Many businesses think their websites, like a spacecraft following Newton’s laws of motion, should just keep going once established. What may be reasonable in deep space is not particularly safe in the galaxy of data privacy, which is choked with debris, asteroids, and radiation. This fall is as good a time as any to make sure your electronic presence is still on course—especially as more states come online with new laws and regulations in 2024. Consider three questions:
What is my site actually doing? Over time, websites tend to accumulate debris: unused cookies, pixels, trackers, and scripts. Unnecessary elements present potential regulatory disclosures (or violations). Laws and trends, however, provide compelling reasons to clean up your site:
- State privacy laws generally regard collecting and sharing (or allowing someone to collect) data for behavioral digital advertising, even if no money is exchanged, as a regulated transfer that a site owner must be able to disclose (via a privacy policy), stop (at the request of a consumer), or reverse (in response to a data subject request).
- As we noted previously, using pixels to collect personal data (whether on your own site or via placed ads on others) is being attacked in class actions under the federal VHS-era Video Privacy Protection Act.
- Many self-styled “service providers” give the impression that they work on a 1:1 confidential relationship that avoids regulated transfers of personal information—but have buried in their terms and conditions rights to repurpose data that trigger regulation.
Website clutter frequently results from a lack of continuity. Some sites are minimally maintained by a revolving door of employees unschooled in data privacy. Others are patched by successive vendors on a “keep it going” basis. At some point, you may just want to reboot a clean-sheet site with only the tools you want.
What am I doing with all these tools? “More” is not necessarily “better”—and there is a difference between “needs” and “nice to have” in site analytics and data collection. Hoarding can be seriously misguided. First, aside from the fact that analytics can have highly variable value, they present a regulatory burden that may be out of scale with their benefits. You have to be able to understand what a tool does, what data it generates, who sees that data and under what circumstances, and how it is handled from there.
Second, many analytics tools are detectable by third-party website scans, which means that regulators like the CPPA in California can see exactly what is going on and see what sites to target. If a regulator determines that a particular tool is suspect (for example, an analytics publisher is using results for its own purposes), it is easy to identify and challenge site owners who use it.
Finally, you should understand what of this data is identifiable with people, regardless of whether you see data that seems identifiable. The fact that you don’t receive what you think is identifiable personal information from a third-party tool does not mean that the provider doesn’t collect personal information in the first place or use that data to build profiles—and for regulation that becomes your headache. More fundamentally, “anonymous” or “de-identified” are legal terms of art that are frequently objective—not based on the ability of the particular collector/recipient to identify a piece of data with an individual.
What privacy policy do I need? In some states, you need a privacy policy to comply with requirements—and these policies tend to be robust and detailed. But even in states that do not have rigid disclosure requirements, it can be a good idea to have a privacy policy to (1) build trust with site visitors, (2) set expectations, especially where a site serves a clientele in a non-regulated jurisdiction or in a field where industry-specific data privacy law predominates (HIPAA, GLBA, etc.), and (3) where appropriate, make it clear you are not intentionally collecting the personal information of minors (COPPA). The same practices that lead to good privacy policies—data inventories, review of tools, and planning—serve other business purposes as well.
In sum, navigating the increasingly cluttered galaxy of data privacy law requires attention and periodic course correction. It is not enough to merely set a website in motion and leave it in motion.
Takeaways for 2024:
- Examine and clean up your website and remove elements that unnecessarily increase your “regulation surface.”
- Look at what you do with collected data to adjust tool usage and future planning.
- Publish a privacy policy appropriate to your data-related activities.