The Current State of Privacy Laws
Welcome to 2020, which is shaping up to be the year of reckoning when it comes to consumer data protection and privacy regulation.
The first big salvo actually came in 2018, when the EU’s General Data Protection Regulation (GDPR) became enforceable (May 25, 2018). That rule centers on informed consent, lawful handling, and the data subject’s right to access the data collected about them. Because GDPR applies to the data of anyone “inside” the EEA regardless of their citizenship or the location of the data collector, it caused a global scramble for compliance. It also explicitly classifies online identifiers such as IP addresses and cookie IDs as “personal data.”
In the US, there has been a long-standing battle over consumer data privacy, with various iterations of Federal law being suggested (and failing).
Nevada, Maine, and California have enacted laws with varied specifics, but all centered on transparency and consumer access to collected personal data.
There is also currently a US Congress privacy proposal working its way through the system, which focuses on data collection for ad targeting.
There seems to be consensus on curbing the power of Google, Facebook and other tech behemoths, but the jury is out on whether the remedy might crush smaller competitors along the way because compliance can be expensive.
NOTE: GDPR exempts organizations with fewer than 250 employees from the Article 30 record-keeping requirement, but only if their processing is occasional, is unlikely to put individuals at risk, and does not involve special categories of data; the rest of the regulation still applies to them. California’s CCPA applies only to a business that meets at least one of three thresholds: annual revenue above $25 million, annually buying, selling or sharing the personal information of 50,000 or more consumers, households or devices, or deriving 50% or more of its annual revenue from selling personal information. A business is outside CCPA only if it falls below all three.
How Does Privacy Apply to Online Communities?
Trust is at the very core of community, and since the beginning, owned communities and forums have had a much more trustworthy relationship with their members than the large social networks.
Typically, the business model for online communities is direct monetization via premium memberships, contextual ads, or sponsorships, or indirect monetization as an asset for a business or organization. It’s usually clear where your profile information is going when you register for an owned community.
Community owners should adopt a consumer-privacy-forward philosophy, regardless of whether they’ve decided the regulations apply to them.
Here are some of the key considerations related to privacy laws specifically for community owners:
- Registration/sign up information for profiles - for each item, you may want to describe why you are asking for it and whether it will be used for marketing purposes.
- Member editing/deletion of their own account - offer a way for members to access, edit, and deactivate/delete their own account or give them a way to request deletion.
- Collection of IP addresses and setting of cookies - if you log IP addresses and/or set cookies, say so in your privacy policy. Cookies that are strictly necessary (the session cookie that keeps a member logged in) do not need consent, but analytics and advertising cookies do, and under the EU rules that consent must be obtained before the cookie is set (opt-in), not merely withdrawable afterwards (opt-out). Declining non-essential cookies often degrades platform features; say which ones in your policy. A “cookie notice” banner in your header or footer is the usual place to collect that choice.
- Policy surrounding account deletion - when a member requests deletion, decide up front whether you delete their content or anonymize it (keep the posts, strip the link to the person). Deleting comments or replies leaves gaps in threads and hurts readability; anonymizing keeps threads intact, but the member’s remaining posts may still contain details they wrote about themselves. To date, we have not seen a definitive ruling on whether general forum posts are considered personal information, but we will continue monitoring the guidance from regulatory authorities.
- What happens to backed-up data? How long before it’s truly purged? If you support account deletion, state a concrete retention window and communicate that backups and logs will still hold the data (inaccessible in normal operation) until that window expires and the copies are overwritten.
- Location of the data center - for communities that specifically serve EU-based members, you may prefer to host the data in the EEA, although GDPR does not require it; what it requires is a lawful basis for any transfer of personal data out of the EEA. At the time of writing, one such basis was the EU-US Privacy Shield framework (Social Strata has certified). Note that the CJEU invalidated Privacy Shield in July 2020 (the Schrems II ruling); transfers to US vendors now generally rely on Standard Contractual Clauses, so confirm which mechanism your platform vendor offers.
- Agreement to notifications and emails - during new member onboarding, be clear about email notifications and communications coming from the community and show members how to adjust their preferences. In addition, if you plan to send marketing emails using the community member list or community information, you should make that clear.
- Access to TOS and ability to de-authorize - ensure that members can view the Terms of Service at any point and can withdraw their consent. You can make membership contingent upon agreement to the TOS, so a member who withdraws consent loses access.
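The deletion and retention points above (member self-deletion, delete-versus-anonymize, and the backup purge window) are easier to reason about with a concrete handler in front of you. The following is an added example written for this post, not Hoop.la’s or Social Strata’s code; the in-memory data model, the member and post records, and the 30-day backup retention window are all constructed assumptions for illustration.

```python
"""Hypothetical deletion-request handler for a small forum (added example).

The Store/Member/Post model, the sample members, and BACKUP_RETENTION_DAYS are
constructed assumptions for illustration; they are not any vendor's implementation.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
import secrets

BACKUP_RETENTION_DAYS = 30  # assumed window; whatever you promise in the privacy policy


@dataclass
class Member:
    member_id: int
    username: str
    email: str
    signup_ip: str
    marketing_opt_in: bool
    status: str = "active"


@dataclass
class Post:
    post_id: int
    author_id: Optional[int]
    parent_id: Optional[int]  # reply chain; None for a thread starter
    body: str


@dataclass
class Store:
    members: dict = field(default_factory=dict)
    posts: dict = field(default_factory=dict)
    ip_log: list = field(default_factory=list)  # (member_id, ip, iso_date)
    audit: list = field(default_factory=list)   # (member_id, mode, requested, purge_by)


def build_sample_store() -> Store:
    """Constructed sample data: two members and a three-post thread."""
    s = Store()
    s.members[1] = Member(1, "alice", "alice@example.com", "203.0.113.5", True)
    s.members[2] = Member(2, "bob", "bob@example.com", "198.51.100.7", False)
    s.posts[10] = Post(10, 1, None, "Has anyone tried the new release?")
    s.posts[11] = Post(11, 2, 10, "Yes, works fine for me.")
    s.posts[12] = Post(12, 1, 11, "Thanks, upgrading now.")
    s.ip_log += [(1, "203.0.113.5", "2020-01-02"), (2, "198.51.100.7", "2020-01-03")]
    return s


def handle_deletion_request(store: Store, member_id: int, mode: str, today: str) -> str:
    """Process a member's deletion request and return the backup purge deadline (ISO date).

    mode="delete":    remove the profile, IP history and every post by the member.
                      Replies to those posts survive but now point at a missing parent.
    mode="anonymize": scrub the fields that identify the person (email, IPs, username),
                      rename the account to a random pseudonym and keep the posts, so
                      reply chains stay readable.
    """
    if member_id not in store.members:
        raise KeyError(f"unknown member {member_id}")
    member = store.members[member_id]
    # IP history is personal data either way, so it always goes.
    store.ip_log = [entry for entry in store.ip_log if entry[0] != member_id]
    if mode == "delete":
        for pid in [p.post_id for p in store.posts.values() if p.author_id == member_id]:
            del store.posts[pid]
        del store.members[member_id]
    elif mode == "anonymize":
        member.username = "deleted_user_" + secrets.token_hex(4)
        member.email = ""
        member.signup_ip = ""
        member.marketing_opt_in = False
        member.status = "deleted"
        # posts keep author_id, which now resolves to the scrubbed pseudonymous record
    else:
        raise ValueError(f"unknown mode {mode!r}")
    purge_by = (date.fromisoformat(today) + timedelta(days=BACKUP_RETENTION_DAYS)).isoformat()
    # Audit row carries only the internal ID and dates, no PII, so it can outlive the data.
    store.audit.append((member_id, mode, today, purge_by))
    return purge_by


def orphaned_replies(store: Store) -> list:
    """Replies whose parent post no longer exists: the readability cost of a hard delete."""
    return sorted(p.post_id for p in store.posts.values()
                  if p.parent_id is not None and p.parent_id not in store.posts)
```

Running it on the sample thread shows the trade-off directly: anonymizing member 1 leaves all three posts in place with no orphans, while deleting them removes posts 10 and 12 and leaves bob’s reply (post 11) pointing at a parent that no longer exists. Note that the anonymize path is pseudonymization in GDPR terms, and the kept post bodies can still contain details the member wrote about themselves, which is why the policy should say which option you use.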
What Is a Consumer-Privacy-Forward Philosophy?
- Always collect the minimum amount of data necessary.
- Keep the data secure: limit who has access to your community control panel, give moderators only the permissions their role needs, and protect administrator accounts with strong authentication.
- Let members know why you need the data, and where it’s going.
- Give members a way to view, edit and/or delete their personal data.
- If your community is public-facing, ensure that your members are aware that the information and posts they make are publicly visible and that they should not share any personally sensitive information.
If you’re a Social Strata customer using Hoop.la, you have access to tools that will support your privacy compliance efforts. We always stay abreast of new regulations and developments, and will consider enhancements to the feature set if necessary.
Remember that, if you feel GDPR, CCPA, or any other regulations apply to your organization, it’s always best to consult legal counsel. This blog post does not constitute legal advice.
Did I miss anything? Feel free to add your advice in the comments. As the regulations evolve, we should be having a lot more conversations on this topic!