Small businesses operating websites must comply with data privacy laws even if they operate across borders, as many governments regulate websites accessible to their residents.
Overview of Major Data Privacy Laws
Website operators can store information about user internet activity. In response to growing data concerns, governments have passed privacy laws. The European Union's General Data Protection Regulation (GDPR) was an early trailblazer, and many governments have followed the EU's example since it passed the GDPR in 2016, including several U.S. states.
The General Data Protection Regulation (GDPR)
The GDPR regulates how website operators store and use the data of EU residents or citizens. It applies to businesses that track those users' online behavior via cookies.
Seven Principles Required:
Lawfulness, fairness, and transparency
Purpose limitation
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
EU Citizens Have the Right to:
Know what data you collect
Access that data
Correct inaccuracies
Erase the data
Restrict processing
Transmit their data to others
Object to data collection or use
Not be subject to automated or system-based data profiling
Users also have the right to prompt notice of any data breaches.
Lawful Data Collection Bases:
The user provides unambiguous consent
Processing is necessary to complete a contract
A court order requires data collection
Processing is necessary to save someone's life
Processing is necessary to carry out official functions or public interest tasks
You have a legitimate interest in processing the data
You may have a legitimate interest if you process data in ways users would reasonably expect with a minimal privacy impact or when a compelling justification exists.
California Consumer Privacy Act (CCPA)
California became the first state to pass a data privacy law in 2018 in the form of the CCPA. California voters expanded the CCPA's protections by approving the California Privacy Rights Act (CPRA), which amended the CCPA.
The CCPA applies to for-profit businesses in California that:
Have an annual revenue of $25 million or more
Use personal information from 100,000+ California residents or households
Earn half their annual revenue by selling California residents' personal information
Personal information includes data identifying or linking to individuals or households. Sensitive personal information includes government IDs, usernames, passwords, credit card numbers, and medical information.
Californian Consumers Have the Right to:
Know what information businesses collect and how they use it
Delete personal information
Opt out of businesses selling or sharing their information
Not be discriminated against for exercising their rights
Correct inaccurate information
Restrict what a business can do with the information
Businesses May Use Personal Information For:
Certain research purposes
Ways the user reasonably expects according to business activities
Responding to security incidents, avoiding fraud, and protecting user safety
Maintaining accounts, providing customer service, and verifying information
Short-term non-personalized advertising
Verifying, maintaining, or improving product or service quality or safety
Complying with legal obligations and enforcing or defending their rights
If information is publicly available, businesses are subject to few limitations in its use.
Compliance with Data Privacy Rules
Businesses must take several affirmative steps:
Create an easily accessible privacy policy
Notify customers of the website's cookie policy
Provide users the ability to opt out of data collection
Notify consumers about data policies
Offer a way for users to request deletion or correction of data
Create a system for responding to user complaints or requests
In practice, this means writing a comprehensive, detailed privacy policy and equally detailed procedures for managing data and responding to user requests.
Privacy Policy
Your privacy policy should detail:
What you collect
Why and how you collect it
What you use it for
How users can contact you
How you update the policy
How you'll notify users about updates
The policy should be linked on your homepage and include the word "privacy".
Cookie Notice and Policy
Your website should provide a cookie notice that:
Asks for consent before activating cookies
Clearly explains the cookies you use, their purposes, and whether you share information with third parties
Allows users to accept or reject specific types of cookies
The notice should be easily accessible and not prevent users from accessing website contents.
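The consent requirements above (no non-essential cookies before the visitor chooses, and a per-category accept or reject) are easiest to get right when the decision is isolated in one small gate that every tag and cookie goes through. The following is an added example written for this article, not code from the original page or any vendor's consent product; the cookie name `site_consent`, the three categories, and the 180-day retention are assumptions chosen for illustration.

```javascript
// Added example: a minimal consent gate for a small-business website.
// Nothing outside the "necessary" category runs until a choice is recorded,
// the choice is stored per category, and "reject" is as cheap as "accept".

const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed categories
const CONSENT_COOKIE = "site_consent";                       // assumed cookie name
const CONSENT_VERSION = 1; // bump when the cookie policy text changes so old choices are re-asked

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Read the stored consent record. Returns null when the visitor has not chosen
// yet, the cookie is malformed, or it was written under an older policy version.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    return rec && rec.version === CONSENT_VERSION && rec.granted ? rec : null;
  } catch (e) {
    return null;
  }
}

// Build a consent record from the banner's choices. "necessary" is always
// granted; every other category is granted only on an explicit true.
function buildConsent(choices) {
  const rec = { version: CONSENT_VERSION, granted: {}, at: new Date().toISOString() };
  for (const c of CATEGORIES) rec.granted[c] = c === "necessary" ? true : choices[c] === true;
  return rec;
}

// Serialize the record as a Set-Cookie / document.cookie assignment string.
function serializeConsent(rec, maxAgeSeconds = 180 * 24 * 3600) {
  const value = encodeURIComponent(JSON.stringify(rec));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// The gate: may a cookie or script of this category run under this record?
// Unknown categories and a missing record both deny.
function isAllowed(category, rec) {
  if (category === "necessary") return true;
  if (!CATEGORIES.includes(category)) return false;
  return rec !== null && rec.granted[category] === true;
}

// Run the deferred loaders whose category is allowed; return which ones ran.
function applyConsent(rec, loaders) {
  const ran = [];
  for (const { category, load } of loaders) {
    if (isAllowed(category, rec)) {
      load();
      ran.push(category);
    }
  }
  return ran;
}

// Called when the visitor clicks a banner button. Returns the cookie string the
// page should assign to document.cookie and the list of loaders that started.
function onBannerChoice(choices, loaders) {
  const rec = buildConsent(choices);
  return { cookie: serializeConsent(rec), ran: applyConsent(rec, loaders) };
}

module.exports = { parseCookies, readConsent, buildConsent, serializeConsent, isAllowed, applyConsent, onBannerChoice };
```

On page load the site calls `readConsent(document.cookie)`; a `null` result means the banner must be shown and only "necessary" loaders may run, while a stored record is passed straight to `applyConsent` so returning visitors are not asked again. A "reject all" button simply calls `onBannerChoice({}, loaders)`, which records a choice (so the banner stops appearing) without enabling anything.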
Data and Request Procedures
Create internal processes and procedures for personal information storage and use.
Data Procedures Should Address:
What data do you collect?
How do you secure the data?
How do you ensure your company doesn't store data from those who've opted out?
When do you delete data?
What are your deletion procedures?
User Request Procedures Should Address:
How can users submit requests?
How do you verify user identity?
How do you verify requests to correct information?
What is your target response time?
What happens when you don't follow the specified procedure?
Policies should be created to identify and respond to any data breaches.
Consequences of Noncompliance
The GDPR authorizes penalty fines of up to $20 million. The CCPA authorizes the California government to take enforcement action against you. Various other state and national laws set their own penalties, exposing you to potentially significant fines from multiple jurisdictions.
Small Business Compliance
Even if you don't expect your website to reach EU citizens or fall under the CCPA, bear in mind that since 2016 more and more governments have adopted regulations covering how websites use data. Ensuring you comply by establishing policies and procedures, consulting a data specialist, and designating a compliance officer is essential to operating a website today.