Privacy deep dive: understanding legal compliance for your business website

Understanding where your site visitors are coming from, what private data your website and third-party tools might be collecting from them, and what happens to that data after it is collected is crucial to protecting your business and your website visitors.

When thinking about data privacy for your business website, local compliance is only part of the picture. If your business is in Australia, you likely already know that you need to comply with the Australian Privacy Act (although, interestingly, around half of companies don't!). If your business is in the US, you will have heard of the growing list of state privacy laws (California's CCPA, Virginia's CDPA and Colorado's CPA, among others). And if your business is in Europe, I don't think I even need to mention the GDPR. But complying only with the law where you are located is not full compliance.

Many privacy laws, the GDPR included, apply to businesses outside their territory if those businesses offer goods or services to, or monitor the behaviour of, people inside it. So if your business is in Australia and your clients and website visitors are global, privacy laws across multiple jurisdictions apply to you.

Location matters when it comes to privacy. It matters in regard to where your website visitors are, where your website is hosted, where the tools connected to your website are hosted and from where and to where data is transferred. It matters how your client data is used by everyone who has access to it.

What data does your website collect from those who land on it?

Your business website is likely collecting visitor data in obvious and explicit ways via forms. But data is also collected far less visibly, in the form of cookies and the third-party requests your pages make.

What are cookies?

  • First-party cookies: these are set by the domain the visitor is actually on. They let the site remember how the visitor is using it, which is useful for the site owner to determine where people are getting lost or where info might not be loading correctly. All stuff that helps serve clients better. First-party cookies also store the visitor's preferences, e.g. on sites where you choose to log in, this might be your session, timezone or language preference. Strictly necessary first-party cookies (session, login, preferences) generally don't require consent, but note that in the EU a first-party cookie used for analytics is not "strictly necessary" and still needs consent, and every cookie you set should still be described in your privacy policy. In my opinion, as a business owner, these are the only cookies you need to serve your clients well.
  • Third-party cookies: these are set by a domain other than the one the visitor is on, typically by the tools and plugins you've embedded (ad pixels, analytics scripts, social widgets, chat tools). Because the same third party sets that cookie on every site that embeds it, it can recognise the visitor across the web, which is what makes it a tracking cookie.

Data your website may knowingly and unknowingly collect

Here's a list of some (but by no means all) of the data that websites can collect from site visitors, either knowingly or unknowingly:

  • IP addresses
  • Location
  • Name, phone, email, home address
  • Financial information
  • Health information.

All of this data is subject to privacy laws. Note that an IP address on its own counts as personal information under the GDPR. And the thing with website data (hello cookies) is that it's not always easy to determine where it is sent or which tool connected to your website is collecting it.

How is personal data in the form of third-party cookies collected from your site visitors?

You may not even realise the ways in which your website collects data and for many business websites, the collection of this data is unintentional on the part of the business owner.

Here’s a list of some (but by no means all) of the ways many websites collect data from site visitors. Some of these will be obvious, but some may surprise you:

  • Contact forms. These collect the info the site visitor chooses to share, as well as other info like the visitor's IP address, and the form plugin may send it all to the plugin vendor's servers.
  • Advertising tracking pixels. This will likely be obvious to most folks, but yeah, if you're running Facebook ads, you will probably have Facebook Pixel code added to your website. That pixel fires on every page load and sends the visitor's IP address, browser details and the page URL to Facebook, whether or not the visitor has a Facebook account.
  • Social media plugins (share buttons, embedded feeds).
  • Analytics software, such as Google Analytics. Google Analytics is not banned in the EU as such, but several EU data protection authorities (Austria, France and Italy among them) have ruled that specific Google Analytics deployments were unlawful because visitor data was transferred to Google's US servers without adequate safeguards.
  • Cloud-based fonts such as Google Fonts. A German court (Munich, early 2022) ruled that loading Google Fonts from Google's servers without consent breached the GDPR, because every page load sends the visitor's IP address to Google. To be honest, many web designers don't fully understand how to load fonts without leaking visitor data (there was a time when I didn't!). It's complex!
  • Chatbots.
  • Newsletter plugins.
  • Payment facilities.
  • In short, anything connected to your website that makes a request to someone else's server could well be collecting data from your clients in ways that you aren't fully aware of.

Penalties for non-compliance with data privacy laws

"Businesses need to consider how the Privacy Act 1988 (Cth) applies to any advertising they do. In particular, the Privacy Act will apply where the customer information is collected, used, stored or disclosed, where advertising is targeted via email or text, where online behavioural advertising is used and where there is any activity, which involves the use of personal information (as defined by the Privacy Act)."

Your website's privacy policy should describe all of the ways in which site visitors' personal information is collected, what it is used for and who it is shared with. If it doesn't, you're not in compliance. In Australia, this could land you with a fine of up to $2.1 million. In the EU, fines can be up to 20 million euros or 4% of global annual turnover, whichever is higher.

The online advertising industry is obviously a key target for legal action. The Belgian Data Protection Authority recently found IAB Europe's consent framework non-compliant: the cookie consent popups built on it gave website visitors options regarding how their data was used, but in practice those choices weren't reliably honoured. Anthony Bekker of Biztech Lawyers discusses privacy alongside the ins and outs of Compliance with Marketing and Advertising Law more broadly, which is definitely worth a look to be sure of your obligations beyond the scope of privacy alone.

And of course I’ve previously talked about recent non-compliance fines for businesses using Google Analytics and Google Fonts on their websites.

Getting this stuff sorted out is essential business risk mitigation.

Being privacy compliant is not just a legal requirement, it’s an ethical choice that your clients are demanding!

I for one am increasingly mindful of the way my personal data is tracked, used and stored online. I worry about where my data will go after filling in online forms. I wonder if my IP address is being stored by Google Analytics or other third party services attached to a site. And I absolutely cannot stand the stalkerish remarketing ads that follow me around the internet.

"Nine out of 10 Australians have serious privacy concerns about the collection, sharing and use of personal data by businesses."

We’re all so much more aware that if something seems free it’s actually not — here’s lookin’ at you, Facebook — we’re just paying with our data.

If I and you and loads of our mates feel this way then it stands to reason that most of your clients do too. They want to know that their information is being used in a way that they can trust, and by businesses that they feel are trustworthy. In an age where data breaches are becoming more common, it’s essential that your business is privacy-aware and has a privacy policy in place that demonstrates its commitment to safeguarding customer data.

The future of data privacy and how to prepare for it

Do you need to collect identifying data from your website visitors to make sales?

In many jurisdictions around the world, collecting identifying info from your site visitors without a lawful basis (typically valid consent) is already unlawful. But if you're here in Australia, for example, running an Australian website serving only Australian customers and only Australian site visitors (i.e. your site actively blocks visitors from the EU, which is a blunt tool and won't catch an EU resident browsing via a VPN), then collecting identifying information is still permitted, provided the Privacy Act's collection and notification principles are met. But that doesn't mean you should keep doing it.

Once upon a time, I’d have fallen for that remarketing tactic as it was intended — I’d see an ad everywhere, think it was more legit because of that, and finally agree to click and buy. These days I just hate feeling like I and my data are being used and abused. So if I get retargeted I instantly blacklist those companies and refuse to buy from them. And by ‘blacklist’, I mean my own personal grrr list! Of course, I can tell my browser not to follow the links I click to protect myself, and most browsers are getting better at giving us user-level control over the way our data is used.

Targeted data-based advertising isn't just unethical, it no longer has enough of a business case to stay standing

There’s nothing new in this conversation. Except to look at the future for remarketing as a form of advertising. For one, users like you and me can see right through it and resent it. Add to that the data-blocking capabilities of browsers and user education around protecting our data, and these forms of advertising won’t be around for much longer.

Third-party cookies have been declining in popularity, and even Google has announced plans to phase them out of Chrome and reduce its ad platform's dependence on them. Advertising networks are all scrambling to change the way they use consumer data so they can still deliver a product to advertisers. In all likelihood, tracking of individuals will give way to a more generic focus on behavioural groupings instead.

Remarketing and targeted data-based advertising are increasingly unsound from a business, ethical and legal perspective. They carry enough risk and grey area that it's worth thinking twice about your strategy before investing in methods that could get you into trouble down the track.

What can you do to improve data privacy on your website?

Go over your site with a fine-tooth comb to work out exactly what data is being collected, which tool collects it, where it is sent, and whether your privacy policy is communicating that to your site visitors.
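A practical first pass at "which tool collects it and where it is sent" is to inventory every host your pages load resources from, because each of those hosts receives at least the visitor's IP address, browser details and the page URL. The script below is an added example written for this article, not code from Studio Clvr; it parses a constructed sample page (the hostnames in it are the real Google, Facebook and YouTube ones, but the page itself is made up) and reports the third-party hosts along with what each kind of resource can leak. It assumes your own site is `example.com` and treats its subdomains as first party.

```python
"""Inventory the hosts a web page loads resources from and flag third parties.
Added example for this article; the sample HTML below is constructed, not a
real site, and no network requests are made."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose listed attribute makes the browser request another URL on page load.
LOADING_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
    "iframe": ("src",),
    "source": ("src",),
}

# What a request of each kind can hand to the receiving host (in addition to
# the visitor's IP address and user agent, which every request reveals).
WHAT_IT_LEAKS = {
    "script": "runs code in the visitor's browser: can read the page, set cookies",
    "link:stylesheet": "fetched on every page load (fonts/CSS), reveals page URL via referrer",
    "link:preconnect": "opens a connection before anything is loaded; IP is sent immediately",
    "img": "pixel/beacon: page URL, referrer and any third-party cookies already set",
    "iframe": "embedded page can set its own cookies and run its own scripts",
}


class ResourceCollector(HTMLParser):
    """Collect (kind, url) for every tag that triggers an outbound request."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in LOADING_ATTRS.get(tag, ()):
            url = attrs.get(attr)
            if not url:
                continue
            kind = tag
            if tag == "link":  # distinguish stylesheet / preconnect / icon etc.
                kind = "link:" + (attrs.get("rel") or "?").lower()
            self.resources.append((kind, url))


def fetch_host(url, site_domain):
    """Host the browser will contact for this URL; None for data: URIs.
    Relative URLs resolve to the site itself; // URLs keep their own host."""
    parts = urlsplit(url)
    if parts.scheme == "data":
        return None
    if parts.netloc:
        return parts.netloc.lower().split(":")[0]  # drop any explicit port
    return site_domain


def is_first_party(host, site_domain):
    """Exact match or a subdomain of the site's own domain (cdn.example.com)."""
    return host == site_domain or host.endswith("." + site_domain)


def audit(html, site_domain):
    """Return {host: {"first_party": bool, "resources": [(kind, url), ...]}}."""
    parser = ResourceCollector()
    parser.feed(html)
    report = {}
    for kind, url in parser.resources:
        host = fetch_host(url, site_domain)
        if host is None:
            continue
        entry = report.setdefault(
            host, {"first_party": is_first_party(host, site_domain), "resources": []}
        )
        entry["resources"].append((kind, url))
    return report


def third_party_hosts(report):
    """Sorted list of hosts that are not the site's own."""
    return sorted(h for h, e in report.items() if not e["first_party"])


# Constructed sample page: locally hosted CSS/JS plus the usual embeds.
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="/js/app.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=123&ev=PageView&noscript=1" width="1" height="1">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="">
<iframe src="https://www.youtube.com/embed/abc"></iframe>
<img src="//cdn.example.com/logo.png">
</body></html>"""

if __name__ == "__main__":
    report = audit(SAMPLE_HTML, "example.com")
    for host in third_party_hosts(report):
        print(f"THIRD PARTY: {host}")
        for kind, url in report[host]["resources"]:
            print(f"    {kind:17} {url}\n      -> {WHAT_IT_LEAKS.get(kind, 'outbound request')}")
```

Run it and every host under "THIRD PARTY" is a data recipient your privacy policy needs to account for, or a tool to replace. Two caveats: a static scan only sees what is in the HTML, so anything injected later by a tag manager or a plugin's JavaScript (often the bulk of the trackers) only shows up in your browser's developer tools under the Network tab, which you should check as well; and an outbound request is not the same as a cookie, so pair this with a look at the Application/Storage tab to see which of those hosts actually set one.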

There are a lot of privacy-friendly options out there, so if you are using third-party tools that feel a bit icky to you now in this more privacy-aware landscape, know that you aren’t stuck with those tools. This could be a good time to make some changes and set up your systems in a way that better aligns with your business values and your legal obligations.

The most common changes we at Studio Clvr make when improving the website compliance for our clients include:

  • Replace all cloud-based fonts with locally hosted versions, so visitors' browsers never contact the font vendor's servers.
  • Switch to privacy-focused analytics, usually from Google Analytics to Fathom Analytics.
  • Switch to privacy-focused form builders that don't transfer your client data to the vendor's servers (often in other countries). Who knows where the data goes after that… Make sure you know exactly where all form data goes and have a process for deleting it.
  • Replace any on-site payment facilities with hosted services like Stripe, which take the card details on their own pages so that payment data is kept off your website and out of your database.
  • Drop the tracking pixels.
  • Replace the Privacy Policy and Website Terms with a new version supplied by your lawyer, or use a Privacy Policy generator like Termageddon that will continually manage updates for you (book a Clever Hour if you want us to get Termageddon set up for you, it's a quick job).
  • Check if you need a cookie consent banner, and what autonomy it gives to your website users around how their data is used. Note that if your site sets only strictly necessary cookies and uses privacy-focused tools that don't set tracking cookies, the consent requirement doesn't apply and you don't need a banner. Another easy vote for moving your business across to the privacy way of thinking, as I don't know anyone who doesn't find those banners super annoying!!

Privacy compliance is legally and ethically essential to protect your business

With the rapid transformation of public opinion about online privacy, new laws are being enacted regularly, and each has specific demands for businesses to satisfy. It’s nearly impossible for a small or medium-sized firm to keep up with all of those standards.

At Studio Clvr we are now privacy-first in everything we do. We stay up-to-date on changing privacy laws around the world, with a particular eye on privacy within the Australian market. We talk with our clients about the privacy-focused tools best suited to their business needs to ensure that every website we build is respectful of our clients and theirs.

If you’d like to talk about how we can design and build a compliant website for your business, book a Clever Hour or a Website Strategy Session.

Note: the information in this article is not intended to be, and should not be, interpreted as legal advice. 


Hey, I’m Nic

I’m a digital design strategist on a mission to transform websites from ‘whatever’ to clever. I build websites that work harder for your business, make running a business easier, and give you more time to help your clients.
