The California Consumer Privacy Act (CCPA) and the European Union's General Data Protection Regulation (GDPR) have changed the way businesses and other organizations handle the data of customers, users and website visitors. More such laws are on the way.
Organizations that do business on the internet must determine whether the data privacy laws apply to them, what impact the rules might have on the organization, and how to comply.
We can help with all three. For starters, listen to a recording of our privacy webinar, co-presented with our compliance partner, Godfrey & Kahn, S.C.
As the webinar notes, non-compliance with evolving internet privacy laws can lead to some scary outcomes. But fear not; compliance is within reach and even has some good side effects -- if you get out in front of the rules and put the right tools and procedures in place.
You’re better off addressing compliance early and on your own terms. Keep in mind that the goals of these rules are benign: They aim to give your cherished users control over data they share with you and to guide you on how to manage that data in a way that respects the wishes of your users. The particulars vary with each law, but they all promote transparency with your visitors.
You want that, too, right? So keep calm and carry on toward compliance with CCPA, GDPR and other privacy laws.
Start by picking three pieces of the lowest-hanging fruit.
1. Update Your Privacy Policy
CCPA and GDPR require you to update your privacy policy to inform users of the rights granted to them under these laws. Work with your legal or compliance team to draft an updated privacy policy for your websites, so users know their rights and how to assert them.
Design your privacy policy with follow-through in mind; make sure that your company can meet your stated commitments. Some of these laws require you to update policy not only when the regulations go into effect, but also at set intervals going forward.
2. Manage Cookies with a Cookie Manager
A cookie is a small text file created or placed by a website. It lives on the user's computer either temporarily (a session cookie, discarded when the browser closes) or for a set period (a persistent cookie, kept until its expiry date). Cookies are a means for websites to recognize users, track their preferences and provide analytics data back to website owners.
Cookies play a big role in eCommerce. When a user adds an item to a shopping cart, that action triggers a cookie, so the site can remember the added item. Depending on how the cookie is configured, users could leave the site and later return to find the same products sitting in their carts. Cookies also figure in third-party tracking tools, such as Google Analytics.
The new rules are pushing sites to inform users of cookie usage and give users control of what cookies they want to accept.
Give them that power through an online cookie consent tool. Content management systems (CMS) offer native tools, or you can turn to a third-party vendor. Cookie consent tools block cookies from being placed on a user’s device until the user gives consent.
Make sure that any third-party tool meets the criteria set forth by your legal and compliance teams. Northwoods partners with CookiePro by OneTrust. We selected CookiePro because of its broad install base, multi-language support and easy-to-use interface for visitors, among other reasons.
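To make the cookie mechanics concrete, here is an added illustration (not code from Northwoods, CookiePro or any CMS) of what a consent tool does behind the scenes: cookies are classified by category, essential cookies (such as the shopping-cart session) are set immediately, and non-essential cookies (analytics) are held back until the visitor grants consent, then expired again if consent is withdrawn. The category names, cookie names and values are constructed for the example. Cookies are modelled as Set-Cookie strings so the logic runs outside a browser; a real site would write them to document.cookie or send them as response headers.

```javascript
// Build a Set-Cookie value. Without maxAgeSeconds the result is a session
// cookie (dropped when the browser closes); with it, a persistent cookie.
// Secure and SameSite=Lax are set on every cookie; HttpOnly is the default
// and is switched off only for cookies that client-side scripts must read.
function buildSetCookie(name, value, { maxAgeSeconds, httpOnly = true } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/", "Secure", "SameSite=Lax"];
  if (httpOnly) parts.push("HttpOnly");
  if (Number.isInteger(maxAgeSeconds) && maxAgeSeconds > 0) {
    parts.push(`Max-Age=${maxAgeSeconds}`);
  }
  return parts.join("; ");
}

// Minimal consent gate: "essential" never needs consent; every other
// category is deferred until grant() is called for it.
class ConsentGate {
  constructor() {
    this.consented = new Set(["essential"]);
    this.jar = [];      // cookies actually set: { category, name, header }
    this.deferred = []; // cookies waiting for consent, same shape
  }

  // Ask to set a cookie. Returns true if it was set now, false if deferred.
  request(category, name, value, opts) {
    const entry = { category, name, header: buildSetCookie(name, value, opts) };
    if (this.consented.has(category)) {
      this.jar.push(entry);
      return true;
    }
    this.deferred.push(entry);
    return false;
  }

  // Visitor consents to a category: release every deferred cookie in it.
  grant(category) {
    this.consented.add(category);
    const stillWaiting = [];
    for (const entry of this.deferred) {
      if (entry.category === category) this.jar.push(entry);
      else stillWaiting.push(entry);
    }
    this.deferred = stillWaiting;
  }

  // Visitor withdraws consent: return expiry headers (Max-Age=0) for every
  // cookie of that category already set, and forget them from the jar.
  revoke(category) {
    if (category === "essential") return [];
    this.consented.delete(category);
    const expiries = [];
    this.jar = this.jar.filter((entry) => {
      if (entry.category !== category) return true;
      expiries.push(buildSetCookie(entry.name, "", { maxAgeSeconds: undefined }) + "; Max-Age=0");
      return false;
    });
    return expiries;
  }

  // Headers of the cookies currently set, for inspection.
  setHeaders() {
    return this.jar.map((entry) => entry.header);
  }
}

// Walk through one visit: constructed cookie names and values.
function demo() {
  const gate = new ConsentGate();
  const cartSetNow = gate.request("essential", "cart", "sku-123");
  const analyticsSetNow = gate.request("analytics", "_ga", "GA1.2.x",
    { maxAgeSeconds: 3600, httpOnly: false });
  const beforeConsent = gate.setHeaders().length;
  gate.grant("analytics");
  const afterConsent = gate.setHeaders().length;
  const expired = gate.revoke("analytics");
  return { cartSetNow, analyticsSetNow, beforeConsent, afterConsent, expired,
           remaining: gate.setHeaders() };
}
```

The gate is deliberately small: the point is that the consent tool sits between the site and the cookie store, and the site asks the gate rather than setting cookies directly. Whether a deferred cookie is ever written depends entirely on the visitor's choice.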
3. Implement a Data Subject Request Process
Some of the most recent privacy laws grant website users additional rights. Visitors now have a method for learning what data websites hold about them and, beyond that, control over how that data is processed.
Assure your users by establishing methods for them to contact you and tell you how they want their data managed. Data Subject Access Request (DSAR) systems provide secure portals for managing user requests and creating customized workflows for your employees to follow. Having simple, easily followed procedures ensures uniform handling of users' requests.
This is not a matter of flipping a switch. Your internal teams must know where all user information is stored. These laws apply to marketing, sales, contractor and employee records, and more.
On this and every step on the path toward compliance, work with your legal or compliance team to be sure to meet the requirements of each law.
Data Mapping to the Rescue
Many businesses employ people to keep track of physical inventories and will dedicate days or weeks every year to counting items to ensure they know where everything is and what they have. The process of data mapping is like inventory tracking but for data instead of physical products.
To begin the process, select a data collection method (e.g. a web form) and follow the data submitted to all points of entry and storage in your organization. The end goal is to document where all personal information is collected, stored, secured, and accessed.
You can’t respond to a user request to delete data if you don’t know where that data lives. This process will help inform your DSAR workflows by guiding your employees to the systems that house the requested data.
Key Takeaways
- Keep in mind the common purpose of these laws: User control over their personal information.
- Manage their data as they wish and do so transparently.
- Compliance with online privacy laws is not set-it-and-forget-it. These laws have continuing requirements, and new regulations are in play in different states, countries, and regions.
- Online privacy regulation is here to stay.
Non-compliance with online privacy laws can result in some very big problems (aka, fines). Listen to a recording of our CCPA webinar to learn more, and get our tips for ensuring a successful online privacy tool implementation.