There has been an avalanche of legislation in the United States and Europe regarding online privacy since the rise of the Internet. Today, publishing anything on the web requires familiarity and compliance with privacy laws to avoid the possibility of legal action or fines.
Before I continue, I need to stress that I AM NOT A LAWYER AND THIS IS NOT LEGAL ADVICE! Please consult a lawyer for legal advice for your particular situation.
This article contains some rough guidelines I found in my research on privacy compliance for small business websites. This is an extremely complex legal issue spanning many pieces of legislation on multiple continents, and I am by no means an expert! Please see the links at the end of this article for more information on online privacy.
Why Privacy Is Relevant to Your Website
You may be thinking, “my website doesn’t collect any private information, so I don’t need to worry about any of this.”
Well, if your website has Google Analytics installed on it (or any analytics service for that matter), you’ll need to worry about privacy compliance.
Any time your website collects an email address, that’s private information. So that may include comment forms, contact forms, and blog subscription forms. If you have any of these, you need to worry about privacy compliance.
California Consumer Privacy Act of 2018 (CCPA)
The CCPA is further legislation aimed at protecting user privacy online. It can apply to any site with visitors in California, no matter where your company or organization is based.
The CCPA applies to for-profit entities which meet at least one of the following conditions:
- Over $25 million in annual gross revenue
- Receives information for 100,000 or more consumers (up from 50K due to the CPRA going into effect in 2023)
- Derives 50% or more of its annual revenue from selling consumer personal information
Note that nonprofits and California state and local government entities are exempt!
Note that 100,000 annual visitors translates into 274 daily visitors, which is not that high a threshold.
For information on how to comply with CCPA, check out this Termly.io article on the CCPA.
One hallmark of the CCPA is the requirement for a “Do Not Sell My Personal Information” option if your organization sells personal information collected by the site. While you may not think you sell personal information, the law applies even if there is no monetary exchange. For example, you might get some free services from a CRM company if you use them to manage your email list. Thus you might still need to provide a way for users to opt out.
General Data Protection Regulation (GDPR)
GDPR is a privacy law created in the European Union, but it affects businesses located anywhere in the world that have users in the EU. Termly.io has a great summary of GDPR for dummies.
You may still be wondering if the GDPR applies to your organization. I’ve found somewhat conflicting information on this. Some sources say that if your site has even one visitor from the EU it does apply. But, I found this blurb on the official European Commission Website:
When the [GDPR] regulation does not apply
Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
In any case, I would think that a local-focused brochure website for Joe’s Barber Shop in Omaha, Nebraska, for example, would not be a high-priority target for European regulators.
Probably one of the most painful parts of GDPR compliance for a small business website that doesn’t collect names or email addresses is making Google Analytics compliant. Google Analytics tracks users so it is not compliant by default. To make it compliant, you need to get permission from the user before activating Google Analytics on your site. That means an annoying popup. Furthermore, a good number of folks will choose not to be tracked, so you’ll lose some valuable analytics data.
I don’t have a great solution to this. You’ll just have to make the risk analysis for your organization. How valuable is having complete analytics data and not annoying visitors with a popup vs. strict compliance with GDPR?
You’re Not Done Yet
This is where privacy trolls come in. They make a request to a site to remove their info. If they don’t get a response in the time specified by law, they may threaten legal action.
So, it’s important that your organization has policies to deal with these privacy requests on an ongoing basis.
Furthermore, new laws are always being passed. That’s why some services like Termly.io provide a subscription service with ongoing updates.
I’ve barely scratched the surface of website privacy compliance, but I hope I’ve pointed you in the right direction. Here’s where to get more info:
- Termly.io – Provides policy generators but also has a great collection of easy-to-understand articles about privacy laws.
- Termsfeed.com – Provides policy generators but also has a useful blog. I use their templates for my privacy policies.
- Cookiebot.com – Article on Google Analytics and GDPR.