Not sure about your responsibilities as a website owner when it comes to data privacy? Confused by all the acronyms and how to comply? In this mini-episode we’re covering the two main privacy laws and how they apply to you.
Note: I am not a privacy professional or a lawyer and this is purely informational, not legal advice. It’s important for you to do your own research, due diligence, and hire a professional to support you.
This week, my goal is to make sure this important topic is on your radar. I’m not a privacy professional, and I don’t have all the answers.
Truth be told, the extent of my experience implementing the requirements is limited to gathering all the necessary information for a privacy professional and a legal team to craft the necessary documents.
But, I have noticed there isn’t a lot of conversation around this, so I want to make sure everyone knows it’s a thing. While you may not be required to comply today, based on the size of your business, it’s still something you need to keep your eye on. The more digital our world becomes, the more rules and regulations will keep popping up.
So what does that mean?
This episode is here to bring this topic to light and encourage you to do your own research and due diligence. If you have already done your own research, you know where you stand and you are keeping up with all the changes, awesome — I’ll see you in the next episode.
If you have no idea what I’m talking about or haven’t given this a second thought, keep listening.
10 things your privacy policy should include
You should already know that you need to have a privacy policy on your website. This privacy policy tells your website visitors:
- What information you collect about them
- How it’s collected
- Why it’s collected
- How the information is used
- Who will have access to it
- How the website visitor can opt-out of having this information collected about them
- How they can review or update the information
- What measures you’re taking to protect that information
- The effective date of the policy
- Who to contact about the policy
New laws are coming into effect and the standard is changing
For a long time, that was the standard, but… in the last few years, two big laws went into effect that took things to the next level. First was GDPR in the EU, and then CCPA in California.
Side note: in our most recent election, there was a ballot measure to expand the privacy laws in California, called the CPRA (California Privacy Rights Act), which did pass. This is on top of the CCPA laws. I don’t know many details about it, but know that more requirements are coming.
While these two look and sound similar to each other there are some differences between them. Just because you’re compliant with one, doesn’t necessarily mean that you’re compliant with the other. And of course, which ones you have to comply with depend on where your customers are and other thresholds for who is responsible to comply.
Compliance depends on where your customers are, not where you are
Just because you don’t live in the EU, doesn’t mean you don’t have to comply with GDPR. If you sell to customers there, you do. The same is true for CCPA in California.
Just like the requirements for collecting sales tax that I talked about in last week’s episode, there are thresholds for who is required to comply with the CCPA.
3 conditions for complying with the CCPA
If you meet at least one of the three conditions, you are required to comply. They are:
- You have annual gross revenues over $25 million
- You buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices annually for commercial purposes, or
- You derive half or more of your annual revenue from selling consumers’ personal information.
Now, it’s unlikely if you’re listening to the podcast that you’re doing 25 million a year in revenue. If you are, ahhhmazing, please message me so I can bring you on as a guest to the show. And as an eCommerce business it’s not likely you’re receiving more than half of your annual revenue from selling information.
But requirement #2, 50,000 consumers, households, or devices, is where it gets tricky, and the device piece is the reason. The CCPA defines a device as any physical object that is capable of connecting to the internet. So a desktop computer, a laptop, and a cell phone each count as a separate device, even when all three belong to the same customer.
But then again, CCPA only protects California residents.
With all that said, it’s likely that you’re not technically required to comply.
GDPR is based on intent, not threshold
With GDPR, there is no size threshold; compliance is based on intent. Because GDPR protects data subjects located in the EU, anyone who offers goods or services to people in the EU, whether or not a payment is involved, or who monitors their behavior there, is required to comply.
Are you likely to get fined for not complying?
Now, as a small business doing a few hundred thousand, or a few million, dollars a year, are you likely to be prosecuted and fined for not complying? No, probably not. So far, enforcement has focused on big tech giants like Facebook, Google, and WhatsApp.
So why are we talking about this?
Because the rules and regulations of data privacy are changing rapidly, and they will continue to do so as more and more businesses move online. So far, the rules being implemented in the U.S. are at the state level, but it’s possible that will change. Ultimately, I want you to be aware and as prepared as possible.
Consumers are becoming more and more aware of their privacy on the internet. More and more breaches at the big companies mean consumers are becoming more wary. And knowing that you give a shit about them, their data, and their privacy is just one way you can instill confidence in your consumers and set your business up for future success.
So what should you do today?
First thing, do your own research, because I’m not a privacy professional (had to get that disclaimer in there!).
Secondly, make sure you have a solid privacy policy in place at a minimum.
Get a consultation with a privacy professional who can help you figure out when and if you might need to be compliant. The IAPP, the International Association of Privacy Professionals is a non-profit organization that helps define, promote, and improve the privacy profession globally.
Stay in the know. Just like states enacted new laws to recoup lost sales tax with the rise of online sales, it’s likely they will come up with their own privacy rules. Sooner rather than later it may even reach the federal level.
Episodes Mentioned
Episode 36: How To Charge Sales Tax for Your eCommerce Business
Additional Resources
CCPA – California Consumer Privacy Act
Writing a Privacy Policy for Your Small Business