You may have heard the acronyms GDPR and CCPA recently and wondered what they were all about. Both are acronyms for data privacy rules that seek to control how you collect and control data on your website and within your company. If you’ve heard anything about the GDPR, you know that it’s a European Law, and based on that description you might have concluded that it doesn’t apply to your company. And if you’ve heard about the CCPA, you know that it is California’s new data privacy law, and that it therefore does apply to you. Well, there is a good chance that for you and your company, both assumptions are wrong. Here’s why…
Website Privacy Laws
Since the beginning of the Internet, any company that collects data on its website owned that data, and it could do whatever it wanted to with that data. But that perspective has led to so many of the recent news stories about websites (like Facebook, Cambridge Analytica, Amazon and Google) spying on you, personal data being used to influence your purchasing decisions, personal data being used to influence elections, your data being sold from one company to another, and so on.
The new website privacy laws, such as the GDPR and CCPA, seek to curb this behavior by making consumers the owner of data about themselves.
What Kinds of Data Are Protected By The GDPR and CCPA
You might be thinking that these laws don’t apply to you because you believe that your website doesn’t collect any data. That is likely because you are thinking of data being transactional information, such as your full name, address, credit card information, products you looked at, products you are purchasing, size of clothing you wear, and so on. Or something more personal, like your health and medical information, including symptoms researched, diseases researched, diseases you have, medicines you take...you get the idea, because we’ve all had this kind of information stored about us.
But if your website doesn’t sell anything, or doesn’t even have a login or other registration system, then you could still be collecting data. For example, that data could be information you don’t realize you are collecting, such as web behavior, such as how visitors arrived at the site, how many pages they looked at, which pages they looked at, what did they search for on the site, what images were viewed or downloaded, and so on. And the data could still be considered personal information, such as what a visitor might enter into a contact form, including their name, the job they are looking for, product questions, their IP address, browser type, computer type, and so on.
These privacy laws consider all of this information as personal and data that they seek to protect.
Understanding the GDPR
The acronym GDPR stands for General Data Protection Regulation, the name of the EU law that went into effect in April 2018. The law basically says that consumers -- specifically EU consumers called “Data Subjects” in the GDPR -- are the owner of data about them, and that they have certain rights with respect to this data. In fact, there are eight rights specifically granted by the GDPR.
Rights Under the GDPR
- The right to be informed, specifically when and what data is being collected.
- The right to access the data that is collected and stored. In other words, consumers get to see what data that other websites have collected.
- The right of rectification, specifically to correct data that is incorrect.
- The right to be forgotten. Yes, a website has to comply if a consumer says “I want you to delete all data about me.”
- The right to restrict processing. The website can collect the data, but consumers can limit what can be done with the data.
- The right of data portability, which means consumers can request copies of data about them, receive it in some kind of transportable/usable form, and transfer it to other websites/companies (assuming that one provider can use data from another provider of similar services.)
- The right to object to how your data is used, such as objecting to sharing information with other marketing companies.
What is a GDPR Data Subject?
So who are these “Data Subjects” that the GDPR refers to? All citizens of the EU are Data Subjects, as are all residents of the EU. People from other parts of the world who travel to the EU are also data subjects while in the EU.
Does the GDPR Apply To US-Based Websites?
The GDPR wasn’t really designed to regulate websites as much as was designed to protect Data Subjects and their data. So no matter what websites a Data Subject might reach -- regardless of what country the Data Subject is in -- then the Data Subject is protected under the GDPR. So if the Data Subject can reach a website, then the website must comply with the GDPR.
So you might be thinking that if the GDPR is only concerned with people in the EU, then it doesn’t apply to US-based websites. But this is not correct. The GDPR applies to Data Subjects no matter where they are in the world, which websites they access, or how they access a website. So if, for example, you sell widgets and a British citizen living in the US visits your website, the GDPR applies to your website. If a French citizen is travelling to the US and wants to buy a suit from your clothing website, the GDPR applies to your website. If a Swiss investor is looking at your real estate website for new investment properties, the GDPR applies to you.
So what if you block all European traffic? That won’t help, because Data Subjects can travel. And it’s also relatively common for people all over the world to use a VPN to get around geographic restrictions and make it look like they are actually in the USA.
So in short, the GDPR applies to ALL websites all over the world because it protects Data Subjects no matter where they are in the world, and no matter where the websites they visit are based...including the United States.
Penalties Under the GDPR
The GDPR has two tiers of fines, the first of which can be as high as 10 million Euro or 2% of a company’s annual revenue for the prior fiscal year, whichever is higher. More serious violations can be as high as 20 million Euro, or 4% of a company’s annual revenue, whichever is higher.
The fines are based on the gravity and nature of the violation, the intention, mitigation, precautionary measures (such as securing your website and company network), and more.
Understanding the CCPA
The California Consumer Privacy Act, which became effective on January 1, 2020, has similar goals to the GDPR in that it seeks to make consumers owners of data about them, and give them certain rights with respect to the data.
Rights Under the CCPA
Consumers are granted certain rights under the CCPA that are similar to the GDPR’s rights, although the CCPA uses language that is different than the GDPR and has different provisions with respect to each right. Among the rights that the GDPR and CCPA share are:
- The Right to be Informed
- The Right to Access
- The Right to Object
But the CCPA also contains some rights that are not in the GDPR, including:
- The Right to Know if your data was sold, and to whom
- The Right to Non-Discrimination. If you have exercised any of your rights under the CCPA, the website and company cannot discriminate against you in any way, such as with higher prices.
Does the CCPA Apply To All Websites?
Ironically, while the European law applies to all commercial websites all over the world, the CCPA only applies to a small subset of websites and businesses that meet at least one of three thresholds:
- The company must have a database of at least 50,000 consumers, households or devices
- The company earns 50% or more of its revenue from the sale of user’s personal information
- The company earns more than $25 million per year.
If your company doesn’t meet any of those thresholds, then your company does not need to comply with the CCPA.
Penalties Under The CCPA
But if the CCPA does apply to your company, each compliance violation can cost your company up to $2,500 per unintentional violation, and up to $7,500 per intentional violation. Data breaches are also punishable with fines of up to $750 per record breached. Also, individual consumers can file lawsuits against companies if businesses fail to respond to rights requests under the CCPA.
Plus, the Attorney General could assess other penalties based on the nature of the violations, the number of violations, the length of time the violations occurred, whether the violation was intentional, and the company’s net worth.
How To Become CCPA and GDPR Compliant
Fulfilling the requirements under either of these regulations takes time and planning. On your website, these laws both require that you notify visitors of their rights with respect to the data that you are collecting. That can include:
- Notifying consumers that you are collecting data
- Getting their permission before collecting any data
- Specifying which data you are collecting and the legal reasons for collecting this data
- Giving consumers one and sometimes two methods for exercising their rights (such as access to their data, deleting their data, etc)
- For the CCPA, also giving consumers a way to opt out of selling their personal information.
Data Security for the GDPR and CCPA
Based on the fines in the regulations, both the GDPR and CCPA take data security very seriously. But the required data security isn’t just on the website. Yes, you need to provide the notices and get permission as described above, but you also need to protect the consumer data collected and stored on your website. But these laws also reach into your company and require that you protect this same consumer data on your internal networks.
So while health-care related websites must abide by HIPAA, and financial companies must abide by FINRA, now websites of all types need to comply with the GDPR and CCPA (assuming your company meets a CCPA threshold).
While data breaches, hacks, ransomware and exfiltration have always been expensive and potentially a criminal violation for companies, with the GDPR and CCPA, they have just become even more expensive, and more potentially criminal because of the GDPR and CCPA.
Let’s Talk About GDPR and CCPA Compliance
Digital Uppercut specializes in Cyber Security for your computer networks. If you’re not already a client of ours, then let’s talk about a comprehensive cyber security review for you and your company’s internal network. We are also partnering with a website compliance company who can help to implement the GDPR and CCPA on your website, including securing your websites. Contact us today to schedule your review by using our online contact form or calling us directly at 818-913-1335.