
The Small Business Owners Guide To GDPR & CCPA Privacy Regulations

Published: August 21, 2019
Author: Martin William Harvey

Chapter 1: What is Privacy?
Chapter 2: The General Data Protection Regulations (GDPR)
Chapter 3: The California Consumer Privacy Act (CCPA)
Chapter 4: How does GDPR & CCPA benefit my customers?
Chapter 5: How does GDPR & CCPA affect my business?
Chapter 6: How to make sure I am GDPR & CCPA compliant?
Chapter 7: GDPR & CCPA Deadlines
Chapter 8: What Happens if I don’t get compliant?
Chapter 9: How to get GDPR & CCPA compliant?
Chapter 10: The Future of GDPR, CCPA and International Privacy Protection


What is Privacy?

Have you ever wondered how companies are able to target you with specific ads and promotions at almost the exact moment you were considering a purchase? Since its creation, the internet as we know it has evolved from a simple information database into a global data warehouse full of trends, IP addresses, logs of demographic data and buyer personas, all derived from your every movement as you browse websites, forums and eCommerce stores.

Many businesses, including ours, use user tracking to establish KPIs, monitor growth and improve user experience. However, user tracking ventures far beyond individual website tracking codes and user analytics: it starts with the browsers and search engines you use daily and evolves into companies selling mass pools of your data so that other companies can target you more accurately with their promotions.

The basic understanding of privacy is simply being free from observation by others, and in 2016 the European Union took the first steps toward tackling a global epidemic of anonymous data collecting and selling. In 2019 California became the first U.S. state to act on the fundamentals of privacy to protect its citizens, and in 2020 we may see broader privacy regulations at the federal level to cover the other 49.

The immediate perception of these regulations has been that they are detrimental to businesses large and small. Businesses rely on data to improve their website’s user experience and to sell products in store and online. In this article, we want to clarify and give you only the facts as we know them, so you can have a clear understanding of what privacy means in terms of your online presence and how you can ensure you are compliant with these regulations as they evolve.

An Important Note:

Before we get started, we have to tell you that although we do our research, we are not lawyers and this article is not intended to give you legal advice. This article should not be taken as legal advice, but rather a guide to understanding the effects new privacy regulations could have on you, your business and your customers.

The General Data Protection Regulations (GDPR)

GDPR stands for General Data Protection Regulation, a regulation that governs the processing, by an individual, a company or an organization, of personal data relating to individuals in the European Union.

The GDPR applies to:

  1. A company or entity which processes personal data as part of the activities of one of its branches established in the European Union, regardless of where the data is processed.
  2. A company established outside the European Union that is offering goods/services (paid or free) to, or is monitoring the behavior of, individuals in the European Union.

At first glance, you may think “I own a small business in the United States, none of this applies to me”. However, before you write off the GDPR as something you don’t have to concern yourself with, let’s look at how the European Union defines personal data.

The GDPR defines personal data as any information that relates to the identified or identifiable living individual. Personal data includes:

  • A first or last name
  • A home address
  • An email address that contains the name of the person it belongs to
  • Location data
  • An IP Address
  • A Cookie ID
  • The Advertising Identifier on your phone
  • Data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

Personal data does not include data that is rendered anonymous in such a way that the individual is not or no longer identifiable.

So, what about Google Analytics? Most small businesses utilize Google Analytics as a way of tracking user actions on their website, but the user is never actually identified in the dashboards and reports the business owner sees. However, under the GDPR Google is designated as your Data Processor and your business is the Data Controller, since you control which data is sent to Google Analytics through your tracking code.

Google uses its tracking code to obtain the user’s IP address, but then strips that information before it enters your report. With that said, although you can’t see user IP addresses in Google Analytics, your account still collects the data, and under the GDPR IP addresses are considered personal data. So the simple answer is: yes, if you are using Google Analytics and your website is being accessed by users from the European Union, then you are technically not compliant under the GDPR (even if you live in the United States), because you are technically monitoring the data of someone in the European Union.

Another way small business owners can get tangled up in the GDPR is through email campaigns. No matter how the email addresses for the campaign are obtained, storing someone’s personal information (email address, name, etc.) without their express permission is prohibited under the GDPR. That means that if you collect business cards and manually add them to your email campaign, you have to make sure either that they do not live in the EU or that they have given you informed and unambiguous consent (this is what we recommend 😊).

If you are still unsure whether you are GDPR compliant, the GDPR also gives us a few examples as to what applies vs what does not apply to the regulation.

Regulation Applies When...

  1. A company with an establishment in the EU provides travel services to customers based in the [United States] and in that context processes personal data of natural persons.
  2. Your company is a small, tertiary education company operating online with an establishment based outside the EU. It targets mainly Spanish and Portuguese language universities in the EU. It offers free advice on a number of university courses and students require a username and a password to access your online material. Your company provides the said username and password once the students fill out an enrollment form.

Regulation Does Not Apply When...

  1. An individual uses their own private address book to invite friends via email to a party that they are organizing (household exception).
  2. Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.

So, what does the GDPR say specifically about small businesses? We already know that the GDPR does apply to small businesses and that its rules are based not on the size of your company but on the nature of your activities as a company. However, the obligations of the GDPR do not all apply to every small business. The exceptions include:

  1. Companies with fewer than 250 employees don’t need to keep records of their processing activities unless processing of personal data is a regular activity, poses a threat to individuals’ rights and freedoms, or concerns sensitive data or criminal records.
  2. SMEs (Small & Medium Enterprises) will only have to appoint a Data Protection Officer if processing is their main business and it poses specific threats to the individuals’ rights and freedoms (such as monitoring of individuals or processing of sensitive data or criminal records) in particular because it’s done on a large scale.

If you would like to learn more of the GDPR specifics visit the official website here.
If you would like to read the full GDPR, click here.

The California Consumer Privacy Act

In 1972, citizens of the U.S. state of California amended the California Constitution to include the right of privacy as an “inalienable” right of all people. On June 28, 2018 California Governor Jerry Brown signed Assembly Bill 375, which is more commonly known as the California Consumer Privacy Act (CCPA).

The CCPA is simply the specific mechanism California adopted for enforcing Californians’ right to privacy, joining the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, and the Shine the Light law, a California law intended to give Californians the ‘who, what, where and when’ of how businesses handle consumers’ personal information.

Beginning January 1, 2020, the CCPA would grant a consumer the right to request a business to disclose the following:

  1. Categories and specific pieces of personal information that it collects about the customer,
  2. The categories of sources from which that information is collected,
  3. The business purposes for collecting or selling the information,
  4. The categories of third parties with which the information is shared.

In whole, the CCPA requires a business to make disclosures about the information and the purposes for which it is used. The CCPA also requires businesses to delete personal information from a consumer if the consumer sends a verified request.

In addition to granting the above, businesses that collect consumers’ personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which those categories of personal information shall be used. Businesses are prohibited from collecting additional categories of personal information, or using personal information collected for additional purposes, without providing the consumer with notice.

Essentially, this means that as business owners we can no longer collect personal information via Google Analytics, Crazy Egg, or any other third-party tracking tools without receiving the consumer’s consent beforehand, and if the consumer requests access to the information we collect on them, we have to comply free of charge.

The CCPA also has a few regulations that apply to businesses that sell personal information; however, since small businesses generally do not engage in selling personal information, we only note that this information can be found in sections 1798.115 and 1798.135 of the CCPA.

It is also important to note that consumers who request that companies delete their personal information are protected from discrimination by the business. You cannot deny goods or services, charge different prices or rates, or provide a different level of quality or service just because the consumer elected not to have their personal information tracked.

Before we start talking about how to comply with the CCPA, it’s important to note that, unlike the GDPR, not all businesses are included in the CCPA regulations. According to the CCPA, the businesses that must comply with it are:

  1. A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
     -- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000).
     -- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
     -- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
  2. Any entity that owns or is owned by a business, as defined above, and that shares common branding with the business (a shared service mark or trademark).

If you are a business that must comply with the CCPA, then understanding how Personal Information is defined by the CCPA will be important to you. According to the CCPA, Personal Information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes but is not limited to:

  1. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
  2. Any categories of personal information described in subdivision (e) of Section 1798.80.
  3. Characteristics of protected classifications under California or federal law.
  4. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  5. Biometric information: meaning an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
  6. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
  7. Geolocation data.
  8. Audio, electronic, visual, thermal, olfactory, or similar information.
  9. Professional or employment-related information.
  10. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
  11. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

However, Personal Information does not include publicly available information, meaning any information lawfully made available from federal, state or local government records.

To read more about the CCPA, you can access the entire bill here.

How does GDPR & CCPA Benefit My Customers?

If your head isn’t already spinning from reading the legalese of the GDPR and CCPA, then you probably already see the positive benefits the GDPR and the CCPA have for your customers. In the last 3000 years, privacy has been put on the back-burner in lieu of wealth and prosperity; however, the key benefit of these regulations is that consumers (including you and I) have had control of our personal information given back to us. We now get to choose whether a company sells our information to third parties, and we now get to choose whether we want companies (including Google) to know our exact location.

How does GDPR & CCPA Affect My Business?

Depending on the size and nature of your business, the GDPR and the CCPA can have several effects on it. With that said, speaking solely to small business owners who don’t sell consumers’ personal information, the GDPR and the CCPA could actually benefit your business rather than hurt it.

First is the Trust Factor. The trust factor is everything in business: it’s your greatest marketing tool, and it keeps customers using you and referring you over and over again. When you are transparent about your business, privacy policy, terms and conditions and the data you collect, you pull down a barrier and create a deeper level of trust that a billboard ad or commercial could never obtain. Ultimately, the GDPR and the CCPA require you to put the customer first in one of the biggest aspects of your business, and by leading with transparency your trust factor increases substantially.

Second, you are not losing that much data by complying with the GDPR and the CCPA. You can continue to build your email campaigns and track data through Google Analytics, all while still complying with the regulations.

Finally, the SEO benefits. Now, we are not saying that if you comply with these regulations you are going to get a boost in your search engine optimization. However, federal privacy regulations are more of a “when” than an “if” at this point, and proving that you are ahead of the market is a great indicator to Google that you are a legitimate business, willing to put your customers first.

How to make sure I am GDPR & CCPA Compliant?

If you are a small business making less than $25,000,000 a year in gross revenue and you don’t buy or sell customers’ private information, then the CCPA is probably not a concern for you. However, just because you are not forced to comply doesn’t mean you shouldn’t. By complying early, you can benefit your business greatly over the long haul.

However, if you use Google Analytics then you most likely have to comply with the GDPR. There are two routes you can take to comply with the GDPR:

The first is simple: stop tracking consumers’ personal information. As we discussed above, Google Analytics tracks consumers’ IP addresses and thus requires you to comply with the GDPR restrictions. However, if you don’t track consumers’ IP addresses, then it is our understanding that you don’t have to comply, because you are not tracking or processing anyone’s personal information (as outlined in the GDPR section). Luckily, Google Analytics allows us to opt out of tracking consumers’ IP addresses, and it can be done by simply altering the tracking code on each page of your website.

If tracking IP addresses or any other personal information is important to you, then you will have to comply with the GDPR or risk getting fined (assuming you still want to gather data from the EU). Depending on the type of data you are collecting and storing, you may be required to meet several guidelines; you can find more information about these here.

PWC recently compared the GDPR and the CCPA to help businesses better understand the additional requirements the CCPA will place on businesses collecting personal information.

It is our belief that privacy is a right of every person not a privilege, so we recommend all businesses comply with both the GDPR and the CCPA, even if they do not meet some of the requirements of enforcement.

With that said, we follow a strict set of guidelines that we believe allow every client of ours to comply with both the GDPR and the CCPA; we provide this service as part of our website development and website management services. These include:

  1. All websites have IP address tracking turned off and, to the best of our knowledge, no personal data as defined by the GDPR or the CCPA is collected by the website.
  2. All consumers can turn Google Analytics tracking off at any time by clicking the Analytics button at the bottom right-hand side of each page.
  3. All Google Analytics accounts accept Google’s Data Processing Agreement, disable data sharing with Google, turn off data collection for advertising and disable User-ID tracking. Data collection for advertising is only turned on when the customer has an active advertising campaign.
  4. All websites have a clear Privacy Policy provided by our clients; websites that use our Google Ads or Facebook/Instagram digital advertising services also include a Cookie Policy.
  5. All website forms include a “required” checkbox that ensures the consumer gives permission for their personal data to be collected and processed by the website when contacting the business.
  6. All websites include two forms of contact information through which the consumer can request that personal information be removed from company records at any time.

We believe that following these guidelines, based on our knowledge of the GDPR and the CCPA, ensures that consumers’ personal information is not collected, and so falls outside the scope of either regulation, while providing the transparency and data control that establish trust between the consumer and the brand.

GDPR & CCPA Deadlines

After the regulations were signed into law, the European Union and the California State Government each set a series of deadlines by which all businesses within their respective jurisdictions must comply:

GDPR

Date Adopted: April 6, 2018
Compliance Deadline: May 28, 2018

CCPA

Date Adopted: June 28, 2018
Compliance Deadline: January 1, 2020

What Happens If I Don’t Get Compliant?

Getting compliant with various regulations costs businesses both time and money, so it is understandable that some choose to wait until the last minute. If you have your website managed through White Whale Web Design and meet certain requirements, most of the work to stop personal information from being collected has already been completed for you; if not, below are some of the penalties outlined in each regulation.

GDPR

The European Union has been less strict about catching businesses that are not in compliance; however, the official GDPR states that a business found not in compliance is subject to a penalty with a ceiling of 4%. This may not seem like much, but if your annual revenue is $100,000 then your penalty could be as high as $4,000!

CCPA

The CCPA is expected to be enforced more aggressively than the GDPR, and the penalties for not complying can be much higher. Private Right of Action damages range from $100 to $750 per consumer, and enforcement penalties start at $7,500 per violation with no maximum limit.

How to get GDPR & CCPA Compliant

Before we talk about the details of compliance, it’s important to note that the GDPR and the CCPA only apply to “personal information” (defined in each section above). For most small businesses, the best way to avoid high costs is simply to stop collecting personal information without the consumer’s freely given, unambiguous consent.

It is our understanding, based on researching each document, that this can be achieved at a bare minimum by:

  • Turning off IP address tracking within the Google Analytics code of your website,
  • Adding a Privacy & Cookies Policy to the website,
  • Disabling information sharing in Google Analytics,
  • Allowing consumers to disable tracking, and
  • Requiring consent before users can submit forms to your business.

By doing this, your tracking software (Google Analytics) is no longer monitoring or collecting personal data (IP addresses), you unambiguously disclose that you collect data when someone uses your website, and personal data is only collected when a consumer submits a form after giving consent.
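The Google Analytics steps in that list (IP tracking off, advertising data collection off, a consumer opt-out button, and a required consent checkbox), as an added example written for this article rather than taken from it or from Google. It assumes a gtag.js (Universal Analytics) property; `GA_ID`, the cookie name and the form field name are constructed placeholders.

```javascript
// Added example (not code from the original article or from Google).
// A consent-first gtag.js setup: IP anonymisation on, advertising data
// collection off, a consumer opt-out using Google's documented
// window['ga-disable-<ID>'] flag that is remembered in a cookie, and a
// form gate that insists on an explicit consent checkbox.

const GA_ID = 'UA-XXXXXXXX-1';           // placeholder: your own property ID
const OPT_OUT_COOKIE = 'ga_opt_out';     // constructed cookie name
const CONSENT_FIELD = 'privacy_consent'; // constructed form field name

// Parameters for gtag('config', GA_ID, ...). anonymize_ip,
// allow_google_signals and allow_ad_personalization_signals are real
// gtag.js configuration fields.
function privacyConfig() {
  return {
    anonymize_ip: true,                      // IP truncated before storage
    allow_google_signals: false,             // no data sharing with Google
    allow_ad_personalization_signals: false, // no advertising features
  };
}

// Google's opt-out convention: when window['ga-disable-<ID>'] is true
// the library sends no hits for that property.
function optOutKey(id = GA_ID) {
  return 'ga-disable-' + id;
}

function hasOptOutCookie(cookieString) {
  return String(cookieString || '')
    .split(';')
    .some((c) => c.trim() === OPT_OUT_COOKIE + '=1');
}

function isTrackingDisabled(win, id = GA_ID) {
  return win[optOutKey(id)] === true || hasOptOutCookie(win.document.cookie);
}

// Wired to the page's "Analytics" opt-out button: disables tracking for
// this page view and persists the choice for a year.
function optOut(win, id = GA_ID) {
  win[optOutKey(id)] = true;
  win.document.cookie =
    OPT_OUT_COOKIE + '=1; path=/; max-age=31536000; SameSite=Lax';
  return isTrackingDisabled(win, id);
}

// Replaces the stock gtag snippet: re-applies a stored opt-out before any
// hit can be queued, otherwise queues the privacy-restricted config.
function initAnalytics(win, id = GA_ID) {
  if (isTrackingDisabled(win, id)) {
    win[optOutKey(id)] = true;
    return { enabled: false, queued: 0 };
  }
  win.dataLayer = win.dataLayer || [];
  const gtag = function () { win.dataLayer.push(arguments); };
  gtag('js', new Date());
  gtag('config', id, privacyConfig());
  return { enabled: true, queued: win.dataLayer.length };
}

// Handler-side check for a contact form: the consent checkbox (unchecked
// by default) must be present; browsers send "on" for a checked box.
function validateSubmission(fields) {
  const consent = fields[CONSENT_FIELD];
  if (consent !== 'on' && consent !== true) {
    return { ok: false, error: 'Consent to process your personal data is required.' };
  }
  return { ok: true, error: null };
}

// In a browser this runs at page load; outside a browser nothing happens.
if (typeof window !== 'undefined') {
  initAnalytics(window);
}
```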

As we discussed before, we offer these types of services free to all clients that have their website built by our team and for clients who choose to have their websites or advertising managed through us.

If collecting personal information is a priority, whether you are selling personal data or collecting it for company use, and you meet the GDPR/CCPA thresholds for enforcement, then this option will not be enough to make you compliant. Depending on the size and nature of the business, you may have to hire a Data Protection Officer and a team that handles compliance issues as they arise, as well as keep records and follow strict information removal guidelines.

What is the future of GDPR, CCPA and International Privacy Protection?

Privacy regulation is far from hitting its peak, and we believe that more countries are going to enforce data protection in the near future. The GDPR has been in effect since May of 2018, and companies such as British Airways and Google have already been fined over $50 million.

The CCPA will bring stricter privacy regulations to the United States, and we believe these privacy regulations will escalate to federal legislation in the next 3-5 years.

Are we missing something? We have done extensive research to ensure we offer the best service to our clients and their customers, however if you believe we are missing something please leave a comment below.