As a small or medium-sized business, it's easy to overlook data privacy or see it as a burden. Doing so could be a big mistake thanks to a range of privacy laws that could lead to substantial fines for non-compliance.
As well as some specific measures for individual laws, you should follow some wider principles for good data practice.
We'll break down the laws and the common data privacy principles, then give you a 15-point checklist to make sure you cover all the bases.
- 1. Key Privacy Laws
- 1.1. California Online Privacy Protection Act (CalOPPA)
- 1.2. California Consumer Privacy Act (CCPA)
- 1.3. Children's Online Privacy Protection Act (COPPA)
- 1.4. General Data Protection Regulation (GDPR)
- 1.5. Personal Information Protection and Electronic Document Act (PIPEDA)
- 2. Privacy Law Self-Audit Steps
- 2.1. Organize Your Data
- 2.2. Review Your Consent Mechanisms
- 2.3. Assess Your Level of Notice Given
- 2.4. Facilitate User Access and Control of Data
- 2.5. Disclose and Sell Data Legally
- 2.6. Secure Data
- 3. Self-Audit Summary Checklist
- 4. Summary
Key Privacy Laws
Depending on your location and business, you could come under several different privacy laws, particularly if you do business online. These are the key points of some of the most common ones.
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
California Online Privacy Protection Act (CalOPPA)
CalOPPA is a California law that covers any business with a website that collects "personally identifiable information" from Californian citizens. It doesn't matter where the business is based.
- What types of personal data you collect
- Who you share data with
- How users can check and correct the personal data you hold on them
- How you respond to "Do Not Track" requests in web browsers
California Consumer Privacy Act (CCPA)
The CCPA applies if your business meets any of three annual thresholds:
- Revenue of more than $25 million
- Number of Californians whose personal data you handle is 50,000 or more
- The percentage of your revenue that comes from selling the personal data of Californians is 50% or more
Children's Online Privacy Protection Act (COPPA)
COPPA is a federal law that covers any U.S. business that collects personal data about children aged under 13. It applies if you know that you are collecting data about under-13s. It also applies if your website is "directed" (that is, aimed at) under-13s.
General Data Protection Regulation (GDPR)
The GDPR applies to any business that processes personal data if any one of the business, the person or the processing is in a European Union country.
Note: The GDPR will apply directly in the United Kingdom until the end of 2020. At that point the same easures will apply as part of UK domestic law unless and until the law is changed.
The key requirements of the GDPR are to get meaningful consent before processing personal information, which covers collecting, using and passing on. You must give a lawful purpose for processing the data and you cannot use it for any other purpose without getting fresh consent.
You also need to facilitate user rights under the GDPR.
Personal Information Protection and Electronic Document Act (PIPEDA)
PIPEDA is a Canadian law that covers most private sector businesses in Canada. Some activity conducted solely within Alberta or British Columbia is exempt because provincial laws have a similar effect.
Under the rules of PIPEDA you must inform individuals and get consent before collecting, using or disclosing personal information. You must say why you are collecting the data, only use it for this purpose, and retain it only as long as necessary.
You must also keep personal information secure, make sure it is accurate, and let individuals check what data you hold on them and correct it if necessary.
Privacy Law Self-Audit Steps
Organize Your Data
To properly control your data and comply with privacy laws, you need to know exactly what data you store and collect about people. The definition of "personal data" varies from law to law, but generally it is any information that specifically relates to an identifiable person.
This can include:
- Contact details
- Date of birth
- Identification numbers
- Demographic data
- Internet activity
- Purchase history
- Information about employment, education or health
A good approach is to track and monitor the personal data you collect using the categories referred to by the CCPA. Even if you don't currently come under the CCPA, you may do so in the future. It's also possible the CCPA may serve as a template for other state or federal privacy laws developed later on.
As well as knowing what data you collect, you should keep records of why you collected it and the purpose you gave for using it. You should also keep records of how long the data is needed for this purpose (or how you will know it is no longer needed).
Review Your Consent Mechanisms
The requirements for consent vary from law to law. As a rough guide, if you operate in the European Union or collect data from people aged under 13, you will need to get explicit consent in advance before collecting personal data. Even when it isn't a legal requirement, consent can be useful to avoid any complaints or loss of trust among customers.
With the GDPR in particular, consent has to be meaningful and active. To be meaningful, consent has to be based on the customer getting clear and complete details of what data you collect and why and how you will use it.
The threshold for active consent has strengthened both with the introduction of GDPR and in its evolution.
At one point consent could work on a "browsewrap" basis that meant you could simply tell the user that they consented to personal data by continuing to use the site after seeing the warning. This was not valid under GDPR as it didn't show clear intent. The user might not have seen the notice.
This example from Credit Suisse, which isn't covered by the GDPR, shows the browsewrap approach:
This example from De Nederlandsche Bank shows clickwrap:
One limitation to this approach was that some sites used a pre-ticked checkbox. A later court ruling said this wasn't sufficient as the user could have clicked through by accident or without reading what the checkbox related to.
Since the court ruling, the best approach is to use an unticked checkbox. This effectively means the user has to actively give consent (by ticking a checkbox) and then confirm the consent (by clicking a button).
This example from The Telegraph's Privacy Manager for cookie settings uses sliders set to off by default, which has the same effect as an unchecked checkbox:
Assess Your Level of Notice Given
- What data you collect
- How you use the data
- Why you use the data
This example from Here explains how it uses the data it collects:
Facilitate User Access and Control of Data
You should respond as quickly as possible to such requests. A good approach is to respond immediately to acknowledge the request and then respond in full when you have gathered the relevant information.
Privacy laws also commonly say the customer has the right to correct or update their personal information if it is inaccurate. Make sure your data management system can handle these corrections.
Some laws also allow a user to ask you to delete data, though the acceptable reasons to do so vary from law to law. You'll almost always need to delete the data if you no longer need it for the purpose you originally gave for collecting it. Again, make sure your data management system can handle deleting the data without causing technical problems.
Disclose and Sell Data Legally
The rules for passing on data to third parties are usually tougher than for simply collecting and using it. Check the specific laws that apply to you, but the general principles are as follows:
- You will often have to get advance consent to sell personal data.
- Customers usually have the right to tell you not to pass on the data to other people. You should tell users if exercising such an opt-out has any consequences, for example a reduced service.
This example from Experian covers these points well:
If you are covered by the GDPR, you can only transfer data to third parties in non-European Union countries in two circumstances:
- The country has "data adequacy status" from the European Union, or
- You put adequate safeguards in place
Some privacy laws have additional clauses requiring you to properly secure data. This can entail many measures, but the key ones include:
- Physical security, such as locking rooms with files or computers
- Computer security, such as password protection and encryption
- Organizational security, such as only letting authorized staff access files, or having differing levels of access depending on role
- Monitoring security, meaning safeguards so you know immediately when a breach happens
- Data integrity measures to reduce the risk of data being damaged, destroyed or lost, for example adequate backups
This example from Privacy International covers the measures it takes to protect personal data without creating unrealistic expectations:
It's often an effective technique to balance convenience and security by having differing levels of protection and restriction depending on the sensitivity of different types of personal data. This is another example of why understanding exactly what data you hold is so important.
Self-Audit Summary Checklist
There's a lot to remember when it comes to complying with data privacy laws. Here's a checklist that will help make sure you've covered everything:
- Check which data privacy laws apply to you, taking into account your location and that of your customers.
- Make sure you know all the data you collect and hold about people, including data you collect directly and from other sources.
- List the types of personal data you hold. This will make it easier to write Privacy Policies.
- List the different ways you use personal data. This will make it easier to give correct and useful notice to customers. Check that it's legal to use data for each purpose.
- Make sure you have a process for identifying when you will no longer need data for the stated purpose.
- Keep track of the personal data you disclose to third parties, including the reasons for disclosure. This includes selling data.
- Get active consent before collecting data in the EU or from children under 13. Consider doing so for all data collection as this is good practice. Make sure the consent is informed and active. Don't rely on "browsewrap" or pre-ticked checkboxes.
- Get fresh consent if you want to use data for a different purpose to the one you gave when you collected it.
- Figure out the consequences of a customer refusing to provide, or consent to collection of, personal data. This will help you give customers a better chance to make an informed decision about consent.
- Make sure you have procedures for dealing with data access requests promptly.
- Verify a person's identity before giving them a copy of their personal data.
- Check your data management system can handle corrections or deletions of data.
- Audit your data security procedures. Remember that security isn't just about unauthorized access to data. It also covers data integrity, meaning data isn't corrupted or lost without a backup.
Let's recap what you need to know and do to keep on track of the personal data you handle:
- You may be covered by multiple privacy laws, particularly if you operate online.
- If you handle data from a lot of Californians, the CCPA says you must let customers know what types of data you collect, disclose and sell.
- If you collect data about under-13s in the United States, COPPA says you must get parental consent first.
- If you operate in, process data in, or have customers in the European Union, the GDPR says you must give a lawful reason and get meaningful consent before collecting or using personal data.
- If you operate in parts of Canada, PIPEDA says you must get meaningful consent before collecting or using personal data.
- You should keep track of any personal data you collect, use and disclose. Personal data is information that identifies or refers to a specific individual.
- You can use categories to track the types of personal data you handle. The CCPA's designated categories are a good starting point.
- You'll often need to get consent before collecting data. This needs to be informed and meaningful. You must be certain the person understood the consequences of consenting and did so intentionally.
- You should tell users how to ask for details of the personal data you hold about them, how to correct it, and whether they have the right to ask you to delete it.
- Privacy laws often require you to secure personal data.
- Review your data privacy procedures using our 15 point checklist.