US Data Privacy Legislation is Probably Coming, Here’s 3 Ways to Prepare
For many businesses (including this one), figuring out how to make their web properties GDPR compliant was a Herculean effort. It was such a tough job that a significant number of businesses didn’t even make it into compliance by the May 25th, 2018 deadline and were forced to block access to European users covered by the new regulations for fear of incurring GRPR fines for their remaining privacy issues.
While most of the affected companies have since gotten onto the right side of the law and have put the issue into the rear-view mirror, that doesn’t mean that the user data privacy landscape is settled. In fact, there’s a growing consensus that the United States may soon follow suit and pass its own data privacy legislation in the coming years.
That could mean that all of the companies
that believed they had dodged the GDPR compliance bullet could soon find
themselves scrambling to make the same kinds of changes their international
contemporaries already have. To avoid the same kind of crunch that came along
with the GDPR, that means it’s a good idea for those businesses to get a head
start on addressing the privacy issues connected to their web properties in
advance of any coming legislation.
The best way to do that is to use the
GDPR and other existing privacy laws as a guideline to make the necessary
changes now. Here are three steps they should take to make proactive changes
and stay ahead of the game.
1. A Privacy Policy Face-Lift
The first step on the path to data
privacy preparedness is to review and adjust your company privacy policy to
provide maximum transparency about how you will collect, store, and use data.
It should include easy-to-understand language regarding:
- Cookie
practices - Data sharing
with 3rd parties - How long data
is kept - What it’s
being used for - Why that’s
necessary - How you
safeguard collected data
Try to provide as complete a picture as is possible, without making your privacy policy so complex as to be unreadable. The good news is that the EU created a privacy policy template that covers everything you must include for compliance purposes, and it should be comprehensive enough to satisfy any new data regulations that may be coming in the US.
2. Obtain Affirmative Cookie
Consent
For a long time, cookies have been
vilified as an unnecessary or even malicious component of modern websites. Of
course, that’s not really the case – but that doesn’t mean you can continue to
use them at will. In fact, the GDPR does have a provision related to cookies,
and that’s on top of a preexisting EU regulation on the topic.
The bad news is that for all of the existing rules surrounding cookies, legal experts still consider subject murky at best. It isn’t likely that future US legislation on the topic will be as vague, especially with tech luminaries like Mark Zuckerberg calling for future policy to be as clear as possible.
In a blog post earlier this year, he addressed the issue by saying “As lawmakers adopt new privacy regulations, I hope they can help answer some of the questions GDPR leaves open”. With other big tech firms taking similar stances, it’s a safe bet that cookies won’t escape fresh scrutiny and more specific regulation.
That means the best course of action is
to err on the side of maximum care with respect to user consent for cookie use.
It’s not enough to simply notify users that your site uses cookies. It should
also detail what they’re for and require the user to give affirmative consent
before any cookies are stored on their device.
3. Limit Data Collection on
Forms
For as long as there have been commercial
websites, web forms have been an integral part of user data collection. Today,
they’re key features of the digital marketing funnels that are used by
businesses of all types. Over the years, however, many businesses have grown
the forms on their landing pages to include all kinds of data that they may not
even require – or even use in any way.
To keep that from becoming a data privacy
concern, it’s important to pare down the data that’s collected via web forms to
only what’s absolutely necessary to complete the action the form enables. In
the context of a marketing funnel, that could be as simple as a name and email
address.
If more data is required, it might be a good idea to outsource the process to a specialist firm like Convincely who already has the right GDPR-compliant infrastructure to safeguard user data. Then all you’d need to do is detail what you’re collecting within the aforementioned privacy policy, along with whichever firm is handling the data for you.
Ahead of the Curve
Making these three adjustments to your web properties now will bring them more in line with existing GDPR obligations and therefore with future US data privacy legislation (which is likely to be less comprehensive). To expand your efforts beyond these steps, it would also be helpful to go through the EU-provided GDPR checklist which contains a far more thorough accounting of compliance measures your business should take to safeguard GDPR rights for your customers.
By doing all of this now, you’ll be well
ahead of the curve when new privacy legislation eventually goes into effect in
the coming years. In the worst case, you’ll be over-prepared for whatever shape
they eventually take, and that’s never a bad thing when it comes to legal
compliance. You’ll also be able to hit the ground running in advance of new
compliance deadlines without the mad scramble that attended the GDPR rollout –
and that in itself is worth the effort and then some.
