How to Comply and Some Common Mistakes to Avoid


In our previous post, we looked at the most important privacy laws and how to tell which one applies to you.

Now let’s have a more specific look at what you need to do to get compliant: it’s easier than you think!

Here’s a short list of mistakes to avoid, practical ways to comply, and the software solutions that can help you.


1. Be transparent

Transparency is at the core of data privacy compliance.

Firstly, your business information should be accurate, up-to-date, and easily accessible to users.

Furthermore, it’s important (and legally required!) for you to have a valid privacy policy containing all relevant disclosures on how and why you process user data, and on the third parties that access that data. Third parties can include anything from widget providers (Facebook login, Pinterest buttons) to video embedding services and payment processing providers like PayPal and Stripe. You can read more about what should be in a privacy policy here.

Not sure which third parties have access to the user data processed by your site? Use iubenda’s free site scanner to learn which third-party services you should include in your privacy policy and how to do so.

Common mistake: Unclear endorsements.

If you do endorsements or share affiliate links, do be careful to follow the legal requirements of the region that applies to you and your users. In general, your endorsements should be non-misleading and fully disclosed, and you must inform users when you’re given an incentive to promote a product. For full details on endorsements, read the guide here.


2. Let users set consent preferences for cookies or similar technologies

Nowadays, almost every website (and even app) uses cookies or similar technologies to enhance the user experience.

What are cookies?

Cookies are small pieces of data sent from a website or app and stored on the user’s computer. They are essentially used to remember information about the users and their browsing activity to give them a more personalized or enhanced experience on your website or app.

Cookies can be first-party (cookies actually set by you), or third-party (cookies in use on your site or app, but set by third-party services like social widgets, iframes, video scripts, etc.). Cookies can be a helpful tool for your business, but using cookies or similar technologies on your site also brings a few additional legal responsibilities. More specifically:

  • If you have EU-based users, you must block cookie scripts from running until you’ve collected the informed and freely given consent of the user. If no consent is granted, you must block all cookies that require consent.
  • If you have California-based users, the CCPA might apply to you. This means that you must inform California-based users of any selling or sharing of their personal data (for example via cookies) and you must give them the option to directly opt-out.

If your website uses cookies (or similar technologies), but you don’t have a cookie consent management solution in place, you could be violating user rights and exposing yourself to legal consequences.

Here’s what you should do:

  • Be sure to have a cookie consent management solution in place that allows you to inform users, block cookies before consent is given, and manage that consent.
  • If you’re a publisher (i.e. you run ads to monetize content on your site), make sure that your cookie management solution supports the IAB TCF (Transparency and Consent Framework) and is an IAB-registered CMP (consent management platform).
  • If the CCPA applies to you, ensure that you give California-based users the ability to opt-out. If you’re a publisher with California-based users, be sure to choose a consent management platform that supports IAB’s US Privacy Framework.

Learn more about iubenda Cookie Solution (free plan available).

Common mistake: Not passing TCF consent to ad vendors.

Much like you or me, ad companies also need to follow the law and protect themselves from liabilities and fines. For this reason, most vendors (including Google) now require a valid form of user consent before running personalized ads. The TCF was developed to make it easier for publishers and ad vendors to communicate user consent preferences in an identifiable and seamless way. Where TCF consent is not passed to the vendor, only non-personalized ads or no ads at all (e.g. in the case of Google) will be shown. For the publisher, this potentially means dramatically reduced revenue.
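A minimal consent gate that models the rules above (only necessary scripts run until an explicit choice under an opt-in regime, an opt-out regime keeps scripts running until the user opts out of sale/sharing, and the advertising decision is passed on to the ad vendor), as an added example that is not code from the original post or from iubenda’s Cookie Solution. The purpose categories, the "opt-in"/"opt-out" regime names, the sample script list and the vendor signal shape are assumptions; the real TCF consent string format is not modelled.

```javascript
// Purpose categories are an assumption; a real CMP uses the TCF purpose list.
const PURPOSES = ["necessary", "functional", "analytics", "advertising"];

// regime: "opt-in" (EU-style: blocked until consent) or "opt-out" (CCPA-style:
// allowed until the user opts out of sale/sharing). Names are assumptions.
function createConsentState(regime) {
  if (regime !== "opt-in" && regime !== "opt-out") {
    throw new Error("regime must be 'opt-in' or 'opt-out'");
  }
  const granted = {};
  for (const p of PURPOSES) {
    // Necessary cookies never need consent; everything else starts blocked
    // under opt-in and allowed under opt-out.
    granted[p] = p === "necessary" || regime === "opt-out";
  }
  return { regime, granted, decided: false };
}

// Record the user's choice. Only an explicit action counts: a pre-ticked
// default (explicit !== true) is rejected rather than treated as consent.
function recordChoice(state, choice) {
  if (!choice || choice.explicit !== true || !choice.purposes) {
    throw new Error("consent requires an explicit user action");
  }
  for (const p of PURPOSES) {
    if (p !== "necessary" && p in choice.purposes) {
      state.granted[p] = choice.purposes[p] === true;
    }
  }
  state.decided = true;
  return state;
}

// Withdrawing must be as easy as consenting: one call blocks everything
// except necessary scripts.
function withdrawAll(state) {
  for (const p of PURPOSES) state.granted[p] = p === "necessary";
  state.decided = true;
  return state;
}

// Scripts are registered with a purpose instead of being loaded directly.
// An unknown purpose is never granted, so such a script fails closed.
function scriptsToLoad(state, scripts) {
  return scripts.filter((s) => state.granted[s.purpose] === true).map((s) => s.src);
}

// What the ad vendor is told: without advertising consent it may only serve
// non-personalized ads (or none), as the post describes for TCF.
function adVendorSignal(state) {
  return { personalizedAds: state.granted.advertising === true };
}

// Constructed sample page inventory (hosts are placeholders).
const SAMPLE_SCRIPTS = [
  { src: "/js/session.js", purpose: "necessary" },
  { src: "https://example.invalid/analytics.js", purpose: "analytics" },
  { src: "https://example.invalid/ads.js", purpose: "advertising" },
];
```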


3. Allow users to opt-out (and opt-in)

Newsletters and email marketing are getting more and more popular, but you should know that compliance applies to them, too. There are two basic rules:

  1. Opt-in: if your users are EU-based, they must give explicit consent to receive your marketing emails. Avoid using pre-ticked checkboxes or combining purposes, and clearly indicate that consenting to your newsletter is optional!
  2. Opt-out: both EU and US-based users should have a clear and easy opt-out option to unsubscribe from your emails. In the US, the CAN-SPAM Act allows you to send marketing without first getting the user’s consent; however, the user must always be given a clear option to unsubscribe.

Failure to meet these requirements can result in heavy fines, so be sure to read the specific requirements for both EU and US email marketing here.

Common mistake: A complicated opt-out process.

Both the CAN-SPAM Act and the GDPR state that users should be able to withdraw consent as easily as they gave it.

Do not disguise the option to opt-out: instead, make sure it’s clearly visible and, most importantly, that it isn’t hidden behind a complicated log-in process.


What happens if I don’t comply?

The consequences of non-compliance vary according to the law:

  • The GDPR sets fines of up to EUR 20 million (€20m) or 4% of your annual worldwide turnover (whichever is greater). It also establishes sanctions such as official reprimands, periodic data protection audits, and liability damages. Read more about potential GDPR fines and sanctions here.
  • Under the CCPA, consumers have the right to sue businesses that violate the law. The damages are between $100 and $750 per consumer per incident, or any higher amount corresponding to actual damages. The state can bring charges of up to $2,500 per violation for businesses that unintentionally violate the CCPA, and up to $7,500 per violation for intentional violations. Even though these fines might not seem particularly large compared to the GDPR, consider that they apply per individual violation and per consumer. Full details on CCPA fines are here.
  • Violations of CalOPPA can lead the Federal Trade Commission to bring an enforcement action against businesses that fail to comply with their posted privacy policy.

iubenda makes compliance easy! With a full set of global compliance solutions, iubenda can help you get compliant in minutes. Learn more here.
