Here’s how to protect web visitor data privacy
If you’ve got website visitors, you’ve got a big responsibility. The European Union’s General Data Protection Regulation (GDPR), in force since May 2018, sets out what you must do to protect the privacy of the people whose data you collect.
What is Private Data?
Private data includes any information that, alone or in combination, can identify an individual. A website visitor’s name, for instance, obviously identifies them and is therefore private data.
A user’s birthdate and occupation, even without a name, could be combined to identify an individual, so those elements must be protected too.
The European GDPR standard is the international best practice
Strictly, the law applies to the personal data of visitors located in the EU (and the wider European Economic Area), regardless of where your website is hosted or run. In the United States, the Federal Trade Commission holds website operators to the promises made in their privacy policies and to reasonable security practices, particularly in the event of a breach.
Even if you run a local barbershop in St. Louis, Missouri, and have no interest in marketing to Europe, it’s good practice to understand data privacy and how to protect your visitors.
Good data protection starts with the “cookie opt-in,” the small popup you see on some websites. The opt-in lets visitors accept the site’s terms as they are or adjust the limits of their permission, and non-essential cookies (analytics, advertising) should not be set until the visitor has opted in.
A privacy policy page and a cookies policy page define what data is collected, what it will be used for, and how long it will be kept.
Tip: Users can manage their own data collection
Typically, websites collect data using “cookies”: small pieces of text that a website (or a script it embeds) asks the visitor’s browser (Internet Explorer, Chrome, Safari, Firefox, etc.) to store and send back on later requests. A cookie is data, not a program; it usually holds an identifier that lets the site, or a third party whose script the site loads, recognize the same browser across pages and visits.
When you clear your browser’s cookies, you delete the cookie that records your consent along with the tracking cookies themselves, so you will be prompted to accept the terms again the next time you visit. This does not erase anything the site or its partners have already collected on their servers; to withdraw consent or have that data deleted, use the site’s cookie settings or contact the operator.
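As an added example (not code from the original post), the JavaScript below shows the mechanics the tip describes: a consent cookie that records which categories the visitor allowed, a check that decides whether a given script may run, and what the absence or corruption of that cookie means (ask again, load nothing non-essential). The cookie name `cookie_consent`, the category names, the 180-day lifetime and the script manifest are assumptions made for illustration. The functions avoid DOM calls so they can be exercised outside a browser; in a real page you would pass `document.cookie` to `readConsent` and assign the string from `buildConsentCookie` to `document.cookie`.

```javascript
// Added example: consent-gated cookie handling. Names below are assumptions.
const CONSENT_COOKIE = "cookie_consent";            // hypothetical cookie name
const CATEGORIES = ["analytics", "marketing"];      // non-essential categories that need opt-in
const CONSENT_MAX_AGE = 60 * 60 * 24 * 180;         // re-ask after 180 days (assumption)

// Parse a Cookie header / document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Read the stored decision. `undefined` means "not asked yet" (or the cookie
// was tampered with / corrupted), in which case the banner must be shown again.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (raw === undefined) return undefined;
  try {
    const parsed = JSON.parse(raw);
    if (typeof parsed !== "object" || parsed === null) return undefined;
    const consent = {};
    for (const c of CATEGORIES) consent[c] = parsed[c] === true; // anything else counts as "no"
    return consent;
  } catch (_err) {
    return undefined;
  }
}

// Build the cookie string that records the visitor's choices.
// No HttpOnly: client-side scripts must be able to read it to gate themselves.
function buildConsentCookie(choices) {
  const value = {};
  for (const c of CATEGORIES) value[c] = choices[c] === true;
  return [
    `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(value))}`,
    `Max-Age=${CONSENT_MAX_AGE}`,
    "Path=/",
    "Secure",          // only over HTTPS
    "SameSite=Lax",    // not sent on cross-site requests from other origins
  ].join("; ");
}

// Decide whether a script in a given category may run right now.
function mayLoad(category, consent) {
  if (category === "necessary") return true;            // strictly necessary: no consent needed
  if (!CATEGORIES.includes(category)) return false;     // unknown category: deny by default
  return consent !== undefined && consent[category] === true;
}

// Constructed script manifest for the page (hypothetical URLs).
const MANIFEST = [
  { src: "/js/cart.js", category: "necessary" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// Return the scripts allowed to load for the current cookie state.
function allowedScripts(cookieString, manifest) {
  const consent = readConsent(cookieString);
  return manifest.filter((s) => mayLoad(s.category, consent)).map((s) => s.src);
}
```

Because the decision is derived from the cookie on every page load, a visitor who clears cookies is automatically back to "necessary only" until they opt in again, which is the behaviour the tip describes; a server-side record of consent, if you keep one, has to be withdrawn separately.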
The 7 Principles of Data Privacy
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
We’ve converted these 7 principles into easy steps you can follow so you don’t end up facing a large fine.
Fine? Yes. Under the GDPR, European supervisory authorities can fine organizations that process EU residents’ data, wherever those organizations are based. And even if you’re in the United States and not technically under GDPR jurisdiction, the Federal Trade Commission can take enforcement action when a company’s security practices are unreasonable or its privacy statements are deceptive, which is how data breaches typically end up in front of it.
Following these steps will help protect you.
Of course, this is a blog post and not legal advice. Please consult your attorney, using this as a conversation starter.
Principle #1: Lawfulness, Fairness and Transparency
Lawfulness
Lawfulness means you have a valid legal basis for everything you do with visitor data (for a website, most often the visitor’s consent, a contract with the visitor, or a legitimate interest that does not override the visitor’s rights), and that you are not doing anything unlawful with it. For instance, you are not planning to commit a fraud or use the information to hurt anyone.
Fairness
Fairness means handling data in ways the visitor would reasonably expect and that are not unduly detrimental, misleading, or surprising to them.
You must weigh any negative impact collecting the data could have on a visitor against the value it provides, and be able to justify that trade-off.
Transparency starts with visitor consent. The “opt-in” allows visitors to accept your terms and learn about your policies.
Transparency
You must be candid about how the data you collect will be used and with whom it will be shared. Only use the data in ways the visitor would consider “reasonable.”
For instance, you need the visitor’s email to communicate about your service. It wouldn’t be fair, considerate or transparent to sell or share the email address with another party.
Here’s what to do:
- Don’t use the data to commit a crime.
- Be transparent about the data you collect and how you will use it.
- If third parties (analytics, advertising, or embedded services) may collect visitor data through your site, make it quick and easy for visitors to identify those parties and what they do with the data.
Tip – Keep it simple
Make sure the language is plain English. Aim for a Flesch Reading Ease score of around 54, which corresponds to roughly a 10th-12th grade reading level.
Principle #2: Purpose Limitation
The data you collect must be used only for the specific purpose you describe in your published Privacy Policy or Cookies Policy.
Before any non-essential data collection begins, visitors must consent to it and understand the full range of uses you intend for the data.
If you ever change the use of the data, visitors must be allowed to see and consent to the updated privacy policy.
Here’s what to do:
- Whenever you change the nature of the data you collect or the purpose for its collection, send out a privacy policy update and seek visitor consent again.
- Visitors must be able to ask you to delete their information at any time. They have a right to be forgotten, and you need a working process to honor it, including with any partners that hold copies of the data.
Clicking the “Settings” button on the GDPR Opt-In opens a dialogue box inviting the visitor to learn about and select which cookies to enable or disable.
Principle #3: Data Minimization
Collect only the data that is adequate, relevant, and limited to what is necessary for the purpose you have stated in your privacy and cookies policies. Adequate cuts both ways: collect no more than you need, but enough to actually deliver the promised service.
Here’s what to do:
- State, in your privacy/cookie policy exactly what data you’ll be collecting and how it will be used.
- Explain to visitors, through your policies, why the data is necessary.
- Periodically review the data and delete what is no longer needed.
Principle #4: Data Accuracy
If you collect visitor data, you must make an effort to ensure the data is accurate – even if the visitor enters the data incorrectly or if the data changes over time.
Have a process in place to ensure the accuracy of data. For instance, a copy of the information a website visitor shares can be delivered back to that visitor as an emailed “receipt” of the data transaction, which gives them a chance to spot and report errors. Send such receipts only to the address the visitor entered, and leave sensitive fields (passwords, payment details) out of them.
You may have experienced such a receipt when you’ve completed a form and a copy of your responses was emailed back to you.
Here’s what to do:
- Inform visitors that they have the right to review their data and that you have a process to correct the data if it is incorrectly entered or if it changes.
- Keep a record of any challenges to the accuracy of data and how the situation was resolved.
- These policies should be stated clearly in your Privacy/Cookies Policy.
Example of cookie identification and description on a properly designed Cookies Policy page. In one case, GPS is the name of the cookie. It’s an “analytics” type cookie and helps YouTube understand where the user is located.
Principle #5: Storage Limitation
Accuracy matters to the integrity of your database and your relationship with your website visitors; how long you keep the data matters just as much.
An example of Storage Limitation would be sales information.
How long would an online retailer need to maintain copies of a specific transaction? Through the warranty period? Through the useful life of the product?
The GDPR does not fix a specific data retention period. That’s because each situation calls for a different length of time.
A physician might keep patient data for years as part of a medical record.
An event manager may need the billing address of a participant just a few days after the event ends.
Here’s what to do:
- Explain, in your Privacy/Cookies Policy, your data retention policies.
- Review your data regularly and delete elements that are no longer relevant.
Tip: Delete it as soon as possible!
Keeping data for longer periods, in addition to consuming storage space, enlarges the impact of any breach and could create a lot of extra work for you.
Since visitors have the right to examine their data, you may be fielding requests to find and verify data that is no longer needed.
The best answer might be “we disposed of those records when the warranty ended.”
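The “review regularly and delete” step is easy to get wrong when the clock is keyed to when a record was created rather than when its purpose ended. As an added example (not code from the original post), the JavaScript below sweeps a set of records against a retention policy expressed per purpose, with the period anchored on the event that ends the purpose (warranty end, event end, unsubscribe). Records under a legal hold are kept regardless, records whose purpose is still active are kept, and records the policy cannot decide are flagged for a human rather than silently kept or deleted. The purposes, periods, field names and sample records are all constructed for illustration.

```javascript
// Added example: retention sweep keyed on the end of each purpose.
// Policy, field names and records are assumptions, not from the original post.
const DAY = 24 * 60 * 60 * 1000;

// `anchor` is the record field holding the event that ends the purpose;
// `days` is how long to keep the record after that event.
const RETENTION_POLICY = {
  order:         { anchor: "warrantyEndsAt", days: 30 }, // through warranty, plus a short grace period
  event_billing: { anchor: "eventEndsAt",    days: 7 },  // billing address needed only briefly after the event
  newsletter:    { anchor: "unsubscribedAt", days: 0 },  // delete as soon as consent is withdrawn
};

// Returns { expire: [ids to delete], review: [ids a person must look at] }.
function sweepRetention(records, policy, now) {
  const expire = [];
  const review = [];
  for (const r of records) {
    const rule = policy[r.purpose];
    if (!rule) { review.push(r.id); continue; }          // unknown purpose: never decide automatically
    if (r.legalHold) continue;                            // litigation/regulatory hold overrides the policy
    const anchorValue = r[rule.anchor];
    if (anchorValue === undefined) continue;              // purpose still active (e.g. still subscribed)
    const anchor = Date.parse(anchorValue);
    if (Number.isNaN(anchor)) { review.push(r.id); continue; } // malformed date: flag, don't guess
    if (anchor + rule.days * DAY <= now) expire.push(r.id);
  }
  return { expire, review };
}

// Constructed sample records.
const SAMPLE_RECORDS = [
  { id: "o1", purpose: "order", warrantyEndsAt: "2023-01-01T00:00:00Z" },
  { id: "o2", purpose: "order", warrantyEndsAt: "2024-06-01T00:00:00Z", legalHold: true },
  { id: "o3", purpose: "order", warrantyEndsAt: "2024-05-15T00:00:00Z" },
  { id: "e1", purpose: "event_billing", eventEndsAt: "2024-05-20T00:00:00Z" },
  { id: "n1", purpose: "newsletter" },                                   // still subscribed
  { id: "n2", purpose: "newsletter", unsubscribedAt: "2024-05-30T00:00:00Z" },
  { id: "x1", purpose: "chat_transcript", createdAt: "2020-01-01T00:00:00Z" }, // no policy defined
];

// Fixed "now" so the sweep is reproducible.
const NOW = Date.parse("2024-06-01T00:00:00Z");

function runSweep() {
  return sweepRetention(SAMPLE_RECORDS, RETENTION_POLICY, NOW);
}
```

Run on the sample data, the sweep expires o1 (warranty long past), e1 (event over a week ago) and n2 (unsubscribed), keeps o2 (legal hold), o3 (still inside the grace period) and n1 (still subscribed), and sends x1 to review because nobody has written a retention rule for chat transcripts. That last bucket is the useful one: every purpose you collect data for should end up with an entry in the policy, and the sweep tells you which ones don’t.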
Principle #6: Integrity and Confidentiality
You are the custodian of a website visitor’s information. That means you are responsible for ensuring that the data is protected from unauthorized third parties. You must also protect the data from being contaminated or corrupted.
Here’s what to do:
- Explain, in your Privacy/Cookies Policy, the security measures you take to protect visitor data.
- Limit data access only to employees and partners who absolutely need it.
- Maintain the data in a secure environment: encrypt it in transit (HTTPS/TLS) and at rest, and apply the same protection to backups and exports.
Principle #7: Accountability
Not only must you comply with the rules of GDPR, you must also be prepared to demonstrate your compliance.
Data protection should be designed into your website from the start, using well-maintained plugins and scripts from developers who understand the responsibilities of data protection, and keeping them up to date.
Much of the data collected on your website doesn’t live in your database. It resides on the servers of partners such as your contact form provider or payment gateway. Those partners process the data on your behalf, and you remain responsible for how they handle it.
Tip: Get help with your Privacy Policy!
DecemberPress and its privacy partner, Termageddon, have a simple, comprehensive solution to get your website FTC and GDPR compliant.
In just a few minutes, you can make your site more transparent and compliant. Termageddon’s fully automated process generates an accurate, customized, GDPR-compliant privacy policy tailored for your visitors.
Here’s what to do:
- Insist that your web or theme developer be versed in GDPR standards. Ask for a demonstration of security features.
- Have written data processing agreements with your plugin, hosting, and payment gateway partners that spell out their data protection measures and what they may do with the data.
- Designate someone at your business who understands GDPR and is willing to advocate for website visitor data protection; appoint a formal data protection officer where the GDPR requires one (for example, large-scale monitoring of individuals) or where it makes sense for your business.
If you’d like a comprehensive Privacy/Cookies policy, but don’t know where to start, DecemberPress can help.