What do GDPR & CCPA Mean for my Site?
General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA)
It’s been a few years now since GDPR first hit… and we all may still have some inbox PTSD from the amount of email messages we received from every company we had ever given our email address to.
You remember, right? May 25th, 2018 – every. single. company. ever. updated their privacy policy and sent out an email about it. While it may have been annoying as a consumer, business owners could face alarming fines if they hadn’t updated their privacy policies and notified consumers.
But updating your Privacy Policy isn’t enough.
GDPR – the General Data Protection Regulation – is a set of European regulations governing how companies manage the personal data they collect from consumers. The end goal of GDPR is to put more control over collected and stored data in the hands of the consumer. As a citizen of an EU country, if I gave my information to your company at one point in time, I now have the right to ask you what information you are storing and to delete the information should I no longer wish you to have it (anything other than what you might need for tax documents), and you must comply. Specifically, GDPR states that the consumer has:
- the right to know what data a given company has about them, and what it's used for
- the right to know if consumer data is being shared with outside groups
- the right to access personal data and take it somewhere else (referred to as "data portability")
- the right to, at least in some situations, have personal data erased
- the right to know (within 72 hours) of any data breach
Most of our customers were like…
“But these are European regulations, I am a US based business, why do I care?”
GDPR does specifically apply to data of people who live in the EU (uniformly binding in all 27 member states). If you do business with someone who lives across the pond, you can be held to GDPR standards. And the ramifications can be steep, with the stiffest penalty being 20 million euros or 4% of your gross profit, whichever is higher. Yikes!
But wait, there’s more… And now it’s California (and Maine and Nevada on a smaller scale). And other states are considering legislation to protect consumer information.
January 1st, 2020 saw the first major US privacy legislation to be enforced. Similar to GDPR, the CCPA changes the way Californians can handle their own data. It gives consumers the right to request businesses to disclose or delete the data they have already collected, or to opt out completely of third-party data sales.
There are similarities between GDPR and CCPA; however, one major difference is that to be compliant with the CCPA, you must have a “Do Not Sell My Personal Information” button that is clear, visible and accessible to your users on your website. This opt-out is a main part of the CCPA.
If you’re hitting your head on the table wondering how in the heck you’re going to make your site compliant with all of these new rules, take a breath. Though the California legislation is comprehensive and can be catastrophic to a company that does not comply, the rules actually exclude many businesses. For CCPA to apply to your business, you must be a for-profit entity that collects consumers’ personal information, determines the purpose and means of processing, does business in California and meets at least one of the following thresholds:
- Annual revenue over $25 million,
- Processes the personal information of at least fifty thousand Californians per year,
- Derives fifty percent or more of its yearly revenues from the sale of personal information.
I’m guessing those three bullet points just provided a bit of relief.
So why didn’t we lead with the fact that most (ok, all) of the companies we deal with won’t have to bother themselves with CCPA regulations? Because we don’t think privacy regulations will end here and we’d prefer to get ahead of it. More and more consumers would prefer to have total control over the data a company collects and how the data is used. While these regulations may not directly affect your business yet, we think it is just a matter of time before there is general US legislation that will mirror what the EU has done.
While we recommend all sites be aware of GDPR and CCPA regulations, the impact of not taking these seriously may not be felt for a while. As with what we have seen with the ADA regulations, it’s just a good idea to put these into place while you’re developing your site. And if you don’t voluntarily do it, there is likely a lawyer out there who will ensure compliance soon enough.
For more information, the Future of Privacy Forum (FPF) has created an extensive comparison document between GDPR and CCPA that can be downloaded.
We will leave you with this one little nugget of truth from Chet Faliszek back in 2018 when GDPR updates were at their peak…
