Our goal at Enzuzo is to make data privacy simple for small businesses with simple and easy-to-use tools to get you started with data privacy best practices. In this guide, we will go over the data privacy basics you should know as a business owner.
Why should you care about data privacy?
Without capturing your customers’ personal information, such as their name, address and billing information, it’s impossible to run a successful online business. Surveys have shown that 57% of online shoppers prefer to keep their information private rather than have a personalized experience on your site.
This means your customers value trust, and want to know that you are protecting their personal information before they decide to do business with you.
What are the basics of a trustworthy website?
There are a few basic privacy resources every website needs in order to look like a trustworthy brand. Google looks for these items on every site to establish the site's Google Trust Rank, which affects how many people see your website on Google.
Your policy should answer the following questions:
What personal information do you collect from your customers?
How do you manage, store, share and secure that information?
Do you sell that information to anyone?
How long do you retain personal information?
Do you collect personal information from children?
Your customers' data privacy rights, depending on the country they live in
Contact information that your customers can use to make data privacy requests
Policy language that complies with specific regulations (GDPR, CCPA, LGPD, PIPEDA)
Terms of Service
The purpose of the Terms of Service, also known as a Terms and Conditions policy, is to let your website visitors know what the rules are for using your website. This is important both for your own protection in case of misuse of your website and for your visitors' protection, so that they can trust your site.
The basics of a website Terms of Service policy:
Who owns the content of your website
What are the rules for posting reviews on your site
What are prohibited activities on your site
Which governing law (country) will be used in case of disputes
Additionally, you may want to add eCommerce Terms of Service if you sell digital or physical goods on your site.
Typically this part of the terms will cover:
Shipping and return policies
Product or Service Warranty
Cap on liability
Most countries have consumer protection laws that give consumers certain rights in order to protect them from online fraud and poor business practices. Your terms of service policy must reflect this.
Cookie Consent Manager
Data privacy regulations such as GDPR require your site to obtain consent for tracking cookies from all your visitors before those visitors are allowed to browse your site. A cookie banner and manager is a pop-up that lives on your website so that customers can provide consent before using it.
Additionally, your visitors should be able to select whether they accept different categories of cookies, such as strictly necessary cookies needed for the site to function or analytics cookies that track user behavior on your site.
In some countries, cookie consent is not required; therefore, some websites choose to enable a cookie banner only for visitors from countries where it is mandatory (the European Union), while showing no cookie banner to non-EU visitors.
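The two points above (per-category consent, and showing the banner only where it is mandatory) come down to one rule in code: no non-essential script runs until the visitor's stored choice allows it. The following is an added example, not Enzuzo's code or any page-specified product; it assumes that the site's scripts are tagged with a category, that consent is stored in a first-party cookie (the name "cookie_consent" is chosen here), and that the visitor's region is supplied by the server (for instance from a geo-IP lookup). Only EU member states are treated as consent-required regions, matching the practice the text describes.

```javascript
// Added example: consent-gated script loading with per-category choices and
// region-based banner display. Names, cookie format and region list are assumptions.

const OPTIONAL_CATEGORIES = ["analytics", "marketing"]; // "necessary" always loads
const CONSENT_COOKIE = "cookie_consent";                // assumed first-party cookie name

// Regions where a consent banner is mandatory before optional cookies are set
// (EU member states only, to mirror the EU-only practice described in the text).
const CONSENT_REQUIRED_REGIONS = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
  "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
]);

// Constructed sample: the scripts this site would like to load, tagged by category.
const SITE_SCRIPTS = [
  { name: "cart-session",   category: "necessary", src: "/js/cart.js" },
  { name: "web-analytics",  category: "analytics", src: "/js/analytics.js" },
  { name: "ad-retargeting", category: "marketing",  src: "/js/ads.js" },
];

// Read the stored choice from a raw Cookie header. Returns an object such as
// { analytics: true, marketing: false }, or null when there is no usable record.
// A malformed or incomplete record is treated as "no choice" so the visitor is
// asked again rather than silently tracked.
function parseConsentCookie(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    const choices = {};
    for (const pair of rest.join("=").split("&")) {
      const [category, flag] = pair.split("=");
      if (OPTIONAL_CATEGORIES.includes(category)) choices[category] = flag === "1";
    }
    for (const category of OPTIONAL_CATEGORIES) {
      if (!(category in choices)) return null;
    }
    return choices;
  }
  return null;
}

// Build the Set-Cookie value that records the visitor's choice for 180 days.
function buildConsentCookie(choices, maxAgeSeconds = 180 * 24 * 3600) {
  const value = OPTIONAL_CATEGORIES.map((c) => `${c}=${choices[c] ? 1 : 0}`).join("&");
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// The banner is shown only where consent is mandatory and no choice is stored yet.
function shouldShowBanner(region, storedChoices) {
  return CONSENT_REQUIRED_REGIONS.has(region) && storedChoices === null;
}

// A stored choice always wins. Without one, consent-required regions default to
// "denied" for every optional category; other regions default to "allowed".
function effectiveConsent(region, storedChoices) {
  if (storedChoices) return storedChoices;
  const defaultFlag = !CONSENT_REQUIRED_REGIONS.has(region);
  return Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, defaultFlag]));
}

// Filter the script list down to what may load for this visitor. Scripts with an
// unknown category are dropped (fail closed) rather than loaded by accident.
function allowedScripts(scripts, region, storedChoices) {
  const consent = effectiveConsent(region, storedChoices);
  return scripts.filter((s) => s.category === "necessary" || consent[s.category] === true);
}

// Walk-through with a constructed request: a German visitor with no stored choice.
const visitor = { region: "DE", cookieHeader: "session=abc123" };
const choices = parseConsentCookie(visitor.cookieHeader);
console.log(shouldShowBanner(visitor.region, choices));
console.log(allowedScripts(SITE_SCRIPTS, visitor.region, choices).map((s) => s.name));
```

In a real deployment the `allowedScripts` result is what decides which `<script>` tags get injected into the page; everything else stays out of the DOM until the banner records a choice and `buildConsentCookie` is sent back as a Set-Cookie header.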
How to Handle Data Privacy Requests
Under specific data privacy regulations (GDPR, CCPA), your website visitors have rights over what happens to their personal data; your customers and website visitors can ask you the following:
To delete all data you have on them
To show them all data you have on them
To send them a digital copy of all their data
To correct their personal information if it's incorrect
Additionally, you may need to answer this data request within a specific period of time.
For European residents, you have 30 days to complete the request.
For California residents, you have 45 days to complete the request.
For Brazilian residents, you have 15 days to complete the request.
You also need to authenticate the individual who submitted the request, to verify that it comes from the right person. Keep a copy of the request for compliance reasons, in case you are audited or a future lawsuit relates to it.
💡 Manage Data Privacy Requests in one simple dashboard, including customer verification, due date reminders, automatic data deletion from a supported CRM, and full compliance reporting.
Data Privacy Laws You Need to Know
A website or an online merchant needs to be aware of every data privacy law covering countries where their website visitors come from or where their customers reside.
For example, if you operate an e-commerce site in the US but some of your customers are based in the EU, you will need to be GDPR compliant for those European customers. In practice, this likely means treating all customer data under GDPR-compliant practices.
There are several privacy laws in effect worldwide; below is a partial list. GDPR is considered the most comprehensive privacy law.
Enzuzo provides many guidelines within our solution to make sure you know different privacy law requirements. For example, if you get a data privacy request, we will figure out which data privacy law applies and how much time you have to complete the request.
GDPR: General Data Protection Regulation
GDPR is a data privacy law covering the European Union (EU) that came into effect on May 25, 2018. If you have website visitors or customers from the EU, this law applies to you.
Some relevant parts of the law that affect all websites and online merchants are:
The requirement to have a cookie consent banner on your website
The requirement to respond to all data privacy requests (such as delete all my data) within 30 days. Fines for not complying with this part of the law can range from 2,000 to 20,000 Euros.
💡 For more details about GDPR, see our Simple Guide to GDPR.
CCPA: California Consumer Privacy Act
The CCPA was introduced in January 2020, and while it is not as comprehensive as GDPR, it has some similarities. If you have customers or website visitors from California, CCPA could apply to you.
CCPA does not mandate cookie consent banners, however, it does require you to respond to data privacy requests (delete all my data) within 45 days.
💡 For more details about CCPA, see our Simple Guide to CCPA.
LGPD: Lei Geral de Proteção de Dados Pessoais
LGPD was introduced in 2020 in Brazil, and has many similarities to GDPR. This law could apply to you if you have customers or website visitors from Brazil.
LGPD requires you to respond to data privacy requests (such as delete all my data) within 15 days.
💡 For more details about LGPD, see our Simple Guide to LGPD.
PIPEDA: Personal Information Protection and Electronic Documents Act
PIPEDA was introduced in 2000 in Canada. It is an older law, in effect long before GDPR, but it does contain certain requirements for obtaining consent to process personal information.
💡 For more details about PIPEDA, see our Simple Guide to PIPEDA.
Basic Compliance Reporting (in case you are sued)
Data privacy laws expose all businesses that handle personal information to potentially large fines and lawsuits. For this reason, it is important to keep all your policies up to date and to keep detailed records and reports of all privacy-related matters.
For example, if your customers or website visitors submit a request to delete all their data, it is important to keep a record of that request so you can prove that you processed it correctly.
In some cases, if a business is exposed to a lawsuit or fine, this may be critical information to demonstrate your compliance and mitigate your financial risk.
💡 Enzuzo makes compliance reporting easy: we keep track of every data privacy request and let you build reports with custom date ranges.