Guest Author: Nicole Cheri Oden
Chances are you’ve got an opt-in form on a landing page or your website. Or you have some other way of gathering email addresses (or other personal information) in exchange for your freebie or discount. Or you ask for a person’s email address before they can join your Facebook group.
But first, know that everything I chat about here is intended to provide legal information and education. It is not business, financial, or legal advice, and does not create an attorney-client relationship between us. I’m an attorney licensed in the United States, so everything will be from the perspective of United States law. You should consult with an attorney in your area who understands your particular business situation so that you can take the right steps for you and your business.
And since you have no idea whether the people interacting with your website or landing page are in California or Timbuktu, you should comply.
When the General Data Protection Regulation (GDPR) went into effect in May 2018, it complicated things a bit. I’m not going to get into all of the nitty-gritty specifics here. BUT it is important to know that the GDPR applies to any business that processes personal information from even ONE PERSON in the European Union (E.U.) or U.K.
The GDPR also has an expanded definition of personal information – it’s “any information relating to an identified or identifiable natural person.” Holy cow. This includes the items named in CalOPPA (first and last name, email address, physical address, telephone number, social security number, birthday, height, weight) BUT it also includes anything relating to the person’s “physical, physiological, genetic, mental, economic, cultural, or social identity.” This includes IP addresses. All the tracking software and cookies you have on your website? Yeah, you need your website viewer’s consent.
- What personal information you collect;
- What third parties you share the personal information you collect with;
- How a website viewer can contact you to make changes to or update any personal information that was collected;
- How you deal with “Do Not Track” requests;
- How and why you collect personal information;
- What you do with the personal information;
- How you keep the personal information safe;
- How long you retain the personal information;
- If you share or sell the personal information with or to third parties (and if so, what third parties); and
- On the home page of your website, or
- Via a hypertext link on the home page of your website that contains the word “privacy” written in capital letters (also known as a “browse wrap” in internet law). This is the more common practice across the interwebs; just look at the bottom of the websites that you visit on a daily basis.
And this is because the GDPR requires affirmative consent from your website viewers to process their personal information.
- Your website viewer’s consent must be “freely given, specific, informed, and unambiguous;” AND
I also did a more in-depth interview with Michelle on this topic, and you can check that out here!