What do I need for my website to be compliant for data privacy?
After new privacy laws passed in Virginia, Colorado, and California, many clients ask us what they need to do to make sure that their website is compliant today and into the future for data privacy.
For a website to meet data privacy compliance requirements, depending on the geography, it must give visitors easy access to:
- The right privacy policies
- The ability for customers to manage their cookies
- The ability for customers to exercise their privacy rights
1. Compliant websites have the right privacy policies for visitors
GDPR (Europe) Privacy Policy Requirements
If an organization is doing business with or is located in the EU, its privacy policy needs to comply with the GDPR. This includes providing people with a GDPR-compliant privacy policy (i.e., privacy notice) that is:
- Concise, transparent, intelligible, and easily accessible
- Written in clear and plain language, particularly for any information addressed specifically to a child
- Delivered in a timely manner (i.e., at the point of collection of personal information, or in a persistent banner at the bottom of the webpage)
- Provided free of charge
If an organization is collecting information from an individual directly, it must include the following information in its privacy notice:
- The identity and contact details of the organization, and its Data Protection Officer
- The specific purpose(s) for which the organization processes an individual’s personal data, and the legal basis for that processing
- The legitimate interests of the organization (or third party, where applicable)
- Any third party, or categories of third parties, with which an individual’s data is shared
- The details regarding any transfer of personal data to a third country and the safeguards taken
- The retention period or criteria used to determine the retention period of the data
- Details about how data subjects can exercise their rights, including:
- The right to withdraw consent at any time (where relevant)
- The right to lodge a complaint with a supervisory authority
- The existence of any automated decision-making, including profiling, with information about how the system works, its significance, and its consequences for the individual.
CCPA/CPRA (California) Privacy Policy Requirements
To comply with California website privacy policy requirements, privacy notices and policies must be:
- Easy to read and understand
- Available in the languages in which the business operates
- Reasonably accessible to people with disabilities
- Linked conspicuously from the website homepage, or from the download or landing page of a mobile application
- Inclusive of information on consumers’ privacy rights and how to exercise them: the Right to Know, the Right to Delete/Correct, the Right to Opt-Out of Sale, and the Right to Non-Discrimination[1]
- Categories of personal information collected
- Categories of sources from which personal information is collected
- Categories of third parties with which personal information is shared
- Purposes for which personal information is being used
- Updated annually
For CPRA, your privacy policy must make consumers aware of their additional right to request that you limit your use and disclosure of their sensitive personal information.
CDPA (Virginia) Privacy Policy Requirements
For Virginia, the controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
- The categories of personal data collected or processed by the controller or a data processor;
- The purposes for which the categories of personal data are processed;
- An estimate of how long the controller may or will maintain the consumer’s personal data;
- An explanation of how and where consumers may exercise their rights;
- The categories of personal data that the controller shares with third parties, if any; and
- The categories of third parties, if any, with whom the controller shares personal data.
CDPA does not expressly require businesses to display a privacy notice at or before the point of the collection of personal data, nor does it require businesses to provide a “do not sell my information” link.
CPA (Colorado) Privacy Policy Requirements
The disclosures the CPA requires in a privacy notice are nearly identical to those required by Virginia’s CDPA: controllers must provide a reasonably accessible, clear and meaningful privacy notice that includes:
- The categories of personal data collected or processed
- The purposes for processing personal data
- How and where consumers may exercise their rights, and how to appeal a controller’s action in response to a request
- The categories of personal data shared with third parties
- The categories of third parties with whom the controller shares personal data
If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt-out of the sale or processing.
2. The ability for customers to manage cookies
Privacy regulations require the capability for consumers to manage cookie consent. Cookies are small files that websites send to your device that the sites use to monitor you and remember certain information about you — like what’s in your shopping cart on an e-commerce website, or your login information.[2]
For your website to be compliant with privacy regulations, your visitors must have control over the cookies that marketers and digital advertisers place. In particular, they have to have control over third-party cookies. Third-party cookies are cookies stored on the user’s computer that are created by a website with a domain name other than the one the user is currently visiting.[3]
Whether you fall under these regulations depends on your size and your business model.
GDPR Cookie Consent
To be compliant with GDPR, website visitors must be able to opt in to cookies in their browser. Cookies cannot be placed in a browser without freely given, specific, informed and unambiguous consent, given by a clear affirmative action.
CCPA and Cookie Consent
California’s CCPA requires that companies offer their customers the ability to opt out of the sale of their data. Specifically, there needs to be a ‘Do Not Sell My Personal Information’ link at the bottom of the homepage. It covers the sharing of personal data captured by cookies and other tracking technologies with third parties like Facebook, Google, and others. Therefore, to be compliant, you should enable consumers to opt out of these tracking cookies.
Cookie Consent and Future Privacy Legislation
When CPRA (California), CDPA (Virginia), and CPA (Colorado) go into effect, website visitors will have to have control over the cookies placed in their browser and be able to:
- Opt out of the processing of personal data
- Opt out of automated decision-making
- Opt out of targeting and retargeting
- Opt in to the processing of sensitive data
3. Exercising Privacy Rights (Data Subject Access Requests or DSARs)
GDPR Rights (DSAR) Requests
In order for a website to comply with GDPR, customers must have the ability to:
- Access. Receive all personal information you hold about them.
- Correct. Have the information you hold about them corrected.
- Delete. Have their personal information deleted from your databases.
- Restriction of Processing. Limit how your company can process their personal data.
- Data Portability. Receive their data in a form they can use elsewhere.
- Object. Object to the way their personal data is being used.
- Avoid Automated Decision-Making. Prevent their personal data from being used in an automated way without human involvement.
CCPA Rights (DSAR) Requests
In order for a website to comply with CCPA, customers have to be able to access and delete their personal information and to tell companies not to sell it.
Privacy Rights Requests for Future Privacy Legislation
In the future, under Virginia’s CDPA, Colorado’s CPA and California’s CPRA, companies will have to allow consumers, in addition to access, deletion and do-not-sell requests, to say:
- Correct my data
  - Correct the information you have on me
- Do not collect and use my sensitive data
  - Do not use ethnicity, financial, or identification information in analysis (e.g., segment performance)
  - Consent is required in CA, VA and CO
- Do not process my personal data for advertising
  - Covers using customer information (e.g., purchase history) to inform any advertising
  - Covers using browser information (e.g., cookies) to inform advertising on site and elsewhere
In summary, in the United States, for your website to be compliant today, you need to enable:
- Do not “sell/share” my personal data
  - Stop your website from sharing data via cookies with marketing partners
  - Stop employees from sharing customer lists with marketing partners (e.g., Facebook for Lookalike targeting) or data broker services
  - Have a ‘Do Not Sell My Personal Information’ link at the bottom of your homepage
- Delete or access my personal information
  - Deliver all personal information you hold on a consumer
  - Delete personal information from databases
In the future, you will need to allow website visitors to say:
- Do not process my personal data for advertising
  - Covers using customer information (e.g., purchase history) to inform any advertising
  - Covers using browser information (e.g., cookies) to inform advertising on-site and elsewhere
- Do not share my personal info for cross-context behavioral advertising
  - Covers sharing cookie data with ad exchanges / platforms
- Do not use my data for automated decision-making
  - Covers creating unique customer experiences on the web based on browsing behavior
- Do not collect and use my sensitive data
  - Covers using ethnicity, financial, or identification information in analysis (e.g., segment performance)
  - Opt-in is required in VA
- Allow consumers to make requests about their data
  - Access, Delete, Correction
One more note: while California has stated that the Global Privacy Control (GPC) signal is recognized as a valid means of opt-out, honoring it is not a requirement in any law. If you accept GPC signals, you should say so in your privacy policy. And if it is in your privacy policy (like anything else there), you should be sure to actually do it.
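To make the cookie consent rules above and the GPC note concrete, here is an added example (my own code, not from the original article or any vendor) of a small consent gate: under a GDPR regime nothing non-essential is set until an opt-in is recorded, under a CCPA/CPRA regime a GPC signal is treated as a "do not sell/share" opt-out, and third-party tags are only injected once their category is allowed. The `consent` cookie format, the category names and the `env` object are assumptions made for the example.

```javascript
// Added example, not code from the original article: a minimal consent gate
// that applies the GDPR opt-in default and treats a Global Privacy Control
// (GPC) signal as a CCPA/CPRA "do not sell/share" opt-out. Names are my own.
const CATEGORIES = ["necessary", "analytics", "advertising"];

// Parse a constructed "consent=analytics:1&advertising:0" cookie from document.cookie.
function parseConsentCookie(cookieHeader) {
  const stored = {};
  if (!cookieHeader) return stored;
  for (const part of cookieHeader.split(";")) {
    const [name, value] = part.trim().split("=");
    if (name !== "consent" || !value) continue;
    for (const pair of value.split("&")) {
      const [cat, flag] = pair.split(":");
      if (CATEGORIES.includes(cat)) stored[cat] = flag === "1";
    }
  }
  return stored;
}

// Decide which categories may set cookies. `env` carries the browser signals
// so the logic can run outside a browser: env.cookie = document.cookie,
// env.gpc = navigator.globalPrivacyControl, env.regime = "gdpr" or "ccpa".
function decideConsent(env) {
  const stored = parseConsentCookie(env.cookie);
  const allowed = { necessary: true }; // strictly necessary cookies need no consent
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    if (env.regime === "gdpr") {
      // GDPR: nothing non-essential until a clear affirmative opt-in is recorded.
      allowed[cat] = stored[cat] === true;
    } else {
      // CCPA/CPRA: allowed unless opted out; GPC is an opt-out of sale/share,
      // which covers third-party advertising cookies.
      allowed[cat] = !(stored[cat] === false || (env.gpc === true && cat === "advertising"));
    }
  }
  return allowed;
}

// Inject a third-party tag only once its category is allowed (browser-only path).
function loadTagIfAllowed(allowed, category, src, doc = globalThis.document) {
  if (!allowed[category] || !doc) return false;
  const script = doc.createElement("script");
  script.src = src;
  doc.head.appendChild(script);
  return true;
}
```

In a real deployment the regime would be chosen from the visitor's jurisdiction and the consent cookie written by your banner; the gate itself stays the same.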
Summary
Companies should make sure that they have in place:
- The right privacy and cookie policies
- A cookie management solution that not only works today but well into the future
- The ability to collect and fulfill rights requests required right now, as well as the ones required in the future
Additionally, companies must have the appropriate persistent links to privacy policies and subject rights on their website and download pages of mobile applications.
Here is a summary table of the rights and preferences required by each law: