Making Your Clients GDPR & CCPA Compliant | Digital Masters

Episode #25

Are you in charge of making your clients CCPA and GDPR Compliant?

web developer working on website privacy compliance

A couple weeks ago in a private group I’m in for web developers, a newer developer was complaining that she needed to provide “more direction” to her clients than she’d like. After all, those are their businesses! She wanted them to tell her exactly what they wanted and she’d build it.

Man, that sounds really easy right?

Unfortunately, if you’ve worked with more than 2 clients, you know that’s simply not how this game works. When you’re building a website for someone and their business, they trust that you’re the expert. That you know the questions to ask them. That you know the common pitfalls and things to look out for. They understand their business, sure, but they don’t necessarily know how to translate their business into the web.

While we’d all love to say that the clients we work with have to be more direct and tell us what they want/need, the reality is is that they’re not going to know.

There are certain things that we as website developers and designers will need to be able to direct and guide them on.

There are best practices that we’ll need to follow because that’s what’s best for the majority of our clients. You may not always understand the nuances of things and how it might differ from a small or large business, but if you make sure those rules apply across the board you’re usually doing what’s right for the majority.

And on that note of being the expert that someone connects and works with, what do you do about privacy compliance? Are you in charge of that or is your client? Today, we’re going to explore what exactly should be on your plate, 3 easy steps you can take to make a website compliant, and what your client can be responsible for, or at least help you out with.

Privacy Compliance

I’d be shocked if you haven’t heard about various privacy compliance laws around the world. It started with the GDPR in the EU a few years ago. That’s when you started getting some websites asking if you were OK with Cookies. We didn’t have to worry about it too much in the States, but if a business had any kind of international audience (or even the possibility of one), they needed to take some simple steps to be GDPR compliant.

Then in January 2020, the California Consumer Privacy Act started to affect more of us. While a business may not do business in California, if there’s even the possibility of their having website visitors from California (which believe me, is high if you’re a US-based business), this applied to them. The biggest shift you probably saw as someone who browses the internet is suddenly you were agreeing to Cookie Consents on pretty much every website.

There are now similar privacy laws in effect throughout the world, and most of them all boil down to one thing – being able to opt out of having our personal data and behavior being tracked across the internet. While many marketers are worried about losing data we deem essential, our customers are concerned about the sheer amount of information we have on them, their preferences, their browsing history, etc.

Consumers want to feel like they have some privacy left online. Honestly, while us marketers and website designers and developers are concerned about data loss (but my targeting options!!), we should be more concerned with providing great customer service. That includes allowing people to opt-out of being tracked. Making these shifts today, and allowing your browsers to have this level of control over their data, will only work to build their trust.

Or, to put it simply, start now so you don’t have to scramble later as more and more of these laws are passed.

Website Compliance as a Web Developer

Pretty simply, as a web developer or website builder, you’re likely going to have to implement some of the solutions that make a business CCPA and GDPR compliant. A business owner isn’t going to know which plugins to install, how to properly add Google Analytics and their Facebook Pixel, or the other methods to make the website actually compliant. So that, my friend, is 100% on you. Whether you should be the one making the choices and recommendations though? Well, that’s on how much you want to be a consultant who can charge more for websites than the average web designer or developer.

Making Websites CCPA Compliant

Before we dig in, I want to make sure that you understand that I am not an attorney and cannot tell you that the below will make a website 100% CCPA compliant. These steps are, however, ways to make simple changes to a website to help you be more compliant. If you’re working with a business that is doing most of its business in California, you should probably consult an attorney.

1. Add a Do Not Sell My Personal Information Link

The first time you visit my website, you have the option to control your personal information I collect alongside my Cookie Consent banner. This simple link should be available as soon as anyone lands on a website, even if you’re like me and don’t sell any of your customers’ information to third-parties. I’ve opted for a combined plugin to do this called GDPR Cookie Consent. It’s a free plugin that comes with a lot of features, or you could upgrade to the paid version. I’ve got the free installed myself, and it comes with everything I want, including giving a way for the browser to contact me if they would like to double check on their personal information that I gather. I include this as a link on every page of my website in my footer as well, just to make sure it’s clear.

The “Do Not Sell My Personal Information” link is the most important and unique piece that I’ve seen with the CCPA. The GDPR Cookie Consent plugin took me just a few minutes to set up and its well worth the time to do so.

2. Allow Users to Accept/Deny Cookies

This has been a need since the GDPR, so there are a lot of great plugins out there for this. For this, I’m able to use the GDPR Cookie Consent plugin again. It allows me to adjust branding colors, defaults to an Accept, but also gives the customer the ability to adjust in a Settings link. (You probably hit Accept without even thinking about it when you hit my website.) The important thing about this or any other Cookie plugin is that it disables your tracking codes (i.e. Google Analytics and Facebook Pixel) until the user hits Accept. When the user hits Accept, those are added to your site and start working automatically.

If they choose, however, they need to be able to actually turn those off. With my setup, I have a section for 3rd party plugins that discloses which trackers I use (Facebook Pixel and Google Analytics) and why. It then allows the browser to turn just those off. WordPress has its own set of cookies that help their sites perform better, so it’s fantastic that this plugin lets people segment out which cookies to disable or enable.

3. Update the Privacy Policy

Or, make sure you have one on your website. Like the Do Not Sell My Personal Information link, this should be linked in your footer on every page of your website. WordPress actually includes a generic privacy policy in new websites that you can update to your needs. Personally though, I’d recommend purchasing a Privacy Policy template that you can customize for your business. My favorite source is Solivagant Legal because they write policies specifically for online business owners, so that’s perfect for myself and many of my clients.

If you look at my privacy policy, you’ll see I have a section dedicated to Cookies, and I include which third-party company’s cookies I use and links to their own privacy policies. I also made sure to include that I do not sell private information in my privacy policy, and I adjust the date each time I update it. My privacy policy on this website was actually a template I purchased from Solivagant Legal and it took me less than 30 minutes to customize it for my brand (I also use her legal policies for each of my clients’ websites as an added benefit for them for working with me).

Pro tip: you cannot copy/paste a privacy policy from a similar business or competitor. Privacy policies, along with other website terms, are actually covered by copyright law and to do so is copyright infringement.

What is The Client’s Privacy Responsibility?

As  you can see, if you’re building a WordPress website especially, it’s super important for you as the website builder to know what you need to do to ensure that tracking scripts and other things won’t run if someone hasn’t consented to those cookies being tracked.

The business owner, in these cases, is really just responsible for providing you a few things –

  • A Privacy Policy and other website terms for their business (though you can do that by purchasing a bulk website terms license from a source like Solivagant Legal and add that in as an upsell or added bonus)
  • What tracking codes they want on their website, i.e. Google Analytics, Facebook Pixel
  • Follow the steps in Facebook Business Manager to start the verification for their domain (now a need after iOS 14)
  • A basic understanding that this is important and not negotiable for their online presence

Want to know the funny thing though? Most business owners won’t necessarily know they need these things.

Here’s how I break it down for my clients:

  • Every website needs to have a basic privacy policy, but not every business needs to have one written specifically for them by an attorney. This is where customizable templates are great.
  • Every business should have a Google Analytics tag, or Google Tag Manager with Google Analytics connected, to track basic visitor data. If they run Google Ads, they’ll likely need to tie that into Google Tag Manager, too, to track conversions.
  • If the business runs or wants to run Facebook/Instagram ads, they’ll need the Facebook Pixel.
  • Pinterest, TikTok, and other platforms will provide their own tracking codes as well.
  • Not following the CCPA now can actually kick you off of Facebook Ads; they made it a blanket necessity to make their lives easier back in 2020.

So while yes, the client should and can be responsible for many of these things, they’re not always going to understand the why or that they should.

That’s where you need to come in with your newly gained expertise and help them.

It would be great if the website-creation world meant that we could just build and develop websites. There are days that I truly wish all I had to do was code. But unfortunately, as the world changes and grows, there are simply a few things we as web designers and developers need to stay on top of. And let me tell you – privacy compliance is only going to grow as an industry standard. Don’t let you or your clients get left behind.

Join the Conversation!