Published: August 21, 2019
Author: Martin William Harvey
Chapter 1: What is Privacy?
Chapter 2: The General Data Protection Regulation (GDPR)
Chapter 3: The California Consumer Privacy Act (CCPA)
Chapter 4: How does GDPR & CCPA benefit my customers?
Chapter 5: How does GDPR & CCPA affect my business?
Chapter 6: How to make sure I am GDPR & CCPA compliant?
Chapter 7: GDPR & CCPA Deadlines
Chapter 8: What Happens if I don’t get compliant?
Chapter 9: How to get GDPR & CCPA compliant?
Chapter 10: The Future of GDPR, CCPA and International Privacy Protection
Have you ever wondered how companies are able to target you with specific ads and promotions at almost the exact moment you were considering a purchase? Since its creation, the internet as we know it has evolved from a simple information database into a global data warehouse of trends, IP addresses, demographic logs and buyer personas, all derived from your every movement as you browse websites, forums and eCommerce stores.
Many businesses, including ours, use user tracking to establish KPIs, monitor growth and improve user experience. However, user tracking goes far beyond individual website tracking codes and user analytics: it starts with the browsers and search engines you use daily and ends with companies selling large pools of your data so that other companies can target you more accurately with their promotions.
At its most basic, privacy is freedom from being observed by others. In 2016 the European Union took the first steps toward tackling the global problem of data being collected and sold without people's knowledge. In 2018 California became the first U.S. state to enact a comprehensive consumer privacy law, and in 2020 we may see broader privacy regulation at the federal level covering the other 49 states.
The immediate perception has been that these regulations are detrimental to businesses large and small. Businesses rely on data to improve their websites' user experience and to sell products in store and online. In this article, we want to give you only the facts as we know them, so that you have a clear understanding of what privacy means for your online presence and how you can ensure you are compliant with these regulations as they evolve.
An Important Note:
Before we get started, we have to tell you that although we do our research, we are not lawyers and this article is not intended to give you legal advice. This article should not be taken as legal advice, but rather a guide to understanding the effects new privacy regulations could have on you, your business and your customers.
GDPR stands for General Data Protection Regulation, an EU regulation that governs the processing of personal data relating to individuals in the European Union, whether that processing is done by an individual, a company or an organization.
The GDPR applies to:
At first glance, you may think "I own a small business in the United States, none of this applies to me". However, before you write off the GDPR as something you don't have to concern yourself with, let's look at how the European Union defines personal data.
The GDPR defines personal data as any information that relates to an identified or identifiable living individual. Personal data includes:
Personal data does not include data that is rendered anonymous in such a way that the individual is not or no longer identifiable.
So, what about Google Analytics? Most small businesses use Google Analytics to track user actions on their website, but the user is never actually identified in the dashboards and reports the business owner sees. However, under the GDPR Google is your Data Processor and your business is the Data Controller, since you control which data is sent to Google Analytics through your tracking code.
Google's tracking code obtains the user's IP address (it is used for geolocation reporting) but strips it before it reaches your reports. So although you can't see IP addresses in Google Analytics, your property still collects them, and under the GDPR an IP address is an online identifier and therefore personal data. The simple answer, then, is yes: if you use Google Analytics and your website is visited by users from the European Union, the GDPR applies to you (even if you live in the United States), because you are monitoring the behaviour of someone in the European Union.
Another way a small business owner can get tangled up in the GDPR is through email campaigns. No matter how the email addresses for a campaign are obtained, storing someone's personal information (email address, name, etc.) without a lawful basis, which for marketing email normally means their consent, is prohibited under the GDPR. That means that if you collect business cards and manually add them to your email campaign, you have to either make sure the people do not live in the EU or make sure they have given you informed and unambiguous consent (this is what we recommend 😊).
If you are still unsure whether you are GDPR compliant, the GDPR also gives us a few examples as to what applies vs what does not apply to the regulation.
Regulation Applies When..
Regulation Does Not Apply When..
So, what does the GDPR say specifically about small businesses? We already know that the GDPR applies to small businesses and that its rules depend not on the size of your company but on the nature of your activities. However, not every obligation of the GDPR applies to every small business. The exceptions include:
In 1972, the citizens of the U.S. state of California amended the California Constitution to include the right of privacy as an "inalienable" right of all people. On June 28, 2018, California Governor Jerry Brown signed Assembly Bill 375, more commonly known as the California Consumer Privacy Act (CCPA).
The CCPA adds to the mechanisms California had already adopted to enforce Californians' right to privacy, which include the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, and the "Shine the Light" law, a California law intended to give Californians the "who, what, where and when" of how businesses handle consumers' personal information.
Beginning January 1, 2020, the CCPA grants a consumer the right to request that a business disclose the following:
In short, the CCPA requires a business to make disclosures about the information it collects and the purposes for which it is used. The CCPA also requires businesses to delete the personal information they hold about a consumer if the consumer sends a verified request.
In addition, businesses that collect consumers' personal information must, at or before the point of collection, inform consumers of the categories of personal information to be collected and the purposes for which those categories will be used. Businesses are prohibited from collecting additional categories of personal information, or using personal information for additional purposes, without first giving the consumer notice.
Essentially, this means that as business owners we can no longer collect personal information via Google Analytics, Crazy Egg or any other third-party tracking tool without first telling consumers what categories we collect and why, and if a consumer submits a verified request for the information we hold about them, we have to provide it free of charge.
The CCPA also has several rules that apply to businesses that sell personal information. Small businesses generally do not sell personal information, so we will only point out that these rules can be found in sections 1798.115 and 1798.135 of the CCPA.
It is also important to note that consumers who exercise their rights, for example by asking a company to delete their personal information, are protected from discrimination by the business. You cannot deny goods or services, charge different prices or rates, or provide a different level or quality of service just because the consumer chose not to have their personal information tracked or sold.
Before we start talking about how to comply with the CCPA, it's important to note that unlike the GDPR, the CCPA does not cover all businesses. According to the CCPA, a business that must comply is one that:
If you are a business that must comply with the CCPA, then understanding how Personal Information is defined by the CCPA will be important to you. According to the CCPA, Personal Information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes but is not limited to:
However, Personal Information does not include publicly available information, meaning information lawfully made available from federal, state or local government records.
To read more about the CCPA, you can access the entire bill here.
If your head isn't already spinning from reading the legalese of the GDPR and CCPA, then you probably already see the benefits the GDPR and the CCPA bring to your customers. For the last 3,000 years privacy has been put on the back burner in lieu of wealth and prosperity; the key benefit of these regulations is that consumers (including you and us) have been given back control of their personal information. We now get to choose whether a company sells our information to third parties, and we now get to choose whether we want companies (including Google) to know our exact location.
Depending on the size and nature of your business, the GDPR and the CCPA can have several effects on your business. With that said, speaking solely to small business owners who don't sell consumers' personal information, the GDPR and the CCPA could actually benefit your business rather than hurt it.
For one thing, you are not losing much data by complying with the GDPR and the CCPA. You can continue to build your email campaigns and track data through Google Analytics, all while still complying with the regulations.
Finally, the SEO benefits. Now we are not saying that if you comply with these regulations you are going to get a boost in your search engine optimization. However, federal privacy regulations are more of a “when” rather than an “if” at this point and proving that you are ahead of the market is a great indicator to Google that you are a legitimate business, willing to put your customers first.
If you are a small business making less than $25,000,000 a year in gross revenue and you don't buy or sell customers' personal information, then the CCPA is probably not a concern for you. However, just because you are not forced to comply doesn't mean you shouldn't. By complying early, you can benefit your business greatly over the long haul.
However, if you use Google Analytics then you most likely have to comply with the GDPR. There are two routes you can take to comply with the GDPR:
The first is simple: stop tracking consumers' personal information. As we discussed above, Google Analytics records visitors' IP addresses, which brings you within the GDPR. However, if you don't track IP addresses, then it is our understanding that you don't have to comply, because you are not tracking or processing anyone's personal information (as outlined in the GDPR section). Luckily, Google Analytics offers an IP anonymization setting (anonymizeIp in analytics.js, anonymize_ip in gtag.js) that zeroes the last octet of IPv4 addresses (and the last 80 bits of IPv6 addresses) before they are stored, and it is enabled by altering the tracking code on each page of your website.
If tracking IP addresses or any other personal information is important to you, then you will have to comply with the GDPR or risk being fined (assuming you still want to gather data from the EU). Depending on the type of data you collect and store, you may be required to meet several sets of obligations; you can find more information about these here.
PwC recently compared the GDPR and the CCPA to help businesses better understand the additional requirements the CCPA will place on businesses collecting personal information.
It is our belief that privacy is a right of every person not a privilege, so we recommend all businesses comply with both the GDPR and the CCPA, even if they do not meet some of the requirements of enforcement.
With that said, we follow a strict set of guidelines that we believe allow every client of ours to comply with both the GDPR and the CCPA, and we provide this as part of our website development and website management services. These guidelines include:
We believe that following these guidelines, based on our knowledge of the GDPR and the CCPA, ensures that consumers' personal information is not collected (and is therefore outside the scope of either regulation) and gives the consumer transparency and control over their data, establishing trust between them and the brand.
After each law was passed, the European Union and the California State Government set deadlines by which all businesses within their respective jurisdictions must comply:
GDPR
Date Adopted: April 14, 2016
Compliance Deadline: May 25, 2018
CCPA
Date Adopted: June 28, 2018
Compliance Deadline: January 1, 2020
Getting compliant with any regulation costs businesses both time and money, so it is understandable that some choose to wait until the last minute. If your website is managed through White Whale Web Design and meets certain requirements, most of the work to stop personal information from being collected has already been done for you. If not, below are some of the penalties set out in each regulation.
The European Union has been less aggressive about pursuing businesses that are not in compliance, but the GDPR itself sets the ceiling for fines at €20 million or 4% of a company's total worldwide annual turnover, whichever is higher (a lower tier of €10 million or 2% applies to some infringements). Because the fixed amount applies whenever it is the larger figure, even a business with $100,000 in annual revenue cannot assume its exposure is limited to 4% of that.
The CCPA is expected to be enforced more vigorously than the GDPR, and its penalties can be substantial. The private right of action, which applies to certain data breaches, allows statutory damages of $100 to $750 per consumer per incident, or actual damages if greater, and civil penalties enforced by the Attorney General run up to $2,500 per violation and up to $7,500 per intentional violation, with no cap on the number of violations.
Before we talk about the details of compliance, it's important to note that the GDPR and the CCPA only apply to "personal information" (defined in each section above). For most small businesses, the best way to avoid high costs is simply to stop collecting personal information without the consumer's freely given, unambiguous consent.
It is our understanding based on researching each document that this can be achieved at the bare-minimum:
By doing this, your tracking software (Google Analytics) no longer collects personal data (full IP addresses), you disclose unambiguously that you collect data when someone uses your website, and you collect personal data only when a consumer submits a form.
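The tracking-code change described in the GDPR compliance options above and in the bare-minimum steps here, as an added example that is not code from this article or from White Whale Web Design: a consent-gated Google Analytics loader that enables Google's IP anonymization. The cookie name `analytics_consent`, the placeholder property ID and the injected `win`/`doc` parameters are assumptions for illustration; `anonymize_ip`, `allow_ad_personalization_signals` and the `ga-disable-<ID>` flag are Google's documented gtag.js settings.

```javascript
// Added example (not from the original article). Assumptions, not from the page:
// consent is stored in a first-party cookie named "analytics_consent" whose value
// is "granted" or "denied", and MEASUREMENT_ID is a placeholder property ID.
const CONSENT_COOKIE = 'analytics_consent'; // hypothetical cookie name
const MEASUREMENT_ID = 'UA-XXXXXXXX-1';      // placeholder, not a real property

// Parse a document.cookie string ("a=1; b=2") into an object.
// Tolerates empty input, stray semicolons and '=' characters inside values.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Consent must be an affirmative act: only an explicit "granted" counts.
// A missing cookie, "denied" or anything else means no tracking at all.
function hasAnalyticsConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'granted';
}

// Parameters passed to gtag('config', ...). anonymize_ip makes Google Analytics
// zero the last octet of an IPv4 address (last 80 bits of IPv6) before it is
// stored; this is the tracking-code change the article refers to.
function analyticsConfig() {
  return {
    anonymize_ip: true,
    allow_ad_personalization_signals: false,
  };
}

// Install the gtag.js snippet only after consent. `win` and `doc` are passed in
// (use window and document in a real page) so the logic can be exercised outside
// a browser. Returns true if analytics was loaded, false if it was withheld.
function loadAnalytics(win, doc) {
  if (!hasAnalyticsConsent(doc.cookie)) {
    return false; // no script tag, no dataLayer, no hits sent to Google
  }
  win.dataLayer = win.dataLayer || [];
  win.gtag = function () { win.dataLayer.push(arguments); };
  win.gtag('js', new Date());
  win.gtag('config', MEASUREMENT_ID, analyticsConfig());

  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' +
    encodeURIComponent(MEASUREMENT_ID);
  doc.head.appendChild(script);
  return true;
}

// Honour a withdrawal of consent on a page where gtag.js is already loaded:
// Google's documented window['ga-disable-<ID>'] flag stops further hits.
function disableAnalytics(win) {
  win['ga-disable-' + MEASUREMENT_ID] = true;
  return win['ga-disable-' + MEASUREMENT_ID];
}

// Record the visitor's choice for 180 days. SameSite=Lax keeps the cookie
// first-party; Secure assumes the site is served over HTTPS.
function setConsentCookie(doc, granted) {
  const value = granted ? 'granted' : 'denied';
  doc.cookie = CONSENT_COOKIE + '=' + value +
    '; Path=/; Max-Age=15552000; SameSite=Lax; Secure';
  return value;
}
```

Call `loadAnalytics(window, document)` from every page instead of pasting the standard gtag snippet; the snippet (and the resulting hits) only ever run once the consent cookie says "granted", and `disableAnalytics(window)` is the counterpart to call from a "withdraw consent" control without reloading the page.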
As we discussed before, we offer these types of services free to all clients that have their website built by our team and for clients who choose to have their websites or advertising managed through us.
If collecting personal information is a priority, whether you sell personal data or collect it for company use, and you meet the thresholds at which the GDPR or the CCPA applies to you, then this option will not be enough to make you compliant. Depending on the size and nature of the business, you may have to appoint a Data Protection Officer and a team that handles compliance issues as they arise, keep processing records, and follow strict procedures for removing information on request.
Privacy regulation is far from its peak, and we believe more countries will enforce data protection in the near future. The GDPR has been in effect since May 2018, and regulators have already fined Google €50 million (France's CNIL, January 2019) and announced an intended fine of £183 million against British Airways (the UK ICO, July 2019).
The CCPA will bring stricter privacy regulation to the United States, and we believe these privacy regulations will escalate to federal legislation in the next 3 to 5 years.
Are we missing something? We have done extensive research to ensure we offer the best service to our clients and their customers, however if you believe we are missing something please leave a comment below.