What Do I Need to Do for My Website to Be Compliant?

Today… and into the future

May 24, 2021 | Marketing, Regulations

Written by Rick Buck, Chief Privacy Officer, WireWheel

After new privacy laws passed within the last 12 months in both Virginia and California, many clients ask us what they need to do to make sure that their website is compliant today and into the future.

Depending on the geography, for a website to be compliant, it must provide easy access to information including:

  1. The right privacy policies
  2. The ability for customers to manage their cookies
  3. The ability for customers to exercise their privacy rights

The right privacy policies

If an organization is located in or does business with the EU, its privacy policy needs to comply with the GDPR. This includes providing people with a privacy notice that is:

  • Concise, transparent, intelligible, and easily accessible
  • Written in clear and plain language, particularly for any information addressed specifically to a child
  • Delivered in a timely manner (i.e. at point of collection of personal information or in the persistent banner at the bottom of the webpage)
  • Provided free of charge

If an organization is collecting information from an individual directly, it must include the following information in its privacy notice:

  • The identity and contact details of the organization, and its Data Protection Officer
  • The specific purpose(s) for which the organization processes an individual’s personal data (and the legal basis for processing)
  • The legitimate interests of the organization (or third party, where applicable)
  • Any third parties, or categories of third parties, with which an individual’s data is shared
  • The details regarding any transfer of personal data to a third country and the safeguards taken
  • The retention period or criteria used to determine the retention period of the data
  • The details about exercising data subject’s rights including:
    • The right to withdraw consent at any time (where relevant)
    • The right to lodge a complaint with a supervisory authority
  • The existence of an automated decision-making system, including profiling, and information about how this system has been set up, the significance, and the consequences.

To comply with California’s CCPA, privacy policies must be:

  • Easy to read and understand
  • Available in the languages in which the business operates
  • Reasonably accessible to people with disabilities
  • Presented via a conspicuous link on the website homepage or on the download or landing page of a mobile application
  • Inclusive of information on consumers’ privacy rights and how to exercise them:
    • The Right to Know, the Right to Delete/Correct, the Right to Opt-Out of Sale, and the Right to Non-Discrimination[1]
    • Categories of personal information collected
    • Categories of sources from which personal information is collected
    • Categories of third parties personal information is shared with
    • Purpose for which personal information is being used
  • Updated annually

Ability for customers to manage cookies

Privacy regulations require the capability for consumers to manage cookies. Cookies are small files that websites send to your device that the sites use to monitor you and remember certain information about you — like what’s in your shopping cart on an e-commerce website, or your login information.[2]

For your website to be compliant with privacy regulations, your visitors must have control over the cookies that marketers and digital advertisers place. In particular, they have to have control over third-party cookies. Third-party cookies are cookies that are stored on the user’s computer and that are created by a website with a domain name other than the one the user is currently visiting.[3]

Whether you fall under these regulations depends on your size and your business model.

To be compliant with GDPR, website visitors must be able to opt in to cookies in their browser. Cookies cannot be placed in a browser without freely given, specific, informed and unambiguous consent given by a clear affirmative action.

California’s CCPA requires that companies offer their customers the ability to opt out of the sale of their data. Specifically, there needs to be a ‘Do Not Sell My Personal Information’ link at the bottom of the homepage. It covers the sharing of personal data captured by cookies and other tracking technologies with third parties like Facebook, Google, and others. Therefore, to be compliant, you should enable consumers to opt out of these tracking cookies.

When CPRA (California) and CDPA (Virginia) go into effect, website visitors will have to have control over the cookies placed in their browser and be able to:

  • Opt out of processing of personal data
  • Opt out of automated decision-making
  • Opt out of targeting and re-targeting
  • Opt in to processing of sensitive data

Exercising Privacy Rights (Data Subject Access Requests)

If you need to comply with GDPR, customers must have the ability to exercise the following rights:

  • Access: deliver all personal information you have on the consumer
  • Correct: correct the information you have on the consumer
  • Delete: delete personal information from databases
  • Restriction of Processing: limit how the company can process personal data
  • Data Portability: provide consumers their data so that they can use it elsewhere
  • Object: object to the way their personal data is being used
  • Avoid Automated Decision Making: eliminate the ability for personal data to be used in an automated way without human involvement

For CCPA, customers have to be able to access and delete their personal information and tell companies not to sell their personal information.

In the future, under both Virginia’s CDPA and California’s CPRA, in addition to access, delete, and do-not-sell, companies will have to allow consumers to:

  • Correct my data: correct the information you have on the consumer
  • Do not collect and use my sensitive data: do not use ethnicity, financial, or identification information in analysis (e.g. segment performance); consent is required in VA
  • Do not process my personal data for advertising: covers using customer information (e.g. purchase history) to inform any advertising and using browser information (e.g. cookies) to inform advertising on site and elsewhere

In summary, in the United States, for your website to be compliant today, you need to enable:

  • Do not “sell/share” my personal data: stop your website from sharing data via cookies with marketing partners, and stop employees from sharing customer lists with marketing partners (e.g. Facebook for Lookalike targeting) or data broker services
  • Delete/access my personal information: deliver all personal information you have on the consumer, and delete personal information from databases

In the future, you will need to allow website visitors to:

  • Do not process my personal data for advertising: covers using customer information (e.g. purchase history) to inform any advertising and using browser information (e.g. cookies) to inform advertising on-site and elsewhere
  • Do not share personal info for cross-context behavioral advertising: covers sharing cookie data with ad exchanges / platforms
  • Do not use for automated decision-making: do not use to create unique customer experiences on the web based on browsing behavior or to
  • Do not collect and use my sensitive data: do not use ethnicity, financial, or identification information in analysis (e.g. segment performance); opt-in is required in VA
  • Allow consumers to make requests about their data: access, delete, correction

Companies should make sure that they have in place:

  • The right privacy and cookie policies
  • A cookie management solution that not only works today but well into the future
  • The ability to collect and fulfill the rights requests required right now, as well as the ones required in the future

Additionally, the website must have the appropriate persistent links to privacy policies and subject rights on the website itself and on the download pages of mobile applications.

Future-proof your privacy program with WireWheel’s Trust Access and Consent Center to manage DSARs and consent, and WireWheel’s Privacy Operations Manager for managing assessments.

Request a demo to learn more.