In today's world, you hear a lot about privacy and security. With breaches happening all the time at some of the largest institutions, personal information is worth its weight in gold. Websites collect a lot of personally identifiable information, or PII: IP addresses, form submissions such as name and email, or a birthday can all count as personal information. Because so much of this sensitive information is collected as a matter of course, governments have taken notice and implemented regulations to protect the privacy of consumers and internet users. Two of the most prominent are the General Data Protection Regulation (GDPR), adopted by the European Union and enforced since May 2018, and the California Consumer Privacy Act (CCPA), in effect in California since January 1, 2020. So what are these regulations, and why am I recommending that they be on your website development checklist? Let's get to know them first.
The start of a movement
Information privacy law isn't exactly new, but global efforts to protect users' privacy have received much more attention in the last five years or so. The GDPR was put in place to give consumers control over how their personal data is collected and used. Specifically,
Controllers and processors of personal data must put in place appropriate technical and organizational measures to implement the data protection principles. -General Data Protection Regulation
A new initiative
As of January 1, 2020, California has its own privacy law in effect. Modeled closely on the GDPR, the CCPA aims to protect California consumers wherever they do business. Here's what you need to know about the CCPA:
- It applies to for-profit businesses that collect California consumers' personal information (and to entities that control or are controlled by such a business and share its branding) and that meet any of the following criteria:
- Annual gross revenue of at least $25 million
- Buying, receiving, selling or sharing the personal information of 50,000 or more California consumers, households or devices per year
- Deriving 50 percent or more of annual revenue from selling California consumers' personal information
- California residents can demand that companies disclose what personal information they have collected about them, ask companies to delete that data, and opt out of having it sold to third parties.
- The law also reaches out-of-state businesses that sell to Californians or that collect personal information, including IP addresses and analytics data, from California residents visiting their websites. Having a website that is viewable from California does not by itself trigger the law; meeting one of the thresholds above while doing business with California residents does, and that covers a lot of online businesses.
How do you get compliant?
WordPress users have become accustomed to having everything at their fingertips in the form of a plugin. Fortunately, there are various plugins that help with the privacy requirements for WordPress sites, such as consent banners, privacy policy pages and data export or erasure requests. A few of the most popular are:
If you're hosting and managing your own website, you'll be responsible for meeting all of the requirements yourself: implementing the necessary functionality (disclosure, deletion and opt-out requests) and being able to demonstrate acceptable handling of PII. For a complete list of GDPR requirements, you can work through a GDPR compliance checklist. CCPA is a little different because its implementing regulations are still being finalized and revised. That makes it extra important to maintain a working knowledge of this regulation and stay up to speed on new changes and developments. For the current state of the CCPA and its regulations, you can reference the California Attorney General's website.
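If you are building that functionality yourself, the three consumer requests (disclose, delete, opt out of sale) are a small, well-defined piece of code, and the security-relevant details are easy to get wrong: the request must be verified as coming from the account holder, the deletion must reach every store, and the opt-out flag and an audit trail must survive the deletion so you can prove the request was honored. The following is an added example written for this post, not code from the original article or from any plugin; the in-memory "tables", the sample records, the HMAC verification-token scheme and the hard-coded placeholder secret are all assumptions for illustration.

```python
"""Minimal handler for the three CCPA/GDPR consumer requests a self-hosted
site must honour: disclose (right to know), delete, and opt out of sale.

Added example, not code from the original post. The store layout, the
verification-token scheme and the sample records are assumptions."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Placeholder secret for deriving verification tokens (assumption: in a real
# deployment this is loaded from configuration, never committed to code).
VERIFY_SECRET = b"replace-with-a-real-secret-from-config"

# Constructed sample data: two "tables" keyed by consumer e-mail address.
PROFILES = {
    "ana@example.com": {"name": "Ana", "birthday": "1990-04-02", "ip": "203.0.113.7"},
    "bob@example.com": {"name": "Bob", "birthday": "1985-11-30", "ip": "198.51.100.9"},
}
ORDERS = {
    "ana@example.com": [{"id": 1001, "total": 42.50}],
    "bob@example.com": [],
}
# Opt-out flags and the audit log are keyed by a pseudonym, not the raw e-mail,
# so they can be kept after the profile itself has been deleted.
DO_NOT_SELL = set()
AUDIT_LOG = []


def pseudonym(email: str) -> str:
    """Stable, non-reversible identifier used wherever raw PII is not needed."""
    return hashlib.sha256(email.lower().encode()).hexdigest()[:16]


def issue_token(email: str) -> str:
    """Token sent to the consumer's e-mail so only the account holder can
    trigger a request; an HMAC cannot be forged without VERIFY_SECRET."""
    return hmac.new(VERIFY_SECRET, email.lower().encode(), "sha256").hexdigest()


def _verify(email: str, token: str) -> None:
    # Constant-time comparison: do not leak the token through timing.
    if not hmac.compare_digest(issue_token(email), token):
        raise PermissionError("verification token does not match")


def _audit(action: str, email: str) -> None:
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "subject": pseudonym(email), "action": action})


def disclose(email: str, token: str) -> str:
    """Right to know: return everything held about the consumer as JSON."""
    _verify(email, token)
    _audit("disclose", email)
    return json.dumps({"profile": PROFILES.get(email),
                       "orders": ORDERS.get(email, []),
                       "do_not_sell": pseudonym(email) in DO_NOT_SELL},
                      sort_keys=True)


def opt_out_of_sale(email: str, token: str) -> bool:
    """Right to opt out: flag the consumer so downstream sharing is blocked."""
    _verify(email, token)
    DO_NOT_SELL.add(pseudonym(email))
    _audit("opt_out", email)
    return True


def delete(email: str, token: str) -> int:
    """Right to delete: purge personal data from every store. Only the
    pseudonymous audit entry and opt-out flag remain. Returns records removed."""
    _verify(email, token)
    removed = 0
    if PROFILES.pop(email, None) is not None:
        removed += 1
    removed += len(ORDERS.pop(email, []))
    _audit("delete", email)
    return removed


def may_share(email: str) -> bool:
    """Gate every third-party transfer on the opt-out flag, even post-deletion."""
    return pseudonym(email) not in DO_NOT_SELL


if __name__ == "__main__":
    t = issue_token("ana@example.com")
    print(disclose("ana@example.com", t))
    opt_out_of_sale("ana@example.com", t)
    print("may share:", may_share("ana@example.com"))
    print("removed:", delete("ana@example.com", t))
    print(AUDIT_LOG)
```

The point of keying the opt-out set and audit log by a hash rather than the e-mail is that a later deletion request does not force you to choose between honoring the deletion and being able to prove, or keep honoring, the earlier opt-out. In a real site the two dictionaries would be every database, cache, backup and analytics export that holds the consumer's data; the deletion routine is only correct if it enumerates all of them.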
Penalties for your organization
So what happens if you're found to be in violation of either regulation? That depends on many factors. Were you intentionally violating or circumventing the regulation? Were you aware of harm being caused to individuals doing business with your organization? Penalties under GDPR range from formal warnings and reprimands up to fines of 20 million euros or 4 percent of worldwide annual turnover, whichever is higher. Supervisory authorities can also impose temporary or permanent bans on processing and suspend data transfers to third countries. This particularly impacts data-driven companies that earn a share of their revenue from selling user data.
Under the CCPA, the financial penalties are lower: civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, and a company is usually not liable if it cures the violation within 30 days of being notified. Consumers also have a private right of action, but only for a data breach that results from a company's failure to maintain reasonable security practices; other violations are enforced by the Attorney General. (GDPR gives data subjects a broader right to claim compensation for any damage caused by a violation.) Courts can additionally grant injunctive relief that restricts how a company collects and processes data, which could cause major problems for anyone in retail or running a membership or subscription model.
What the future holds
One thing is for sure: privacy is going to be more of a hot topic in the months and years to come than it ever has been before. We can expect additional states to implement similar regulations, and there is potential for sweeping regulation at the federal level. Given how much more focus privacy will have moving forward, it's best to establish a solid foundation of proper business practice now to build on.
If you're about to embark on a new website project and privacy regulations are a concern for you, let us help.