GDPR and Online Privacy, 1 Year Later
April 30, 2019
For many of us in the U.S., the GDPR is still a mystery. Although it had been in the works for a long while, it seemed to appear out of nowhere, cause a sudden rush of panic as the deadline to comply arrived, and then disappear without a trace.
At first blush, it seems like the kind of thing we could ignore. That’s Europe’s law, and not America’s. But a closer look suggested it would apply to any site doing business with Europeans, even if it was simply receiving site visitors from Europe. Here at Electric Citizen, that seemed to be a fairly small part of our client base, but something we took seriously nevertheless.
What's Still True
The principles of GDPR are still in effect, whether or not anyone in the US is paying attention. At its heart, the law requires that all companies provide explicit notification regarding any data they are collecting from their customers.
For websites, this could mean data collected in a contact form, cookies that track where you come from or what you browse, or adding someone to a mailing list.
GDPR establishes that all users have the legal right to know (and easily understand) what information a company is collecting about them, and to have that information deleted on request.
In addition, should a company suffer a data breach, it needs to disclose this to the “relevant authorities” within 72 hours. If the data is considered “high risk” to consumers, such as a credit card number, the affected consumers also need to be notified.
If you develop websites in Drupal, as we do, there remains a wealth of additional info on Drupal.org.
What’s On the Horizon for the USA
In 2018, the state of California passed the California Consumer Privacy Act, or CCPA, a consumer-rights-focused bill to protect user privacy. Similar to the GDPR, the new law would require businesses to be upfront about what data they are collecting and who they are sharing it with, and to allow consumers to request that their data be deleted.
This changes the equation significantly for US-based organizations. You may be fairly certain your site’s visitors are US-based, but what about the state they live in? What if they are from California? Similar to other laws originating in California, the mere presence of a law like this begins to affect how all the states treat issues of privacy.
As recently as April 2019, lawmakers were pushing several new bills to rein in some of those protections, on behalf of employers and businesses who found the new law too broad. Somewhat discouragingly, the tech industry is behind a lot of the lobbying as well. The original law was set to take effect by 2020, but some of the details are still being debated.
The CCPA doesn’t appear to apply to everyone, however. It is targeted towards businesses with annual gross revenues over $25 million, and/or companies whose annual revenue primarily comes from selling users’ personal information. And unlike the GDPR, it is more of an “opt-out” law than an “opt-in” one. Websites don’t have to ask before setting a cookie, and businesses don’t have to ask before selling personal information. They do, however, need to offer an easy method to opt out.