DISCLAIMER: This information has been provided as a guide only and does not constitute legal advice. Monterey Bay Design will bear no responsibility for errors or misinformation.
Privacy and Personal Data Policies and Compliance
What is Personal Data?
Personal Data has a broad scope: it includes any information that can be used to directly or indirectly identify someone, from basic contact information such as name, address, phone number, email address, IP address or photo, to special categories such as sexual orientation, ethnicity, income, etc.
Failure to comply with privacy regulations can potentially result in fines.
CCPA (California Consumers Protection Act)
What is the CCPA?
CCPA stands for California Consumers Protection Act 2018. It is the most recent personal data protection law passed by the State of California as a response to the increased role of personal data in contemporary business practices and the personal privacy implications surrounding the collection, use, and protection of personal information.
Who does CCPA apply to?
CCPA affects your website if you collect and process data of California residents and exceed at least one of the following thresholds:
- Annual gross revenues of at least $25 million
- Obtaining personal information of at least 50,000 California residents, households, and/or devices per year (50,000 sounds like a lot, but to meet that you would only need 137 unique visitors daily)
- At least 50% of your annual revenue is generated from the sale of California residents’ personal information
If you exceed or may soon exceed any of the thresholds listed above and you use any type of tracking tool, it is better to be CCPA-compliant.
GDPR (General Data Protection Regulation-EU)
What is the GDPR?
The GDPR is the European Union’s General Data Protection Regulation. It covers all individuals within the EU, and it was introduced to give citizens and residents of the EEA (European Economic Area) control over their Personal Data.
I’m in the United States – under what conditions does the GDPR affect me?
- If you market to or sell to the EU directly
- If you allow commenting on your blog (and the commenter is from the EU)
- If you have forms that can be filled out by someone from the EU
- If you have visitors from the EU on your site and you track them with Google Analytics (or a similar tool)
I’m a small, US-based business or individual – do I really have to comply with the GDPR?
Unless you have a basic, static website (regardless of your intended audience), you are obliged to comply with the GDPR.
If any of the above applies to you, then yes, technically you do. Even where it is not mandatory, solid privacy and data protection should be standard operating procedure, wherever your site visitors are from.