California’s Privacy Laws, GDPR, and Your Website: Action Steps You Need to Take

There is no doubt you have heard the term “GDPR” being discussed around the web and in the news. Spoiler: it’s not a type of PR! Data protection is a hot topic thanks to Facebook data breaches and heightened consumer security on e-commerce sites and even big banks. GDPR is a privacy law designed to give individuals control of their personal data and could potentially affect how the entire internet deals with data. We at LISI want to make sure you know the facts, understand what may be required of your website, and offer our assistance to help make your website compliant.

What is GDPR?

GDPR stands for General Data Protection Regulation and is a new data protection law in the European Union, which went into force in May of 2018.

The aim of the GDPR is to give citizens of the EU control over their personal data and to change the approach of organizations across the world towards data privacy. The GDPR provides much stronger rules than previous laws and is something all businesses should be concerned about when it comes to their websites.

Rules the GDPR dictates:

• users must confirm that their data may be collected;
• there must a clear privacy policy showing what data is going to be stored, how it is going to be used; and
• the website owner must provide the user a right to withdraw the consent to the use of personal data (such as deleting the data), if required.

Does GDPR apply to my website?

Yes, it does! It applies to every business, large and small, around the world that can be accessed by someone in the European Union. The GDPR applies to data collected about EU citizens from anywhere in the world. As a result, a website with any EU visitors or customers must comply with the GDPR, which means virtually all businesses that want to sell products or services to the European market.

What steps are needed to be compliant for GDPR?

Create and/or update your privacy policy
Depending on the services and functionality you use on your website; you’ll need to update your privacy policy to include disclosures for all of the cookies and data being collected on your website. Most websites use cookies for analytics, ad campaigns, CDN services, opt-in services, video players, shopping carts, and much more.

Contact forms/Newsletter opt-ins
Be sure to include a checkbox for consent on your contact forms. You’ll also need to add a section to your privacy policy about all the information you collect. This will depend on the fields you include in your forms – name, email, address, or anything else.

As with contact forms, you need to confirm user consent for newsletter subscriptions. This can be done with either a checkbox that a user must click before they opt-in, or by requiring double opt-in to your email list which requires the user to verify their email address and confirm they wish to join your mailing list. With the consent confirmation method in place, the addition of a section to the privacy policy stating that you do retain users’ email addresses for your newsletter is recommended.

Add a Cookie Notice
You must disclose your use of cookies (the small snippets of code that help control how a computer displays a website), and not just in your privacy policy. You need to add a cookie disclosure and acceptance notice to the first page a user will visit.

By using cookies, you can significantly improve the user experience on your site. However, installing tracking cookies without express user consent constitutes a breach of the ePrivacy Directive 2002/58/EC (EU Cookie Law), and can result in noncompliance for European users.

Meanwhile, in California …

Still not convinced because your law firm business is only in the United States? You still don’t get a pass, sorry! The California Consumer Privacy Act (CCPA) goes into effect in 2020 and protects individual’s “personal information” similar to GDPR. In summary, if someone in California happens to click through to your website, the proactive disclosures regarding what data is collected, and how it’s used must be accepted in the website policies.

Noncompliance comes with a price! Businesses that fail to comply with the CCPA are subject to civil penalties of up to $2,500 per violation and $7,500 per intentional violation. That can add up quickly, considering companies only have 30 days to update their website to comply after being notified by the attorney general.

Take action now!

Now that you know a little more about GDPR, the CCPA, and how they affect your website, let’s set up a time to talk about the next steps. We want to make the process of becoming compliant as easy as possible for you, so let’s discuss your website needs, the customers you are reaching, and how LISI can help you!