If you are a member of a company in any industry, you likely have an online presence. A commercial website is critical and necessary today for the value and positive impact it brings. Your website represents you, putting forward the image you want customers and employees to have of your company. You may have spent a great deal of time and money making sure it looks and functions just the way you want. Even so, you may still be at risk of fines and lawsuits over the treatment of your site visitors’ data. This is where compliance and privacy policies and procedures come into play.
A visitor clicking on your company’s website may seem no different from a customer coming in to browse your company’s store, but there are significant differences and hidden computer functions that you need to keep in mind to stay ahead of applicable law and policy. For example, by the time the visitor reaches your website, a vast amount of data about that individual has already been collected by their browser, other sites the person visited, and even their internet carrier. However, once the visitor accesses your site, the collection and handling of data that occurs on your page is your responsibility. So, now that you know there are rules to follow, what are the rules and where are they found? Well, that is where the confusion starts. The rules you will need to follow are a patchwork of federal and state law, and the technology is ever changing.
State law in this area is still relatively new but quickly developing. The two major laws now in place regarding the collection of private information are the Virginia Consumer Data Protection Act (“VCDPA”) and the California Consumer Privacy Act (“CCPA”), with the latter being the most inclusive. For this reason, most developers and compliance departments will use the CCPA as the example for their websites to follow. The CCPA gives your consumers several rights, such as the right to know what information is collected from them and how it is used, the right to delete the information collected, and the right to opt out of the sale of the information. To add more confusion, the CCPA also limits its application and provides exclusions. Other state laws are also coming, and with the global reach of the internet every company must remain diligent in staying compliant.
As with any business act, your company’s credibility is on the line, so be sure your policy doesn’t promise what you cannot deliver. For example, although you will no doubt take steps to protect your visitors’ information, you simply cannot guarantee their personal information will be safe. Your policy should also be written in a manner that allows for business needs and changes: if you state you will not sell your visitors’ personal information, you will need their consent to pass it over in the event you sell your company. However, with proper planning you can inform visitors and receive their consent in advance, saving you time and money down the road.