Disclaimer: We are not lawyers, and what we present here is not legal advice. It is our understanding based on studying the legislation and industry content.
Heard the acronym “GDPR” recently?
Wondered what it actually meant? Websites and organizations are being held to a higher data privacy standard. The EU General Data Protection Regulation (GDPR), which went into effect on May 25th of 2018, has changed the way businesses can collect and use personal identifying information.
The misuse of personal data is not a new phenomenon, but in light of recent events, such as with Facebook and Cambridge Analytica, the need for this regulation has been further exposed to the public eye.
What do these changes do?
Increased Clarity and Transparency
One goal of these changes is to give users clearer information about what information is being collected and how it is being used. Your information cannot be sold or shared with any third parties without your knowledge and consent.
As laid out by this regulation, the user has the right to be informed about the information collected about them, access that information, and have their information completely erased. If a company collects personal identifying information about you without informing you, asking for your permission, or giving you the opportunity to opt-out, they are in violation of this new regulation.
Following the implementation of GDPR, the state of California passed the 2018 Consumer Privacy Act, which will not go into effect until January 1st, 2020. This legislation, which will more than likely serve as the foundation for other U.S. state legislation, shares many similarities with GDPR.
The main goal of the California Consumer Privacy Act is to inhibit the sharing of personal information without user consent. This legislation is more stringent than GDPR in some areas, and less in others. It gives users broader rights to access the information collected about them, but it doesn’t include certain aspects of GDPR, such as the 72-hour window to report data breaches.
GDPR applies to all companies and organizations holding personal data, while, currently, the California Consumer Privacy Act only applies to companies that meet one or more of the following criteria:
- Generate at least $25 million in annual revenue
- Possess the personal information of at least 50,000 people
- Collect more than half their revenues from the sale of personal data
Another characteristic unique to this legislation is that it provides individuals the right to sue. Companies have 30 days to comply after receiving written notification from regulators or individuals. If they do not comply in the given time, companies will be fined up to $7,500 per record. Just to compare, the fine for violating GDPR is twenty million Euros or 4% of annual global turnover.
California Consumer Privacy Act Rights
Under this legislation, California citizens have the following rights:
- Right to know all data collected by a business on you.
- Right to say NO to the sale of your information.
- Right to DELETE your data.
- Right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection.
- Mandated opt-in before sale of children’s information (under the age of 16).
- Right to know the categories of third parties with whom your data is shared.
- Right to know the categories of sources of information from whom your data was acquired.
- Right to know the business or commercial purpose of collecting your information.
- Enforcement by the Attorney General of the State of California.
- Private right of action when companies breach your data, to make sure these companies keep your information safe.
How does this affect you and your website?
GDPR applies to citizens of the EU whenever they visit your website, regardless of where they are located. While this may not directly impact your business, it can’t hurt to be prepared for potential changes to U.S. legislation following the California Consumer Privacy Act of 2018.
In general, this is all about transparency and the responsible use of personal information. If you are collecting information about people visiting your website, you need to let them know what you’re collecting and what your intent is for that information.
When people arrive on your website, you need to make them aware of your cookie use and privacy policies. When people submit information through forms on your website, you need to let them know what you’re going to be doing with that information. People must always have the option to opt-out and have their information erased upon request.
When you’re collecting information, there is also the matter of data retention. Personal information should only be retained for as long as it takes to serve its intended purpose. If you need to hold certain information longer due to the nature of your business, you must make people aware of this when they’re submitting their information.
Under GDPR, if there is a data breach, companies are required to notify the appropriate regulators within 72 hours of becoming aware of the breach.
The details of the California Consumer Privacy Act are still being worked out, but in 2020 it’s going to lay the groundwork for what happens with the regulation of data privacy across the United States. In light of recent events and a growing public concern for personal internet privacy, it’s becoming more likely that the federal government might step in with national regulations. Keep an eye on this topic to see what you might want to be doing to prepare your business to comply with these new internet data regulations.
We encourage that you seek legal advice on these matters to learn what you need to do for your own business. If you know that you need to add functionality to your website to comply, we can assist in those efforts.
Resources for more information:
California Consumer Privacy Act: