
Compliance Part 1: Privacy and Data Disclosure
Is this all nothing but a huge headache? Absolutely. But ignoring cookie laws can cost you money, customers, and lawsuits.
Here’s the no-BS breakdown you actually need.
TL;DR:
Fewer than 1% of my customers are currently in compliance with state, national, and global privacy disclosure laws. Just having a Privacy Policy page with some stuff thrown up on it is not enough. The lawsuits and fines are now a thing.
Here are some quick links:
Part 1: What’s the problem?
Part 2: Why should I care?
Part 3: What do I have to do?

Chris Foley
Founder & head honcho over here at PXLPOD Web Strategy
Okay look. I've been putting this off for a while for a bunch of reasons. First, NOBODY out there wants to read about this. Nobody wants to deal with this. And I don't particularly want to write about this. So we're all in this together. At least there's that.
A client emailed me today a message from Microsoft that spoke to this and reminded me that we need to get on it and fast.
Part One:
What is all this commotion?
Stage One. The Wild Wild West.
In the beginning... it was the Wild West. We'll call this Stage One. Your website dropped cookies like a Henson Muppet and 99% of website owners didn't even know what cookies were or that their sites spit them out like bad money. The Wild West was good times. Some of you are still over here and are happy as little clams about it. Some of you remember what it was like to be served and added to a class action. This is when we knew Stage One had come to an end.
Stage Two. Disclosure happens.
"Okay fine, our site drops cookies all up in your browser and now I have to tell you about them."
This seems like a rather long time ago but it wasn't. This is like 2022 here. Post-COVID. Until then it was common to throw up some sort of boilerplate Privacy and Cookies Policy pages that you found online and leave it at that.
But that was not enough, good reader. Full disclosure means full disclosure. You have to tell people what kinds of cookies you're using, how you're using them, who has access to them, etc. etc. This is when I wrote that article about how not to get sued and started really pushing Termly.io on people. Many of you jumped on the Termly train and we got a few hundred sites protected. For a time...
This has accelerated so fast that Stage Three and Stage Four are happening simultaneously!
Stage Three. Power redistributes.
Stage Three is where we have to empower the visitor to choose which kinds of cookies they're willing to accept and which ones they want to reject completely. There's a huge problem with giving the visitor that power and it really comes down to this sad truth: modern websites depend on cookies, and on the third-party scripts that set them, to function. If your consent tool lets visitors reject everything, and blocks those scripts until they say yes, your website simply won't function as it should. See, not all cookies are tracking or marketing cookies. Not all cookies are the ones that cause you to see vacuum cleaner ads over and over again across every platform you use simply because somebody in your home recently ordered a new HEPA filter. Strictly necessary cookies (the one that keeps a shopper logged in, the one that holds a cart) are exempt from consent under every one of these laws; the trouble starts when a consent tool lumps them in with everything else, or when the feature lives in a third-party script that the tool blocks.
You know that cool calendar widget you use to get bookings on your website? Yeah, that's a third-party script with its own cookies. If the visitor rejects that category it doesn't load. That CRM integration on your site? Same story. You have an online store and people need to be able to log in and see their purchase history? Well, a cookie is what tells the site whether your visitor is logged in or logged out, so if that cookie isn't classified as essential: no cookie, no store. Oh hey, how about those FONTS that power all of the words on your site? Those fonts come in through Google's Fonts API or Adobe's Typekit API. The font request itself doesn't need a cookie, but a consent tool that blocks third-party requests until the visitor agrees will block that call right along with the rest, your specified fonts stop loading, and there goes your expensive website design.
There's good news here in Stage Three though, and it's all around what's called "Implied Consent." We'll get into that later. Let's talk about Stage Four, which is also happening right now.
Before we get into Stage Four, I want to specify that Stage Three is where the USA is with regards to regulations and laws. Each US state has different laws - the strictest being California. If your business is based in the USA and you can reasonably expect all of your visitors to be in the States, you only have to concern yourself with satisfying California's CCPA. (Check its thresholds too: the CCPA itself only applies to businesses above a revenue floor or handling a large volume of consumers' data; other states draw their lines differently.)
Optimize for the strictest state laws (California) and you'll also satisfy the other states' compliance laws.
Stage Four. GDPR really sucks.
Europe has the GDPR and it sucks. Like really really sucks. (Strictly speaking the cookie rule comes from the ePrivacy Directive, enforced to the GDPR's standard of consent, and the UK kept a near-identical copy after Brexit.) Where Stage Three required you put the decision in the hands of the visitor, Stage Four requires us to start each visit with ALL NON-ESSENTIAL COOKIES turned off and then beg the visitor to please allow us to turn some of these cookies on so that the damned site will work and you can see our banners, our booking widget, the fonts, Google Analytics will load for us, and our CDN will allow all of our images to load.
Stage Four is a huge hassle. The GDPR is a huge hassle. If you are HQ'd in the USA and do business in Europe you've got to set up your site to deliver CCPA compliance for USA visitors and GDPR compliance for visitors coming to you from within the EU.
The good news is that Termly's system is smart enough to manage all of this - it just needs to be properly set up and that means you have to understand it, or we need to do it for you.
Part Two:
Why Should I Care About This Nonsense?
Well, being fined is a drag. Also choice isn't always a good thing.
Compliance means that people can choose, and if we give them too many choices they will experience what seems to them to be a broken site. This causes a significant drop in website conversions, which is something every website owner is already losing sleep over.
Non-compliance means getting sued. Fines. This is the law now. If you're selling products online you are required to publish your return and refund policies. If you have content on your website you should publish a terms of use policy that governs how that content can be used. If you have a membership community there are all sorts of disclosures that have to be present that cover how you deal with ownership and damages (yes, damages) that result from your members sharing their own user-generated content with one another. This is all in the name of consumer protection. These are the consumer protection laws we all voted for, people.
In case you're still kind of languishing way over in Stage One and you rather like it there and don't want to deal with this - hey, I get it and I can relate. That said, some of my customers have... already... been... sued.
This isn't some abstract edge case. This is going down and it's going down now. So... Need some help?
Part Three:
What do I have to do?
Congratulations! You're now at Section 3 where we talk about how to handle all of this.
First, those of you who have jumped on the Termly train, good on you! You're in a great position and you've already got your foot in the door. Unfortunately, just having it isn't good enough anymore. Just having the policies in your footer isn't enough. You now have to have all of the policies relevant to your website and your business, a Cookies Preference center, and a notice on first visit (a Cookies Consent banner is the usual way to deliver it) backed by a working opt-out of sale and sharing, in order to comply with the CCPA (California Consumer Privacy Act).
There's one decision you'll need to make: Do you need to be GDPR compliant?
PXLPOD has to be GDPR compliant. I have customers in the EU and up until the end of July my own website was only CCPA compliant. I had to make it GDPR compliant and that meant a lot of extra labor to get that all set up.
If you only do business in the USA, you only have to deal with getting the site up to CCPA compliance and that's a relief!
Here's the huge difference:
With CCPA compliance you can set it up to conform to an approach called Implied Consent. That means that all of your cookies start turned on. And then you throw up your Cookies Consent banner. People often click the x to get rid of it or they just ignore it and scroll past it to defeat it. If this happens you have just received "implied consent" and you can leave all of your cookies on. You will have to put a Cookies Preference feature into the footer so that your USA visitor can revisit their choices later and update them if they wish to. Also, you don't have to include a "Decline All Cookies" button on your Cookies Consent banner under CCPA rules. This is good - that one button is a killer. What CCPA does demand is a real opt-out: a "Do Not Sell or Share My Personal Information" link, and respect for the Global Privacy Control (GPC) signal that browsers such as Firefox and Brave can send, which California's regulations treat as a valid opt-out request. A properly configured consent tool switches advertising and sharing cookies off for any visitor whose browser sends it, banner or no banner.
If they visit your Cookies Preference Center and see them all broken out by category, the average visitor - sick and tired of having their privacy abused by insane billionaires over the past decade - might elect to turn off Social Networking cookies and Advertising cookies, but they will likely leave Performance and Functionality cookies activated (because that sounds important), and they also usually leave the Analytics and Customization cookies active. In this scenario your site continues to work. Your essential objects continue to load and integrate with your platforms. Google Analytics continues to collect data on that visitor and all is well.
Unlike the CCPA, GDPR does not allow for implied consent.
All of your non-essential cookies are turned off. All of them; only the strictly necessary ones (the session cookie that keeps a shopper logged in, the cookie that records the consent choice itself) are exempt, and only if your consent tool has them classified as essential. The visitor arrives and cookies are off. They see the Cookies Consent banner and that banner has the dreaded "Decline All Cookies" button, which the EU regulators insist must be as easy to click as "Accept", and you can already guess that most people will click on it. Unless they know better. They don't. They don't know better.

And if they decline?
If your visitors decline all cookies you're sorta screwed. A bit. Every third-party object your consent tool has classified as non-essential stays blocked: the Calendly widget that powers your calendar, the chat bubble, the embedded CRM form. None of it loads until the visitor changes their mind in the Cookies Preference center, and what are the odds of that??
Additionally, with analytics cookies declined the ordinary Google Analytics snippet is blocked right along with its cookies. At best you'll see the entry, but Google Analytics won't track that visitor through their Journey and won't track or log any Conversion Goals.
The workaround, if you need to be GDPR compliant, is Google Consent Mode, which means moving your Google Analytics tag into a Google Tag Manager (GTM) container instead of pasting the bare GA snippet into the page, as I have done for my own business. In Consent Mode's advanced setup the tags still load when consent is denied, but they read and write no cookies and send only cookieless pings. You won't get any of the valuable profiling data about the visitor that people use GTM for, but Google Analytics will still count the anonymized visitor's page Journey and use those pings to model what the cookied data would have shown, so not all is lost. Your CRM will still be blind to who the person is, where they're coming from, and all of the scoring you've come to rely on, but you'll still get the visit tracked. One caveat: Consent Mode is only as honest as its defaults, so for EU visitors analytics_storage and ad_storage must start out denied before the GTM container fires, or you're back in Stage One with a nicer banner.
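To make the two regimes concrete (the Implied Consent flow from the CCPA section above and the denied-by-default flow with Consent Mode from this one), here is an added example of a minimal consent gate. It is not PXLPOD's or Termly's code; a consent tool does the same job with a lot more polish. Every name in it (CATEGORIES, defaultConsent, applyGpc, updateConsent, toConsentMode, allowedScripts, applyConsentToPage, SAMPLE_SCRIPTS) is an assumed, illustrative name, the script list is constructed, and it assumes the page's third-party script tags are written with type="text/plain" and a data-consent category so the browser neither fetches nor runs them until the gate flips them on.

```javascript
// Added example (not PXLPOD's or Termly's code): a minimal consent gate that
// models the opt-out (CCPA-style) and opt-in (GDPR-style) regimes. All names
// here are assumed, illustrative names.
//
// Assumed page convention for gated third-party scripts:
//   <script type="text/plain" data-consent="analytics" src="..."></script>
// Browsers do not fetch or execute a script with an unknown type.

const CATEGORIES = ["essential", "functional", "analytics", "advertising"];

// Essential (strictly necessary) cookies, like the session cookie that keeps a
// shopper logged in, are exempt from consent under both regimes and stay on.
// Everything else starts ON under opt-out and OFF under opt-in.
function defaultConsent(regime) {
  if (regime !== "opt-in" && regime !== "opt-out") throw new Error("unknown regime: " + regime);
  const on = regime === "opt-out";
  return { essential: true, functional: on, analytics: on, advertising: on };
}

// California's regulations treat the browser's Global Privacy Control signal as
// a valid opt-out of sale/sharing, so advertising goes off when it is set.
function applyGpc(consent, gpcEnabled) {
  return gpcEnabled ? { ...consent, advertising: false } : consent;
}

// A "Decline all" click, or a later visit to the Cookies Preference center.
// Essential can never be switched off, whatever the visitor picks.
function updateConsent(consent, choices) {
  const next = { ...consent };
  for (const c of CATEGORIES) if (c in choices) next[c] = Boolean(choices[c]);
  next.essential = true;
  return next;
}

// The Google Consent Mode signal that gtag.js / Google Tag Manager read.
// security_storage is always granted: it covers fraud prevention, not tracking.
function toConsentMode(consent) {
  const v = (b) => (b ? "granted" : "denied");
  return {
    functionality_storage: v(consent.functional),
    analytics_storage: v(consent.analytics),
    ad_storage: v(consent.advertising),
    ad_user_data: v(consent.advertising),
    ad_personalization: v(consent.advertising),
    security_storage: "granted",
  };
}

// Which gated scripts may run under a given consent state.
function allowedScripts(consent, scripts) {
  return scripts.filter((s) => consent[s.category] === true).map((s) => s.src);
}

// Constructed sample: the kinds of objects the text talks about, each
// classified exactly once. The example.invalid hosts are placeholders.
const SAMPLE_SCRIPTS = [
  { src: "https://booking.example.invalid/widget.js", category: "functional" },
  { src: "https://www.googletagmanager.com/gtm.js", category: "analytics" },
  { src: "https://ads.example.invalid/pixel.js", category: "advertising" },
];

// Browser-only part, guarded so the file also loads under Node. The Consent
// Mode "default" must be pushed BEFORE the GTM container script runs; the
// "update" is pushed once the visitor has actually chosen.
function applyConsentToPage(consent, isDefault) {
  if (typeof document === "undefined") return;
  window.dataLayer = window.dataLayer || [];
  function gtag() { window.dataLayer.push(arguments); }
  if (isDefault) {
    // wait_for_update lets tags hold for up to 500 ms for the banner choice.
    gtag("consent", "default", { ...toConsentMode(consent), wait_for_update: 500 });
  } else {
    gtag("consent", "update", toConsentMode(consent));
  }
  document.querySelectorAll('script[type="text/plain"][data-consent]').forEach((gated) => {
    if (!consent[gated.dataset.consent]) return;
    const live = document.createElement("script");
    live.src = gated.getAttribute("src");
    gated.replaceWith(live);
  });
}

// Typical page flow: pick the regime for the visitor, honor GPC, push the
// defaults; call applyConsentToPage(updated, false) after the banner click.
if (typeof navigator !== "undefined") {
  const regime = "opt-in"; // assumed: set from your own geolocation of the visitor
  const initial = applyGpc(defaultConsent(regime), navigator.globalPrivacyControl === true);
  applyConsentToPage(initial, true);
}
```

The design point is that the category decision is made once, in one place, and everything else (which scripts run, what Consent Mode is told) is derived from it; under opt-in the Consent Mode default is denied before GTM loads, which is exactly the caveat above.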
Okay, here we go...
Now that I've scared the hell out of everybody, let's talk next steps.
Wait, are you still here? Wow. Kudos. Let's fix this.
Full Service Solutions:
We've put together two service packages to handle this. The first package is for CCPA level compliance setup and is configured to account for 2 hours of our labor. The second package is for GDPR level compliance setup, requires a Google Tag Manager conversion (we'll do it for you if you haven't already done it) and is configured to account for 3 hours of our labor. You'll also need to buy a Termly subscription if you haven't already. You can get it from us or you can get it from Termly directly. We're cheaper as we have a reseller partnership with them.
If you don't know if you already have Termly just go to your own website's footer and click on the Cookies or Privacy links there. If those pages seem pretty long you probably have it. If those pages seem really short you've probably got the Stage One boilerplate thing going on. If you have no privacy policy, cookies policy, or terms and conditions links in your footer you're not even in the game yet. You can also just reach out to me and I'll look at your site code and see if Termly is installed.
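Beyond eyeballing the footer, here is a check you can run yourself. It is an added example, not PXLPOD's or Termly's code: it looks at a site's first response, before any banner has been clicked, and reports which cookies the server already sets, which third-party hosts the page pulls scripts from, and whether a consent tool is among them. Names (auditResponse, scriptHosts, cookieNames, CMP_HOSTS, SAMPLE_RESPONSE, auditLive) are assumed, the sample response is constructed, and the Termly detection assumes its script is served from a termly.io host.

```javascript
// Added example (not PXLPOD's or Termly's code): audit a site's first response.
// Cookies set here arrive before any consent, and every third-party script host
// is an "object" the consent tool will have to classify and gate.

const CMP_HOSTS = ["termly.io"]; // assumed: add the domains of other consent tools you use

// Cookie names from raw Set-Cookie headers.
function cookieNames(setCookieHeaders) {
  return setCookieHeaders.map((h) => h.split(";")[0].split("=")[0].trim());
}

// Hosts of every <script src=...> that is not the page's own host.
function scriptHosts(html, pageHost) {
  const hosts = new Set();
  const re = /<script[^>]+src=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      const host = new URL(m[1], `https://${pageHost}/`).host;
      if (host !== pageHost) hosts.add(host);
    } catch (_) { /* malformed src attribute: ignore */ }
  }
  return [...hosts].sort();
}

function auditResponse({ pageHost, html, setCookie }) {
  const thirdParty = scriptHosts(html, pageHost);
  const consentToolDetected = thirdParty.some((h) =>
    CMP_HOSTS.some((c) => h === c || h.endsWith("." + c)));
  return {
    cookiesSetBeforeConsent: cookieNames(setCookie),
    thirdPartyScriptHosts: thirdParty,
    consentToolDetected,
  };
}

// Constructed sample response: a Termly script, a first-party script, a gated
// GTM tag, and two server-set cookies (a session cookie and a GA cookie).
const SAMPLE_RESPONSE = {
  pageHost: "www.example.com",
  html: `<html><head>
<script src="https://app.termly.io/example-consent.js"></script>
<script src="/assets/site.js"></script>
<script type="text/plain" data-consent="analytics" src="https://www.googletagmanager.com/gtm.js"></script>
</head><body></body></html>`,
  setCookie: ["PHPSESSID=abc123; Path=/; HttpOnly", "_ga=GA1.2.1; Path=/"],
};

// Live run under Node 18+: AUDIT_URL=https://your-site.example node audit.js
async function auditLive(url) {
  const res = await fetch(url, { redirect: "follow" });
  const setCookie = typeof res.headers.getSetCookie === "function"
    ? res.headers.getSetCookie()
    : (res.headers.get("set-cookie") ? [res.headers.get("set-cookie")] : []);
  return auditResponse({ pageHost: new URL(res.url || url).host, html: await res.text(), setCookie });
}
if (typeof process !== "undefined" && process.env.AUDIT_URL) {
  auditLive(process.env.AUDIT_URL).then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Two caveats on reading the result: this only sees cookies set by the server in the HTTP response, so anything set by JavaScript after the page loads (most analytics and advertising cookies) needs a browser and the DevTools Application tab to see; and a consent tool being present says nothing about whether it is configured to block anything, which is the whole point of this article.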
Those of you on our SecurePod CarePlan service tier do not have to worry about any of this.
We'll be rolling this out to you at the top of the queue for no charge. It's a bit above and beyond what you're paying us for but that's just how we roll for our VIPs. This is important.


In Closing... finally...
Feel free to contact me with any questions. Or just go to the contact page and schedule a 15-minute chat to discuss. If you're on one of our service tiers you already have your own meeting link you can use.
Otherwise, you can check out using one of the options above. Stay tuned for the next part in this (hopefully) two-part compliance series where we talk about how website owners (especially in California) are being sued for violating ADA compliance laws. Don't worry. We have a solution for that too. Ugh, long articles are the worst. Thanks for sticking it out.
~ Chris

