What You Need to Know About Privacy Laws and Your Website

Updated on Jul 22, 2022

There has been an avalanche of legislation in the United States and Europe regarding online privacy since the rise of the Internet. Today, publishing anything on the web requires familiarity and compliance with privacy laws to avoid the possibility of legal action or fines.

Before I continue, I need to stress that I AM NOT A LAWYER AND THIS IS NOT LEGAL ADVICE! Please consult a lawyer for legal advice for your particular situation.

This article contains some rough guidelines I found in my research on privacy compliance for small business websites. This is an extremely complex legal issue spanning many pieces of legislation on multiple continents, and I am by no means an expert! Please see the links at the end of this article for more information on online privacy.

Why Privacy Is Relevant to Your Website

You may be thinking, “my website doesn’t collect any private information, so I don’t need to worry about any of this.”

Well, if your website has Google Analytics installed on it (or any analytics service for that matter), you’ll need to worry about privacy compliance.

Any time your website collects an email address, that’s private information. So that may include comment forms, contact forms, and blog subscription forms. If you have any of these, you need to worry about privacy compliance.

Every Website Needs a Privacy Policy

Every public-facing website needs a privacy policy that explains what data you collect, what you do with it, how users can control their data, and possibly much more depending on what information your site collects, where its customers reside, and how big your company is. Termly.io has a good explanation of what needs to be in a privacy policy for a small business.

If your company is big enough to have in-house counsel or counsel on retainer, you should definitely use them for guidance on your website’s privacy policy. If your company collects sensitive information or sells personal information as part of its business model, you should also contact a lawyer.

Otherwise, you may be able to use one of the many privacy policy generators online. Two examples are Termsfeed.com and Termly.io. A link to Termsfeed's free privacy policy template is at the end of this article.

Whatever you do, do not just copy another company’s privacy policy. The privacy policy reflects your website’s particular features, as well as your company’s particular policies for handling personal information. Therefore, the privacy policy must be customized for your site and organization.

California Consumer Privacy Act of 2018 (CCPA)

The CCPA is further legislation aimed at protecting user privacy online. It can apply to any site with visitors in California, no matter where your company or organization is based.

The CCPA applies to for-profit entities which meet at least one of the following conditions:

  • Over $25 million in annual gross revenue
  • Receives information for 100,000 or more consumers (up from 50K due to the CPRA going into effect in 2023)
  • Derives 50% or more of its annual revenue from selling consumer personal information

Note that nonprofits and California state and local government entities are exempt!

Note that 100,000 annual visitors translates into 274 daily visitors, which is not that high a threshold.

For information on how to comply with CCPA, check out this Termly.io article on the CCPA.

One hallmark of the CCPA is the requirement for a “Do Not Sell My Personal Information” option if your organization sells personal information collected by the site. While you may not think you sell personal information, the law applies even if there is no monetary exchange. For example, you might get some free services from a CRM company if you use them to manage your email list. Thus you might still need to provide a way for users to opt out.

General Data Protection Regulation (GDPR)

GDPR is a privacy law created in the European Union, but it affects businesses located anywhere in the world that have users in the EU. Termly.io has a great summary of GDPR for dummies.

You may still be wondering if the GDPR applies to your organization. I’ve found somewhat conflicting information on this. Some sources say that if your site has even one visitor from the EU it does apply. But, I found this blurb on the official European Commission Website:

When the [GDPR] regulation does not apply

Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en

In any case, I would think that a local-focused brochure website for Joe’s Barber Shop in Omaha, Nebraska, for example, would not be a high-priority target for European regulators.

Many of the requirements of the GDPR are good privacy practices and can be handled in your privacy policy and your organization’s operational policies (e.g., having someone assigned to remove a person’s data upon request).

Probably one of the most painful parts of GDPR compliance for a small business website that doesn’t collect names or email addresses is making Google Analytics compliant. Google Analytics tracks users, so it is not compliant by default. To make it compliant, you need to get permission from the user before activating Google Analytics on your site. That means an annoying popup. Furthermore, a good number of folks will choose not to be tracked, so you’ll lose some valuable analytics data.

I don’t have a great solution to this. You’ll just have to do the risk analysis for your organization. How valuable is having complete analytics data and not annoying visitors with a popup vs. strict compliance with GDPR?
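One way to implement the consent gate described above, as an added example that is not part of the original post. It keeps the Google Analytics tag off the page until the visitor opts in, treats "no decision yet" the same as "denied", and stores the decision with a version number so a changed privacy policy asks again. The storage key, the version number, the measurement ID placeholder, the in-memory storage helper and the demo function are assumptions made for this example; the four gtag bootstrap lines are Google's documented snippet.

```javascript
// Added example, not code from the original post: a consent gate that keeps
// the analytics tag off the page until the visitor has explicitly opted in.
// Storage and the loader are injected so the same logic runs in a browser
// (window.localStorage plus a <script> tag) and in Node for testing.

const CONSENT_KEY = "analytics-consent"; // assumed storage key
const CONSENT_VERSION = 1;               // assumed; bump when the policy text changes

// Minimal in-memory stand-in for window.localStorage (used by the demo below).
function createMemoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

function createConsentGate({ storage, loadAnalytics, now = () => Date.now() }) {
  let loaded = false; // the tag is loaded at most once per page view

  // Returns the stored decision, or null when there is none or it is stale/corrupt.
  function readDecision() {
    let raw = null;
    try { raw = storage.getItem(CONSENT_KEY); } catch (_) { return null; } // storage may be blocked
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      if (!rec || rec.version !== CONSENT_VERSION) return null; // older policy version: ask again
      return { granted: rec.granted === true, at: rec.at };
    } catch (_) {
      return null;
    }
  }

  function writeDecision(granted) {
    storage.setItem(CONSENT_KEY, JSON.stringify({ version: CONSENT_VERSION, granted, at: now() }));
  }

  // Loads analytics only if a current, affirmative decision exists; "no decision" counts as denied.
  function init() {
    const rec = readDecision();
    if (rec && rec.granted && !loaded) {
      loaded = true;
      loadAnalytics();
    }
    return loaded;
  }

  return {
    init,
    hasDecision: () => readDecision() !== null, // the banner can be hidden when this is true
    hasConsent: () => { const r = readDecision(); return !!(r && r.granted); },
    grant: () => { writeDecision(true); return init(); },
    deny: () => { writeDecision(false); return loaded; },
    // Withdrawal clears the record; a script already on the page keeps running until reload.
    withdraw: () => { try { storage.removeItem(CONSENT_KEY); } catch (_) {} return loaded; },
    isLoaded: () => loaded,
  };
}

// Browser-only loader: appends Google's gtag.js tag and runs its documented bootstrap.
// measurementId is a placeholder such as "G-XXXXXXXXXX"; never call this before consent.
function makeGtagLoader(win, doc, measurementId) {
  return function loadAnalytics() {
    win.dataLayer = win.dataLayer || [];
    function gtag() { win.dataLayer.push(arguments); }
    gtag("js", new Date());
    gtag("config", measurementId);
    const s = doc.createElement("script");
    s.async = true;
    s.src = "https://www.googletagmanager.com/gtag/js?id=" + encodeURIComponent(measurementId);
    doc.head.appendChild(s);
  };
}

// Demo on the fake storage with a counting loader: nothing loads until grant().
function demo() {
  const storage = createMemoryStorage();
  let loads = 0;
  const gate = createConsentGate({ storage, loadAnalytics: () => { loads += 1; } });
  const beforeDecision = gate.init(); // false: no decision yet
  gate.deny();
  const afterDeny = gate.isLoaded();  // false
  gate.grant();                       // loads the tag once
  gate.grant();                       // idempotent on the same page view
  // A later page view (new gate, same storage) remembers the choice and loads again.
  const revisit = createConsentGate({ storage, loadAnalytics: () => { loads += 1; } }).init();
  return { beforeDecision, afterDeny, loads, revisit };
}
```

In a browser, run `createConsentGate({ storage: window.localStorage, loadAnalytics: makeGtagLoader(window, document, "G-XXXXXXXXXX") }).init()` on page load, show the banner only when `hasDecision()` is false, and wire its buttons to `grant()` and `deny()`. The default is deliberately "not loaded": consent has to be an affirmative act, so a closed or ignored banner must never count as permission.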

You’re Not Done Yet

Let’s say you’ve gone through the work of constructing a good privacy policy and maybe even a privacy compliance popup. You’re not done yet.

In fact, you’re never done, because privacy compliance is an ongoing thing. It’s not enough just to say that you’ll remove someone’s personal information upon request in your privacy policy. You have to actually have someone in your organization available to receive that request who can remove the info in a timely manner.

This is where privacy trolls come in. They make a request to a site to remove their info. If they don’t get a response in the time specified by law, they may threaten legal action.

So, it’s important that your organization has policies to deal with these privacy requests on an ongoing basis.

Furthermore, new laws are always being passed. That’s why some services like Termly.io provide a subscription service with ongoing updates.

More Information

I’ve barely scratched the surface of website privacy compliance, but I hope I’ve pointed you in the right direction. Here’s where to get more info:
