Everything You Need to Know About PII Protections, CCPA Compliance & GDPR Requirements

It is no secret that there is a lot of data tracked about what websites we visit and how we interact with those websites. Along with behavioral information providing details about what people do, plenty of personal information is tracked as well to explain who is using the website. Some of this personal information is generic (this user is male or female), while other personal information is specific (this user is Matthew Edgar who lives in Colorado). Google, Facebook, Apple and Amazon are the most well known for their collection of personal information—but smaller companies track this as well.

Not surprisingly, as the web and what can be tracked about usage on the web grows more sophisticated, privacy concerns arise. In response to this, new laws have been established. The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. The European Union’s General Data Protection Regulation (GDPR) went into effect in 2018. What exactly are these laws and how do they apply to your business (if at all)?

Two quick disclaimers. First, I am not a lawyer and none of this is legal advice. I strongly encourage every business to take privacy considerations seriously and discuss these issues with a lawyer. Hopefully this post can give you some ideas of what to discuss and what questions to consider. Second, because privacy involves the law, that means the issue is highly political—in case you hadn’t already figured that much out from the news. I have my views but won’t be getting into any personal opinions here. Whether you think laws like CCPA or GDPR are good steps in the right direction to curtail the power of tech giants or think these laws are an overreach by politicians who don’t know what they are talking about doesn’t really matter. Like it or not, good or bad, there are laws governing what we can and can’t do with data about the people using our websites.

What is Personally Identifiable Information (PII)?

Broadly speaking, there are two types of data you can collect on a website: behavioral data or personal data. Behavioral data tells you what people do—what do people click on, where do people scroll to, what pages do people visit, how many people place orders or complete lead generation forms, and similar. This data is incredibly useful to understand aggregate usage patterns on websites.

The other type of data, and the one of greater concern when it comes to privacy, is personally identifiable information, or PII. As the name suggests, PII is any kind of information that can connect back to a specific person, which is why PII protection is critically important. Different laws define this in different ways, but as an example, think of an email address. If you have the email address matthew@elementive.com, then you can easily link that back to me. The same would be true of a phone number, physical address, Social Security number, and more.

Of course, PII is incredibly important data and every business needs it. You can’t conduct business with your customer if you don’t have their personal information. And since you likely can’t memorize every customer’s name, phone, email, and other details, you need to store that information in some type of database. There are legitimate uses for this data—after all, customers want your business to reach out in specific circumstances as a part of doing business. As a result, the debate over PII isn’t so much “should it be collected” but “how much and in what way?” Determining what PII protections companies need to provide has led to the creation of additional PII protection laws.

What is California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) is an attempt to regulate what companies can do with PII. When it goes into effect, it requires companies, among other things, to tell customers what personal data is being collected and whether their data is being sold, and requires companies to give customers a chance to opt out by requesting that their data be deleted.

This won’t apply to all companies. Instead, it will apply to any company that does business in California with revenues in excess of $25M. In other words, it applies (directly) to the big companies and not the smaller businesses. (To be a bit cynical: it applies to Google and Facebook.) Although targeted at big companies, this law could indirectly impact small companies and companies that aren’t “doing business” in California simply because companies like Google and Facebook affect nearly every business.

What could affect more companies is how something like targeted advertising or retargeting ads will be affected by CCPA. Google’s retargeting ads rely on PII data Google collects. If people opt out of sharing this type of data with Google, and if Google faces new restrictions on what PII can be collected, then how are you supposed to use Google’s data to target potential customers? Maybe people won’t opt out of sharing data, or maybe they will. But we just don’t know what will happen and how this new law will affect marketing efforts, like retargeting, that rely on third-party data.

Bottom line: if your business relies on ads that use targeting information from third-party ad networks, and if those types of advertisements are helping drive your business, then you need to have a plan for how to drive business without those kinds of advertisements. Now is the time to explore alternatives to prepare for a day when retargeting campaigns may no longer be viable.

What is General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a European Union law that, like CCPA, addresses what companies can and cannot do with certain types of data collected. Among other things, GDPR requires companies to: ask for consent to collect personal data; tell an individual how data about them is being used when requested; delete data upon request; and provide an individual any personal data collected about them.

Unlike CCPA, there are no exceptions based on company size or revenue. This applies to anybody who does business with an EU citizen. Tech Republic sums this up well:

Put simply, if you have a customer from an EU country and you collect any data from that customer as a result of a business transaction, you are subject to the rules and regulations of the GDPR. There are no exceptions for enterprise size or scope, which means any business with an internet presence is potentially subject to this law.

One of the other provisions of the law is that companies must report any data breach. One year into GDPR, that part of the law is proving to be the most effective. However, other parts of the law—like the application of hefty fines for non-compliance—do not seem to be working as well as intended. More generally, and strictly from my own experience, GDPR has seemed to encourage companies to recognize what PII is, question what PII they collect about their customers, and consider how exactly they use PII in their organization.

What Do You Need to Do?

Whether these laws apply to you or not, you need to take privacy seriously at your organization. That means, you need to do the following.

  • Know what data you are collecting. You need to begin by reviewing each data point you collect in every type of data storage system you have—from Google Analytics to HotJar to your CRM. If you need help auditing your data to determine what you are collecting, please contact me, as this is something Elementive can help you put together.
  • Know if any of that data includes PII. Once you know what data you are collecting, the next step is determining what type of data that is. Is the data strictly describing aggregate usage behaviors, or does the data include PII? As well, check to make sure no PII has accidentally been tracked where it shouldn’t be.
  • Know why you are collecting each piece of data. Of all the data you are collecting, how much of it do you regularly use to help your business and help your customers? A good rule of thumb is that if you haven’t used the data in six months, you can probably stop tracking it.
  • Check if GDPR or CCPA apply to you. If these laws, or other laws, apply to you given the nature of the data you are collecting, consult a lawyer to ensure you comply. If you aren’t in compliance, make all necessary changes.
    • If GDPR or CCPA don’t apply, still consider the best ways to handle PII that your organization collects, including how much PII you really need to collect and for how long you really need to keep it. Do you really need to know the email, phone numbers, physical addresses, and full names of customers who haven’t worked with your company in over five years?
  • Have a privacy policy. The privacy policy is more than a page on your website. The privacy policy is your company’s approach to what data you collect, what you do with that data, and how transparent you are with customers about the data you’ve collected about them. As for the page on your website telling people what your policy is, it should be written in plain English and be easy for people to read.
  • Take this seriously. Too often companies copy and paste a privacy policy onto their website without giving it much thought. Or they have a lawyer write a whole bunch of legalese that nobody reads, let alone understands. But, as the web and data collection matures, and as laws begin to dictate how to handle PII, we have to take privacy more seriously. Collecting the right types of data to help you understand your customers is important. Using that data to help your business grow is important. But equally important is handling that data, especially data that contains PII, responsibly.
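The second checklist item, checking that no PII has accidentally been tracked where it shouldn’t be, is a concrete audit you can automate. A common way PII leaks into tools like Google Analytics or HotJar is through URL query strings (an email address on a form thank-you page, for instance). The example below is added here and is not code from the original post: it scans a constructed sample of page-path records for the PII types named in this post (email, phone number, Social Security number), reports which query parameters leak them, and shows how to redact those values before a hit is sent.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample of analytics page-path records; values are made up.
SAMPLE_HITS = [
    "/contact/thank-you?email=matthew@example.com&source=newsletter",
    "/products/widget?color=blue",
    "/account?phone=303-555-0142",
    "/checkout/confirm?order=A1234",
    "/support?ssn=123-45-6789",
]

# Patterns for the PII types the post names. They are deliberately simple;
# a production audit would add physical addresses, names from your CRM, etc.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def find_pii(path):
    """Return {query_param: [pii_types]} for parameters whose values match a PII pattern."""
    found = {}
    for name, values in parse_qs(urlsplit(path).query).items():
        kinds = [k for k, rx in PII_PATTERNS.items() if any(rx.search(v) for v in values)]
        if kinds:
            found[name] = kinds
    return found


def audit(hits):
    """Count (parameter, pii_type) pairs across all hits so you can see where leaks cluster."""
    counts = Counter()
    for hit in hits:
        for param, kinds in find_pii(hit).items():
            for kind in kinds:
                counts[(param, kind)] += 1
    return counts


def redact(path):
    """Replace any PII in the query string with a placeholder; the path itself is kept."""
    parts = urlsplit(path)
    query = parts.query
    for rx in PII_PATTERNS.values():
        query = rx.sub("[redacted]", query)
    return parts._replace(query=query).geturl()


if __name__ == "__main__":
    for (param, kind), n in sorted(audit(SAMPLE_HITS).items()):
        print(f"parameter '{param}' leaked {kind} in {n} hit(s)")
```

Running the audit over an export of your real page paths tells you which parameters to strip; applying `redact` (or the equivalent in your tag manager) before hits are sent is the fix.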