In this post, we share tips for protecting your users’ privacy and maintaining compliance with new and emerging laws like Europe’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). Download our free data privacy checklist at the end. 

In the mad dash to bring more and more digital products and services online, we collectively neglect our privacy. Digital products are so ubiquitous that we often forget real consequences occur when personal data is shared without our knowledge or permission:

• Our information is used not only to make fraudulent purchases. More sophisticated laundering schemes are increasingly prevalent. 
• Large-scale misuse of personal data—a price we often pay when using “free” online tools—allows misinformation to spread and feeds a growing “surveillance economy”. 

Your Data is Already Under Seige

Every minute a person spends online helps countless companies build a thicker dossier about that person. Despite what corporations profess, much of this personal data is used not to improve products themselves but to make those products more attractive to advertisers.

— The New York Times, America, Your Privacy Settings Are All Wrong

While website hacks, malware, and other security threats are still on the rise, millions of websites all over the internet already collect your personal information every day. Ad-tracking scripts let companies know all sorts of information related to your browsing habits.

In the wrong hands, this information could potentially be used against you. Consequences might range from minor annoyances, like increased spam, to life-changing issues like fraud, discrimination, or access to products and services.

Prioritizing Data Privacy

The decisions we make about privacy today and in the coming years will shape the future of humanity for decades to come. Societal choices about privacy will influence how political campaigns are run, how corporations earn their keep, the power that governments and private businesses may wield, the advancement of medicine, the pursuit of public health goals, the risks we are exposed to, how we interact with each other, and, not least, whether our rights are respected as we go about our daily lives.

— Carissa Véliz, Lit Hub

Adopting smart data privacy and security practices is part of a larger corporate digital responsibility strategy that aligns all your organization’s digital practices with stakeholder needs and ethical behavior. Plus, with ongoing legislative changes, we must be vigilant in setting up and maintaining effective, long-term data privacy practices that include informed consent, among other things. What’s legal today might very well put you at risk for a fine tomorrow. Better to err on the proactive side. 

This is clearly a big deal. So, what can we do? Put simply, organizations must protect the integrity and privacy of their users’ data. They must communicate transparently about which information is collected, how it is used, and what is done with it once a user requests deletion. On the personal side, we all must take a more proactive stance in how our personal information is collected and used. 

Privacy Legislation

GDPR and CCPA are frontrunners in online privacy regulations. Several other U.S. states have introduced similar legislation as well. It is inevitable that more will follow. 

These laws provide clear guidelines for protecting user data and giving people the right to choose how their data is used, stored, and deleted. If your website serves people from California or the European Union, you need to pay attention to these laws today and do what’s necessary to comply. Also, forward-thinking organizations should adopt more stringent privacy policies that apply to users from any state, region, or country, since that’s where things are headed.

Financial Consequences

Since GDPR legislation was enacted in 2018, over €153 million worth of fines were levied as of August 2020. Even small infringements can incur penalties of up to €10 million. Individual CCPA fines start at around $7,500.00 and there is no ceiling. It should go without saying that these fines are serious and businesses should do everything they can to comply.

Data Privacy + Security: You Need Both

A Pew Research Institute study found that controlling PI [personal information] online is “very important” to 74% of Americans. According to another Pew study, 86% of Americans have taken action to maintain their privacy—deleting cookies, encrypting email, and protecting their IP address.

— Thomson Reuters

Additionally, every year, millions of people’s data is exposed to malicious attacks on every type of online entity you can imagine. From credit reporting companies and webcams to fitness apps and online games, any company using network-enabled technology—basically, all of them—can be exposed to this type of risk. No organization is truly safe. 

What’s more, if your business or nonprofit is hacked and your customers’ data leaked, you’re responsible for the consequences.

Privacy Breach: A Cautionary Tale

Equifax had a data breach in 2017. 147.9 million people’s data was compromised. This data included social security numbers, birth dates, addresses, and even drivers’ license numbers. Another 209,000 people had their credit card data exposed.

Worse, Equifax’s data breach is just a small drop in a much, much larger bucket. If you tally up the 15 biggest data breaches of the 21st century, over 6,457,100,000 online accounts have been compromised. There’s a good chance your data is among them. These breaches cost companies billions of dollars. If you’re not careful, your organization could be next.

A Downloadable Data Privacy Checklist

This data privacy checklist will help you better understand business requirements specific to GDPR and CCPA. Plus, it includes general privacy recommendations to inform a more impactful long-term privacy and security plan. We hope you find it useful. Please reach out if you have any questions. 

Fill out this form to download your data privacy checklist:

Disclaimer: Digital privacy is an always-evolving issue. This post is not to be construed as legal advice.