Do you sell products or services on your website? Collect emails? How about encouraging visitors to download free gifts, white papers, or PDFs after entering an email address?
Privacy laws were passed in response to consumer fears about being tracked online and having no control over the personal information collected about them.
Privacy laws define personal information as anything that can personally identify visitors to your website. It includes but isn't limited to the following data pieces:
The problem is that visitors to your site often share personal information without realizing they're doing so. For example, when a customer makes a purchase, your site might collect each of the types of data in our list.
Have you ever asked visitors to sign up for a newsletter, white paper, or free recipe to generate leads or build an email list? At a minimum, your site collected responders' email addresses and probably their names.
Do you offer chat or live support services? Anyone who uses these tools to solve a problem provides their name, email address, and other information requested during the chat.
Privacy laws say that your visitors have a right to know what's collected, who will see it, and what will be done with it.
Here's an example of how HubSpot explains its data collection:
This is pretty basic. People want to know what you're learning about them while they're on your site. Google, for example, shares a lengthy list of the information it collects. Here's an excerpt:
The GDPR requires that you include specific information about how you'll use the data you're collecting. As noted in Article 5(1)b, personal data can only be:
"Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."
Here's how email marketing platform GetResponse addresses this:
The CCPA requires a business and commercial purpose for the information you collect. And the GDPR adds that you must have a legal basis for processing it. According to this, GetResponse collects the personal information it needs to create customers' accounts and give them access to the software.
Cookies. That may not be the only means you use, but it's almost certainly at least one. What is a cookie? According to online security company Kaspersky:
"Cookies are text files with small pieces of data - like a username and password - that are used to identify your computer as you use a computer network. Specific cookies known as HTTP cookies are used to identify specific users and improve your web browsing experience."
A cookie is a small tracking file that your website stores in each visitor's browser when they arrive. It lets you recognize them as they move around the site and, when the cookie is set by a third-party tracker that other sites also embed, it can even reveal where they go after they leave your website. That's powerful! You need to make users aware of this and comfortable with what you're collecting.
Here's a detailed discussion of how tracking works for businesses and users on websites.
Notice that the policy begins with a description of browser cookies. Later, it describes several other types of cookies that Disney uses.
Visitors want to know, specifically, how you're learning about them. Tell them if you use other methods to learn more about them. Examples might be:
Customers might assume much of this, but spell it out. This protects them and your business.
Tell visitors whether any third-party trackers will get access to their information. This might include, for example, ad media or social media sites like Facebook or Twitter.
In Article 13(1)f, the GDPR specifically requires that you inform users whether any customer data will be transferred to a country outside the EU. If so, you need to explain the safeguards that protect this information once it leaves.
Where will you store the data collected? How long will you keep it? Given the frequency of data breaches online and offline, visitors want to know.
Here's how Neil Patel handles the question:
Users aren't looking for a detailed explanation of how your security works, and the privacy laws don't require it. However, they do want to know that you're taking reasonable precautions.
This information is required by the GDPR in Article 13(2)b. Tell users how long you'll keep their information, your criteria for deciding, and what you'll do with it at the end of that period.
What this says is, "It depends," and these are the factors that will determine the retention period. According to the GDPR, data may be:
"Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. (Article 5(1)e)"
The regulation (Article 14) also makes it clear that individuals have the right to:
Notice that the Thrive Themes clause links to the support team where users can see their data and request changes.
Another method is to inform users by email, explaining what has changed and linking them to the updated version for further reading.
Here's how online business magazine Business Insider handles this:
Have a designated person in your business who handles these kinds of questions. They probably won't come up very often, but if they do, someone with an understanding of data protection and your policies needs to interact with users.
Here's how HubSpot refers users who have privacy concerns:
If your company markets to users in the European Union, you also might need a designated Data Protection Officer (DPO).
Here's the footer for online technology magazine, The Verge:
Amazon places a link to its Privacy Notice right near the "Place your order" button, which ensures shoppers will see it before finalizing their order and thus sending their personal data (mailing address, credit card information, etc.) to Amazon:
Does your site require signup by members? The signup page is another important place for the Privacy Page link. Here's where Pinterest places its link:
According to Article 7(1) of the GDPR,
"Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data."
"The data subject shall have the right to withdraw his or her consent at any time. (Article 7(3))"
These two points are essential:
Generally, having users check a box is a clear way to demonstrate consent. It requires a conscious action by the user. In this case, you want to leave the box unchecked by default.
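The two Article 7 requirements above (demonstrable consent and withdrawal at any time) together with the unchecked-by-default checkbox, worked through as an added example that is not code from the article or from any site it quotes. The record fields, function names and the sample newsletter form are assumptions.

```javascript
// Added example: a minimal consent record that lets a site demonstrate consent
// (GDPR Art. 7(1)) and honour withdrawal at any time (Art. 7(3)).
// All names and fields here are assumptions, not any site's real code.

// The consent control must start unchecked and carry the statement the visitor
// is agreeing to; a pre-ticked box is no evidence of a conscious choice.
function consentControlIsValid(control) {
  return control.defaultChecked === false &&
    typeof control.label === "string" && control.label.length > 0;
}

// Build a consent record only from an affirmative action by the visitor.
// `now` is injected so the record is reproducible in tests.
function recordConsent({ subjectId, control, checkedByUser, policyVersion, now }) {
  if (!consentControlIsValid(control)) {
    throw new Error("consent checkbox must be unchecked by default and labelled");
  }
  if (!checkedByUser) {
    return null; // no consent given: nothing may be processed on this basis
  }
  return {
    subjectId,
    policyVersion,          // which privacy policy text the visitor agreed to
    wording: control.label, // the exact statement shown next to the box
    grantedAt: now.toISOString(),
    withdrawnAt: null,
  };
}

// Withdrawal is always allowed; the original grant is kept as evidence.
function withdrawConsent(record, now) {
  return { ...record, withdrawnAt: now.toISOString() };
}

// Processing on the basis of consent is permitted only while consent is live.
function mayProcess(record) {
  return record !== null && record.withdrawnAt === null;
}

// Constructed sample: a newsletter signup form whose box starts unchecked.
const newsletterBox = {
  defaultChecked: false,
  label: "Yes, email me the weekly newsletter.",
};
const sampleRecord = recordConsent({
  subjectId: "user-123", control: newsletterBox, checkedByUser: true,
  policyVersion: "2024-01", now: new Date("2024-01-15T10:00:00Z"),
});
```

Keeping `grantedAt`, `policyVersion` and `wording` on the record is what lets you later show which statement a given person agreed to and when.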
It's fitting that the European Commission's website demonstrates the explicit consent policy required in the GDPR: