Chances are if you’ve been anywhere on the internet, you’ve noticed a small box at the bottom, asking you to decide if you should accept cookies or not. For most people, this rises slightly above the level of a minor annoyance. But if you own a business and have a website, this recent trend raises a lot of questions, not the least of which: Is this necessary?
For a lot of people, it is.
With security breaches in the news and high-profile cases about the abuses of personal data, legislation has been created to protect the individual on the internet. These include the GDPR in Europe and the CCPA in California, which can affect any company or website, regardless of location.
What is The GDPR?
The General Data Protection Regulation (GDPR) is a law drafted and passed by the European Union (EU) to ensure European internet users’ data privacy and security. It also subjects organizations with websites within the EU to strict rules governing the personal data collected from users and mandates the transparent disclosure of data collection methods, the purpose for collection, and the encryption of the data collected.
The main point of contact for the average user with GDPR compliance is the popup box to deny or accept cookies that is frequently seen at the bottom of most larger websites. Consent from a user, referred to within the law as a “data subject,” is the most important matter when it comes to compliance.
According to GDPR.EU:
- Consent must be “freely given, specific, informed and unambiguous.”
- Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
- Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
- Children under 13 can only give consent with permission from their parent.
- You need to keep documentary evidence of consent.
Furthermore, data cannot be processed unless the data subject gives specific, unambiguous consent to process their data, for instance by opting into an email marketing list.
Does The GDPR Apply to My Website?
As it’s a far-reaching law, and in some cases purposefully open-ended, it’s very difficult to know what applies to website owners and what doesn’t. For instance, since the GDPR is designed to protect the data of EU users within the boundless and borderless internet, the GDPR does not just apply to European companies, but companies and organizations around the world. Even though your garden shop in Philadelphia may have no connection with Europe, if you track and analyze EU users on your website, you may be technically subject to the provisions of the GDPR.
However, since that would be rather harsh, not to mention difficult to enforce, the GDPR makes allowances. First and foremost, a lot of the GDPR’s regulations do not apply to small or medium-sized companies, defined in the law as organizations with fewer than 250 employees. While this is not a complete exemption from the GDPR, it does exclude record-keeping obligations in most cases.
Secondly, since this law is focused on the EU, a company in the United States will not be a target for GDPR compliance unless it specifically targets people in the EU to sell their goods and services. Those companies, regardless of their size, who create ads specifically for the European market, or perhaps include pricing in euros on their site, should seek GDPR compliance.
What is The CCPA?
The California Consumer Privacy Act (CCPA) is a privacy and consumer protection law similar in scope to the GDPR. This statute is specifically designed to protect the rights of California residents. It requires a “Do Not Sell My Personal Information” link on the home page of websites, cookie consent, and parental consent for minors under 13 in cases of data sharing.
Does My Site Need to Be CCPA Compliant?
Fortunately, the exemptions to the CCPA are more clearly defined. The CCPA applies to any business which does business in California, collects the personal data of consumers, and satisfies any one of these three thresholds:
- The company has annual gross revenues over $25 million.
- The company buys, receives, or sells the personal information of 50,000 or more California consumers or households.
- The company earns more than half of its annual revenue from selling consumers’ personal information.
How Can I Make My Site Compliant?
Create That Popup We All Know so Well
Yes, it’s obtrusive. Yes, it’s not very pretty, but if your site is tracking any sort of information, even if it’s with something as simple as Google Analytics or a Facebook Pixel, you have to allow the user to decide to accept or deny these cookies. It sounds simple enough, but since most of us are not experts in the field of data security, it’s best to lean on those who are.
For a recent site, we relied on CookieFirst to create the popup, as they have a WordPress plugin that can easily integrate the banner into the site. Their banner can automatically list the cookies for the user, and it will allow the user to accept all, deny all, or accept a selection of cookies. CookieFirst has a free version, but higher levels of service can be purchased.
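As an added example, not code from the original post and not CookieFirst's plugin, the following JavaScript shows the mechanism a consent banner has to implement behind the scenes: tracking tags such as Google Analytics or a Facebook Pixel are held back until the visitor opts into their category, the decision is stored with a timestamp and policy version so there is a record of the consent, stale consent is re-asked when the policy changes, and the decision can be withdrawn. Every name in it (ConsentManager, memoryStorage, demoTags, the cookie_consent key, the policy version string) is this example's own assumption.

```javascript
// Added example: consent-gated loading of tracking tags.
// Not the original post's code and not CookieFirst's API; all names are assumed.

const CATEGORIES = ['necessary', 'analytics', 'marketing'];
// Constructed value: bump this whenever the list of cookies changes so that
// consent given under an older cookie list is asked for again.
const POLICY_VERSION = '2024-01';

// Default is deny for everything except strictly necessary cookies:
// no tracking runs until the visitor has actively chosen.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

class ConsentManager {
  // storage: anything with getItem/setItem/removeItem (window.localStorage in
  // a browser, the in-memory stub below when run outside one).
  // tags: [{ name, category, load }] where load() would inject the script.
  // now: clock function, injectable so the stored timestamp is testable.
  constructor(storage, tags, now = () => new Date()) {
    this.storage = storage;
    this.tags = tags;
    this.now = now;
    this.loaded = new Set();
  }

  // The stored decision, or null when the visitor has not decided yet,
  // the record is unreadable, or it was given under an older policy version.
  record() {
    const raw = this.storage.getItem('cookie_consent');
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && rec.version === POLICY_VERSION ? rec : null;
    } catch (e) {
      return null;
    }
  }

  needsBanner() { return this.record() === null; }

  current() {
    const rec = this.record();
    return rec ? rec.choices : defaultConsent();
  }

  // Persist an explicit choice with a timestamp (documentary evidence of
  // consent) and apply it. "necessary" can never be switched off.
  save(choices) {
    const clean = defaultConsent();
    for (const c of CATEGORIES) {
      if (c !== 'necessary' && typeof choices[c] === 'boolean') clean[c] = choices[c];
    }
    const rec = { version: POLICY_VERSION, at: this.now().toISOString(), choices: clean };
    this.storage.setItem('cookie_consent', JSON.stringify(rec));
    this.applyConsent();
    return rec;
  }

  acceptAll() { return this.save({ analytics: true, marketing: true }); }
  denyAll() { return this.save({ analytics: false, marketing: false }); }

  // Withdrawal: drop the record so the banner is shown again and nothing
  // further is loaded. Scripts already running in this page view cannot be
  // unloaded, so a real site would also expire the tracking cookies and reload.
  withdraw() {
    this.storage.removeItem('cookie_consent');
    return this.current();
  }

  // Load every tag whose category is consented to and not yet loaded;
  // returns the names loaded by this call.
  applyConsent() {
    const choices = this.current();
    const loadedNow = [];
    for (const tag of this.tags) {
      if (choices[tag.category] && !this.loaded.has(tag.name)) {
        tag.load();
        this.loaded.add(tag.name);
        loadedNow.push(tag.name);
      }
    }
    return loadedNow;
  }
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed tag definitions; a real load() would append a <script> element.
function demoTags(log) {
  return [
    { name: 'google-analytics', category: 'analytics', load: () => log.push('ga') },
    { name: 'facebook-pixel', category: 'marketing', load: () => log.push('fbq') },
  ];
}
```

In a browser you would pass `window.localStorage` as the storage and give each tag a `load()` that appends its script element; the banner's buttons call `acceptAll()`, `denyAll()` or `save()` with the chosen categories, and a "manage cookies" link calls `withdraw()`. The property that matters for compliance is that nothing in `tags` executes until `save()` has been called with consent for its category.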
Make Sure You’re Doing What You Say You’re Doing
Have Someone in Your Business or Organization Familiarize Themselves With These Laws
There are three circumstances in which organizations are required to have a Data Protection Officer (DPO), but it’s not a bad idea to have one even if the rule doesn’t apply to you. The DPO should be an expert on data protection whose job is to monitor GDPR compliance, assess data protection risks, advise on data protection impact assessments, and cooperate with regulators.
The three criteria for having a Data Protection Officer are:
- Public authority — The processing of personal data is done by a public body or public authorities, with exemptions granted to courts and other independent judicial authorities.
- Large scale, regular monitoring — The processing of personal data is the core activity of an organization that regularly and systematically observes its “data subjects” (which, under the GDPR, means citizens or residents of the EU) on a large scale.
- Large-scale special data categories — The processing of specific “special” data categories (as defined by the GDPR) is part of an organization’s core activity and is done on a large scale.
Should I Make My Site Compliant Regardless?
However, if you are on the edge of meeting these standards, it’s best to get prepared. More states, including Virginia, are introducing their own versions of the European and California laws.
For more information about cookie policies, GDPR.EU provides a checklist for Data Controllers on its website: https://gdpr.eu/checklist/. CookieFirst also provides very good information and solutions for websites that utilize content management systems such as WordPress, Shopify, Magento, and Drupal.