GDPR, CCPA and Other Privacy Laws

Privacy laws are rapidly changing, with countries and individual states taking steps to more clearly define both an individual’s rights, and a company’s responsibilities when it comes to protecting a user’s data. Much is still in flux, but it’s a good idea for organizations to take steps to comply with the strictest of these laws, GDPR.

REMEMBER: This is not legal advice. This article seeks to provide you with background information and additional references so you can get a broader overview and take steps to improve your practices.

What are the GDPR and CCPA Privacy Laws?

The General Data Protection Regulation (GDPR) is a law went into effect on May 25, 2018. It applies to the entire European Union (EU) and European Economic Area (EEA). This law can apply to your website if you collect or process personal data of individuals located inside the EU/EEA. In other words, the minute a visitor from this part of the world stumbles across your website, the law applies.

While the chances of someone from Europe submitting a complaint about your website to a regulator may be slim, the GDPR has spurred interest in lawmakers from the United States, and similar laws are being debated and passed now in individual states.

The first of these laws is the California Consumer Privacy Act (CCPA) which went into effect on January 1, 2020. It has been referred to by some as “GDPR Lite” as it features many of the same concepts as the GDPR. Unlike the GDPR, however, it only applies if at least one of these conditions has been met:

• The company has annual gross revenues in excess of $25 million;
• The company possesses the personal information of 50,000 or more consumers, households, or devices; or
• The company earns more than half of its annual revenue from selling consumers’ personal information.

Why Should I Care?

When the GDPR went into effect, many US-based companies opted to simply block all European traffic rather than make changes to comply with the law. Visitors would receive a message such as this:

However, with individual states now passing or considering similar laws, this is not strategy that can work for very long. For CCPA specifically, chances are that with the exemptions listed above, it will not apply to your organization. However, as more states pass similar laws, they may not feature the same exemptions. GDPR itself has no exemptions.  Therefore, it is in your best interests to make some pre-emptive changes now.

One of the best articles we’ve found yet on this subject comes from WiredImpact. The article is titled “Nonprofit GDPR Compliance: 9 Items to Consider”. We highly recommend you read it in its entirety, but here’s a key point from the article you should consider: “…the GDPR really just formalizes many marketing best practices your nonprofit should already be following. Be honest with people about your marketing efforts and market to people that want to hear from you. Be responsible with the data you collect from your audience. Allow people to easily stop receiving your marketing if they’d like to.“

What Can I Do?

Again, for the full scope of everything you would need to do, you should consult an attorney. However, here are some easy, positive steps you can take immediately:

• Create a Privacy Policy for your website. – Among other things, the privacy policy defines what data is collected from the user, what you do with it, how long you keep it, and how the user can request a copy of their data.
• **Set a limit for how long collected data is stored. **- Data that is collected by contact forms or tools such as Google Analytics should have a time limit for how long you store it.
• Add consent checkboxes to any contact forms. – Contact forms collect information such as a user’s name, email address, and more. You should have some sort of checkbox that indicates that the user understands and accepts how you process this data in accord with your privacy policy.
• Use double opt-in for any email newsletters. – If you use an email marketing service such as MailChimp or Constant Contact, you should already be doing this. It means that someone who provides you with their email confirms via a click or other action that they do indeed want to receive your email newsletter, and that you’re not arbitrarily emailing them without their consent.