Consumer Privacy Regulations Part 2
In our previous GA4 blog, we briefly mentioned new security features being implemented to focus on improving data security. Now, we want to give a more detailed overview of these consumer rights that all businesses should be aware of.
Google Analytics 4 will be implementing more security features that align with regulations such as the (soon-to-be) CPRA and the GDPR. These regulations protect the consumer's privacy, which may restrict a business’s or organization's ability to collect and process personal data. This week, we’ll introduce you to the GDPR.
The General Data Protection Regulation is the toughest data privacy and security law in the world. GDPR is an EU-based regulation that essentially controls how businesses, organizations, and websites are allowed to handle an individual's personal data.
This Law Applies To
Businesses and organizations anywhere that target or collect data related to people in the EU, where the processing activities relate to:
the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
the monitoring of their behavior as far as their behavior takes place within the Union
To put it in simpler terms, if you are collecting personal data of EU citizens or residents, or marketing goods or services to them, the GDPR applies to you even if you’re not located in the EU. This can range from eCommerce businesses to websites for non-profit organizations or public institutions.
Processing Data
In order to process data, the GDPR states that one of the following must apply:
the data subject has given specific consent to process data (more on that below)
processing is necessary to enter into a contract to which the data subject is a party
processing is necessary in order to comply with a legal obligation
processing is necessary to save someone’s life
processing is necessary to perform a task in the public interest or carry out an official function
there is a legitimate interest to process someone's personal data
Receiving Consent
In most cases, processing data will be dependent on receiving consent. That being said, there are some requirements:
consent must be “freely given, specific, informed, and unambiguous”
requests for consent must be clearly distinguishable from the other matters, using clear and plain language
the data subject must have the right to withdraw his or her consent at any time
you will need to keep documentary evidence of consent
Data Subject Rights
In summary, the GDPR provides the following [EU] consumer rights:
right to be informed
right of access
right to rectification
right to erasure (deletion)
right to restrict processing
right to data portability
right to object
rights in relation to automated decision-making and profiling
Potential Penalties
If you violate these regulations, the GDPR imposes hefty fines depending on the case and the severity of the violation. For less severe violations, fines can be up to 10 million euros or up to 2% of the organization's global turnover of the preceding fiscal year. For more severe violations, fines can be up to 20 million euros or up to 4% of the organization's global turnover of the preceding fiscal year.
Moving Forward
If GDPR applies to you, here’s what you should provide when requesting consent:
who is processing the data
why you’re collecting the data
what you’re doing with the data
easy withdrawal of consent
While Google is not fully GDPR compliant yet, we look forward to having more of these security features available to us with the transition to GA4.
PK Information is a FileMaker-certified development agency serving the Tampa Bay and Knoxville regions. We believe that great software can change everything. Would your database benefit from a process review? Contact us today!