New data privacy legislation—including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)—has emerged, making it important to give consumers certain powers and freedoms over their own data.
Not only are data privacy policies important for compliance with different privacy legislation, but they also help set expectations with your website visitors. Visitors will know the types of data you’re collecting, why you’re collecting it, and how they can contact you with questions or concerns.
There are a number of laws that require data privacy policies. Chances are one of the laws applies to your company.
The legal landscape around privacy is constantly evolving. The GDPR is one of the most recent privacy laws to take effect, and the CCPA is going to take effect in just a few months.
California Online Privacy Protection Act (CalOPPA)
Detail the kinds of information you gather
Explain how that information will or could be shared
Explain how the website visitor can review and make changes to their stored information
Include the policy's effective date and an update on any changes that have taken place since then
Enforcement of CalOPPA falls to the California Attorney General’s Office.
Children's Online Privacy Protection Act (COPPA)
To comply with COPPA, your company must:
Make reasonable efforts to notify parents of how you collect and use their child’s data
Obtain parental consent
Provide a way for parents to review the data
Have procedures for data protection
Retain data only for as long as necessary
The FTC has fined companies up to $170 million for failing to comply with COPPA.
Gramm-Leach-Bliley Act (GLBA)
The GLBA is geared towards financial institutions. It went into effect in 1999, and, similar to the two acts above, this law requires financial institutions to notify their websites’ users of what data is collected, how it is used, and how it is protected. The GLBA defines financial institutions as “companies that offer consumers financial products or services like loans, financial or investment advice, or insurance.”
The one big difference between the GLBA and the other laws we’ve covered is that the GLBA requires financial companies to give visitors a way to opt out of sharing their data with nonaffiliated companies.
Failure to comply with the GLBA can result in fines of up to $100,000 for each violation, and even jail time for the person responsible for the violation.
General Data Protection Regulation (GDPR)
The GDPR is one of the most well-known data privacy laws, partially because it is so new, and partially because of how big the changes are as a result of it. The GDPR went into effect in 2018. If your company collects data from European Union citizens (whether as a data controller or a data processor), there’s a chance you must comply with the GDPR, even if your company isn’t located in the EU.
What types of data you collect
What you do with that data
Why you need to collect that data
How long that data will be stored
How customers can get in touch with your company
If your company is found to be in breach of the GDPR, it could be fined up to €20 million or up to 4% of the annual revenue.
California Consumer Privacy Act (CCPA)
What data is being collected, and why
Whether that data is being sold or shared
Who that data is being sold or shared with
Failure to comply can result in fines of up to $7,500 per violation, regardless of whether the violation was intentional or not.
External tools that require data privacy policies
You can do this by following three steps:
Step #1: Use plain language
Step #2: Add a “Frequently Asked Questions” section
Wikimedia does this perfectly:
The way Wikimedia lists all questions and links to the appropriate answer creates a good user experience for any website visitor who has questions about their data privacy.
Step #3: Structure it for the user
Data privacy is becoming more important
More data privacy legislation is passed every single year. On top of that, website visitors are becoming increasingly aware of the impact their data has. People want to know what you’re collecting, why you’re collecting it, and what you plan to do with it.
NOT LEGAL ADVICE
The information provided in this article does not, and is not intended to, constitute legal advice. All information and content in this article is for informational purposes only. Information in this article may not contain the most up-to-date legal information. Readers should contact an attorney to obtain advice with respect to any particular legal matter, and consider a data privacy training course for a more detailed understanding of how to approach these matters.