US Data Privacy Legislation is Probably Coming, Here’s 3 Ways to Prepare
For many businesses (including this one), figuring out how to make their web properties GDPR compliant was a Herculean effort. It was such a tough job that a significant number of businesses didn’t even make it into compliance by the May 25th, 2018 deadline and were forced to block access to European users covered by the new regulations for fear of incurring GRPR fines for their remaining privacy issues.
While most of the affected companies have since gotten onto the right side of the law and have put the issue into the rear-view mirror, that doesn’t mean that the user data privacy landscape is settled. In fact, there’s a growing consensus that the United States may soon follow suit and pass its own data privacy legislation in the coming years.
That could mean that all of the companies that believed they had dodged the GDPR compliance bullet could soon find themselves scrambling to make the same kinds of changes their international contemporaries already have. To avoid the same kind of crunch that came along with the GDPR, that means it’s a good idea for those businesses to get a head start on addressing the privacy issues connected to their web properties in advance of any coming legislation.
The best way to do that is to use the GDPR and other existing privacy laws as a guideline to make the necessary changes now. Here are three steps they should take to make proactive changes and stay ahead of the game.
1. A Privacy Policy Face-Lift
The first step on the path to data privacy preparedness is to review and adjust your company privacy policy to provide maximum transparency about how you will collect, store, and use data. It should include easy-to-understand language regarding:
- Cookie practices
- Data sharing with 3rd parties
- How long data is kept
- What it’s being used for
- Why that’s necessary
- How you safeguard collected data
Try to provide as complete a picture as is possible, without making your privacy policy so complex as to be unreadable. The good news is that the EU created a privacy policy template that covers everything you must include for compliance purposes, and it should be comprehensive enough to satisfy any new data regulations that may be coming in the US.
2. Obtain Affirmative Cookie Consent
For a long time, cookies have been vilified as an unnecessary or even malicious component of modern websites. Of course, that’s not really the case – but that doesn’t mean you can continue to use them at will. In fact, the GDPR does have a provision related to cookies, and that’s on top of a preexisting EU regulation on the topic.
The bad news is that for all of the existing rules surrounding cookies, legal experts still consider subject murky at best. It isn’t likely that future US legislation on the topic will be as vague, especially with tech luminaries like Mark Zuckerberg calling for future policy to be as clear as possible.
In a blog post earlier this year, he addressed the issue by saying “As lawmakers adopt new privacy regulations, I hope they can help answer some of the questions GDPR leaves open”. With other big tech firms taking similar stances, it’s a safe bet that cookies won’t escape fresh scrutiny and more specific regulation.
That means the best course of action is to err on the side of maximum care with respect to user consent for cookie use. It’s not enough to simply notify users that your site uses cookies. It should also detail what they’re for and require the user to give affirmative consent before any cookies are stored on their device.
3. Limit Data Collection on Forms
For as long as there have been commercial websites, web forms have been an integral part of user data collection. Today, they’re key features of the digital marketing funnels that are used by businesses of all types. Over the years, however, many businesses have grown the forms on their landing pages to include all kinds of data that they may not even require – or even use in any way.
To keep that from becoming a data privacy concern, it’s important to pare down the data that’s collected via web forms to only what’s absolutely necessary to complete the action the form enables. In the context of a marketing funnel, that could be as simple as a name and email address.
If more data is required, it might be a good idea to outsource the process to a specialist firm like Convincely who already has the right GDPR-compliant infrastructure to safeguard user data. Then all you’d need to do is detail what you’re collecting within the aforementioned privacy policy, along with whichever firm is handling the data for you.
Ahead of the Curve
Making these three adjustments to your web properties now will bring them more in line with existing GDPR obligations and therefore with future US data privacy legislation (which is likely to be less comprehensive). To expand your efforts beyond these steps, it would also be helpful to go through the EU-provided GDPR checklist which contains a far more thorough accounting of compliance measures your business should take to safeguard GDPR rights for your customers.
By doing all of this now, you’ll be well ahead of the curve when new privacy legislation eventually goes into effect in the coming years. In the worst case, you’ll be over-prepared for whatever shape they eventually take, and that’s never a bad thing when it comes to legal compliance. You’ll also be able to hit the ground running in advance of new compliance deadlines without the mad scramble that attended the GDPR rollout – and that in itself is worth the effort and then some.
