JoomConnect Blog
UPDATED: What is the GDPR/California "Shine the Light" Law? [FREE DOWNLOAD]
GDPR was introduced by the European Union, but it applies to businesses all over the world, especially if you could potentially collect personal data from a person residing within the EU. We feel, as a business, it’s important to safeguard personal data of your prospects and customers, and we think the GDPR is a big step in the right direction to provide transparency and understanding to your users. We've also made some updates to this blog post and the corresponding free download to cover California Civil Code Section 1798.83, also known as California's "Shine the Light" or "Your California Privacy Rights" law.
The Basics of the GDPR
The key elements of the GDPR are the following:
- You must process personal data in a way that is lawful, fair, and transparent.
- You must only use personal data for the specific purpose that you have declared.
- You must collect only the minimum amount of personal data required to achieve your stated objective(s).
- You must take all reasonable steps to ensure that any data you collect is accurate and kept up-to-date.
- You may only hold personal data for as long as it is required to achieve the stated objective(s).
- You must process personal data in a way that ensures appropriate security.
There is a lot to the GDPR (it’s over 255 pages long), but we’ve found a lot of the concepts make sense. Chances are, if you are handling your marketing and the data you collect as white-hat as possible, you are already mostly there.
A few big things to look out for:
Automatic Opt-Ins are Not Okay
If your forms have "Newsletter" or "More Information" checkboxes pre-ticked, that does not count as an opt-in.
Enable SSL
If your website doesn’t have an SSL certificate, reach out to us and we’ll provide you with a free one under your hosting agreement. You can also purchase one, but for non-ecommerce sites, the free SSL certificate is a good alternative.
Check Your Lists
It never hurts to run the occasional re-opt-in campaign to ensure you aren’t sending unsolicited emails.
Updating Your Privacy Policy
You’ll want to be as transparent as possible in your privacy policy. We’ve included a template to work off of, but don’t assume it is ready to publish for your business. You’ll want to review it with your lawyer, along with the rest of the GDPR. Updating your privacy policy alone is not going to make you compliant.
Document Any Extra Tracking/Analytics
We’ve covered the basics that we apply to most of our clients, such as Google Analytics. If you use a third-party service for tracking analytics or metrics on your website, or you have other scripts that collect data, you’ll need to make sure that it is covered in your Privacy Policy and that those services are GDPR compliant.
Check With Your Host
If you host the website yourself or use a third party other than us, you’ll need to make sure they are GDPR compliant.
It Doesn’t Stop There
Be sure to review the GDPR to determine if you are within its scope and to ensure that your business is compliant. This will involve reaching out to any vendors that you might share or transfer data to and reviewing their policies, and making sure you are protecting any personal information you collect.
California's "Shine the Light" Law
When we originally built out the free privacy policy template, we included a clause specifically for California Civil Code Section 1798.83. This law was proposed back in 2003 and became active in 2005. It basically states that California residents should know where their personal data goes, so businesses need to disclose certain information about what they collect and then share with third parties. You need to be transparent and disclose who these third parties are.
The California "Shine the Light" Law applies to:
- Businesses that have any customers who are residents of California
- Businesses with 20 or more employees
- Businesses that have shared personal information about any of their customers with a third party for the purpose of marketing.
How to comply with the "Shine the Light" law
Transparency is key here. If you share any information with a third party for marketing, including personal information, name, address, email, any information about children, or any financial information, you need to disclose it clearly.
- Disclose what information you collect.
- Disclose the name and address of any third parties that you have shared that information with.
- Designate a mailing address, email address, or telephone number at which customers may make requests for this information.
- Educate your employees/managers to be able to respond appropriately to these requests.
- Add a "California Privacy Rights" clause to your Privacy Policy or add a separate "Your Privacy Rights" page linked from your website homepage.
- Any requests from customers need to be replied to within 30 days.
- You are only required to disclose this information to customers who ask for it, and only once per calendar year.
You can read more about the California "Shine the Light" Law here
Want to Update Your Privacy Policy?
We’ve built a template that our clients can use as a starting point for their privacy policy. We took into consideration the services most of our clients use to make it a little easier. Keep in mind, this document needs to be edited and reviewed internally before it is put on your website. It's just a starting point, and we aren't your lawyer.
Click here to download our free privacy policy template. (Right-click and select Save As to save the Word Document)
More Resources
You can read the original regulation here: http://eur-lex.europa.eu/eli/reg/2016/679/oj
There is also a great breakdown of the GDPR here: https://gdpr-info.eu/
Disclaimer: We’re Not Your Lawyer
Please be advised that Directive is not your attorney, and this information is not legal advice. This information does not provide, nor constitute, and should not be construed as, legal advice. It is for educational purposes only and is not to be acted or relied upon as legal advice. Use of this information does not create any attorney-client relationship between you and Directive. The information does not constitute legal advice and is not a substitute for competent legal advice from a licensed attorney representing you in your jurisdiction. Applying or asking us to apply the privacy policy template to your website does not make us responsible in any way for the accuracy of the content or your compliance. You should seek advice from your legal counsel to determine your legal obligations.