Privacy Archives - Analytics Platform - Matomo
https://matomo.org/blog/category/privacy/

OCPA, FDBR and TDPSA – What you need to know about the US’s new privacy laws
https://matomo.org/blog/2024/07/ocpa-fdbr-and-tdpsa-new-privacy-laws-july-2024/
Mon, 22 Jul 2024 21:55:19 +0000

On July 1, 2024, new privacy laws took effect in Florida, Oregon, and Texas. People in these states now have more control over their personal data, signaling a shift in privacy policy in the United States. Here’s what you need to know about these laws and how privacy-focused analytics can help your business stay compliant.

Consumer rights are front and centre across all three laws

The Florida Digital Bill of Rights (FDBR), Oregon Consumer Privacy Act (OCPA), and Texas Data Privacy and Security Act (TDPSA) grant consumers similar rights.

Access: Consumers can access their personal data held by businesses.

Correction: Consumers can correct inaccurate data.

Deletion: Consumers may request data deletion.

Opt-Out: Consumers can opt out of the sale of their personal data and targeted advertising.

Oregon Consumer Privacy Act (OCPA)

The Oregon Consumer Privacy Act (OCPA), signed into law on June 23, 2023, and effective as of July 1, 2024, grants Oregonians new rights regarding their personal data and imposes obligations on businesses. Starting July 1, 2025, authorities will enforce provisions that require data protection assessments, and businesses must recognize universal opt-out mechanisms by January 1, 2026. In Oregon, the OCPA applies to businesses that:

  • Either conduct business in Oregon or offer products and services to Oregon residents

  • Control or process the personal data of 100,000 consumers or more, or

  • Control or process the data of 25,000 or more consumers while receiving over 25% of their gross revenues from selling personal data.

Exemptions include public bodies like state and local governments, financial institutions, and insurers that operate under specific financial regulations. The law also excludes protected health information covered by HIPAA and other specific federal regulations.

Business obligations

Data Protection Assessments: Businesses must conduct data protection assessments for high-risk processing activities, such as those involving sensitive data or targeting children.

Consent for Sensitive Data: Businesses must secure explicit consent before collecting, processing, or selling sensitive personal data, such as racial or ethnic origin, religious beliefs, health information, biometric data, and geolocation.

Universal Opt-out: Starting January 1, 2025, businesses must acknowledge universal opt-out mechanisms, like the Global Privacy Control, that allow consumers to opt out of data collection and processing activities.

Enforcement

The Oregon Attorney General can issue fines up to $7,500 per violation. There is no private right of action.

Unique characteristics of the OCPA

The OCPA differs from other state privacy laws by requiring affirmative opt-in consent for processing sensitive and children’s data, and by including nonprofit organisations under its scope. It also requires global browser opt-out mechanisms starting in 2026.

Florida Digital Bill of Rights (FDBR)

The Florida Digital Bill of Rights (FDBR) became law on June 6, 2023, and it came into effect on July 1, 2024. This law targets businesses with substantial operations or revenues tied to digital activities and seeks to protect the personal data of Florida residents by granting them greater control over their information and imposing stricter obligations on businesses. It applies to entities that:

  • Conduct business in Florida or provide products or services targeting Florida residents,

  • Have annual global gross revenues exceeding $1 billion,

  • Receive 50% or more of their revenues from digital advertising or operate significant digital platforms such as app stores or smart speakers with virtual assistants.

Exemptions include governmental entities, nonprofits, financial institutions covered by the Gramm-Leach-Bliley Act, and entities covered by HIPAA.

Business obligations

Data Security Measures: Companies are required to implement reasonable data security measures to protect personal data from unauthorised access and breaches.

Handling Sensitive Data: Explicit consent is required for processing sensitive data, which includes information like racial or ethnic origin, religious beliefs, and biometric data.

Non-Discrimination: Entities must ensure they do not discriminate against consumers who exercise their privacy rights.

Data Minimisation: Businesses must collect only necessary data.

Vendor Management: Businesses must ensure that their processors and vendors also comply with the FDBR regarding the secure handling and processing of personal data.

Enforcement

The Florida Attorney General can impose fines of up to $50,000 per violation, with higher penalties for intentional breaches.

Unique characteristics of the FDBR

Unlike broader privacy laws such as the California Consumer Privacy Act (CCPA), which apply to a wider range of businesses based on lower revenue thresholds and the volume of data processed, the FDBR distinguishes itself by targeting large-scale businesses with substantial revenues from digital advertising. The FDBR also emphasises specific consumer rights related to modern digital interactions, reflecting the evolving landscape of online privacy concerns.

Texas Data Privacy and Security Act (TDPSA)

The Texas Data Privacy and Security Act (TDPSA), signed into law on June 16, 2023, and effective as of July 1, 2024, enhances data protection for Texas residents. The TDPSA applies to entities that:

  • Conduct business in Texas or offer products or services to Texas residents.

  • Engage in processing or selling personal data.

  • Do not fall under the classification of small businesses according to the U.S. Small Business Administration’s criteria, which usually involve employee numbers or average annual receipts. 

The law excludes state agencies, political subdivisions, financial institutions compliant with the Gramm-Leach-Bliley Act, and entities compliant with HIPAA.

Business obligations

Data Protection Assessments: Businesses must conduct data protection assessments for processing activities that pose a heightened risk of harm to consumers, such as processing for targeted advertising, selling personal data, or profiling.

Consent for Sensitive Data: Businesses must get explicit consent before collecting, processing, or selling sensitive personal data, such as racial or ethnic origin, religious beliefs, health information, biometric data, and geolocation.

Companies must have adequate data security practices based on the personal information they handle.

Data Subject Access Requests (DSARs): Businesses must respond to consumer requests regarding their personal data (e.g., access, correction, deletion) without undue delay, but no later than 45 days after receipt of the request.

Sale of Data: If businesses sell personal data, they must disclose these practices to consumers and provide them with an option to opt out.

Universal Opt-Out Compliance: Starting January 1, 2025, businesses must recognise universal opt-out mechanisms like the Global Privacy Control, enabling consumers to opt out of data collection and processing activities.

Enforcement

The Texas Attorney General can impose fines up to $25,000 per violation. There is no private right of action.

Unique characteristics of the TDPSA

The TDPSA stands out for its small business carve-out, lack of specific thresholds based on revenue or data volume, and requirements for recognising universal opt-out mechanisms starting in 2025. It also mandates consent for processing sensitive data and includes specific measures for data protection assessments and privacy notices.

Privacy notices across Florida, Oregon, and Texas

All three laws include a mandate for privacy notices, though there are subtle variations in their specific requirements. Here’s a breakdown of these differences:

FDBR privacy notice requirements

Clarity: Privacy notices must clearly explain the collection and use of personal data.

Disclosure: Notices must inform consumers about their rights, including the right to access, correct, and delete their data, and to opt out of data sales and targeted advertising.

Specificity: Businesses must disclose if they sell personal data or use it for targeted advertising.

Security Practices: The notice should describe the data security measures in place.

OCPA privacy notice requirements

Comprehensive Information: Notices must provide information about the personal data collected, the purposes for processing, and any third parties that can access it.

Consumer Rights: Must plainly outline consumers’ rights to access, correct, and delete their data, and to opt out of data sales, targeted advertising, and profiling.

Sensitive Data: To process sensitive data, businesses or entities must get explicit consent and communicate it.

Universal Opt-Out: Starting January 1, 2026, businesses must recognise and honour universal opt-out mechanisms.

TDPSA privacy notice requirements

Detailed Notices: Must provide clear and detailed information about data collection practices, including the data collected and the purposes for its use.

Consumer Rights: Must inform consumers of their rights to access, correct, and delete their data, and to opt out of data sales and targeted advertising.

High-Risk Processing: Notices should include information about any high-risk processing activities and the safeguards in place.

Sensitive Data: To process sensitive data, entities and businesses must get explicit consent.

What these laws mean for your business

Businesses operating in Florida, Oregon, and Texas must now comply with these new data privacy laws. Here’s what you can do to avoid fines:

  1. Understand the Laws: Familiarise yourself with the specific requirements of the FDBR, OCPA, and TDPSA, including consumer rights and business obligations.

  2. Implement Data Protection Measures: Ensure you have robust data security measures in place. This includes conducting regular data protection assessments, especially for high-risk processing activities.

  3. Update Privacy Policies: Provide clear and comprehensive privacy notices that inform consumers about their rights and how their data is processed.

  4. Obtain Explicit Consent: For sensitive data, make sure you get explicit consent from consumers. This includes information like health, race, sexual orientation, and more.

  5. Manage Requests Efficiently: Be prepared to handle requests from consumers to access, correct, and delete their data, and to opt out of data sales and targeted advertising, within the stipulated timeframes.

  6. Recognise Opt-Out Mechanisms: For Oregon, businesses must be ready to implement and recognise universal opt-out mechanisms by January 1, 2026. In Texas, opt-out enforcement begins in 2026. In Florida, the specific opt-out provisions began on July 1, 2024.

  7. Stay Updated: Keep abreast of any changes or updates to these laws to ensure ongoing compliance. Keep an eye on the Matomo blog or sign up for our newsletter to stay in the know.

Are we headed towards a more privacy-focused future in the United States?

Florida, Oregon, and Texas are joining states like California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, and Montana in strengthening consumer privacy protections. This trend could signify a shift in US policy towards a more privacy-focused internet, underlining the importance of consumer data rights and transparent business practices. Even if these laws do not apply to your business, considering updates to your data and privacy policies is wise. Fortunately, there are tools and solutions designed for privacy and compliance to help you navigate these changes.

Avoid fines and get better data with Matomo

Most analytics tools don’t prioritize safeguarding user data. At Matomo, we believe everyone has the right to data sovereignty, privacy and amazing analytics. Matomo offers a solution that meets privacy regulations while delivering incredible insights. With Matomo, you get:

100% Data Ownership: Keep full control over your data, ensuring it is used according to your privacy policies.

Privacy Protection: Built with privacy in mind, Matomo helps businesses comply with privacy laws.

Powerful Features: Gain insights with tools like heatmaps, session recordings, and A/B testing.

Open Source: Matomo is open source and committed to transparency and customisation.

Flexibility: Choose to host Matomo on your servers or in the cloud for added security.

No Data Sampling: Ensure accurate and complete insights without data sampling.

Privacy Compliance: Easily meet GDPR and other requirements, with data stored securely and never sold or shared.

Disclaimer: This content is provided for informational purposes only and is not intended as legal advice. While we strive to ensure the accuracy and timeliness of the information provided, the laws and regulations surrounding privacy are complex and subject to change. We recommend consulting with a qualified legal professional to address specific legal issues related to your circumstances. 

A Guide to Ethical Web Analytics in 2024
https://matomo.org/blog/2024/06/ethical-web-analytics/
Mon, 17 Jun 2024 23:45:47 +0000

User data is more valuable and sought after than ever. 

Ninety-four percent of respondents in Cisco’s Data Privacy Benchmark Study said their customers wouldn’t buy from them if their data weren’t protected, with 95% saying privacy was a business imperative. 

Unfortunately, the data collection practices of most businesses are far from acceptable and often put their customers’ privacy at risk. 

But it doesn’t have to be this way. You can ethically collect valuable and insightful customer data—you just need the right tools.

In this article, we show you what an ethical web analytics solution can look like, why Google Analytics is a problem and how you can collect data without risking your customers’ privacy.

What is ethical web analytics?

Ethical web analytics put user privacy first. These platforms prioritise privacy and transparency by only collecting necessary data, avoiding implicit user identification and openly communicating data practices and tracking methods. 

Ethical tools adhere to data protection laws like GDPR as standard (meaning businesses using these tools never have to worry about fines or disruptions). In other words, ethical web analytics refrain from exploiting and profiting from user behaviour and data. 

Unfortunately, most traditional data solutions collect as much data as possible without users’ knowledge or consent.

Why does digital privacy matter?

Digital privacy matters because companies have repeatedly proven they will collect and use data for financial gain. It also presents security risks. Unsecured user data can lead to identity theft, cyberattacks and harassment. 

Big tech companies like Google and Meta are often to blame for all this. These companies collect millions of user data points — like age, gender, income, political beliefs and location. Worse still, they share this information with interested third parties.

After public outrage over data breaches and other privacy scandals, consumers are taking active steps to disallow tracking where possible. IAPP’s Privacy and Consumer Trust Report finds that 68% of consumers across 19 countries are somewhat or very concerned about their digital privacy. 

There’s no way around it: companies of all sizes and shapes need to consider how they handle and protect customers’ private information.

Why should you use an ethical web analytics tool?

When companies use ethical web analytics tools, they can build customer trust, boost their brand reputation, improve data security practices and future-proof their website tracking solution.

Boost brand reputation

The fallout from a data privacy scandal can be severe. 

Just look at what happened to Facebook during the Cambridge Analytica data scandal. The eponymous consulting firm harvested 50 million Facebook profiles and used that information to target people with political messages. Due to the instant public backlash, Facebook’s stock tanked, and use of the “delete Facebook” hashtag increased by 423% in the following days.

That’s because consumers care about data privacy, according to Deloitte’s Connected Consumer Study:

  • Almost 90 percent agree they should be able to view and delete data companies collect 
  • 77 percent want the government to introduce stricter regulations
  • Half feel the benefits they get from online services outweigh data privacy concerns.

If you can prove you buck the trend by collecting data using ethical methods, it can boost your brand’s reputation. 

Build trust with customers

At the same time, collecting data in an ethical way can help you build customer trust. You’ll go a long way to changing consumer perceptions, too. Almost half of consumers don’t like sharing data, and 57% believe companies sell their data.  

This additional trust should generate a positive ROI for your business. According to Cisco’s Data Privacy Benchmark Study, the average company gains $180 for every $100 they invest in privacy. 

Improve data security

According to IBM’s Cost of a Data Breach report, the average cost of a data breach is nearly $4.5 million. This kind of scenario becomes much less likely when you use an ethical tool that collects less data overall and anonymises the data you do collect. 

Futureproof your web analytics solution

The obvious risk of not complying with privacy regulations is a fine — which can be up to €20 million, or 4% of worldwide annual revenue in the case of GDPR.

It’s not just fines and penalties you risk if you fail to comply with privacy regulations like GDPR. For some companies, especially larger ones, the biggest risk of non-compliance with privacy regulations is the potential sudden need to abandon Google Analytics and switch to an ethical alternative.

If Data Protection Authorities ban Google Analytics again, as has happened in Austria, France, and other countries, businesses will be forced to drop everything and make an immediate transition to a compliant web analytics solution.

When an organisation’s entire marketing operation relies on data, migrating to a new solution can be incredibly painful and time-consuming. So, the sooner you switch to an ethical tool, the less of a headache the process will be. 

The problem with Google Analytics

Google Analytics (GA) is the most popular analytics platform in the world, but it’s a world away from being an ethical tool. Here’s why:

You don’t have data ownership

Google Analytics is attractive to businesses of all sizes because of its price. Everyone loves getting something for free, but there’s still a cost — your and your customers’ data.

That’s because Google combines the data you collect with information from the millions of other websites it tracks to inform its advertising efforts. It may also use your data to train large language models like Gemini. 

It has a rocky history with GDPR laws

Google and EU regulators haven’t always got along. For example, the German Data Protection Authority is investigating 200,000 pending cases against websites using GA. The platform has also been banned and added back to the EU-US Data Privacy Framework several times over the past few years. 

You can use GA to collect data about EU customers right now, but there’s no guarantee you’ll be able to do so in the future. 

It requires a specific setup to remain compliant

While you can currently use GA in a GDPR-compliant way — owing to its inclusion in the EU-US Data Privacy Framework — you have to set it up in a very specific way. That’s because the platform’s compliance depends on what data you collect, how you inform users and the level of consent you acquire.  You’ll still need to include an extensive privacy policy on your website. 

What does ethical web analytics look like?

An ethical web analytics solution should put user privacy first, ensure compliance with regulations like GDPR, give businesses 100% control of the data they collect and be completely transparent about data collection and storage practices. 

What does ethical web tracking look like?

100% data ownership

You don’t fully control customer data when you use Google Analytics. The search giant uses your data for its own advertising purposes and may also use it to train large language models like Gemini. 

When you choose an ethical web analytics alternative like Matomo, you can ensure you completely own your data.

Respects user privacy

It’s possible to track and measure user behaviour without collecting personally identifiable information (PII). Just look at the ethical web analytics tools we’ve reviewed below. 

These platforms respect user privacy and conform to strict privacy regulations like GDPR, CCPA and HIPAA by incorporating some or all of the following features:

In Matomo’s case, it’s all of the above. Better still, you can check our privacy credentials yourself. Our software’s source code is open source on GitHub and accessible to anyone at any time. 

Compliant with government regulations

While Google’s history with data regulations is tumultuous, an ethical web analytics platform should follow even the strictest privacy laws, including GDPR, HIPAA, CCPA, LGPD and PECR.

But why stop there? Matomo has been approved by the French Data Protection Authority (CNIL) as one of the few web analytics tools that French sites can use to collect data without tracking consent. So you don’t need an annoying consent banner popping up on your website anymore. 

Complete transparency 

Ethical web analytics tools will be upfront about their data collection practices, whether that’s in the U.S., EU, or on your own private servers. Look for a solution that refrains from collecting personally identifiable information, shows where data is stored, and lets you alter tracking methods to increase privacy even further. 

Some solutions, like Matomo, will increase transparency further by providing open source software. Anyone can find our source code on GitHub to see exactly how our platform tracks and stores user data. This means our code is regularly examined and reviewed by a community of developers, making it more secure, too.

Ethical web analytics solutions

There are several options for an ethical web analytics tool. We list three of the best providers below. 

Matomo

Matomo is an open source web analytics tool and privacy-focused Google Analytics alternative used by over one million sites globally. 

Screenshot example of the Matomo dashboard

Matomo is fully compliant with prominent global privacy regulations like GDPR, CCPA and HIPAA, meaning you never have to worry about collecting consent when tracking user behaviour. 

The data you collect is completely accurate, since Matomo doesn’t use data sampling, and it is 100% yours. We don’t share data with third parties, and we can prove it: our product source code is publicly available on GitHub. Matomo is a community-led project, so you can download and install it yourself for free.

With Matomo, you get a full range of web analytics capabilities and behavioural analytics. That includes your standard metrics (think visitors, traffic sources, bounce rates, etc.) and advanced features to analyse user behaviour, like A/B Testing, Form Analytics, Heatmaps and Session Recordings.

Migrating to Matomo is easy. You can even import historical Google Analytics data to generate meaningful insights immediately. 

Fathom

Fathom Analytics is a lightweight privacy-focused analytics solution that launched in 2018. It aims to be an easy-to-use Google Analytics alternative that doesn’t compromise privacy. 

A screenshot of the Fathom website

Like Matomo, Fathom complies with all major privacy regulations, including GDPR and CCPA. It also provides 100% accurate, unsampled reports and doesn’t share your data with third parties. 

While Fathom provides fairly comprehensive analytics reports, it doesn’t have some of Matomo’s more advanced features. That includes e-commerce tracking, heatmaps, session recordings, and more.  

Plausible

Plausible Analytics is another open source Google Analytics alternative that was built and hosted in the EU. 

A screenshot of the Plausible website

Launched in 2019, Plausible is a newer player in the privacy-focused analytics market. Still, its ultra-lightweight script makes it an attractive option for organisations that prioritise speed over everything else. 

Like Matomo and Fathom, Plausible is GDPR and CCPA-compliant by design. Nor is there any cap on the amount of data you collect or any debate over whether the data is accurate (Plausible doesn’t use data sampling) or who owns the data (you do).  

Matomo makes it easy to migrate to an ethical web analytics alternative

There’s no reason to put your users’ privacy at risk, especially when there are so many benefits to choosing an ethical tool. Whether you want to avoid fines, build trust with your customers, or simply know you’re doing the right thing, choosing a privacy-focused, ethical solution like Matomo is taking a massive step in the right direction. 

Making the switch is easy, too. Matomo is one of the few options that lets you import historical Google Analytics data, so starting from scratch is unnecessary. 

Get started today by trying Matomo for free for 21 days. No credit card required.

A Guide to GDPR Sensitive Personal Data
https://matomo.org/blog/2024/05/gdpr-sensitive-personal-data/
Mon, 13 May 2024 21:52:00 +0000

The General Data Protection Regulation (GDPR) is one of the world’s most stringent data protection laws. It provides a legal framework for collection and processing of the personal data of EU individuals.

The GDPR distinguishes between “special categories of personal data” (also referred to as “sensitive”) and other personal data and imposes stricter requirements on collection and processing of sensitive data. Understanding these differences will help your company comply with the requirements and avoid heavy penalties.

In this article, we’ll explain what personal data is considered “sensitive” according to the GDPR. We’ll also examine how a web analytics solution like Matomo can help you maintain compliance.

What is sensitive personal data?

The following categories of data are treated as sensitive:

    1. Personal data revealing:
      • Racial or ethnic origin;
      • Political opinions;
      • Religious or philosophical beliefs;
      • Trade union membership;
    2. Genetic and biometric data;
    3. Data concerning a person’s:
      • Health; or
      • Sex life or sexual orientation.
Examples of GDPR Sensitive Personal Data

Sensitive vs. non-sensitive personal data: What’s the difference?

While both categories include information about an individual, sensitive data is seen as more private, or as requiring greater protection.

Sensitive data often carries a higher degree of risk and harm to the data subject, if the data is exposed. For example, a data breach exposing health records could lead to discrimination for the individuals involved. An insurance company could use the information to increase premiums or deny coverage. 

In contrast, personal data like name or gender is considered less sensitive because it doesn’t carry the same degree of harm as sensitive data. 

Unauthorised access to someone’s name alone is less likely to harm them or infringe on their fundamental rights and freedoms than unauthorised access to their health records or biometric data. Note that financial information (e.g. credit card details) does not fall into the special categories of data.

Table displaying different sensitive data vs non-sensitive data

Legality of processing

Under the GDPR, both sensitive and non-sensitive personal data are protected. However, the rules and conditions for processing sensitive data are more stringent.

Article 6 deals with processing of non-sensitive data and it states that processing is lawful if one of the six lawful bases for processing applies. 

In contrast, Art. 9 of the GDPR states that processing of sensitive data is prohibited as a rule, but provides ten exceptions. 

It is important to note that the lawful bases in Art. 6 are not the same as exceptions in Art. 9. For example, while performance of a contract or legitimate interest of the controller are a lawful basis for processing non-sensitive personal data, they are not included as an exception in Art. 9. What follows is that controllers are not permitted to process sensitive data on the basis of contract or legitimate interest. 

The exceptions where processing of sensitive personal data is permitted (subject to additional requirements) are: 

  • Explicit consent: The individual has given explicit consent to processing their sensitive personal data for specified purpose(s), except where an EU member state prohibits such consent. See below for more information about explicit consent. 
  • Employment, social security or social protection: Processing sensitive data is necessary to perform tasks under employment, social security or social protection law.
  • Vital interests: Processing sensitive data is necessary to protect the interests of a data subject or if the individual is physically or legally incapable of consenting. 
  • Not-for-profit bodies: Foundations, associations or nonprofits with a political, philosophical, religious or trade union aim may process the sensitive data of their members or those they are in regular contact with, in connection with their purposes (and no disclosure of the data is permitted outside the organisation, without the data subject’s consent).
  • Made public: In some cases, it may be permissible to process the sensitive data of a data subject if the individual has already made it public and accessible. 
  • Legal claims: Processing sensitive data is necessary to establish, exercise or defend legal claims, including in legal or court proceedings.
  • Public interest: Processing is necessary for reasons of substantial public interest, like preventing unlawful acts or protecting the public.
  • Health or social care: Processing special category data is necessary for: preventative or occupational medicine, providing health and social care, medical diagnosis or managing healthcare systems.
  • Public health: It is permissible to process sensitive data for public health reasons, like protecting against cross-border threats to health or ensuring the safety of medicinal products or medical devices. 
  • Archiving, research and statistics: You may process sensitive data if it’s done for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

In addition, you must adhere to all data handling requirements set by the GDPR.

Important: Note that for any data you are processing, you always need to identify a lawful basis under Art. 6. In addition, if that data contains sensitive data, you must comply with Art. 9.

Explicit consent

While consent is a valid lawful basis for processing non-sensitive personal data, controllers are permitted to process sensitive data only with the “explicit consent” of the data subject.

The GDPR does not define “explicit” consent, but it is accepted that it must meet all Art. 7 conditions for consent, at a higher threshold. To be “explicit”, consent requires a clear statement (oral or written) from the data subject. Consent inferred from the data subject’s actions does not meet the threshold.

The controller must retain records of the explicit consent and provide an appropriate consent withdrawal method so the data subject can exercise their rights.

Examples of compliant and non-compliant sensitive data processing

Here are examples of when you can and can’t process sensitive data:

  • When you can process sensitive data: A doctor logs sensitive data about a patient, including their name, symptoms and medicine prescribed. The hospital can process this data to provide appropriate medical care to their patients. An IoT device and software manufacturer processes their customers’ health data based on explicit consent of each customer. 
  • When you can’t process sensitive data: One example is when you don’t have explicit consent from a data subject. Another is when there’s no lawful basis for processing it or you are collecting personal data you simply do not need. For example, you don’t need your customer’s ethnic origin to fulfil an online order.

Other implications of processing sensitive data

If you process sensitive data, especially on a large scale, the GDPR imposes additional requirements, such as carrying out Data Privacy Impact Assessments, appointing Data Protection Officers and, if you are a controller based outside the EU, appointing EU Representatives.

Penalties for GDPR non-compliance

Mishandling sensitive data (or processing it when you’re not allowed to) can result in huge penalties. There are two tiers of GDPR fines:

  • €10 million or 2% of a company’s annual revenue for less severe infringements
  • €20 million or 4% of a company’s annual revenue for more severe infringements

In the first half of 2023 alone, fines imposed in the EU due to GDPR violations exceeded €1.6 billion, up from €73 million in 2019.

Examples of high-profile violations in the last few years include:

  • Amazon: The Luxembourg National Commission hit the retail giant with a massive $887 million fine in 2021 for not processing personal data per the GDPR.
  • Google: The National Data Protection Commission (CNIL) fined Google €50 million for not getting proper consent to display personalised ads.
  • H&M: The Hamburg Commissioner for Data Protection and Freedom of Information hit the multinational clothing company with a €35.3 million fine in 2020 for unlawfully gathering and storing employees’ data in its service centre.

One of the criteria that affects the severity of a fine is “data category” — the type of personal data being processed. Companies need to take extra precautions with sensitive data, or they risk receiving more severe penalties.

What’s more, GDPR violations can negatively affect your brand’s reputation and cause you to lose business opportunities from consumers concerned about your data practices. 76% of consumers indicated they wouldn’t buy from companies they don’t trust with their personal data.

Organisations should lay out their data practices in simple terms and make this information easily accessible so customers know how their data is being handled.

Get started with GDPR-compliant web analytics

The GDPR offers a framework for securing and protecting personal data. But it also distinguishes between sensitive and non-sensitive data. Understanding these differences and applying the lawful basis for processing this data type will help ensure compliance.

Looking for a GDPR-compliant web analytics solution?

At Matomo, we take data privacy seriously. 

Our platform ensures 100% data ownership, putting you in complete control of your data. Unlike other web analytics solutions, your data remains solely yours and isn’t sold or auctioned off to advertisers. 

Additionally, with Matomo, you can be confident in the accuracy of the insights you receive, as we provide reliable, unsampled data.

Matomo also fully complies with GDPR and other data privacy laws like CCPA, LGPD and more.

Start your 21-day free trial today; no credit card required. 

Disclaimer

We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to GDPR. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.

What Is Data Misuse & How to Prevent It? (With Examples) https://matomo.org/blog/2024/05/data-misuse/ Mon, 13 May 2024 21:44:28 +0000

Your data is everywhere. Every time you sign up for an email list, log in to Facebook or download a free app onto your smartphone, your data is being taken.

This can scare customers and users who fear their data will be misused.

While data can be a powerful asset for your business, it’s important you manage it well, or you could be in over your head.

In this guide, we break down what data misuse is, what the different types are, some examples of major data misuse and how you can prevent it so you can grow your brand sustainably.

What is data misuse?

Data is a good thing.

It helps analysts and marketers understand their customers better so they can serve them relevant information, products and services to improve their lives.

But it can quickly become a bad thing for both the customers and business owners when it’s mishandled and misused.

Data misuse is when a business uses data outside of the agreed-upon terms. When companies collect data, they need to legally communicate how that data is being used. 

Who or what determines when data is being misused?

Several bodies:

  • User agreements
  • Data privacy laws
  • Corporate policies
  • Industry regulations

There are certain laws and regulations around how you can collect and use data. Failure to comply with these guidelines and rules can result in several consequences, including legal action.

Keep reading to discover the different types of data misuse and how to prevent it.

3 types of data misuse

There are a few different types of data misuse.

If you fail to understand them, you could face penalties, legal trouble and a poor brand reputation.

1. Commingling

When you collect data, you need to ensure you’re using it for the right purpose. Commingling is when an organisation collects data from a specific audience for a specific reason but then uses the data for another purpose.

One example of commingling is if a company shares sensitive customer data with another company. In many cases, sister companies will share data even if the terms of the data collection didn’t include that clause.

Another example is if someone collects data for academic purposes like research but then uses the data later on for marketing purposes to drive business growth in a for-profit company.

In either case, the company went wrong by not being clear on what the data would be used for. You must communicate with your audience exactly how the data will be used.

2. Personal benefit

The second common way data is misused in the workplace is through “personal benefit.” This is when someone with access to data abuses it for their own gain.

The most common example of personal benefit data misuse is when an employee misuses internal data.

While this may sound like each instance of data misuse is caused by malicious intent, that’s not always the case. Data misuse can still exist even if an employee didn’t have any harmful intent behind their actions. 

One of the most common examples is when an employee mistakenly moves data from a company device to personal devices for easier access.

3. Ambiguity

As mentioned above when discussing commingling, a company must use data only in the way it said it would when collecting it.

A company can misuse data when they’re unclear on how the data is used. Ambiguity is when a company fails to disclose how user data is being collected and used.

This means communicating poorly on how the data will be used can be wrong and lead to misuse.

One of the most common ways this happens is when a company doesn’t know how to use the data, so they can’t give a specific reason. However, this is still considered misuse, as companies need to disclose exactly how they will use the data they collect from their customers.

Laws on data misuse you need to follow

Data misuse can lead to poor reputations and penalties from big tech companies. For example, if you step outside social media platforms’ guidelines, you could be suspended, banned or shadowbanned.

But what’s even more important is certain types of data misuse could mean you’re breaking laws worldwide. Here are some laws on data misuse you need to follow to avoid legal trouble:

General Data Protection Regulation (GDPR)

The GDPR, or General Data Protection Regulation, is a law within the European Union (EU) that went into effect in 2018.

The GDPR was implemented to set a standard and improve data protection in Europe. It was also established to increase accountability and transparency for data breaches within businesses and organisations.

The purpose of the GDPR is to protect residents within the European Union.

The penalties for breaking GDPR laws are fines up to 20 million Euros or 4% of global revenues (whichever is higher).

The GDPR doesn’t just affect companies in Europe. You can break the GDPR’s laws regardless of where your organisation is located worldwide. As long as your company collects, processes or uses the personal data of any EU resident, you’re subject to the GDPR’s rules.

If you want to track user data to grow your business, you need to ensure you’re following international data laws. Tools like Matomo—the world’s leading privacy-friendly web analytics solution—can help you achieve GDPR compliance and maintain it.

With Matomo, you can confidently enhance your website’s performance, knowing that you’re adhering to data protection laws. 

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is another important data law companies worldwide must follow.

Like GDPR, the CCPA is a data privacy law established to protect residents of a certain region — in this case, residents of California in the United States.

The CCPA was implemented in 2020, and businesses worldwide can be penalised for breaking the regulations. For example, if you’re found violating the CCPA, you could be fined $7,500 for each intentional violation.

If you have unintentional violations, you could still be fined, but at a lesser fee of $2,500.

The Gramm-Leach-Bliley Act (GLBA)

If your business is located within the United States, then you’re subject to a federal law implemented in 1999 called The Gramm-Leach-Bliley Act (GLB Act or GLBA).

The GLBA is also known as the Financial Modernization Act of 1999. Its purpose is to control the way American financial institutions handle consumer data. 

In the GLBA, there are three sections:

  1. The Financial Privacy Rule: Regulates the collection and disclosure of private financial data.
  2. Safeguards Rule: Financial institutions must establish security programs to protect financial data.
  3. Pretexting Provisions: Prohibits accessing private data using false pretences.

The GLBA also requires financial institutions in the U.S. to give their customers written privacy policy communications that explain their data-sharing practices.

4 examples of data misuse in real life

If you want to see what data misuse looks like in real life, look no further.

Big tech is central to some of the biggest data misuses and scandals.

Here are a few examples of data misuse in real life you should take note of to avoid a similar scenario:

1. Facebook election interference

One of history’s most famous examples of data misuse is the Facebook and Cambridge Analytica scandal in 2018.

During the 2018 U.S. midterm elections, Cambridge Analytica, a political consulting firm, acquired personal data from Facebook users that was said to have been collected for academic research.

Instead, Cambridge Analytica used data from roughly 87 million Facebook users. 

This is a prime example of commingling.

The result? Cambridge Analytica was left bankrupt and dissolved, and Facebook was fined $5 billion by the Federal Trade Commission (FTC).

2. Uber “God View” tracking

Another big tech company, Uber, was caught misusing data a decade ago. 

Why?

Uber implemented a new feature for its employees in 2014 called “God View.”

The tool enabled Uber employees to track riders using their app. The problem was that they were watching them without the users’ permission. “God View” let Uber spy on its riders to see their movements and locations.

The FTC ended up slapping them with a major lawsuit, and as part of their settlement agreement, Uber agreed to have an outside firm audit their privacy practices between 2014 and 2034.

3. Twitter targeted ads overstep

In 2019, Twitter was found guilty of allowing advertisers to access its users’ personal data to improve advertisement targeting.

Advertisers were given access to user email addresses and phone numbers without explicit permission from the users. The result was that Twitter ad buyers could use this contact information to cross-reference with Twitter’s data to serve ads to them.

Twitter stated that the data leak was an internal error. 

4. Google location tracking

In 2020, Google was found guilty of not explicitly disclosing how it’s using its users’ personal data, which is an example of ambiguity.

The result?

The French data protection authority fined Google $57 million.

8 ways to prevent data misuse in your company

Now that you know the dangers of data misuse and its associated penalties, it’s time to understand how you can prevent it in your company.

Here are eight ways you can prevent data misuse:

1. Track data with an ethical web analytics solution

You can’t get by in today’s business world without tracking data. The question is whether you’re tracking it safely or not.

If you want to ensure you aren’t getting into legal trouble with data misuse, then you need to use an ethical web analytics solution like Matomo.

With it, you can track and improve your website performance while remaining GDPR-compliant and respecting user privacy. Unlike other web analytics solutions that monetise your data and auction it off to advertisers, with Matomo, you own your data.

2. Don’t share data with big tech

As the data misuse examples above show, big tech companies often violate data privacy laws.

And while most of these companies, like Google, appear to be convenient, they’re often inconvenient (and much worse), especially regarding data leaks, privacy breaches and the sale of your data to advertisers.

Have you ever heard the phrase “You are the product”? When it comes to big tech, chances are if you’re getting it for free, you (and your data) are the products they’re selling.

The best way to stop sharing data with big tech is to stop using platforms like Google. For more ideas on different Google product alternatives, check out this list of Google alternatives.

3. Identity verification 

Data misuse typically isn’t a company-wide ploy. Often, it’s the lack of security structure and systems within your company. 

An important place to start is to ensure proper identity verification for anyone with access to your data.

4. Access management

After establishing identity verification, you should ensure you have proper access management set up. For example, you should only give specific access to specific roles in your company to prevent data misuse.

5. Activity logs and monitoring

One way to track data misuse or breaches is by setting up activity logs to ensure you can see who is accessing certain types of data and when they’re accessing it.

You should ensure you have a team dedicated to continuously monitoring these logs to catch anything quickly.

6. Behaviour alerts 

While manually monitoring data is important, it’s also good to set up automatic alerts if there is unusual activity around your data centres. You should set up behaviour alerts and notifications in case threats or compromising events occur.

7. Onboarding, training, education

One way to ensure quality data management is to keep your employees up to speed on data security. You should ensure data security is a part of your employee onboarding. Also, you should have regular training and education to keep people informed on protecting company and customer data.

8. Create data protocols and processes 

To ensure long-term data security, you should establish data protocols and processes. 

To protect your user data, set up rules and systems within your organisation that people can reference and follow continuously to prevent data misuse.

Leverage data ethically with Matomo

Data is everything in business.

But it’s not something to be taken lightly. Mishandling user data can break customer trust, lead to penalties from organisations and even create legal trouble and massive fines.

You should only use privacy-first tools to ensure you’re handling data responsibly.

Matomo is a privacy-friendly web analytics tool that collects, stores and tracks data across your website without breaking privacy laws.

With over 1 million websites using Matomo, you can track and improve website performance with:

  • Accurate data (no data sampling)
  • Privacy-friendly and compliant with privacy regulations like GDPR, CCPA and more
  • Advanced features like heatmaps, session recordings, A/B testing and more

Try Matomo free for 21 days. No credit card required.

Data Privacy Issues to Be Aware of and How to Overcome Them https://matomo.org/blog/2024/05/data-privacy-issues/ Thu, 09 May 2024 22:52:09 +0000

Data privacy issues are a significant concern for users globally.

Around 76% of US consumers report that they would not buy from a company they do not trust with their data. In the European Union, a 2021 study found that around 53% of EU internet users refused to let companies access their data for advertising purposes.

These findings send a clear message: if companies want to build consumer trust, they must honour users’ data privacy concerns. The best way to do this is by adopting transparent, ethical data collection practices — which also supports the simultaneous goal of maintaining compliance with regional data privacy acts.

So what exactly is data privacy?

Data privacy refers to the protections that govern how personal data is collected and used, especially with respect to an individual’s control over when, where and what information they share with others.

Data privacy also refers to the extent to which organisations and governments go to protect the personal data that they collect. Different parts of the world have different data privacy acts. These regulations outline the measures organisations must take to safeguard the data they collect from their consumers and residents. They also outline the rights of data subjects, such as the right to opt out of a data collection strategy and correct false data. 

As more organisations rely on personal data to provide services, people have become increasingly concerned about data privacy, particularly the level of control they have over their data and what organisations and governments do with their data.

Why should organisations take data privacy issues seriously?

Organisations should take data privacy seriously because consumer trust depends on it and because they have a legal obligation to do so. Doing so also helps organisations prevent threat actors from illegally accessing consumer data. Strong data privacy helps you: 

Comply with data protection acts

Organisations that fail to comply with regional data protection acts could face severe penalties. For example, consider the General Data Protection Regulation (GDPR), which is the primary data protection act for the European Union. The penalty system for GDPR fines consists of two tiers:

  • Less severe infringements — These can lead to fines of up to €10 million (or 2% of an organisation’s worldwide annual revenue from the last financial year) per infringement.
  • More severe infringements — These can lead to fines of up to €20 million (or 4% of an organisation’s worldwide annual revenue from the last financial year) per infringement.

The monetary value of these penalties is significant, so it is in the best interest of all organisations to be GDPR compliant. Other data protection acts have similar penalty systems to the GDPR. In Brazil, organisations non-compliant with the Lei Geral de Proteção de Dados Pessoais (LGPD) could be fined up to 50 million reals (USD 10 million) or 2% of their worldwide annual revenue from the last financial year.

Improve brand reputation

Research shows that 81% of consumers feel that how an organisation treats their data reflects how they treat them as a consumer. This means a strong correlation exists between how people perceive an organisation’s data collection practices and their other business activities.

Data breaches can have a significant impact on an organisation, especially their reputation and level of consumer trust. In 2022, hackers stole customer data from the Australian private health insurance company, Medibank, and released the data onto the dark web. Optus was also affected by a cyberattack, which compromised the information of current and former customers. Following these events, a study by Nature revealed that 83 percent of Australians were concerned about the security of their data, particularly in the hands of their service providers.

Protect consumer data

Protecting consumer data is essential to preventing data breaches. Unfortunately, cybersecurity attacks are becoming increasingly sophisticated. In 2023 alone, organisations like T-Mobile and Sony have been compromised and their data stolen.

One way to protect consumer data is to retain 100% data ownership. This means that no external parties can see your data. You can achieve this with the web analytics platform, Matomo. With Matomo, you can store your own data on-premises (your own servers) or in the Cloud. Under both arrangements, you retain full ownership of your data.

What are the most pressing data privacy issues that organisations are facing today?

The most pressing data privacy challenges organisations face today are complying with new data protection acts, maintaining consumer trust, and choosing the right web analytics platform. Here is a detailed breakdown of what these challenges mean for businesses.

Complying with new and emerging data protection laws

Ever since the European Union introduced the GDPR in 2018, other regions have enacted similar data protection acts. In the United States, California (CCPA), Virginia (VCDPA) and Colorado have their own state-level data protection acts. Meanwhile, Brazil and China have the General Data Protection Law (LGPD) and the Personal Information Protection Law (PIPL), respectively.

For global organisations, complying with multiple data protection acts can be tough, as each act interprets the GDPR model differently. They each have their own provisions, terminology (or different interpretations of the same terminology), and penalties.

A web analytics platform like Matomo can help your organisation comply with the GDPR and similar data protection acts. It has a range of privacy-friendly features including data anonymisation, IP anonymisation, and first-party cookies by default. You can also create and publish custom opt-out forms and let visitors view your collected data.

Maintaining consumer trust

Building (and maintaining) consumer trust is a major hurdle for organisations. Stories about data breaches and data scandals — notably the Cambridge Analytica scandal — instil fear into the public’s hearts. After a while, people wonder, “Which company is next?”

One way to build and maintain trust is to be transparent about your data collection practices. Be open and honest about what data you collect (and why), where you store the data (and for how long), how you protect the data and whether you share data with third parties. 

You should also prepare and publish your cyber incident response plan. Outline the steps you will take to contain, assess and manage a data breach.

Choosing the right web analytics platform

Organisations use web analytics to track and monitor web traffic, manage advertising campaigns and identify potential revenue streams. The most widely used web analytics platform is Google Analytics; however, many users have raised concerns about privacy issues.

When searching for a Google Analytics alternative, consider a web analytics platform that takes data privacy seriously. Features like cookieless tracking, data anonymisation and IP anonymisation will let you track user activity without collecting personal data. Custom opt-out forms will let your web visitors enforce their data subject rights.

What data protection acts exist right now?

The United States, Australia, Europe and Brazil each have data protection laws.

As time goes on and more countries introduce their own data privacy laws, it becomes harder for organisations to adapt. Understanding the basics of each act can help streamline compliance. Here is what you need to know about the latest data protection acts.

General Data Protection Regulation (GDPR)

The GDPR is a data protection act created by the European Parliament and Council of the European Union. It comprises 11 chapters covering the general provisions, principles, data subject rights, penalties and other relevant information.

The GDPR established a framework for organisations and governments to follow regarding the collection, processing, storing, transferring and deletion of personal data. Since coming into effect on 25 May 2018, other countries have used the GDPR as a model to enact similar data protection acts.

General Data Protection Law (LGPD)

The LGPD is Brazil’s main data protection act. The Federal Republic of Brazil signed the act on August 14, 2018, and it officially commenced on August 16, 2020. The act aimed to unify the 40 Brazilian laws that previously governed the country’s approach to processing personal data.

Like the GDPR, the LGPD serves as a legal framework to regulate the collection and usage of personal data. It also outlines the duties of the national data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD), which is responsible for enforcing the LGPD.

Privacy Amendment (Notifiable Data Breaches) for the Privacy Act 1988

Established by the Australian House of Representatives, the Privacy Act 1988 outlines how organisations and governments must manage personal data. The federal government has amended the Privacy Act 1988 twice — once in 2000, and again in 2014 — and is committing to a significant overhaul.

Under the new proposals, it will be easier for individuals to opt out of data collection, organisations will have to destroy collected data after a reasonable period, and small businesses will no longer be exempt from the Privacy Act.

United States

The US is one of the few countries to not have a national data protection standard

The United States does not have a federally mandated data protection act. Instead, each state has been gradually introducing its own data protection act, with the first being California, followed by Virginia and Colorado. Over a dozen other states are following suit, too.

  • California — The then-Governor of California Jerry Brown signed the California Consumer Privacy Act (CCPA) into law on June 28, 2018. The act applies to organisations with gross annual revenue of more than USD 25 million, and that buy or sell products and services to 100,000 or more households or consumers.
  • Virginia — The Virginia Consumer Data Protection Act (VCDPA) took effect on January 1, 2023. It applies to organisations that process (or control) the personal data of 100,000 or more consumers in a financial year. It also applies to organisations that process (or control) the personal data of 25,000 or more consumers and gain more than 50% of gross revenue by selling that data.
  • Colorado — Colorado Governor Jared Polis signed the Colorado Privacy Act (ColoPA) into law in July 2021. The act applies to organisations that process (or control) the personal data of 100,000 or more Colorado residents annually. It also applies to organisations that earn revenue from the sale of personal data of at least 25,000 Colorado residents.

Because the US regulations are a patchwork of differing legal acts, compliance can be a complicated endeavour for organisations operating across multiple jurisdictions. 

How can organisations comply with data protection acts?

One way to ensure compliance is to keep up with the latest data protection acts. But that is a very time-consuming task.

Over 16 US states are in the process of signing new acts. And countries like China, Turkey and Australia are about to overhaul — in a big way — their own data privacy protection acts. 

Knowledge is power. But you also have a business to run, right? 

That’s where Matomo comes in.

Streamline data privacy compliance with Matomo

Although data privacy is a major concern for individuals and companies operating in multiple parts of the world — as they must comply with new, conflicting data protection laws — it is possible to overcome the biggest data privacy issues.

Matomo enables your visitors to take back control of their data. You can choose where you store your data: on-premises or in the Cloud (EU-based). You can use various features, retain 100% data ownership, protect visitor privacy and ensure compliance.

Start your 21-day free trial of Matomo today. No credit card required.

What Is Data Ethics & Why Is It Important in Business? https://matomo.org/blog/2024/05/data-ethics/ Thu, 09 May 2024 21:49:00 +0000 https://matomo.org/?p=75026

Data is powerful — every business on earth uses data. But some are leveraging it more than others.

The problem?

Not all businesses are using data ethically.

You need to collect, store, and analyse data to grow your business. But, if you aren’t careful, you could be crossing the line with your data usage into unethical territories.

In a society where data is more valuable than ever, it’s crucial that you follow ethical practices.

In this article, we break down what data ethics is, why it’s important in business and how you can implement proper data ethics to ensure you stay compliant while growing your business.

What is data ethics?

Data ethics is how a business collects, protects and uses data.

It’s one field of ethics focused on organisations’ moral obligation to collect, track, analyse and interpret data correctly.

Data ethics analyses multiple ways we use data:

  • Collecting data
  • Generating data
  • Tracking data
  • Analysing data
  • Interpreting data
  • Implementing activities based on data

Data ethics is a field that asks, “Is this right or wrong?”

And it also asks, “Can we use data for good?”

If businesses use data unethically, they could get into serious hot water with their customers and even with the law.

You need to use data to ensure you grow your business to the best of your ability. But, to maintain a clean slate in the eyes of your customers and authorities, you need to ensure you have strong data ethics.

Why you need to follow data ethics principles

In 2018, hackers broke into British Airways’ website by inserting harmful code, leading website visitors to a fraudulent site. 

The result? 

British Airways customers gave their information to the hackers without realising it: credit cards, personal information, login information, addresses and more.

While this was a malicious attack, the reality is that data is an integral part of everyday life. Businesses need to do everything they can to protect their customers’ data and use it ethically.

Data ethics is crucial to understand as it sets the standard for what’s right and wrong for businesses. Without a clear grasp of data ethics, companies will wilfully or negligently misuse data.

With a firm foundation of data ethics, businesses worldwide can make a collective effort to function smoothly, protect their customers, and, of course, protect their own reputation. 

3 benefits of leaning into data ethics

We’re currently transitioning to a new world led by artificial intelligence.

While AI presents endless opportunities for innovation in the business world, there are also countless risks at play, and it’s never been more important to develop trust with your customers and stakeholders.

With an influx of data being created and tracked daily, you need to ensure your business is prioritising data ethics to ensure you maintain trust with your customers moving forward.

Diagram displaying the 3 benefits of data ethics - compliance, increased trust, maintain a good reputation.

Here are three benefits of data ethics that will help you develop trust, maintain a solid reputation and stay compliant to continue growing your business:

1. Compliance with data privacy

Privacy is everything. 

In a world where our data is being collected nonstop, and we live more public lives than ever with social media, AI and an influx of recording and tracking in everyday life, you need to protect the privacy of your customers.

One crucial way to protect that privacy is by complying with major data privacy regulations.

Some of the most common regulations you need to remain compliant with include:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • General Personal Data Protection Law (LGPD)
  • Privacy and Electronic Communications (EC Directive) Regulations (PECR)

While these regulations don’t directly address ethics, there’s a core overlap between privacy requirements like accountability, lawfulness and AI ethics.

Matomo ensures you protect the privacy of your web and app users so you can track and improve your website performance with peace of mind.

2. Maintain a good reputation

While data ethics can help you maintain data privacy compliance, it can also help you maintain a good reputation online and offline.

All it takes is one bad event like the British Airways breach for your company’s reputation to be ruined.

If you want to keep a solid reputation and maintain trust with your stakeholders, customers and lawmakers, then you need to focus on developing strong data ethics.

Businesses that invest time in establishing proper data ethics set the right foundation to protect their reputation, develop trust with stakeholders and create goodwill and loyalty.

3. Increased trust means greater revenue

What happens when you establish proper data ethics?

You’ll gain the trust of your customers, maintain a solid reputation and improve your brand image.

Customers who trust you to protect their privacy and data want to keep doing business with you.

So, what’s the end result for a business that values data ethics?

You’ll generate more revenue in the long run. Trust is one thing you should never put on the back burner if you have plans to keep growing your business. By leaning more into data ethics, you’ll be able to build that brand reputation that helps people feel comfortable buying your products and services on repeat.

While spending time and money on data ethics may seem like an annoyance, the reality is that it’s a business investment that will pay dividends for years to come.

5 core data ethics principles

So, what exactly is involved in data ethics?

For most people, data ethics is a pretty broad and vague term. If you’re curious about the core pillars of data ethics, then keep reading.

Here are five core data ethical principles you need to follow to ensure you’re protecting your customers’ data and maintaining trust:

Image displaying the 5 core data ethics principles - ownership, transparency, privacy, intention, outcomes.

1. Data ownership

The individual owns the data, not you. This is the first principle of data ethics. You don’t have control over someone else’s data. It’s theirs, and they have full ownership over it.

Just as stealing a TV from an electronics store is a crime, stealing (or collecting) someone’s personal data without their consent is considered unlawful and unethical.

Consent is the only way to ethically “own” someone’s data.

How can you collect someone’s data ethically?

  • Digital privacy policies
  • Signed, written agreements
  • Popups with checkboxes that allow you to track users’ behaviour

Essentially, anytime you’re collecting data from your website or app users, you need to ensure you’re asking permission for that data.

You should never assume a website visitor or customer is okay with you collecting their data automatically. Instead, ask permission to collect, track and use their data to avoid legal and ethical issues.

2. Transparency

The second core principle of data ethics within business is transparency. This means you need to be fully transparent on when, where and how you:

  • Collect data
  • Store data
  • Use data

In other words, you need to allow your customers and website visitors to have a window inside your data activities.

They need to be able to see exactly how you plan on using the data you’re collecting from them.

For example, imagine you implemented a new initiative to personalise the website experience for each user based on individual behaviour. To do this, you’ll need to track cookies. In this case, you’d need to write up a new policy stating how this behavioural data is going to be collected, tracked and used.

It’s within your website visitors’ rights to access this information so they can choose whether or not they want to accept or decline your website’s cookies.

With any new data collection or tracking, you need to be 100% clear about how you’re going to use the data. You can’t be deceptive, misleading, or withholding any information on how you will use the data, as this is unethical and, in many cases, unlawful.

3. Privacy

Another important branch of ethics is privacy. The ethical implications of this should be obvious.

When your users, visitors, or customers enter your sphere of influence and you begin collecting data on them, you are responsible for keeping that data private.

When someone accepts the terms of your data usage, they’re not agreeing to have their data released to the public. They’re agreeing to let you leverage that data as their trusted business provider to better serve them. They expect you to maintain privacy.

You can’t spread private information to third parties. You can’t blast this data to the public. 

This is especially important if someone allows you to collect and use their personally identifiable information (PII), such as:

  • First and last name
  • Email address
  • Date of birth
  • Home address
  • Phone number

To protect your audience’s data, you should only store it in a secure database. 

Screenshot example of the Matomo dashboard

For example, Matomo’s web analytics solution guarantees the privacy of both your users and analytics data.

With Matomo, you have complete ownership of your data. Unlike other web analytics solutions that exploit your data for advertising purposes, Matomo users can use analytics with confidence, knowing that their data won’t be sold to advertisers.

Learn more about data privacy with Matomo here.

4. Intention

When you collect and store data, you need to tell your users why you’re collecting their data. But there’s another principle of data ethics that goes beyond the reason you give your customers.

Intention is the reason you give yourself for collecting and using the data.

Before you start collecting and storing data, you should ask yourself the following:

  • Why you need it
  • What you’ll gain from it
  • What changes you’ll be able to make after you analyse the data

If your intention is wrong in any way, it’s unethical to collect the data:

  • You’re collecting data to hurt others
  • You’re collecting data to profit from your users’ weaknesses
  • You’re collecting data for any other malicious reason

When you collect data, you need to have the right intentions to maintain proper data ethics; otherwise, you could harm your brand, break trust and ruin your reputation.

5. Outcomes

You may have the best intentions, but sometimes, there are negative outcomes from data use.

For example, British Airways’ intention was not to allow hackers to gain access and harm their users. But the reality is that their customers’ data was stolen and used for malicious purposes. While this isn’t technically unlawful, the outcome of collecting data ended badly.

To ensure proper data ethics, you must have good standing with your data. This means protecting your users at all costs, maintaining a good reputation and ensuring proper privacy measures are set up.

How to implement data ethics as a business leader

As a business leader, CTO or CEO, it’s your responsibility to implement data ethics within your organisation. Here are some tips to implement data ethics based on the size and stage of your organisation:

Startups

If you’re a startup, you need to be mindful of which technology and tools you use to collect, store and use data to help you grow your business.

It can be a real challenge to juggle all the moving parts of a startup since things can change so quickly. However, it’s crucial to establish a leader and allow easy access to ethical analysis resources to maintain proper data ethics early on.

Small and medium-sized businesses

As you begin scaling, you’ll likely be using even more technology. With each new business technique you implement, there will be new ways you’ll be collecting user data. 

One of the key processes involved in managing data as you grow is to hire engineers who build out different technologies. You must have protocols, best practices and management overseeing the new technologies being built to ensure proper data ethics.

Global businesses

Have you scaled internationally?

There will be even more rules, laws, regulations and organisations to answer to if you start managing data unethically.

You should have established teams or departments to ensure you follow proper privacy and data protocols worldwide. When you have a large organisation, you have more money and vast amounts of data. This makes you a bigger target for leaks, ransomware and hackers.

You should ensure you have cross-departmental groups working to establish ongoing protocols and training to keep your data management in good standing.

Leverage data ethically with Matomo

Data is powerful.

It’s a crucial point of leverage that’s required to stay competitive.

However, improper use and management of data can give you a bad reputation, break trust and even cause you legal trouble.

That’s why you must maintain good data ethics within your organisation.

One of the most important places to set up proper data ethics and privacy measures is with your website analytics.

Matomo is the leading, privacy-friendly web analytics solution in the world. It automatically collects, stores, and tracks data across your website ethically.

With over 1 million websites using Matomo, you get to take full control over your website performance with:

  • Accurate data (no data sampling)
  • Privacy-friendly and GDPR-compliant analytics
  • Open-source for transparency and to create a custom solution for you

Try Matomo free for 21 days. No credit card required.

Virginia Consumer Data Protection Act (VCDPA) Guide https://matomo.org/blog/2023/09/vcdpa/ Wed, 27 Sep 2023 04:07:12 +0000 https://matomo.org/?p=69879

Do you run a for-profit organisation in the United States that processes personal and sensitive consumer data? If so, you may be concerned about the growing number of data privacy laws cropping up from state to state.

Ever since the California Consumer Privacy Act (CCPA) came into effect on January 1, 2020, four other US states — Connecticut, Colorado, Utah and Virginia — have passed their own data privacy laws. Each law uses the CCPA as a foundation but slightly deviates from the formula. This is a problem for US organisations, as they cannot apply the same CCPA compliance framework everywhere else.

In this article, you’ll learn what makes the Virginia Consumer Data Protection Act (VCDPA) unique and how to ensure compliance.

What is the VCDPA?

Signed by Governor Ralph Northam on 2 March 2021, and brought into effect on 1 January 2023, the VCDPA is a new data privacy law. It gives Virginia residents certain rights regarding how organisations process their personal and sensitive consumer data.

The law contains several provisions, which define:

  • Who must follow the VCDPA
  • Who is exempt from the VCDPA
  • The consumer rights of data subjects
  • Relevant terms, such as “consumers,” “personal data,” “sensitive data” and the “sale of personal data”
  • The rights and responsibilities of data controllers
  • What applicable organisations must do to ensure VCDPA compliance

These guidelines define the data collection practices that VCDPA-compliant organisations must comply with. The practices are designed to protect the rights of Virginia residents who have their personal or sensitive data collected.

What are the consumer rights of VCDPA data subjects?

There are seven consumer rights that protect residents who fit the definition of “data subjects” under the new Virginia data privacy law. 

A data subject is an “identified or identifiable natural person” who has their information collected. Personally identifiable information includes a person’s name, address, date of birth, religious beliefs, immigration status, status of child protection assessments, ethnic origin and more.

Below is a detailed breakdown of each VCDPA consumer right:

  1. Right to know, access and confirm personal data: Data subjects have the right to know that their data is being collected, the right to access their data and the right to confirm that the data being collected is accurate and up to date.
  2. Right to delete personal data: Data subjects have the right to request that their collected personal or sensitive consumer data be deleted.
  3. Right to correct inaccurate personal data: Data subjects have the right to request that their collected data be corrected.
  4. Right to data portability: Data subjects have the right to obtain their collected data and, when reasonable and possible, request that their collected data be transferred from one data controller to another.
  5. Right to opt out of data processing activity: Data subjects have the right to opt out of having their personal or sensitive data collected.
  6. Right to opt out of the sale of personal and sensitive consumer data: Data subjects have the right to opt out of having their collected data sold to third parties.
  7. Right to not be discriminated against for exercising one’s rights: Data subjects have the right to not be discriminated against for exercising their right to not have their personal or sensitive consumer data collected, processed and sold to third parties for targeted advertising or other purposes.

Who must comply with the VCDPA?

The VCDPA applies to for-profit organisations. Specifically, those that operate and offer products or services in the state of Virginia.

Additionally, for-profit organisations that fit under either of these two categories must comply with the VCDPA:

  • Collect and process the personal data of at least 100,000 Virginia residents within a financial year or
  • Collect and process the personal data of at least 25,000 Virginia residents and receive at least 50% of gross revenue by selling personal or sensitive data.

If a for-profit organisation is based outside the state of Virginia and falls into one of the categories above, it must comply with the VCDPA. Eligibility requirements also apply, regardless of the revenue threshold of the organisation in question. Large organisations can avoid VCDPA compliance if they don’t meet either of the above two eligibility requirements.

What types of consumer data does the VCDPA protect?

The two main types of data that apply to the VCDPA are personal and sensitive data. 

Personal data is either identified or personally identifiable information, such as home address, date of birth or phone number. Information that is publicly available or has been de-identified (dissociated with a natural person or entity) is not considered personal data.

Sensitive data is a category of personal data. It’s data that’s either the collected data of a known child or data that can be used to form an opinion about a natural person or individual. Examples of sensitive data include information about a person’s ethnicity, religion, political beliefs and sexual orientation. 

It’s important that VCDPA-compliant organisations understand the difference between the two data types, as failure to do so could result in penalties of up to $7,500 per violation. For instance, if an organisation wants to collect sensitive data (and they have a valid reason to do so), they must first ask for consent from consumers. If the organisation in question fails to do so, then they’ll be in violation of the VCDPA, and may be subject to multiple penalties — equal to however many violations they incur.

A 5-step VCDPA compliance framework

Getting up to speed with the terms of the VCDPA can be challenging, especially if this is your first time encountering such a law. That said, even organisations that have experience with data privacy laws should still take the time to understand the VCDPA.

Here’s a simple 5-step VCDPA compliance framework to follow.

1. Assess data

First off, take the time to become familiar with the Virginia Consumer Data Protection Act (VCDPA). Then, read the ‘Who must comply with the VCDPA?’ section of this article, and use this information to determine if the law applies to your organisation.

How do you know if you reach the data subject threshold? Easy. Use a web analytics platform like Matomo to see where your web visitors are, how many of them (from that specific region) are visiting your website and how many of them you’re collecting personal or sensitive data from.

To do this in Matomo, simply open the dashboard, look at the “Locations” section and use the information on display to see how many Virginia residents are visiting your website.

Matomo lets you easily view your visitors by region

Using the dashboard will help you determine if the VCDPA applies to your company.

2. Evaluate your privacy practices

Review your existing privacy policies and practices and update them to comply with the VCDPA. Ensure your data collection practices protect the confidentiality, integrity and accessibility of your visitors’ data.

One way to do this is to automatically anonymise visitor IPs, which you can do in Matomo. In fact, the feature is enabled by default.

Another great thing about IP anonymisation is that after a visitor leaves your website, any evidence of them ever visiting is gone, and such information cannot be tracked by anyone else. 

3. Inform data subjects of their rights

To ensure VCDPA compliance in your organisation, you must inform your data subjects of their rights, including their right to access their data, their right to transfer their data to another controller and their right to opt out of your data collection efforts.

That last point is one of the most important, and to ensure that you’re ready to respond to consumer rights requests, you should prepare an opt-out form in advance. If a visitor wants to opt out from tracking, they’ll be able to do so quickly and easily. Not only will this help you be VCDPA compliant, but your visitors will also appreciate the fact that you take their privacy seriously.

To create an opt-out form in Matomo, visit the privacy settings section (click on the cog icon in the top menu) and click on the “Users opt-out” menu item under the Privacy section. After creating the form, you can then customise and publish the form as a snippet of HTML code that you can place on the pages of your website.

4. Review vendor contracts

Depending on the nature of your organisation, you may have vendor contracts with a third-party business associate. These are individuals or organisations, separate from your own, that contribute to the successful delivery of your products and services.

You may also engage with third parties that process the data you collect, as is the case for many website owners that use Google Analytics (to which there are many alternatives) to convert visitor data into insights. 

Financial institutions, such as stock exchange companies, also rely on third-party data for trading. If this is the case for you, then you likely have a Data Processing Agreement (DPA) in place — a legally binding document between you (the data controller, who dictates how and why the collected data is used) and the data processor (who processes the data you provide to them).

To ensure that your DPA is VCDPA compliant, make sure it contains the following items:

  • Definition of terms
  • Instructions for processing data
  • Limits of use (explain what all parties can and cannot do with the collected data)
  • Physical data security practices (e.g., potential risks, risk of harm and control measures)
  • Data subject rights
  • Consumer request policies (i.e., must respond within 45 days of receipt)
  • Privacy notices and policies

5. Seek expert legal advice

To ensure your organisation is fully VCDPA compliant, consider speaking to a data and privacy lawyer. They can help you better understand the specifics of the law, advise you on where you fall short of compliance and what you must do to become VCDPA compliant.

Data privacy lawyers can also help you draft a meaningful privacy notice, which may be useful in modifying your existing DPAs or creating new ones. If needed, they can also advise you on areas of compliance with other state-specific data protection acts, such as the CCPA and newly released laws in Colorado, Connecticut and Utah.

How does the VCDPA differ from the CCPA?

Although the VCDPA has many similarities to the CCPA, the two laws still have their own approach to applying the law. 

Here’s a quick breakdown of the main differences that set these laws apart.

Definition of a consumer

Under the VCDPA, a consumer is a “natural person who is a Virginia resident acting in an individual or household context.” Meanwhile, under the CCPA, a consumer is a “natural person who is a California resident acting in an individual or household context.” However, the VCDPA omits people in employment contexts, while the CCPA doesn’t. Hence, under the VCDPA, organisations don’t need to consider employee data.

Sale of personal data

The VCDPA defines the “sale of personal data” as an exchange “for monetary consideration” by the data controller to a data processor or third party. This means that, under the VCDPA, an act is only considered a “sale of personal data” if there is monetary value attached to the transaction.

This contrasts with the CCPA, which also counts “other valuable considerations” as a factor when determining if the sale of personal data has occurred.

Right to opt out

Just like the CCPA, the VCDPA clearly outlines that organisations must respond to a user request to opt out of tracking. However, unlike the CCPA, the VCDPA does not give organisations any exceptions to such a right. This means that, even if the organisation believes that the request is impractical or hard to pull off, it must comply with the request under any circumstances, even in instances of hardship.

Ensure VCDPA compliance with Matomo

The VCDPA, like many other data privacy laws in the US, is designed to enhance the rights of Virginia consumers who have their personal or sensitive data collected and processed. Fortunately, this is where platforms like Matomo can help.

Matomo is a powerful web analytics platform that has built-in features to help you comply with the VCDPA. These include options like:

Try out the free 21-day Matomo trial today. No credit card required.

LGPD: Demystifying Brazil’s New Data Protection Law https://matomo.org/blog/2023/08/lgpd/ Thu, 31 Aug 2023 04:03:02 +0000 https://matomo.org/?p=69094

The General Personal Data Protection Law (LGPD or Lei Geral de Proteção de Dados Pessoais) is a relatively new legislation passed by the Brazilian government in 2018. The law officially took effect on September 18, 2020, but was not enforced until August 1, 2021, due to complications from the COVID-19 pandemic.

For organisations that do business in Brazil and collect personal data, the LGPD has far-reaching implications, with 65 separate articles that outline how organisations must collect, process, disclose and erase personal data.

In this article, you’ll learn what the LGPD is, including its contents and how a legal entity can be compliant.

What is the LGPD?

The LGPD is a new data protection and privacy law passed by the Federal Brazilian Government on May 29, 2018. The purpose of the law is to unify the 40 previous Brazilian laws that regulated the processing of personal data.

Many of the older laws have been either updated or removed to accommodate this change. The LGPD comprises 65 separate articles, and each covers a different area of the legislation, such as the rights of data subjects and the legal bases on which personal data may be collected. It also sets out the responsibilities of the National Data Protection Authority (ANPD), a newly created agency responsible for the guidance, supervision and enforcement of the LGPD.

LGPD compliance is essential for organisations wishing to operate in Brazil and collect personal data for commercial purposes, whether online or offline. However, understanding the different rules and regulations and even figuring out if the LGPD applies to you can be challenging.

Fortunately, the LGPD is relatively easy to understand and shares many similarities with the General Data Protection Regulation (GDPR), the data protection law implemented on May 25, 2018, by the European Union. This may help you better understand why the LGPD was enacted, the policies it contains and the goals it hopes to achieve. Both laws are very similar, but some items are unique to Brazil, such as what qualifies as a legal basis for collecting personal data.

For these reasons, organisations should not apply a one-size-fits-all approach to GDPR and LGPD compliance, for they are different laws with different guiding principles and requirements.

Who does the LGPD apply to, and who is exempt?

The LGPD applies to any natural person, public entity and private entity that collects, processes and stores personal data for commercial purposes within the national territory of Brazil. The same also applies to those who process the personal data of Brazilian and non-Brazilian citizens within the national territory of Brazil, even if the data processor is outside of Brazil. It also applies to those who process personal data collected from the national territory of Brazil.

So, what does this all mean? 

Regardless of your location, if you conduct any personal data processing activities in Brazil or you process data that was collected from Brazil, then there is a high possibility that the LGPD applies to you. This is especially true if the data processing is for commercial purposes; or, to be more precise, for the offering or provision of goods or services. It also means that subjects whose personal data is collected under these conditions are protected by the nine data subject rights.

There are exceptions where the LGPD does not apply to data processors. These include if you process personal data for private or non-commercial reasons; for artistic, journalistic and select academic purposes; and for the purpose of state security, public safety, national defence and activities related to the investigation and prosecution of criminal offenders. Also, if the processed data originates from a country with similar data protection laws to Brazil, such as any country in the European Union (where the GDPR applies), then the LGPD will not apply to that individual or organisation.

For these reasons, it is vital that you are familiar with the LGPD so that your data processing activities comply with the new standards. This is also important for the future, as an estimated 75% of the global population’s personal data will be protected by a privacy regulation. Getting things right now will make life easier moving forward.

What are the nine LGPD data subject rights?

The LGPD has nine data subject rights. These protect the rights and freedoms of subjects, regardless of their political opinion and religious belief.

These rights, listed under Article 19 of the LGPD, confirm that a data subject has the right to:

  1. Confirm the processing of their data.
  2. Access their data.
  3. Correct data that is incomplete, inaccurate or out of date.
  4. Anonymize, block or delete data that is excessive, unnecessary or not processed in compliance with the law.
  5. Move their data to a different service provider or product provider by special request.
  6. Delete or stop using personal data under certain circumstances.
  7. Gain information about who the data processor has shared the processed data with, including private and public entities.
  8. Be informed as to what the consequences may be for denying consent to the collection of personal data.
  9. Revoke consent to have their personal data processed under certain conditions.

Many of these data subject rights resemble those in the GDPR. For example, both the GDPR and LGPD give data subjects the right to be informed, the right to access, the right to data portability and the right to rectify false data. However, while the LGPD has nine data subject rights, the GDPR has only eight. What is the extra data subject right? The right to gain information on who a data processor has shared your data with.

There are other slight differences between the GDPR and LGPD with regard to data subject rights. For instance, the GDPR has a clear right to restrict certain data processing activities, such as those related to automation. The LGPD has this, too. But the subject of data collection automation is under Article 20, separate from all the data subject rights listed under Article 19.

Under what conditions can personal data in Brazil be processed?

There are various conditions under which organisations can legally conduct personal data processing in Brazil. The aim of these conditions is to give data subjects confidence that their personal data is processed only for safe, legal and ethical reasons. The conditions also help data processors, both individuals and organisations, determine if they have a legal basis for processing personal data in or in relation to Brazil.

Legal basis of data collection in Brazil

According to Article 7 of the LGPD, data processing may only be carried out if done:

  1. With consent by the data subject.
  2. To comply with a legal or regulatory obligation.
  3. By public authorities to assist with the execution of a public policy, one established by law or regulation.
  4. To help research entities carry out studies; granted, when possible, subjects can anonymize their data.
  5. To carry out a contract or preliminary procedure, in particular, one related to a contract where the data subject is a party.
  6. To exercise the right of an arbitration, administration or judicial procedure.
  7. To protect the physical safety or life of someone.
  8. To protect the health of someone about to undergo a procedure performed by health entities.
  9. To fulfill the legitimate interests of a data processor, unless doing so would compromise a data subject’s fundamental rights and liberties.
  10. To protect one’s credit score.

As with the nine data subject rights, there are key differences between the LGPD and GDPR here. The GDPR has six lawful bases for data processing, while the LGPD has ten. One notable addition to the LGPD is for the protection of one’s credit score, which is not covered by the GDPR. This is another reason to ensure compliance with both data protection laws separately.

LGPD vs. GDPR: How do they differ?

The LGPD was modeled closely on the GDPR, so it’s no surprise the two are similar. 

Both laws ensure a high level of protection for the rights and freedoms of data subjects. They outline the legal justifications for data processing, establish the responsibilities of a data protection authority and lay out the penalties for non-compliance. That said, there are key differences between them.

First, data subject rights; the LGPD has nine, while the GDPR has eight. The GDPR gives data subjects the right to request a human review of automated decision-making, while the LGPD does not. Second, the legal bases for processing; the LGPD has ten, while the GDPR has six. The four legal bases unique to the LGPD are: for protection of credit, for protection of health, for protection of life and for research entities carrying out studies.

The LGPD and GDPR also have different non-compliance penalties. The maximum fine for an infraction under the GDPR is up to €20 million (or 4% of the offender’s annual global revenue, whichever is higher). The maximum fine for an LGPD infraction is up to 50 million reais (around €9.2 million), or up to 2% of an offender’s revenue in Brazil, whichever is higher.

6 steps to LGPD compliance with Matomo

Below are steps you can follow to ensure your organisation is LGPD compliant. You’ll also learn how Matomo can help you comply quickly and easily.

How to ensure compliance with LGPD

Let’s dive in.

1. Appoint a DPO

A DPO is a person, group, or organisation that communicates with data processors, data subjects, and the ANPD.

Curiously, the LGPD lets you appoint your own DPO, even if they reside outside Brazil. So if the LGPD applies to you, you can appoint someone in your organisation to be a DPO. Just make sure that the nominated person has the understanding and capacity to perform the role’s duties.

2. Assess your data

Once you’re familiar with the LGPD and confirm your eligibility for LGPD compliance, take the time to assess your data. If you plan to collect data within the territory of Brazil, you’ll need to confirm the exact location of your data subjects. 

To do this in Matomo, simply go to the previous year’s calendar. Then click on visitors, go to locations, and look for Brazil under the “Region” section. This will tell you how many of your web visitors are located in Brazil.

Matomo data subject locations

3. Review privacy practices

Review your existing privacy policies and practices, as there’s a good chance they’ll need to be updated to comply with the LGPD. Also, review your data sharing and third-party agreements, as you may need to communicate these new policies to partners that you rely on to deliver your services. 

Lastly, review your procedures for tracking personal data and Personally Identifiable Information (PII). You may need to modify the type of data that you track to comply with the LGPD. You may even be tracking this data without your knowledge.

4. Anonymize tracking data

Data subjects under the LGPD have the right to request data anonymity. Therefore, to be LGPD compliant, your organisation must be able to accommodate such a request.

Fortunately, Matomo has various data anonymization techniques that help you protect your data subject’s privacy and comply with the LGPD. These techniques include the ability to anonymize previously tracked raw data, anonymize visitor IP addresses, and anonymize relevant geo-location data such as regions, cities and countries.

Matomo data anonymity feature

You can find these features and more under the Anonymize data tab within the Privacy menu on the Matomo Settings page. Learn more about how to configure privacy settings in Matomo.

5. Comply with LGPD consent laws without cookies

Using Matomo to anonymize the data of your data subjects enables you to comply with LGPD consent laws and removes the need to display cookie consent banners on your website. This is made possible by the fact that Matomo is a cookieless tracking web analytics platform.

Other web analytics platforms, like Google Analytics, collect and use third-party cookies (persistent data that remains on your device until that data expires or until you manually delete it) for their “own purposes.” Matomo is different. We use alternative means to identify web visitors, such as counting the number of unique IP addresses and performing browser fingerprinting, neither of which involves the collection of personal data.

As a result, you don’t have to display cookie consent banners on your website, and you can track your web visitors even if they disable cookies.

6. Give users the right to opt-out

Under the LGPD, data subjects have the right to opt-out of your data collection procedures. For this reason, make sure that your web visitors can do this on your website.

Matomo tracking opt-out feature

You can do this in Matomo by adding an opt-out from tracking form to your website. To do this, click on the cog icon in the top menu, load the settings page, and click on the Users opt-out menu item in the Privacy section. Then follow the instructions to customise and publish the Matomo opt-out form.

Achieve LGPD compliance with Matomo

Like GDPR for Europe, the LGPD will impact organisations doing business in Brazil. And while they both share many of the same definitions and data subject rights, they differ on what qualifies as a legal basis for processing sensitive data. Complying with the GDPR and LGPD separately is non-negotiable and essential to avoiding maximum fines of €20 million and €9.2 million, respectively.

Comply with LGPD with Matomo

As a web analytics platform with LGPD compliance, Matomo prioritises data privacy without compromising performance. Switch to a powerful LGPD-compliant web analytics platform that respects users’ privacy. 

Get a 21-day free trial of Matomo today. No credit card required.

Disclaimer

We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to LGPD. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.

]]>
How to ensure CCPA compliance in 2024 https://matomo.org/blog/2023/08/ccpa-compliance/ Fri, 18 Aug 2023 02:35:11 +0000 https://matomo.org/?p=68692 Read More

]]>

The California Consumer Privacy Act (CCPA) is a state law that enhances privacy rights and consumer protection for residents of California. 

It grants consumers six rights, such as the right to know what personal information is being collected about them by businesses and others. 

CCPA also requires businesses to provide notice of data collection practices. Consumers can choose to opt out of the sale of their data. 

In this article, we’ll learn more about the scope of CCPA, the penalties for non-compliance and how our web analytics tool, Matomo, can help you create a CCPA-compliant framework.

What is the CCPA? 

CCPA was implemented on January 1, 2020. It ensures that businesses securely handle individuals’ personal information and respect their privacy in the digital ecosystem. 

How does CCPA compliance add value

CCPA addresses the growing concerns over privacy and data protection; 40% of US consumers share that they’re worried about digital privacy. With the increasing amount of personal information being collected and shared by businesses, there was a need to establish regulations to provide individuals with more control and transparency over their data. 

CCPA aims to protect consumer privacy rights and promote greater accountability from businesses when handling personal information.

Scope of CCPA 

The scope of CCPA includes for-profit businesses that collect personal information from California residents, regardless of where you run the business from.

It defines three thresholds that determine the inclusion criteria for businesses subject to CCPA regulations. 

Businesses need to abide by CCPA if they meet any of the three thresholds:

  1. Revenue threshold: Have an annual gross revenue of over $25 million.
  2. Consumer threshold: Businesses that purchase, sell or distribute the personal information of 100,000 or more consumers, households or devices.
  3. Data threshold: Businesses that earn at least half of their revenue annually from selling the personal information of California residents.

What are the six consumer rights under the CCPA? 

Here’s a short description of the six consumer rights. 

The six rights of consumers under CCPA
  1. Right to know: Under this right, you can ask a business to disclose the specific personal information it collects about you and the categories of sources of that information. You can also learn the purpose of collection and the third parties to which the business will disclose this information. This allows consumers to understand what information is being held and how it is used. You can request this information for free twice a year.

  2. Right to delete: Consumers can request the deletion of their personal information. Companies must comply, with some exceptions.

  3. Right to opt-out: Consumers can deny the sale of their personal information. Companies must provide a link on their homepage for users to exercise this right. After you choose this, companies can’t sell your data unless you authorise them to do so later.

  4. Right to non-discrimination: Consumers cannot be discriminated against for exercising their CCPA rights. For instance, a company cannot charge different prices, provide a different quality of service or deny services.

  5. Right to correct: Consumers can request to correct inaccurate personal information.

  6. Right to limit use: Consumers can specify how they want the businesses to use their sensitive personal information. This includes social security numbers, financial account details, precise geolocation data or genetic data. Consumers can direct businesses to use this sensitive information only for specific purposes, such as providing the requested services.

Penalties for CCPA non-compliance 

52% of organisations have yet to adopt CCPA principles as of 2022. Non-compliance can attract penalties.

Section 1798.155 of the CCPA states that any business that doesn’t comply with CCPA’s terms can face penalties based on the consumer’s private right to action. Consumers can directly take the company to the civil court and don’t need prosecutors’ interventions. 

Businesses get 30 days to make amends for their actions. 

If that’s also not possible, the business may receive a civil penalty of up to $2,500 per violation. Violations can be of any kind, even accidental. An intentional violation can attract a fine of $7,500. 

Consumers can also initiate private lawsuits to claim damages that range from $100 to $750, or actual damages (whichever is higher), for each occurrence of their unredacted and unencrypted data being breached on a business’s server.

CCPA vs. GDPR 

Both CCPA and GDPR aim to enhance individuals’ control over their personal information and provide transparency about how their data is collected, used and shared. The comparison between the CCPA and GDPR is crucial in understanding the regulatory framework of data protection laws.

Here’s how CCPA and GDPR differ:

Scope

  • CCPA is for businesses that meet specific criteria and collect personal information from California residents. 
  • GDPR (General Data Protection Regulation) applies to businesses that process the personal data of citizens and residents of the European Union.

Definition of personal information

  • CCPA defines personal information broadly, including identifiers such as IP addresses and households. Examples include name, email id, location and browsing history. However, it excludes HIPAA-protected medical data, clinical trial data and other personal information from government records.
  • GDPR covers any personal data relating to an identified or identifiable individual, excluding households. Examples include the phone number, email address and personal identification number. It excludes anonymous data and the data of deceased persons.
Personal information definition under CCPA and GDPR

Consent

  • Under the CCPA, consumers can opt out of the sale of their personal information.
  • GDPR states that organisations should obtain explicit consent from individuals for processing their personal data.

Rights

  • CCPA grants the right to know what personal information is being collected and the right to request deletion of their personal information.
  • GDPR also gives individuals various rights, such as the right to access and rectify their personal data, the right to erasure (also known as the right to be forgotten) and also the right to data portability. 

Enforcement

  • For CCPA, businesses may have to pay $7,500 for each violation. 
  • GDPR has stricter penalties for non-compliance, with fines of up to 4% of the global annual revenue of a company or €20 million, whichever is higher.

A 5-step CCPA compliance framework 

Here’s a simple framework you can follow to ensure compliance with CCPA. Alongside this, we’ll also share how Matomo can help. 

Matomo is an open-source web analytics platform trusted by organisations like the United Nations, NASA and more. It provides valuable insights into website traffic, visitor behaviour and marketing effectiveness. More than 1 million websites and apps (approximately 1% of the internet!) use our solution, and it’s available in 50+ languages. Below, we’ll share how you can use Matomo to be CCPA compliant.

1. Assess data

First, familiarise yourself with the California Consumer Privacy Act and check your eligibility for CCPA compliance. 

For example, as mentioned earlier, one threshold applies to a business that purchases, receives or sells the personal data of 100,000 or more individuals or households.

But how do you know if you have crossed 100K? With Matomo! 

Go to last year’s calendar, select visitors, then go to locations and under the “Region” option, check for California. If you’ve crossed 100K visitors, you know you have to become CCPA compliant.

View geolocation traffic details in Matomo

Identify and assess the personal information you collect with Matomo.

2. Evaluate privacy practices

Review the current state of your privacy policies and practices. Conduct a thorough assessment of data sharing and third-party agreements. Then, update policies and procedures to align with CCPA requirements.

For example, you can anonymise IP addresses with Matomo to ensure that user data collected for web analytics purposes cannot be used to trace back to specific individuals.

Using Matomo to anonymize visitors' IP addresses

If you have a consent management solution to honour user requests for data privacy, you can also integrate Matomo with it. 

3. Communicate 

Inform consumers about their CCPA rights and how you handle their data.

Establish procedures for handling consumer requests and obtaining consent. For example, you can add an opt-out form on your website with Matomo. You can also use Matomo to disable cookies on your website.

Screenshot of a command line disabling cookies

Documenting your compliance efforts, including consumer requests and how you responded to them, is a good idea. Finally, educate staff on CCPA compliance and their responsibilities to work collaboratively.

4. Review vendor contracts

Assessing vendor contracts allows you to determine if they include necessary data processing agreements. You can also identify if vendors are sharing personal information with third parties, which could pose a compliance risk. Verify if vendors have adequate security measures in place to protect the personal data they handle.

For this reason, review and update agreements to include provisions for data protection, privacy and CCPA requirements.

Establish procedures to monitor and review vendor compliance with CCPA regularly. This may include conducting audits, requesting certifications and implementing controls to mitigate risks associated with vendors handling personal data.

5. Engage legal counsel

Consider consulting with legal counsel to ensure complete understanding and compliance with CCPA regulations.

Finally, stay updated on any changes or developments related to CCPA and adjust your compliance efforts accordingly.

Matomo and CCPA compliance 

There’s an increasing emphasis on privacy regulations like CCPA. Matomo offers a robust solution that allows businesses to be CCPA-compliant without sacrificing the ability to track and analyse crucial data.

You can gain in-depth insights into user behaviour and website performance — all while prioritising data protection and privacy. 

Request a demo or sign up for a free 21-day trial to get started with our powerful CCPA-compliant web analytics platform — no credit card required. 

Disclaimer

We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to CCPA. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.

]]>
Data Privacy in Business: A Risk Leading to Major Opportunities  https://matomo.org/blog/2022/08/data-privacy-in-business-risks-and-opportunities/ Tue, 09 Aug 2022 21:27:34 +0000 https://matomo.org/?p=56999 Read More

]]>

Data privacy in business is a contentious issue. 

Claims that “big data is the new oil of the digital economy” and strong links between “data-driven personalisation and customer experience” encourage leaders to set up massive data collection programmes.

However, many of these conversations downplay the magnitude of security, compliance and ethical risks companies face when betting too much on customer data collection. 

In this post, we discuss the double-edged nature of privacy issues in business: the risk-ridden and the opportunity-driven.

3 Major Risks of Ignoring Data Privacy in Business

As the old adage goes: Just because everyone else is doing it doesn’t make it right.

Easy data accessibility and the ubiquity of analytics tools make consumer data collection and processing sound like a “given”. But the decision to do so opens your business to a spectrum of risks. 

1. Compliance and Legal Risks 

Data collection and customer privacy are protected by a host of international laws including GDPR, CCPA, and regional regulations. Only 15% of countries (mostly developing ones) don’t have dedicated laws for protecting consumer privacy. 

State of global data protection legislation via The UN

Global legislation includes provisions on: 

  • Collectible data types
  • Allowed uses of obtained data 
  • Consent to data collection and online tracking 
  • Rights to request data removal 

Personally identifiable information (PII) processing is prohibited or strictly regulated in most jurisdictions. Yet businesses repeatedly circumvent existing rules and break them on occasion.

In Australia, for example, only 2% of brands use logos, icons or messages to transparently call out online tracking, data sharing or other specific uses of data at the sign-up stage. In Europe, around half of small businesses are still not fully GDPR-compliant — and Big Tech companies like Google, Amazon and Facebook can’t get a grip on their data collection practices even when pressed with horrendous fines. 

Although the media mostly reports on compliance fines for “big names”, smaller businesses are increasingly receiving more scrutiny. 

As Max Schrems, an Austrian privacy activist and founder of noyb NGO, explained in a Matomo webinar:

“In Austria, my home country, there are a lot of €5,000 fines going out there as well [to smaller businesses]. Most of the time, they are just not reported. They just happen below the surface. [GDPR fines] are already a reality.”

In April 2022, the EU Court of Justice ruled that consumer groups can autonomously sue businesses for breaches of data protection — and nonprofit organisations like noyb enable more people to do so. 

Finally, new data privacy legislation is underway across the globe. In the US, Colorado, Connecticut, Virginia and Utah have data protection acts at different stages of approval. South African authorities are working on the Protection of Personal Information (POPI) Act and Brazil is working on a local General Data Protection Law (LGPD).

Re-thinking your stance on user privacy and data protection now can significantly reduce the compliance burden in the future. 

2. Security Risks 

Data collection also mandates data protection for businesses. Yet, many organisations focus on the former and forget about the latter. 

Lenient attitudes to consumer data protection have resulted in a major spike in data breaches.

Check Point research found that cyberattacks increased 50% year-over-year, with each organisation facing 925 cyberattacks per week globally.

Many of these attacks end up being successful due to poor data security. As a result, billions of stolen consumer records become publicly available or get sold on dark web marketplaces.

What’s even more troublesome is that stolen consumer records are often purchased by marketing firms or companies specialising in spam campaigns. Buyers can also use stolen emails to distribute malware, stage phishing and other social engineering attacks – and harvest even more data for sale.

One business’s negligence creates a snowball effect of negative changes down the line, with customers bearing the brunt of it all. 

In 2020, hackers successfully targeted a Finnish psychotherapy practice. They managed to steal hundreds of patient records and then demanded a ransom both from the firm and its patients for not exposing information about their mental health issues. Many patients refused to pay the hackers and some 300 records ended up being posted online, as the Associated Press reported.

Not only did the practice have to deal with the cyber-breach aftermath, but it also faced vocal regulatory and patient criticisms for failing to properly protect such sensitive information.

Security negligence can carry both direct (heavy data breach fines) and indirect losses in the form of reputational damages. An overwhelming 90% of consumers say they wouldn’t buy from a business if it doesn’t adequately protect their data. This brings us to the last point. 

3. Reputational Risks 

Trust is the new currency. Data negligence and consumer privacy violations are the two fastest ways to lose it. 

Globally, consumers are concerned about how businesses collect, use, and protect their data. 

Consumer data sharing attitudes
  • According to Forrester, 47% of UK adults actively limit the amount of data they share with websites and apps. 49% of Italians express willingness to ask companies to delete their personal data. 36% of Germans use privacy and security tools to minimise online tracking of their activities. 
  • A GDMA survey also notes that globally, 82% of consumers want more control over their personal information shared with companies. 77% also expect brands to be transparent about how their data is collected and used. 

When businesses fail to hold up their end of the bargain (collect just the right amount of data and use it with integrity), consumers are fast to cut ties. 

Once the information about privacy violations becomes public, companies lose: 

  • Brand equity 
  • Market share 
  • Competitive positioning 

An AON report estimates that post-data breach companies can lose as much as 25% of their initial value. In some cases, the losses can be even higher. 

In 2015, British telecom TalkTalk suffered a major data breach. Over 150,000 customer records were stolen by hackers. To contain the issue, TalkTalk had to throw between $60 million and $70 million into containment efforts. Still, they lost over 100,000 customers in a matter of months and one-third of their company value, equivalent to $1.4 billion, by the end of the year.

Fresher data from Infosys gives the following maximum cost estimates of the brand damage companies could experience after a data breach (accidental or malicious).

Estimated cost of brand damage due to a data breach

3 Major Advantages of Privacy in Business 

Despite all the industry mishaps, a reassuring 77% of CEOs now recognise that their companies must fundamentally change their approaches to customer engagement, in particular when it comes to ensuring data privacy. 

Many organisations take proactive steps to cultivate a privacy-centred culture and implement transparent data collection policies. 

Here’s why gaining the “privacy advantage” pays off.

1. Market Competitiveness 

There’s a reason why privacy-focused companies are booming. 

Consumers’ mounting concerns and frustrations over the lack of online privacy prompt many to look for alternative privacy-centred products and services.

The following B2C and B2B products are  moving from the industry margins to the mainstream: 

Across the board, consumers express greater trust towards companies, protective of their privacy: 

And as we well know: trust translates to higher engagement, loyalty and, ultimately, revenue. 

By embedding privacy into the core of your product, you give users more reasons to select, stay and support your business. 

2. Higher Operational Efficiency

Customer data protection isn’t just a policy – it’s a culture of collecting “just enough” data, protecting it and using it responsibly. 

Sadly, that’s the area where most organisations trail behind. At present, some 90% of businesses admit to having amassed massive data silos.  

Siloed data is expensive to maintain and operationalise. Moreover, when left unattended, it can evolve into a pressing compliance issue. 

A recently leaked document from Facebook says the company has no idea where all of its first-party, third-party and sensitive categories data goes or how it is processed. Because of this, Facebook struggles to achieve GDPR compliance and remains under regulatory pressure. 

Similarly, Google Analytics is riddled with privacy issues. Other company products were found to be collecting and operationalising consumer data without users’ knowledge or consent. Again, this creates valid grounds for regulatory investigations. 

Smaller companies have a better chance of making things right at the onset. 

By curbing customer data collection, you can: 

  • Reduce data hosting and Cloud computation costs (aka trim your Cloud bill) 
  • Improve data security practices (since you would have fewer assets to protect) 
  • Make your staff more productive by consolidating essential data and making it easy and safe to access

Privacy-mindful companies also have an easier time when it comes to compliance and can meet new data regulations faster. 

3. Better Marketing Campaigns 

The biggest counter-argument to reducing customer data collection is marketing. 

How can we effectively sell our products if we know nothing about our customers? – your team might be asking. 

This might sound counterintuitive, but minimising data collection and usage can lead to better marketing outcomes. 

Limiting the types of data that can be used encourages your people to become more creative and productive by focusing on fewer metrics that are more important.

Think of it this way: Every other business uses the same targeting parameters on Facebook or Google for running paid ad campaigns on Facebook. As a result, we see ads everywhere — and people grow unresponsive to them or choose to limit exposure by using ad blocking software, private browsers and VPNs. Your ad budgets get wasted on chasing mirage metrics instead of actual prospects. 

Case in point: In 2017 Marc Pritchard of Procter & Gamble decided to first cut the company’s digital advertising budget by 6% (or $200 million). Unilever made an even bolder move and reduced its ad budget by 30% in 2018. 

Guess what happened?

P&G saw a 7.5% increase in organic sales and Unilever had a 3.8% gain, as HBR reports. So how come both companies became more successful by spending less on advertising? 

They found that overexposure to online ads led to diminishing returns and annoyances among loyal customers. By minimising ad exposure and adopting alternative marketing strategies, the two companies managed to market better to new and existing customers. 

The takeaway: There are more ways to engage consumers aside from pestering them with repetitive retargeting messages or creepy personalisation. 

You can collect first-party data with consent to incrementally improve your product, and educate customers on the benefits of your solution in transparent terms.

Final Thoughts 

The definitive advantage of privacy is consumers’ trust. 

You can’t buy it, you can’t fake it, you can only cultivate it by aligning your external appearances with internal practices. 

Because when you fail to address privacy internally, your mishaps will quickly become apparent either as social media call-outs or worse — as a security incident, a data breach or a legal investigation. 

By choosing to treat consumer data with respect, you build an extra layer of protection around your business, plus draw in some banging benefits too. 

Get one step closer to becoming a privacy-centred company by choosing Matomo as your web analytics solution. We offer robust privacy controls for ensuring ethical, compliant, privacy-friendly and secure website tracking. 

]]>