A Complete Breakdown of Privacy Policies in 2023

General Data Protection Regulation (GDPR) was adopted in 2016 as the European Union's regulation to manage data protection and privacy for Europeans. Since then, individual states in the US have started to follow suit, especially as data collection has become more lucrative. The goal of these laws is to give website users the option of controlling what data is shared, and force penalties for operators not adhering to these laws.

The Different Types of Website Policies

Privacy Policy - This is a document that outlines how the website collects information, and what they do with that information.

Cookie Policy - Cookie Monster only wishes he created this one! Cookies are a type of tracking code that share information between websites. Some cookies are critical to the functionality of a website, while others are used for marketing and advertising. A cookie policy is one that defines all the cookies being used on the website and what their purpose is.

Disclaimer - A disclaimer is a formal notice that limits the liability of the website owner. It can also include specific rules for eCommerce stores regarding purchases and returns, and can also cite copyright information for the media being used on the website.

Terms of Service (ToS) - This is more of a legally binding document that governs how the website should be used. In most cases, a user accepts the ToS by default just by using the website.

Privacy Protection by State

Each state has different definitions of the terms defined in privacy protection. (So glad they made it easy! #sarcasm) The most important term to always be on the lookout for is Personally Identifiable Information (PII). Typically, this term includes unique identifiers which can range from their email address to social security number.

States with New or Updated Legislation Going Into Effect in 2023

Feel free to click on each state's bill to view the signed legislation. Just get comfy first because they're pretty... dry.

• California - The California Privacy Rights Act (CPRA) - Updates will go into effect on January 1, 2023
• Colorado - The Colorado Privacy Act (CPA) - Updates will go into effect on July 1, 2023
• Connecticut - The Connecticut Data Privacy Act (CDPA) - Laws will go into effect on July 1, 2023
• Delaware - Delaware Online Privacy and Protection Act
• Utah - Utah Consumer Privacy Act (UCPA) - Goes into effect on December 31, 2023
• Virginia - The Virginia Consumer Data Protection Act (VCDPA)

No surprise here, but our state of Missouri does not have one single bill introduced to address online privacy 🙃

If you're wanting to dig into specific legislation by state, you can download the PDF from iapp US State Privacy Legislation Tracker.

What are Opt-Out Requirements or Signal Preferences?

In short: you (the business) must make data collection optional for users in the required states. It could still be "turned on" by default, but you must honor an individual's request if they choose to opt-out of data tracking. You must also make it clear (1) how someone can opt-out, and (2) show their status of whether they're opted-in, or out, at any given time.

Each state has a specific timeline on how quickly you, as the business, must act when someone makes this request. For example, Virginia mandates a maximum of 45 days.

How Does Someone Opt-Out?

If you're using a third-party tool or plugin, as noted below, they'll generate a how-to section for the user that includes the business' primary point of contact for opting out. And then, once they've reached out and you've verified their identity, you'll need to delete ALL of their data.

But, this is also where it gets tricky. Removing every single instance of that user could pose other issues, like any guarantees or warranties from a purchase, or the ability to handle future customer service requests. To that regard, you as the business owner and operator have a tiny bit of wiggle room when it comes to data deletion. We recommend you call your lawyer to get legal guidance 😁

What are the Penalties for Non-Compliance?

Penalties will also vary by state. Essentially, it will be a fine per violation meaning that you'd pay a certain amount per number of users who visited your website while you were not in compliance. In Nevada, for example, this could be up to $5,000 per user.

You Probably Need a Privacy Policy

What Needs to Be Included?

As a general rule across all state privacy laws, here are the top items you must include:

1. What PII is collected
2. How that PII Is used
3. Who the PII is shared with
4. The starting/effective date of the policy
5. Who the user can contact if they want to opt-out (including their name, email, phone and address)

Most of these laws apply to "operators" with certain criteria, including:

1. Any business collecting what may be considered as PII from any of these states. This data could be as simple as asking for their email address so they can subscribe to a newsletter.
2. Business selling or purchasing user data, such as data brokers. According to CCPA, you'd need to have at least 50% of your annual revenue coming from selling PII data. (Ick! If you do this then we're judging you, at least a lil bit.)
3. Businesses making inferences on buying behavior for the purposes of advertising. As a small business, if you're creating buyer profiles that translate over to social media, then this would include you.

Who is Exempt from Compliance?

Again, it varies by state, but here's the generalized summary of who may be exempt"

• Businesses who adhere to HIPAA and already keep their patient's data private.
• Websites with less than 20,000 users per month. *This varies by state!
• Operators who make less than $25 million in annual revenue. *This varies by state!

How You Can Create Your Own Privacy Policy

We're going to be very blunt and say default website platform (e.g. WordPress, Shopify or Squarespace) privacy and cookie policy generators will not cut it. They are not up to date as new laws are passed, and they make generalizations that don't cover every state's guidelines.

Instead, we recommend using a premium tool to generate a policy, or combo of policies, specific to your business (listed in alphabetical order):

• Complianz
• Iubenda
• Termageddon
• Termly

The wonderful thing about paying for a premium, professional-level privacy policy generator means they'll scan your website to ensure you're in compliance, and help to keep you in compliance as these laws change and new legislation comes up.

Other Things to Remember

1. Your business does not have to be located in that state in order for these laws to apply to you!
2. These laws also only apply to the operator of the website, not the website designer or developer who hosts or manages the website. With that being said... We strongly recommend that all of our clients have some form of a privacy policy in place starting January 1, 2023. And, for any new website we build, we will automatically create (and enable) a basic policy by default to ensure the minimum compliance.

Giving Credit where Credit is Due

Our friends at Termageddon have put together SO MANY AMAZING resourceson each individual state’s laws and how to be in compliance. (This is also the software platform we choose to use to help keep our compliance up-to-date.) No, this is not a sponsored post. We just genuinely like their stuff!

iapp has a detailed resource center with lots of lovely data, including the nifty chart we included above. You can also use their tracking tools to monitor global privacy laws.

And s/o to Mine Privacy Ops for being one of the few who actually outlines how to handle data erasure.