Website Data Privacy Laws to Know About in 2022
To date, the United States hasn’t enacted many comprehensive federal data privacy laws, but there are a few progressive data privacy laws that have been enacted at the state level.
California and Virginia are leading the way in data protection legislation, and other states will soon be joining the fight. Similar to the EU's General Data Protection Regulation (GDPR), these laws have a wide reach because any company providing services to residents of a US state must comply with that state's privacy laws. We've included detailed descriptions of existing state data privacy laws later on in this post.
Getting to Data Privacy Compliance
Non-compliance can result in fines, fees, and legal action, and consumers increasingly demand websites that prioritize privacy and security.
To keep a website in compliance, web developers should apply the Privacy by Design framework (a requirement under GDPR) when building it. This framework, which protects people's data through the design of the technology itself, has 7 foundational principles:
- Proactive, not reactive; preventative, not remedial: anticipate and prevent privacy invasions before they happen
- Privacy as the default setting: ensure personal data is protected without requiring any action by individuals to protect their own privacy
- Privacy embedded into design: make privacy an essential component of the core functionality being delivered
- Full functionality – positive-sum, not zero-sum: a website can provide both privacy and security
- End-to-end security – full lifecycle protection: strong security measures are essential to privacy
- Visibility and transparency – keep it open: assure stakeholders that your business practices and technologies operate according to the stated promises and objectives, subject to independent verification
- Respect for user privacy – keep it user-centric: keep the interests of the individual uppermost by offering measures such as strong privacy defaults, appropriate notice, and empowering, user-friendly options
Data privacy laws are essential to keeping consumer information safe. Federal data privacy laws in the U.S. are lacking in comparison to the data protection efforts of the EU, but US states are increasingly stepping up to protect the right of privacy for their citizens.
While consumer data can help create a stronger website, don’t build your website around it. Web developers, strategists and designers don’t need to demand data to create a good user experience. Usability, design and security benefit from consumer data, but privacy laws must guide how any personal data is collected and used. It is critical to respect the consumer’s right to privacy.
Details on State Data Privacy Laws
The California Consumer Privacy Act (CCPA):
Inspired by the GDPR, the CCPA took effect on January 1, 2020 and is the most important data privacy law ever passed in the US. It has its own unique scope, but both laws redefine an individual's rights to their personal data and put methods in place for how these rights should be protected and enforced.
The CCPA regulates companies' data privacy practices and provides state residents with:
- The right to know what personal information is collected
- The right to opt-out of the sale of personal information
- The right to delete personal information upon request
- The right to equal service and price (consumers cannot be penalized for exercising these rights under CCPA)
The CCPA applies to any company that meets one or more of the following criteria:
- Has gross annual revenue exceeding $25 million
- Annually processes the personal information of 50,000 or more California consumers
- Earns more than half of their annual revenue by selling personal information
CCPA fines reach up to $7,500 per violation, and the law also allows consumers to sue in response to violations.
The Virginia Consumer Data Protection Act (CDPA):
CDPA is similar to the CCPA and GDPR, and is based on the same principles of personal data protection. Covered entities have the same responsibilities as under CCPA, including giving users the right to access, view, download and delete personal information from a company’s database.
An entity is covered if it:
- Annually processes the personal information of 100,000 or more Virginia consumers
- Annually processes the data of at least 25,000 people and makes at least half of its revenue from selling that data
Virginia’s CDPA uses a narrower definition of what constitutes the sale of personal information than the CCPA. CCPA and GDPR define it as the exchange of personal information, either for money or for other reasons, whereas CDPA narrows down those other reasons to just a few specific cases.
Virginia’s CDPA does not include a private right of action, meaning that Virginia residents cannot sue companies for CDPA violations.
The Colorado Privacy Act (ColoPA):
ColoPA follows in the same footsteps and adheres to the same principles of personal information protection. While CCPA allows consumers to request access to all their personal data (as personal data is defined under CCPA), ColoPA gives consumers access to information of any kind that the company has collected. It also adds a sensitive-data requirement to consent requests: data processors must request permission before processing data that could classify a person into a protected category, such as race or gender.
The Utah Consumer Privacy Act (UCPA):
UCPA is the latest state data privacy law to be passed in the U.S. Like the previously discussed laws, it follows the example set by the GDPR.
One significant difference is that its definition of personal data only applies to consumer data. This excludes data that an employer has about its employees, or that a business gets from another business.
There is also no requirement for data protection assessments. Colorado requires a recurring security audit for all data processors to ensure they’re implementing reasonable data security measures, but Utah does not. There’s also a $25 million annual revenue threshold for data processors — entities earning less than that are not required to comply.
Data Privacy Practices in Action
- Treliant knows data privacy is of the utmost importance when it comes to their consulting services for the financial industry. They highlight their privacy statement and cookies policy in an easy-to-find location right next to their newsletter sign-up. Sharing a transparent view into how you value the privacy of customers and business partners establishes trust right from the start. You can read more about how we helped lay the groundwork for data privacy in Treliant’s site design in our case study.
- Metron puts data privacy front and center the moment you visit their website. For first-time visitors, a banner prompts users for their preferences about how their information is tracked and kicks off the conversation with a sense that they value what’s most important to their audiences.
- Ferrari gives their customers links to declaration forms that comply with both CCPA and GDPR guidance. These give their site visitors power over their personal data and speak to the overall level of conscientious quality, care and service that the name Ferrari stands for.
If you want to go on an even deeper dive into data privacy or stay updated on the most current laws and regulations, be sure to bookmark these resources:
- National Conference of State Legislatures – State Laws Related to Digital Privacy
- Termly.io – Data Privacy & Web Accessibility: What’s the Link?
- PrivacyPolicies.com – Costs of Non-Compliance with Privacy Laws
We’ve Got You Covered
And on the topic of data privacy, if you’re currently using Google Analytics to collect data on your site, it’s time to upgrade to Google Analytics 4. This new instance of Google Analytics is designed with privacy protection as a part of its DNA.
We’ve got the experts and resources to guide you through every aspect of your web design journey, including compliance and accessibility. Get in touch and let us know where we can help out.