So, you’ve got a landing page, or a website, and you’ve crafted the perfect opt-in/freemium/discount offer (whatever it is that you provide in exchange for someone signing up to receive your emails). You feel like you’re on top of the world because as an online business owner you were smart enough to realize that while you don’t own your social media following you sure as heck own your email list.
Don’t worry friend, I’ll explain. But first, know that everything I chat about here is intended to provide legal information and education. It is not business, financial, or legal advice, and does not create an attorney-client relationship between us. I’m an attorney licensed in the United States, so everything will be from the perspective of United States law. You should consult with an attorney in your area who understands your particular business situation so that you can take the right steps for you and your business.
That email address you collected in exchange for your opt-in/freemium/discount offer? Yeah, its personal information.
And since the reach of the interwebs is nothing short of impressive, online business owners quickly caught on that they needed to comply with CalOPPA (because they had no idea if the people interacting on their websites were in California or Timbuktu). Especially since fines are $2,500.00 per violation (and each time a Californian resident visits a non-compliant website counts as an individual violation; so fines can add up quickly!)
- What personal information you collect;
- What third parties you share the personal information you collect with;
- How a website viewer can contact you to make changes to or update any personal information that was collected;
- How you deal with “Do Not Track” requests;
- On the home page of your website,
- Via a hypertext link on the home page of your website that contains the word “privacy” written in capital letters (also known as a “browse wrap” in internet law). This is the more common practice across the interwebs, just look at the bottom of the websites that you visit on a daily basis.
I’m not going to lie. The GDPR is pretty complicated. And I’m not going to get into all of the nitty gritty specifics here.
BUT it is important to know that the GDPR applies to any business that processes personal information from even ONE PERSON in the European Union (E.U.) or U.K.
The GDPR requires affirmative consent from your website viewers to process their personal information.
- Your website viewer’s consent must be “freely given, specific, informed, and unambiguous;”
Processing personal information under the GDPR means collecting, recording, retrieving, storing, disclosing, and/or using personal information. It’s pretty expansive.
The GDPR also has an expanded definition of personal information – it’s “any information relating to an identified or identifiable natural person.” Holy cow. This includes the items named in CalOPPA (first and last name, email address, physical address, telephone number, social security number, birthday, height, weight) BUT it also includes anything relating to the person’s “physical, physiological, genetic, mental, economic, cultural, or social identity.” This includes IP addresses. All the tracking software and cookies you have on your website? Yeah, you need your website viewer’s consent.
The big unknown under the GDPR stems from the fact that it allows an individual to sue a business – typically lawsuits are left to regulatory agencies. The law is so newly enacted that as I’m writing this there haven’t been any lawsuits. But there is speculation in the worldwide legal community that should a future data breach occur, E.U. and U.K. residents will be filing suits that could be extremely costly to small businesses around the world. Especially since the fines are up to €20 million, or 4% of the business’ worldwide revenue of the prior financial year, whichever is higher.
And, as a note, the GDPR actually provides that you cannot simply block website viewers in the E.U. or U.K. So, don’t do it.
- How and why you collect personal information;
- What you do with the personal information;
- How you keep the personal information safe;
- How long you retain the personal information;
- If you share or sell the personal information with or to third parties (and if so, what third parties); and
How does the GDPR Affect Me if I Don’t Live or Do Business in the E.U. or U.K.?
Plus, there is a trend of global convergence in consumer privacy laws – to give control in how businesses use personal information back to the consumer.
Case in point? The California Consumer Privacy Act of 2018 (CCPA). The law goes into effect January 1, 2020 and requires businesses that do business in California to:
- Disclose what personal information they collect;
- Disclose how the personal information will be used (including whether it will be sold or shared with third parties);
- Allow consumers to say “no” to the sale of their personal information via an “opt out” process;
- Provide consumers with access to the personal information that has been collected; and
- Delete personal information upon the request of a consumer.
The CCPA applies to businesses that do business in California and earn annual gross revenue of $25 million or more; collect, share, or store the personal information of at least 50,000 consumers for commercial purposes; or earn at least 50% of their annual revenue from selling consumers’ personal information.
As a small online business owner, you’re probably thinking: “That doesn’t apply to me, so why should I be concerned?”