GDPR and Online Privacy, 1 Year Later
For many of us in the U.S., the GDPR is still a mystery. Although it had been in the works for a long while, it seemed to appear out of nowhere, cause a sudden rush of panic as the deadline to comply arrived, and then disappear without a trace.
At first blush, it seems like the kind of thing we could ignore. That’s Europe’s law, and not America’s. But a closer look suggested it would apply to any site doing business with Europeans, even if it was simply receiving site visitors from Europe. Here at Electric Citizen, that seemed to be a fairly small part of our client base, but something we took seriously nevertheless.
For Graywolf Press, a publisher with an international audience, we made sure to implement warnings about any cookies present, and to let users opt in before tracking cookies are set on their first visit.
For other clients, such as a nonprofit only serving those in the Twin Cities, or a legal aid site advising only Minnesota residents, it seemed less critical. It certainly wasn’t anything our clients were asking for.
But now that a year has passed, I wonder where this leaves us. In some ways, it feels like the GDPR came and went like Y2K. A lot of hype and no actual change.
But that doesn’t feel true. Privacy concerns are more relevant than ever before. From unscrupulous data miners like Cambridge Analytica to frequently-breached social media accounts, it doesn’t feel safe out there. How much of your personal data is being collected, and how is it being used? That seemed to be the fundamental drive behind implementing the GDPR, and it shouldn't be too much longer before a similar policy takes effect in the US.
So what should we be doing? What can we do? What should we be expecting from the websites we browse and use everyday?
The principles of GDPR are still in effect, whether or not anyone in the US is paying attention. At its heart, the law requires that all companies provide explicit notification regarding any personal data they are collecting from their customers, and what it will be used for.
For websites, this could mean data collected in a contact form, cookies that track where you come from or what you browse, or adding someone to a mailing list.
GDPR establishes that all users have the legal right to know (and easily understand) what information a company is collecting about them, and to request that this information be deleted.
In addition, should a company suffer a data breach, it needs to disclose this to the relevant supervisory authority within 72 hours of becoming aware of it. If the breach is considered “high risk” to consumers, for example exposing credit card numbers, the affected individuals must also be notified.
If you develop websites in Drupal, as we do, there remains a wealth of additional info on Drupal.org.
The GDPR states that if you collect personal data or behavioral information from someone in the European Union, your company is subject to the requirements of the GDPR.
What has not been as clearly stated is that US-based organizations need to be specifically targeting a European audience for the law to be applicable. In other words, the fact that someone in Europe stumbles upon your site is not by itself cause for legal action. The website would need to specifically make reference to EU consumers, perhaps by offering content in those nations’ languages or pricing in euros. One caveat worth knowing: monitoring the behavior of people in the EU (which is exactly what tracking cookies do) is listed in the regulation as a separate trigger from offering goods or services to them.
This does leave a lot of leeway for US organizations, and seems to be more applicable to international firms marketing to European audiences. I am not a lawyer, of course, so when in doubt, ask a professional!
In 2018, the state of California passed the California Consumer Privacy Act, or CCPA, as a consumer-rights focused bill to protect user privacy. Similar to the GDPR, the new law would require businesses to be upfront about what data they are collecting, who they are sharing it with, and allow consumers to request their data be deleted.
This changes the equation significantly for US-based organizations. You may be fairly certain your site’s visitors are US-based, but what about the state they live in? What if they are from California? Similar to other laws originating in California, the mere presence of a law like this begins to affect how all the states treat issues of privacy.
As recently as April 2019, lawmakers were pushing several new bills to rein in some of those protections, on behalf of employers and businesses who found the new law too broad. The tech industry is, somewhat discouragingly, behind a lot of the lobbying as well. The original law was set to take effect on January 1, 2020, but some of the details are still being debated.
The CCPA doesn’t appear to apply to everyone, however. It is targeted at businesses with annual gross revenues over $25 million, businesses that buy, sell or share the personal information of 50,000 or more consumers, households or devices a year, and businesses that derive half or more of their annual revenue from selling users’ personal information. And unlike the GDPR, it is more of an “opt-out” law than an “opt-in” one. Websites don’t have to ask before setting a cookie, and businesses don’t have to ask before selling personal information. They do, however, need to offer an easy method to opt out, such as a “Do Not Sell My Personal Information” link.
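The opt-in versus opt-out distinction above is easy to get wrong in the code that actually loads trackers, so here is an added example (not code from the original post or from Electric Citizen) of a small consent gate that handles both regimes. The cookie name `tracking_consent`, the `granted`/`denied` values, the 180-day lifetime and the injected `loadFn` are all assumptions for illustration; the cookie strings fed to it below are constructed samples.

```javascript
// Added example (not from the original post): a consent gate for tracking
// cookies, showing the opt-in (GDPR-style) and opt-out (CCPA-style) regimes
// side by side. Cookie name and attribute values are assumptions.

const CONSENT_COOKIE = "tracking_consent"; // hypothetical cookie name

// Parse a Cookie header / document.cookie string into a name -> value map.
// Malformed percent-encoding is kept raw rather than throwing.
function parseCookies(header) {
  const out = {};
  for (const part of String(header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch (_) { /* keep raw */ }
    if (name && !(name in out)) out[name] = value; // first occurrence wins
  }
  return out;
}

// Decide whether non-essential (tracking) cookies or scripts may be used.
//  - "opt-in":  nothing until the visitor has explicitly said yes.
//  - "opt-out": allowed unless the visitor has explicitly said no.
function trackingAllowed(cookieHeader, regime) {
  const choice = parseCookies(cookieHeader)[CONSENT_COOKIE];
  switch (regime) {
    case "opt-in":  return choice === "granted";
    case "opt-out": return choice !== "denied";
    default: throw new Error("unknown consent regime: " + regime);
  }
}

// Build the Set-Cookie / document.cookie string that records the choice.
// Secure + SameSite=Lax keep it off plain HTTP and out of cross-site POSTs;
// it is deliberately not HttpOnly so the banner script can read it back.
function consentCookie(choice, maxAgeDays = 180) {
  if (choice !== "granted" && choice !== "denied") {
    throw new Error("choice must be 'granted' or 'denied'");
  }
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Gate the tracker loader. In a browser `loadFn` would insert the analytics
// <script> tag; it is injected here so the gate can be exercised anywhere.
// Returns true only when the trackers were actually loaded.
function loadTrackers(cookieHeader, regime, loadFn) {
  if (!trackingAllowed(cookieHeader, regime)) return false;
  loadFn();
  return true;
}

// Stand-alone demonstration with constructed cookie strings.
if (typeof require !== "undefined" && require.main === module) {
  const samples = ["", "tracking_consent=granted", "session=abc; tracking_consent=denied"];
  for (const regime of ["opt-in", "opt-out"]) {
    for (const c of samples) {
      console.log(regime.padEnd(7), JSON.stringify(c).padEnd(40), trackingAllowed(c, regime));
    }
  }
}
```

The point to notice is the empty-cookie row: under opt-in the gate stays closed until the visitor acts, under opt-out it opens immediately, which is exactly the difference between the two laws. Whichever regime applies, the essential session cookie is never part of the decision; only the non-essential trackers sit behind the gate.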
Early results from the GDPR have been less data collection online, as companies drop tracking they cannot justify. Perhaps a more deliberate, targeted approach by companies towards our personal data is coming to America?
What do you think? Do these laws seem like a good thing, or an unnecessary burden to bear? Or perhaps these laws don’t seem strong enough?