GDPR and Other Website Privacy Laws
The General Data Protection Regulation (GDPR) is a regulation in the European Union (EU) that outlines the rights of individuals and the obligations of organizations that control or process personal data. The GDPR was adopted on April 27, 2016, and became enforceable on May 25, 2018.
The GDPR applies to all organizations that process the personal data of individuals located in the EU, regardless of the organization’s location. It also applies to organizations established outside the EU that offer goods or services to individuals located in the EU or that monitor the behavior of individuals located in the EU.
The GDPR sets forth a number of requirements for organizations that process personal data, including:
- Obtaining consent from individuals before processing their personal data
- Providing individuals with access to their personal data
- Deleting personal data upon request from individuals
- Reporting data breaches to data protection authorities
The GDPR also establishes a number of rights for individuals, including the right to:
- Request access to their personal data
- Request that their personal data be corrected or deleted
- Object to the processing of their personal data
- Restrict the processing of their personal data
- Port their personal data to another organization
The GDPR is enforced by data protection authorities in each EU member state. Data protection authorities have the power to investigate complaints, issue fines, and order organizations to comply with the GDPR.
In addition to the GDPR, there are a number of other website privacy laws that website owners need to be aware of. These laws include:
- The California Consumer Privacy Act (CCPA)
- The New York State Department of Financial Services Cybersecurity Regulation
- Brazil’s Lei Geral de Proteção de Dados (LGPD)
The CCPA is a law that gives California residents control over their personal data. The CCPA applies to businesses that collect the personal information of California residents. The CCPA requires businesses to provide California residents with access to their personal data, to delete their personal data upon request, and to allow California residents to opt out of the sale of their personal data.
The New York State Department of Financial Services Cybersecurity Regulation is a regulation that requires financial institutions to implement cybersecurity measures to protect customer data. The regulation also requires financial institutions to report data breaches to the New York State Department of Financial Services.
The LGPD is a law that gives Brazilian citizens control over their personal data. The LGPD applies to businesses that collect the personal information of Brazilian citizens. The LGPD requires businesses to obtain consent from Brazilian citizens before collecting or processing their personal data, to provide Brazilian citizens with access to their personal data, to delete their personal data upon request, and to allow Brazilian citizens to opt out of the sale of their personal data.
Enforcement Activities
Data protection authorities in the EU and around the world have been actively enforcing the GDPR and other website privacy laws. In the first year of the GDPR’s enforcement, data protection authorities issued over 800 fines totaling over €1.1 billion.
In the United States, the Federal Trade Commission (FTC) has been the primary enforcer of website privacy laws. The FTC has brought a number of enforcement actions against companies that have violated website privacy laws. In 2019, the FTC settled with Facebook for $5 billion for violating the FTC Act and the Gramm-Leach-Bliley Act. The FTC also settled with Google for $1.7 billion for violating the FTC Act and the Children’s Online Privacy Protection Act (COPPA).
Website Owner Liabilities for Non-Compliance
Website owners who fail to comply with website privacy laws can face a number of consequences, including:
- Fines from data protection authorities
- Lawsuits from individuals
- Damage to their reputation
- Loss of customers
The fines that website owners can face for non-compliance can be significant. In the United Kingdom, the Information Commissioner’s Office (ICO) fined British Airways £20 million for a data breach that exposed the personal data of 500,000 customers. In the United States, the FTC fined Equifax $700 million for a data breach that exposed the personal data of 147 million customers.
Website owners who fail to comply with website privacy laws can also be sued by individuals. In the United States, individuals can sue website owners for violations of the FTC Act, the Gramm-Leach-Bliley Act, and COPPA. Individuals can also sue website owners for violations of state law.
Website owners who fail to comply with website privacy laws can also face damage to their reputation. If website owners are found to have violated website privacy laws, their customers may lose trust in them. This can lead to a loss of customers and a decline in business.
There are a number of WordPress plugins that can help a WordPress website become compliant with GDPR, CCPA and other website privacy laws. These plugins can help website owners to:
- Obtain consent from users before collecting or processing their personal data
- Provide users with access to their personal data
- Delete users’ personal data upon request
- Report data breaches to data protection authorities
Some of the most popular WordPress plugins for website privacy compliance include:
- Complianz is a WordPress plugin that helps website owners to comply with GDPR, CCPA and other website privacy laws. The plugin includes a number of features, such as a cookie consent banner, a privacy policy generator, data subject access request (DSAR) management, data export, and data breach reporting.
- GDPR Cookie Consent is a plugin that helps website owners to comply with the GDPR’s requirements for cookie consent. The plugin allows website owners to create a cookie consent banner that informs users about the cookies that are used on the website and provides users with the opportunity to opt out of the use of cookies.
- Cookiebot is another plugin that helps website owners to comply with the GDPR’s requirements for cookie consent. The plugin automatically scans a website for cookies and then generates a cookie consent banner that is tailored to the specific cookies that are used on the website.
- WPForms is a form plugin that can be used to create contact forms, order forms, and other types of forms. The plugin includes a GDPR add-on that helps website owners to comply with the GDPR’s requirements for collecting personal data through forms.
- Ninja Forms is another form plugin that can be used to create contact forms, order forms, and other types of forms. The plugin includes a GDPR add-on that helps website owners to comply with the GDPR’s requirements for collecting personal data through forms.
- WP GDPR Compliance is a plugin that helps website owners to comply with the GDPR’s requirements for data protection. The plugin includes a number of features, such as the ability to create a privacy policy, the ability to provide users with access to their personal data, and the ability to delete users’ personal data upon request.
It is important to note that these plugins are not a substitute for legal advice. Website owners should consult with a lawyer to ensure that they are in compliance with all applicable laws. This article, likewise, is not a substitute for sound legal advice, and website owners ought to consult with a lawyer to ensure they are properly complying.
Actionable recommendations to achieve compliance
To achieve compliance with GDPR, CCPA and other website privacy laws, website owners should:
- Review their website’s privacy policy and make sure that it is accurate and up-to-date. The privacy policy should explain how the website collects, uses, and shares personal data.
- Obtain consent from users before collecting or processing their personal data. Consent can be obtained through a variety of methods, such as a checkbox on a form or a pop-up banner.
- Provide users with access to their personal data upon request. Website owners should be able to provide users with a copy of their personal data in a readable format.
- Delete users’ personal data upon request. Website owners should be able to delete users’ personal data from their systems upon request.
- Report data breaches to data protection authorities. If a website suffers a data breach, the website owner should report the breach to the appropriate data protection authority.
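As an added example that is not code from this article or from any plugin it names, the following shows how the "provide access" and "delete upon request" steps above can be wired into WordPress core's own personal data export and erasure tools (Tools > Export Personal Data / Erase Personal Data, available since WordPress 4.9.6) for data a site keeps in its own custom table. The table name `newsletter_signups`, its columns, and the `example-` identifiers are assumptions made for this example.

```php
<?php
/**
 * Added example (not from the article or any plugin it names): hooking a
 * hypothetical custom table into WordPress core's personal data export and
 * erasure tools. The table name and its columns are assumptions.
 */

// Register an exporter so a data subject access request also returns rows
// from our table alongside the data WordPress core already exports.
add_filter('wp_privacy_personal_data_exporters', function (array $exporters): array {
    $exporters['example-newsletter'] = [
        'exporter_friendly_name' => __('Newsletter signups (example)'),
        'callback'               => 'example_newsletter_exporter',
    ];
    return $exporters;
});

// Register an eraser so a confirmed erasure request removes the same rows.
add_filter('wp_privacy_personal_data_erasers', function (array $erasers): array {
    $erasers['example-newsletter'] = [
        'eraser_friendly_name' => __('Newsletter signups (example)'),
        'callback'             => 'example_newsletter_eraser',
    ];
    return $erasers;
});

/**
 * Export callback. WordPress calls it with the requester's email address and
 * a page number, and expects the items found plus a "done" flag so large
 * result sets can be paged.
 */
function example_newsletter_exporter(string $email_address, int $page = 1): array {
    global $wpdb;
    $table    = $wpdb->prefix . 'newsletter_signups'; // assumed custom table
    $per_page = 100;
    $offset   = ($page - 1) * $per_page;

    // The email comes from the request: always bind it with prepare(), never interpolate it.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, email, signed_up_at, consent_text FROM {$table} WHERE email = %s LIMIT %d OFFSET %d",
            $email_address, $per_page, $offset
        ),
        ARRAY_A
    );

    $export_items = [];
    foreach ($rows as $row) {
        $export_items[] = [
            'group_id'    => 'example-newsletter',
            'group_label' => __('Newsletter signups'),
            'item_id'     => 'signup-' . (int) $row['id'],
            'data'        => [
                ['name' => __('Email'),        'value' => $row['email']],
                ['name' => __('Signed up at'), 'value' => $row['signed_up_at']],
                ['name' => __('Consent text'), 'value' => $row['consent_text']],
            ],
        ];
    }

    return [
        'data' => $export_items,
        'done' => count($rows) < $per_page, // ask for another page only if this one was full
    ];
}

/**
 * Erase callback. Deletes the matching rows and reports the outcome. If a
 * legal retention duty prevents deleting some records, set items_retained
 * to true and explain why in messages; that text is shown to the requester.
 */
function example_newsletter_eraser(string $email_address, int $page = 1): array {
    global $wpdb;
    $table = $wpdb->prefix . 'newsletter_signups'; // assumed custom table

    // Parameterised delete keyed on the requester's email.
    $deleted = $wpdb->delete($table, ['email' => $email_address], ['%s']);

    return [
        'items_removed'  => $deleted > 0,
        'items_retained' => false,
        'messages'       => [],
        'done'           => true,
    ];
}
```

Drop this into a plugin or `mu-plugins` file. WordPress only runs the callbacks after the data subject has confirmed the request by email and an administrator has processed it, so the export lands in the same ZIP archive as the core user data, and the erasure is recorded in the request log; that record is useful evidence for the "delete upon request" obligation discussed above.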
Suggested time-frame to become compliant
The time-frame to become compliant with GDPR, CCPA and other website privacy laws will vary depending on the size and complexity of the website. However, website owners should start the process of becoming compliant as soon as possible.
Estimated cost range to achieve compliance
The cost of becoming compliant with GDPR, CCPA and other website privacy laws will vary depending on the size and complexity of the website. However, website owners should expect to spend a significant amount of time and money on becoming compliant. Costs vary widely, from as low as $500 to $1,500 (USD) at the lower end, to anywhere from $3,000 to $10,000 (USD) at the higher end.