Let’s Talk About Privacy Policies
There has been a lot of talk lately about online data protection and privacy. You may have noticed many of the online services you use asking you to read and accept new or updated privacy policies. While the main reason behind this is a change in EU law, there are reasons here at home why you may want to consider a privacy policy for your business as well.
What’s Going on in the EU
Much of this is in response to the new EU law on data protection and privacy, the General Data Protection Regulation (GDPR). The purpose of the GDPR is to provide one standardized set of rules, so that it is easier for EU residents to understand how their data is being used and to file formal complaints, even when the website or online service is located outside their own country. While the regulation protects individuals within the European Union (EU) and the European Economic Area (EEA), it matters to website owners here in the U.S., because there is no way to guarantee that a person in a European country will never use one of our websites. Every website is part of the world wide web, which means visitors can come from anywhere, and the GDPR applies to the data of EU residents wherever the site is hosted.
Google products are a good illustration of why this matters, because they can collect a surprising amount of information. Google Analytics, for example, sets a tracking cookie (a small data file the site stores in your browser) that gives your browser a persistent identifier, so repeat visits can be tied together. In addition, every request your browser makes to the site or to Google's servers automatically carries information such as the:
- Internet domain through which you access the Internet (e.g., yourServiceProvider.com if you use a commercial Internet service provider, or yourSchool.edu if you use an Internet account from your school),
- Internet Protocol address of the computer you are using,
- type of browser software and operating system you are using,
- date and time you access a site, and
- Internet address of the page you linked from to reach the site (the HTTP referrer).
For this type of data collection to be compliant with the GDPR, a website must clearly state what information is being collected, how it is used, how long it is kept, and who it is shared with.
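The data points listed above are not specific to Google Analytics: a web server records most of them on every request, with or without an analytics tag. The following is an added example, not code from the original article or from Google. It parses constructed access-log lines in the common Apache/nginx "combined" format (using documentation IP ranges), pulls out the fields the article lists, shows how the client address alone links page views into a browsing trail, and applies the kind of minimization (IP truncation, referrer query strings dropped) that a privacy policy can then honestly describe. The function and field names are this example's own. The "Internet domain through which you access the Internet" is normally derived by a reverse DNS lookup of the IP address, which this offline example does not perform.

```python
"""What a web server learns from every request, and how to store less of it.

Added example, not code from the original article. The log lines below are
constructed for illustration and use RFC 5737 / RFC 3849 documentation addresses.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample: three requests in Apache/nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.42 - - [10/Jun/2018:14:02:11 +0000] "GET /pricing HTTP/1.1" 200 5120 "https://www.example-search.test/?q=widgets" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/60.0"
203.0.113.42 - - [10/Jun/2018:14:02:19 +0000] "GET /contact HTTP/1.1" 200 2048 "https://shop.example/pricing" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/60.0"
2001:db8:85a3::8a2e:370:7334 - - [10/Jun/2018:14:03:02 +0000] "GET / HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) Safari/605.1.15"
"""

# combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the per-request data points the article lists, or None for a line
    that is not in combined format."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    parts = m.group("request").split(" ")
    path = parts[1] if len(parts) >= 2 else m.group("request")
    referrer = m.group("referrer")
    return {
        "ip": m.group("ip"),                                    # IP address of the visitor
        "timestamp": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),  # date and time
        "path": path,
        "referrer": None if referrer == "-" else referrer,      # page the visitor linked from
        "user_agent": m.group("ua"),                            # browser software and OS
    }


def parse_log(text):
    """Parse every well-formed line of a log, skipping lines that do not match."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r is not None]


def sessions_by_ip(records):
    """Group page views by client address. Even without a cookie, the IP alone
    ties a visitor's requests into a browsing trail, which is why the GDPR treats
    it as personal data."""
    trails = {}
    for r in records:
        trails.setdefault(r["ip"], []).append(r["path"])
    return trails


def anonymize_ip(ip):
    """Truncate an address before it is stored: keep /24 for IPv4 (drop the last
    octet) and /48 for IPv6 (drop the last 80 bits)."""
    addr = ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ip_network(f"{ip}/{prefix}", strict=False).network_address)


def strip_referrer_query(referrer):
    """Keep the referring site and path but drop the query string, which often
    carries search terms or other identifiers."""
    if referrer is None:
        return None
    u = urlsplit(referrer)
    return f"{u.scheme}://{u.netloc}{u.path}"


def minimized(records):
    """The same records in the reduced form a privacy policy can describe: truncated
    IP, referrer without query string, user agent and timestamp unchanged."""
    return [
        {**r, "ip": anonymize_ip(r["ip"]), "referrer": strip_referrer_query(r["referrer"])}
        for r in records
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, pages in sessions_by_ip(recs).items():
        print(f"{ip} visited {pages}")
    for r in minimized(recs):
        print(r["timestamp"].isoformat(), r["ip"], r["path"], r["referrer"], r["user_agent"])
```

Run it and compare the raw `sessions_by_ip` output with the `minimized` records: the first shows what the server already holds about a visitor, the second what is left once the address is truncated and the referrer query dropped. Whatever you decide to keep is exactly what the "what information is being collected" section of your policy has to disclose.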
“It is important to know that Google has passed this responsibility off to its users by requiring all users of Google products (like Google Analytics) to have their own Privacy Policies.”
U.S. Federal and State Regulations
Outside of these new GDPR requirements, there isn’t one specific federal law in the U.S. that explicitly requires a privacy policy for every website. However, there are enough federal and state laws that, taken together, mean you should have one. This is especially true for websites in specific industries, such as:
- Financial services (for example, under the Gramm-Leach-Bliley Act), and
- Services directed at children under the age of 13 (the Children’s Online Privacy Protection Act, COPPA).
The Federal Trade Commission (FTC) enforces these laws and also acts against companies whose privacy practices are unfair or deceptive, including companies that do not live up to what their own privacy policy promises.
California goes further. Under Section 22575 of the California Business and Professions Code (the California Online Privacy Protection Act, CalOPPA), any commercial website or online service that collects personally identifiable information from California residents must conspicuously post a privacy policy, regardless of whether the business is physically located in the state.
Personally identifiable information is any information that can be used to identify or contact a person directly (first name, last name, email address, phone number, and so on). Most often, a website collects it through contact forms and email newsletter sign-up forms.
Good Business Practice
Whether or not the law requires it, it is good business practice to have a privacy policy on your website. Letting your customers know how and why you use their information builds trust and transparency. It also helps protect your business from legal liability, provided you actually do what the policy says; a policy you do not follow is worse than none, because breaking its promises is what regulators pursue as a deceptive practice. Furthermore, a privacy policy has become the standard for websites, and many customers now expect one. In every sector of the internet there is an ever-increasing demand for transparency about information collection and security. Privacy policies are here to stay.
If you don’t have one yet, this may be the right time. You may need one because the law requires it, because Google requires it (if you have Google Analytics or another Google service active on your site), or simply because it is good business practice.
Here are a few tips for writing your policy:
- Be clear. Use language your customers can understand. Unfortunately, many companies resort to complicated legalese in an effort to keep the wording as vague and flexible as possible and so reduce legal liability.
- State plainly:
 - What information is being collected,
 - What options a customer has about how the data is collected and used,
 - How a customer can see their information and request a correction or change to it, and
 - How the data is protected.
The Better Business Bureau has a good sample policy you may want to use as a guide.
Thrive Can Help
Posted In: News