Any company with UK visitors must comply with the UK GDPR.
- Germany’s Federal Data Protection Act 2017 (BDSG): Countries within the EU can have their own strict privacy laws. Companies looking for German visitors must also comply with the BDSG.
- Virginia's Consumer Data Protection Act (CDPA): Any company targeting Virginian customers must comply with the state’s CDPA.
What’s the Risk of Not Complying?
Complying with data privacy laws on your own is a lot of work. So, what if you just didn’t?
The idea of just skipping out on all the effort of complying with data privacy laws might be tempting, but it’s not worth it. You will face serious consequences if you choose to ignore the rules and collect user data willy-nilly, including:
Class Action Lawsuits
I’ve seen a lot of weird things while building 300+ websites over the past 15 years.
One of the biggest trends I’ve seen regarding data privacy is the rise of law firms looking for people not in compliance. Local and national firms are actively scouring the web to find websites that don’t comply with the CCPA to add the site owners to class-action lawsuits!
This trend isn’t restricted to privacy disclosures either.
Law firms are also looking for sites that aren’t ADA-compliant, hoping to make their class-action lawsuits larger and earn a bigger payday. (ADA Compliance is another story and the topic of its own article.)
If your site doesn’t follow state and federal laws, you’re at risk of a lawyer sniffing you out specifically to sue you.
Whether or not your site is added to a class-action lawsuit, you’re still at legal risk of fines and penalties.
For example, the CCPA has strict fines for sites that don’t follow its rules — including a $2,500 fine for every unintentional violation.
Furthermore, if you’re found to have purposefully violated the law, that fine triples to $7,500 per violation, or $7,500,000 for a thousand users.
How Do I Handle Data Privacy Compliance?
So, it's clear that data privacy compliance is crucial for keeping your website up and running and avoiding legal action.
But how are you supposed to manage all of that? Chances are you don't have a closet full of high-powered attorneys at your disposal. Or do you?
Thankfully, you don't have to do it on your own. I have processes and partnerships in place that make it easy to keep your site compliant with the data privacy laws that matter.
My Partnership With Termly
When you work with me and PXLPOD Web Strategy to develop, host or maintain your site, we endeavor to ensure that your site makes the most of Termly’s excellent data privacy solutions. In fact, some of our Managed WordPress Hosting packages even include this service in the price!
Here's how Termly makes it easy to comply with data privacy laws:
- Simple Cookie Management: Termly offers an incredible cookie consent manager that I'll build into your site. I can customize how your visitors see the cookie consent popup to fit your site's aesthetic. The manager then handles everything about storing individual users' cookie preferences and honoring their future choices.
- Automatic Updates: Termly keeps your privacy and cookie policies up-to-date without any agency or intervention on my part. If I tell Termly that your site uses Mailchimp and Google Analytics, for example, Termly will catch whenever Mailchimp or Google updates their privacy policies. Termly then automatically updates your policies to match those third-party policies. As a result, you don't need to retain annual legal advice to update your policies.
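The cookie requirement in the CCPA section above (non-essential cookies must be switchable off) and the consent manager in the first bullet both come down to one mechanism: nothing but essential scripts runs until the visitor has recorded a choice. Here is that mechanism as an added example in plain JavaScript. It is not Termly's code or API and is not from the original post; the script list, the category names, the `site_consent` cookie name and its `category:1,category:0` value format are all assumptions made for the example.

```javascript
// Added example (not Termly's code or API): gate non-essential third-party
// scripts behind a recorded consent decision, so only "essential" cookies
// get set until the visitor opts in. The category names, the cookie name
// "site_consent" and its "category:1,category:0" format are assumptions.

// Every third-party integration the site embeds, tagged with a consent
// category. Only "essential" runs before the visitor has made a choice.
// The URLs are constructed placeholders.
const SITE_SCRIPTS = [
  { name: "form-spam-protection", category: "essential", src: "https://example.invalid/essential.js" },
  { name: "analytics",            category: "analytics", src: "https://example.invalid/analytics.js" },
  { name: "social-share",         category: "marketing", src: "https://example.invalid/share.js" },
  { name: "newsletter-widget",    category: "marketing", src: "https://example.invalid/newsletter.js" },
];

// Parse the consent cookie out of a raw Cookie header / document.cookie string.
// Returns an object like { analytics: true, marketing: false }. Anything
// missing or malformed yields no consent for that category (opt-in default),
// so a damaged cookie can never switch tracking on.
function parseConsentCookie(cookieString, cookieName = "site_consent") {
  const consent = {};
  if (!cookieString) return consent;
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== cookieName) continue;
    let value;
    try {
      value = decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      return consent; // undecodable value: treat as no consent at all
    }
    for (const entry of value.split(",")) {
      const [category, flag] = entry.split(":");
      // Only a literal "1" counts as consent; "0", blanks and junk do not.
      if (category && flag !== undefined) consent[category.trim()] = flag.trim() === "1";
    }
    break;
  }
  return consent;
}

// Serialise a consent decision back into the cookie value format above
// (what the consent banner would write after the visitor clicks).
function formatConsentValue(consent) {
  return Object.keys(consent).sort().map(c => `${c}:${consent[c] ? "1" : "0"}`).join(",");
}

// Decide which scripts may run for a given consent record. Essential scripts
// always pass; every other category needs an explicit boolean true.
function scriptsAllowed(consent, scripts = SITE_SCRIPTS) {
  return scripts.filter(s => s.category === "essential" || consent[s.category] === true);
}

function scriptsBlocked(consent, scripts = SITE_SCRIPTS) {
  const allowed = new Set(scriptsAllowed(consent, scripts).map(s => s.name));
  return scripts.filter(s => !allowed.has(s.name));
}

// Browser side: inject only the allowed <script> tags and return their names.
// Outside a browser (e.g. Node) it just returns the names without injecting.
function loadAllowedScripts(consent = parseConsentCookie(typeof document !== "undefined" ? document.cookie : "")) {
  const allowed = scriptsAllowed(consent);
  if (typeof document === "undefined") return allowed.map(s => s.name);
  for (const s of allowed) {
    if (document.querySelector(`script[data-consent-name="${s.name}"]`)) continue; // already loaded
    const tag = document.createElement("script");
    tag.src = s.src;
    tag.async = true;
    tag.dataset.consentName = s.name;
    document.head.appendChild(tag);
  }
  return allowed.map(s => s.name);
}
```

In a browser you would call `loadAllowedScripts()` once in the page head and again after the consent banner has written the cookie; on a fresh visit with no cookie it loads only the essential script. The parsing and filtering functions are pure, so they can be unit-tested server side, and the parser deliberately treats anything that is not a literal `1` as "no", which is the safe failure direction for an opt-in regime.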
In combination, these benefits make it easy to keep your website out of legal trouble. Termly is an insurance policy against some of the legal industry's worst habits.
Okay, that was a lot. Let's wrap this up.
Data privacy is a critical aspect of web development, and I make sure all of my customers are protected with Termly’s powerful data privacy tools. You can get started today by getting in touch to learn more about how I can make your website safer and how Termly helps me do that.
DISCLOSURE: Termly has a version of these policies that's free, but that's not the version you want or need. The Pro+ version of their product is for business owners, stays up to date in real time, is embeddable on your website, and acts as a sort of "set it and forget it" peace-of-mind product. The Basic version is free and is what I recommend for blogs, personal sites, and non-mission-critical properties which have no specific business model to protect. Not one of my customers is on the Basic plan.
If you'd like to see the Termly system in action simply scroll down and check out those disclosure links there in my footer.
Thanks for reading!