General Data Protection Regulation (GDPR) was adopted in 2016 as the European Union's regulation to manage data protection and privacy for Europeans. Since then, individual states in the US have started to follow suit, especially as data collection has become more lucrative. The goal of these laws is to give website users the option of controlling what data is shared, and force penalties for operators not adhering to these laws.
Disclaimer - A disclaimer is a formal notice that limits the liability of the website owner. It can also include specific rules for eCommerce stores regarding purchases and returns, and can also cite copyright information for the media being used on the website.
Terms of Service (ToS) - This is more of a legally binding document that governs how the website should be used. In most cases, a user accepts the ToS by default just by using the website.
Each state has different definitions of the terms defined in privacy protection. (So glad they made it easy! #sarcasm) The most important term to always be on the lookout for is Personally Identifiable Information (PII). Typically, this term includes unique identifiers which can range from their email address to social security number.
Feel free to click on each state's bill to view the signed legislation. Just get comfy first because they're pretty... dry.
No surprise here, but our state of Missouri does not have one single bill introduced to address online privacy 🙃
If you're wanting to dig into specific legislation by state, you can download the PDF from iapp US State Privacy Legislation Tracker.
In short: you (the business) must make data collection optional for users in the required states. It could still be "turned on" by default, but you must honor an individual's request if they choose to opt-out of data tracking. You must also make it clear (1) how someone can opt-out, and (2) show their status of whether they're opted-in, or out, at any given time.
Each state has a specific timeline on how quickly you, as the business, must act when someone makes this request. For example, Virginia mandates a maximum of 45 days.
If you're using a third-party tool or plugin, as noted below, they'll generate a how-to section for the user that includes the business' primary point of contact for opting out. And then, once they've reached out and you've verified their identity, you'll need to delete ALL of their data.
But, this is also where it gets tricky. Removing every single instance of that user could pose other issues, like any guarantees or warranties from a purchase, or the ability to handle future customer service requests. In that regard, you as the business owner and operator have a tiny bit of wiggle room when it comes to data deletion. We recommend you call your lawyer to get legal guidance 😁
Penalties will also vary by state. Essentially, it will be a fine per violation, meaning that you'd pay a certain amount for each user who visited your website while you were not in compliance. In Nevada, for example, this could be up to $5,000 per user.
As a general rule across all state privacy laws, here are the top items you must include:
Most of these laws apply to "operators" with certain criteria, including:
Again, it varies by state, but here's the generalized summary of who may be exempt:
Instead, we recommend using a premium tool to generate a policy, or combo of policies, specific to your business (listed in alphabetical order):
Our friends at Termageddon have put together SO MANY AMAZING resources on each individual state's laws and how to be in compliance. (This is also the software platform we choose to use to help keep our compliance up-to-date.) No, this is not a sponsored post. We just genuinely like their stuff!
iapp has a detailed resource center with lots of lovely data, including the nifty chart we included above. You can also use their tracking tools to monitor global privacy laws.
And s/o to Mine Privacy Ops for being one of the few who actually outlines how to handle data erasure.