Privacy Compliance


Are you confused about whether privacy regulations apply to your website and what they require? We were too, so we did some homework.

Privacy regulations were developed in response to public concern over privacy. With so many regulations, it is difficult to understand what the requirements are, and no one wants to be fined. The list of location-based regulations keeps growing, but here are some starting points to consider. A legal professional should be consulted to ensure you are in compliance.
  1. Does your website collect any personal data from users? The following are examples of personal data:
    • Basic identity information such as name, address and ID numbers
    • Web data such as location, IP address, cookie data and RFID tags
    • Birthday
    • Height, weight, hair color
    • Health and genetic data
    • Biometric data
    • Racial and ethnic data
    • Political opinions
    • Sexual orientation
  2. Where are the people who can access your site located, and does your business meet that location’s compliance criteria?
    • California CalOPPA (California Online Privacy Protection Act) (statute)
      1. Criteria
        • Any person or entity that owns or operates a commercial website or online service that “collects and maintains personally identifiable information from a consumer residing in California who uses or visits” said website or online service.
      2. Requirements
        • Conspicuously post your Privacy Policy on the home page of your website.
        • The Privacy Policy must include the process by which users can request changes to their personal data.
        • Include in your Privacy Policy how “Do Not Track” requests are handled (AB 370).
        • Notify affected users of security breaches that impact their data.
        • State the effective date of the Privacy Policy.
    • California CCPA (California Consumer Privacy Act) (statute) applies to businesses meeting any of the following criteria and grants consumers the rights listed under Requirements:
      1. Criteria
        • Gross annual revenue of over $25 million
        • Buy, receive or sell the personal information of 50,000 or more California residents, households, or devices, or
        • Derive 50% or more of their annual revenue from selling California residents’ personal information.
      2. Requirements
        • Notice at collection – list the categories of personal information collected and the purposes for which they are used.
        • If the business sells consumers’ personal information, then the notice at collection must include a Do Not Sell link.
        • Link to Privacy Policy which is a written statement that gives a broad picture of its online and offline practices for the collection, use, sharing, and sale of consumers’ personal information. Required to include information on consumers’ privacy rights and how to exercise them: the Right to Know, the Right to Delete, the Right to Opt-Out of Sale and the Right to Non-Discrimination.
    • European Union
      1. Criteria for companies required to comply with GDPR:
        • A presence in an EU country.
        • No presence in the EU, but it processes personal data of European residents.
        • More than 250 employees.
        • Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive data.
      2. What is required? Here is a link to the full article with requirements. Here are some of the highlights:
        • Processing and storing personal data: All personal data must be processed lawfully and transparently, and only for the purpose specified to the individual. That data may be stored “in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” All personal data must be processed securely to protect against unlawful access, loss or damage “using appropriate technical or organizational measures.” Those measures are not defined, but presumably if the data is lost or stolen, a company could be considered not in compliance.
        • Consent: All processing of personal data must be done lawfully, by which is meant that each individual must give consent to use their personal data. The data collected must also be necessary to complete a task or transaction initiated by the individual, with the exception of public authorities.
        • Right to Access: EU citizens have the right to know upon request what personal data a company is using and how it is being used.
        • Right to Personal Data Deletion: EU citizens can expect companies to stop processing and to delete their personal data upon request.
        • Reporting of Data Breaches: Companies must report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected.
  3. Add policies and tools as needed to comply. Some tools that may be useful:

The Site cannot and does not contain legal advice. The information is provided for general informational and educational purposes only and is not a substitute for professional advice.
Accordingly, before taking any actions based upon such information, we encourage you to consult with the appropriate professionals. We do not provide any kind of legal advice. Use of or reliance on any information contained on this site is solely at your own risk.
