Website security and user privacy go hand-in-hand. By limiting the amount of data you collect from your site visitors and also making sure your site is secure, you significantly reduce the potential for a hacker to access sensitive information.
In this second post of our 3-part series looking at website privacy and security, we’ll talk more about how you can take measures to limit the amount of personal information you collect from your constituents. By doing so, you protect their data and you will also abide by laws and regulations that are designed to safeguard people’s info.
GDPR and CCPA
GDPR is the General Data Protection Regulation put in place by the EU. CCPA is the California Consumer Privacy Act. Your site needs to be compliant with both, because there may be people who are using your site that are protected by these regulations because they’re an EU citizen or California resident - even if they’re not currently in those locations.
In the most basic sense, with these regulations:
- You need to let users know how you’re going to use their data and for how long
- People can request a copy of the data you have about them at any time
- People can also request their data be deleted from your database
Just because your site is GDPR-compliant does not mean it’s automatically CCPA-compliant, and vice versa. You need to do the legwork to make sure your site hits all the points on both regulations. If your website violates these laws, you could be liable for hefty fines.
Because of the complexity of both GDPR and CCPA, it’s best to enlist the help of a professional who is well-versed in compliance in order to significantly reduce your chance of breaking these laws.
Make Your Forms Lean: Collect Limited Data
It’s important to minimize the amount of information you take from your website visitors whenever they fill out a form on your site. Recording extraneous data puts you and your supporters at a higher risk for no reason.
It’s also illegal to collect nonessential information per your privacy policy. Only take information from your website visitors if you have a good reason to record it—meaning that the information is needed for your business purpose.
This goes for all forms on your website: donation or otherwise. Don’t just collect data for the sake of collecting data. Not only does a leaner form provide a better user experience, but it also makes your site safer to use.
Opt Out of Using Trackers and Cookies Needlessly
Cookies and trackers can be helpful to your website visitors in that they can customize their experience by remembering their preferences. These will also help you understand how your supporters are using your site: what their path is, how long they spend on each page, and more.
The legal way to implement cookies and trackers is through explicit opt-in. Since GDPR came into effect in mid-2018, you’ve probably seen a rise in sites who are requesting consent to use cookies by asking their website visitors to accept the policy.
However, using cookies on your site without a true need can have real consequences, especially if that tracking information gets into the hands of hackers. Cookies can also invade privacy by making your IP address and browsing history public.
Turn Off PII Tracking for Google Analytics
Finally, if you use Google Analytics to track and report on your website visitors, you’ll want to enable anonymized traffic. You’ll still get helpful information on the behavior of the people who visit your website so you can make decisions, but you won’t be collecting PII (Personally Identifiable Information) on them such as their IP address.
Your website visitors are putting their sensitive data into your hands whenever they use your site. They are there to support your mission, not to put their information at risk. It’s your responsibility to protect their privacy and keep your website secure.
In the final post of the series, I’ll share how to combine all of the tips from these two articles in order for you to provide the safest experience for your supporters. Make sure to sign up for our newsletter below so you won’t miss out on next week’s post.
Obligatory note: I am not a lawyer or data compliance specialist. If you are among the organizations that must make sure you are compliant with GDPR or CCPA, please consult someone who has the legal authority to advise you, as I cannot.