Why Data Privacy Just Got Serious for American Websites

By Bekkah Anderson, Art Unlimited.

California rolled out their own data privacy rules on June 28, 2018 via the California Consumer Privacy Act. Here is what you need to know.

We have seen pretty much every app developer or corporate business send us an email saying they have recently updated their privacy policy. We’ve even seen those new annoying pop-ups telling us they have cookies, but now, consumer data rules are hitting your business.

As a business owner, is data privacy something to think about?

Two months ago, many people were saying, “Naw, just change your settings to block other countries from viewing your website.” But since California rolled out their own data privacy rules on June 28th, 2018 via the California Consumer Privacy Act, this isn’t something to sneeze at. As we start to see more initiatives to protect Americans’ privacy, big data should respond accordingly.

What do I have that could be considered private information?

You might not think you have any “big data,” but if you have a list of past customers, newsletter subscribers, a mailing list, online payment options, or use Google Analytics, you technically have possession of data that has privacy rights. Some privacy rights have always been out there, but most businesses had to make the ethical choice to use the information at their discretion because enforcing compliance on every business was obnoxiously hard for anyone to do.

Caveat: Unless one of two things happened to you that got people worked up:

1. You had a ton of people you were contacting without permission that all decided to complain together and make a class action lawsuit against you.
2. You got hacked and all of your customer data was stolen

Most of the rules for the new data protection, honestly, just made good marketing sense. Such as, if you send a previous customer 27 emails in one day, you’re going to get marked as spam and email providers will block you. This also has probably happened to you if you tried to include 60 people in the same email and you accidentally locked down your email account.

What can I do to ensure I’m compliant with the 2018 California Consumer Privacy Act?

Step :1 Ensure you have an updated privacy policy that clearly lays out how you use the data such as (but not limited to):

• If you do remarketing with this data
• If you keep their data to contact them later with promotional content
• If you sell their purchase habits to a 3rd party provider
• If you record their device location
• If you track their last click to leave your website
• If they like your page on Facebook
• If you share their contact information with any of your affiliates in order to target users better
• If you collect their information to use for marketing purposes via sweepstakes, trade shows, or drawings (or any other paper form)

The list could just keep going. Anything that collects information about your users on your website should be listed in your privacy policy or anyone who has access to this information should be listed. If you do it, name it in your privacy policy. You should probably get this reviewed by your legal adviser as well to make sure it has everything.

Step 2: Clearly provide an opportunity for customers to “opt-out” of how you are using the data

Website users now have the right to request that you stop collecting their data, and you need to make sure this option is provided loud and proud.

Tip: be careful with how your program your pop-up though, especially on mobile. If all your users can see is a pop up that blocks your homepage navigation on mobile, it could affect your ranking because of a poor user experience.

Step 3: Have a process for actually following through on the users that request to be removed from your data uses.

This is where my heart hurts for business owners because this is rarely enforced well. If you say you’re going to stop talking to them after they ask you to, ACTUALLY DO IT. In the past, I just marked you as spam, but now (if I was a California resident) I could just report you to the Attorney General’s office or go after you with a personal lawyer. Have a process the thoroughly removes their information from your system and documents when the user requested to be removed.

Step 4: Don’t target people under the age of 16 unless they have specifically given you permission to or their parents have agreed to consent (if under the age of 13).

Bottom line: You have to disclose how it’s used, who has access to it, and how users can choose to not be a part of the data.

Having a data control officer who knows where the information is, where it’s going, and how it can be removed is good to have for your business. The more you know, the safer you can make your business for your customers.

What happens now if I accidentally do something I shouldn’t with customer data?

Under the new California laws, you could have to pay a civil penalty of $7,500 per incident AND pay for the cleanup/recovery of any person that had actual damages affect them OR pay out $750 a person for the violation to their privacy (whichever is a larger payout).

How long do I have before I need to make these changes?

The California Consumer Privacy Act unleashes its fangs of consequences for non-compliant business owners in 2020. You have some time to start planning your implementation strategy. Don’t get nervous but have a clear plan of action steps to get you to where you need to be. It’s also important to keep an eye on the changes that might happen to the data rules in the months ahead. If the laws get extended to other states, there might be some new changes that make things more detailed as to certain industry or specific platform compliance.

I don’t do business in California: Do I still need to change my privacy policies?

For the present, yes and no, if you want to block your website from being searchable by any of your customers within California you could just avoid this all together….But it’s going to limit your reach, hurt your ranking ability, and if some of your customers have a beach home in California, you might be losing some of your client base because they can’t find you.

More Data Privacy Rules Are Inevitable

No matter how much money Amazon and AT&T pump into lobbyists, the passing of new laws usually has a domino effect in American legislature. If it works out nicely for California, you can expect it to either start rolling out in your state soon or becoming a federal initiative.

We’ve already seem rumblings in Washington to push this into a federal compliance law. So, it’s always better to start being privacy complaint sooner rather than deal with the consequences of doing it later. Rushing things in the last minute to avoid penalties is never a fun spot to be in as a business. Plus, who wouldn’t want to gain a higher level of trust with customers by being respectful of their data?

Don’t Freak Out—We’ve Got Your Back

If you have additional questions or need help to get your business started on data privacy compliance, please feel free to let us know! Who doesn’t love avoiding hefty fines? Contact Art Unlimited today, to see how you can start planning your data privacy initiative.

Editor’s note: This article first published on Art Unlimited’s website and can be viewed here.