The evolving data privacy landscape has become a serious concern for webmasters and businesses that collect, process, handle, and store personal data. While these laws and regulations are excellent for improving the rights of consumers by ensuring that their data is handled appropriately and transparently, the rapid onset of new laws and amendments to existing laws has proven to be a challenge for anyone that relies on consumer data.
In this article, we will leverage key principles of Europe’s GDPR and California’s CCPA to provide you with actionable steps that you can take to prepare your website for meeting compliance with data privacy laws of the present and the future.
Changes to Make to Your Website
Present and future data privacy laws are all about protecting the privacy of your customers. While the specific changes you’ll need to make to your website will vary depending on the data privacy laws you’ll need to be compliant with, the below list will help you get started with immediate changes you can make to be better prepared.
Cookie Consent
The ePrivacy Directive and GDPR both treat internet cookies and similar tracking technologies used on websites as personal data. If you use these tracking technologies, you are required to notify your website visitors and get their explicit informed consent. This is usually handled through a cookie consent pop-up that alerts the visitor to the presence of trackers on your website and asks them to provide opt-in consent for their use. It’s critical that users are able to continue using your website regardless of whether or not they allow you to use tracking cookies and that they have a convenient means of later revoking their consent.
Data Privacy For Mailing Lists
Though not explicitly required by GDPR, ensuring that your mailing list has double opt-in consent enabled is an excellent proactive measure for documenting that consent has been given by the recipients on your mailing list. Double opt-in consent means that your visitors are only added to your mailing list when they supply their email address through your sign-up form and confirm their interest by visiting an opt-in confirmation link that is sent to their email address.
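The double opt-in flow described above can be sketched as follows. This is an added example, not code from the original article: the function names, the in-memory stores, the demo key and the 48-hour link lifetime are all assumptions made for illustration.

```python
import base64, hashlib, hmac, time

SECRET = b"constructed-demo-key"  # assumption: load from a secret store in practice
TOKEN_TTL = 48 * 3600             # assumption: confirmation links expire after 48 hours

pending = {}      # email -> time the sign-up form was submitted
subscribers = {}  # email -> consent record kept as documentation of consent

def sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def request_signup(email, now=None):
    """Step 1: the form is submitted. The address is NOT on the list yet."""
    now = int(time.time() if now is None else now)
    email = email.strip().lower()
    pending[email] = now
    payload = f"{email}|{now}".encode()
    # The returned token goes into the confirmation link that is e-mailed out.
    return base64.urlsafe_b64encode(payload).decode() + "." + sign(payload).decode()

def confirm_signup(token, now=None):
    """Step 2: the link is visited. Only now is the address subscribed."""
    now = int(time.time() if now is None else now)
    try:
        b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        email, issued = payload.decode().rsplit("|", 1)
        issued = int(issued)
    except (ValueError, UnicodeError):
        return False  # malformed token
    if not hmac.compare_digest(sig.encode(), sign(payload)):
        return False  # token was not issued by us or was altered
    if now - issued > TOKEN_TTL or pending.get(email) != issued:
        return False  # expired, already used, or no matching sign-up request
    del pending[email]  # single use: a replayed link is rejected
    subscribers[email] = {"requested_at": issued, "confirmed_at": now,
                          "method": "double-opt-in"}
    return True
```

The stored record keeps both timestamps, which is the documentation of consent that the double opt-in is meant to provide.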
Privacy Policy
Both GDPR and CCPA require that you provide a highly detailed and easily accessible privacy policy for your website visitors. You should avoid strictly relying on templates to write your privacy policy for you – while a template can provide you with the core structure, you’ll need to make sure that your policy is tailored to specifically address how your website and company collects, processes, handles, and stores personal data.
What to Include in Your Privacy Policy:
- The exact data you will be collecting from your website visitors.
- Why your website collects the data that it does and how that data will be used.
- How the collected data will be secured against unauthorized access and use.
- The consent your visitors must provide before their data is collected, processed, handled, and stored and how their consent can be later revoked.
- Whether or not you use internet cookies and other tracking technologies on your website.
- The contact details of a designated person your visitors can reach out to if they have any data privacy questions or concerns.
How To Handle Sensitive Data
If you collect categories of sensitive data such as personally identifiable information (PII), you are responsible for ensuring that data is handled safely. The data privacy laws your website and company are subject to will (at the minimum) require that you secure sensitive data with “appropriate safeguards” – how that term is interpreted varies, though in practice it means that you’ve taken proactive cybersecurity and physical security measures to ensure that sensitive data is not accessed by anyone that doesn’t require access to it.
Data Minimization
You can greatly reduce the amount of risk and liability you have by limiting the quantity and sensitivity of the data in your custody. The less data you collect, process, and store, the fewer resources you will need to dedicate to the management of sensitive data.
Easy Steps for Data Minimization:
- Online Forms: Keep the amount of information you request in your web forms to the bare minimum you need to maintain your business operations. If more data is needed in later stages, it can be collected at that time rather than increasing your liability by collecting that information before it’s necessary.
- Data Culling: When data is no longer needed, your best bet is to delete it wherever possible. This process can be automated to cull data at specified intervals, allowing you to easily ensure that the data you collect is not hoarded needlessly.
- Data Anonymization: If the collection and long-term storage of data is a necessary part of your operations, consider obscuring personally identifiable information with data anonymization measures. This allows you to gain insights from historical data without storing data that is clearly linked to identifiable individuals.
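The culling and anonymization steps above can be combined into one scheduled retention job. The sketch below is an added example, not code from the original article: the record fields, the 90-day and 730-day thresholds and the demo key are assumptions, and the keyed hash it uses is pseudonymization, one possible anonymization measure, which stays linkable for anyone who holds the key.

```python
import hashlib, hmac
from datetime import datetime, timedelta, timezone

PSEUDONYM_KEY = b"constructed-demo-key"  # assumption: kept separately from the data
ANONYMIZE_AFTER = timedelta(days=90)     # assumption: strip identifiers after 90 days
DELETE_AFTER = timedelta(days=730)       # assumption: cull entirely after two years

def pseudonym(email):
    """Stable keyed identifier so history can still be grouped per customer."""
    digest = hmac.new(PSEUDONYM_KEY, email.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]

def apply_retention(records, now):
    """Return the records that may be kept, with older ones de-identified."""
    kept = []
    for rec in records:
        age = now - rec["created_at"]
        if age > DELETE_AFTER:
            continue  # data culling: the record is dropped
        if age > ANONYMIZE_AFTER and "email" in rec:
            rec = {
                "subject": pseudonym(rec["email"]),  # replaces email and name
                # Coarsen the timestamp to the month to reduce re-identification.
                "created_at": rec["created_at"].replace(
                    day=1, hour=0, minute=0, second=0, microsecond=0),
                "order_total": rec["order_total"],
            }
        kept.append(rec)
    return kept

# Constructed sample data for the demonstration.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"email": "a@example.com", "name": "A. Buyer", "order_total": 40,
     "created_at": datetime(2024, 5, 20, 9, 30, tzinfo=timezone.utc)},
    {"email": "A@example.com", "name": "A. Buyer", "order_total": 25,
     "created_at": datetime(2024, 1, 15, 14, 5, tzinfo=timezone.utc)},
    {"email": "b@example.com", "name": "B. Buyer", "order_total": 10,
     "created_at": datetime(2021, 3, 3, 8, 0, tzinfo=timezone.utc)},
]
```

Running `apply_retention` again on its own output leaves already de-identified records unchanged, so the job can run at any interval.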
Prepare for Data Subject Access Requests (DSAR)
If your website collects PII, you need to have a system in place for accurately identifying the data subject of the data you’ve collected. The data subject is the specific person whose data you have collected; under both GDPR and CCPA you will need to be prepared to respond to DSARs from your data subjects. The exact details that you are required to provide in response to a DSAR will depend on the data privacy laws your website is subject to.
How to Prepare for DSARs:
- Keep highly detailed documentation about the data you collect, who it belongs to, the specific reasons for its use, how it was collected, why it was collected, and any other important information you are required to document in order to stay compliant with the data privacy laws you are subject to.
- Consider implementing a system that automates responses to DSARs. DSAR response systems are especially important if you expect a high volume of requests as they will save you countless hours of manual work.
- When a DSAR request is submitted to you, confirm with the data subject in a timely manner the exact data you have about them and provide them with any related details you are required or able to give – this could include details around how the data was obtained, how long you’ll be storing it for, and your legitimate business interest in collecting the data.
Choose A Trustworthy Web Hosting Provider
Depending on the data privacy legislation that you need to be compliant with, you are likely to be liable for any data breaches caused by third-party partners that you work with – this includes your web hosting provider as well as any plug-ins you intend to use on your website. When choosing a web hosting provider for your website, it is your responsibility to ensure that they have appropriate physical and technical safeguards for protecting the data you’ll be storing with them.
Physical Safeguards
Physical safeguards are fairly straightforward – they protect web hosting equipment from unauthorized physical access, tampering, and theft. Physical security measures implemented by your hosting provider ensure that direct in-person access to their hosting servers is limited exclusively to the people who are required to have that level of access.
Examples of Physical Safeguards:
- Door Locks: Deadbolts and electronic locks such as those that use key cards and/or biometric fingerprint access.
- Security System: 24/7 security systems such as those with CCTV video surveillance, alarms, and/or security guards that remain on-premises.
- Gated Access: Access-controlled gates and fences that provide a barrier against unauthorized vehicle and pedestrian traffic.
Technical Safeguards
It is critical that your web hosting provider has appropriate technical safeguards for data privacy compliance as they will protect the data you store on your hosting provider’s servers against unauthorized access and misuse from threats such as hackers engaging in cyberattacks.
Examples of Technical Safeguards:
- Data Encryption: HTTPS encryption for your website through SSL certificates helps protect data by ensuring that attackers cannot snoop on the data transmitted to and from your website. In addition to the added security, Google favors websites that are secure, giving you added SEO benefits that help your website rank higher in Google searches.
- Managed Services: Managed services ensure that critical security patches are always up-to-date on your website. While you can apply security updates manually under a non-managed plan, managed hosting service providers take care of this for you so you can focus on your business while giving you the peace of mind that your website is secure.
- Dedicated Servers: While VPS hosting from a trusted provider will give you a high level of security, if you have strict data privacy or security requirements you can use dedicated servers to give you the highest level of control over your website’s servers and data. This extra level of control is a great step for enhancing your options for maintaining compliance with HIPAA and PCI.
Conclusion
Though the exact steps we will need to take to be compliant with changes in the evolving data privacy landscape are uncertain, meeting compliance with leading legislation such as GDPR and CCPA will help you establish the core infrastructure you need to adapt successfully. By understanding that the core intent of data privacy laws is to enhance the rights of data subjects, you can take the necessary steps to ensure that the way you handle data emphasizes privacy and security at its core.
Note From the Author
While we’ve put considerable effort into ensuring the accuracy and validity of the information present in this article, we are not a legal professional and thus we cannot give legal advice. It is our hope that the guidance we have provided you with in this article will help you make informed decisions and take the necessary steps to become compliant with data privacy laws; however, you will need to consult with a lawyer that is proficient in data privacy to ensure that you are truly compliant.