In the US, we have mostly heard about the issue of data protection on websites in relation to Facebook and the role it played in making users' personal info available to Cambridge Analytica and Russian bots that spread bogus posts that favored Trump's campaign to beat Clinton.
Website designers, though, have been aware of the new regulations affecting websites in Europe or anywhere in the world that European citizens encounter. The General Data Protection Regulation (GDPR) went into effect in May 2018, and various states in the US have scrambled to put their own laws into force.
Why Should You Care?
Even if you are a local psychotherapist, naturopath, or attorney dealing with what you think of as local clients in the US, you could soon be obligated to post your online data protection policies on your website. If there is a possibility that you are attracting people who are European citizens living in your town, you are already required to have such a page on your website.
Note that, although there is some overlap, compliance with HIPAA law does not cover the aspects that are specifically at issue with websites. HIPAA covers people who are already your patients or clients. This data protection policy covers people who are just visiting your website, whether or not they ever become a paying client.
And for certain, if you are a coach, esoteric reader, or other solopreneur who aims to sell services to anyone anywhere, you are already liable to be fined in some jurisdictions where your clients are located if you don't have a data protection policy on your website.
Bottom line: it's the smart thing to do to get ahead of the curve and transparently post your data collection, storage, protection, and removal policies.
Your Website Designer's Role in CYA
Because this is a hot issue for website designers -- who, some argue, could be held partially liable when websites they design lack the required policies -- most of us take the responsibility to inform our clients of this requirement. Most of us also facilitate having this policy content on our clients' websites.
Some of us provide a skeleton, customized boilerplate rendition of applicable data protection policies for our website clients. DeWriteSites has done this for all clients since the GDPR came into effect. Although it needs some updating now, you can see one of my own policy pages here.
California in particular requires that websites must have a link to their Data Protection Policy in the footer of the website, and that the link must be slightly larger than nearby text. I believe the Data Protection Policy Page is also supposed to appear on the website menu, and not be a hidden page.
It wouldn't hurt for you to have your policy page checked by an attorney who is well-versed in internet law, rather than relying on the fact that I have taught Business Law twice at a business college in Seattle. The problem is that very few attorneys are trained in this, and the laws are still evolving. Don't let an unknowledgeable lawyer tell you this page on your website is unnecessary. They would be wrong to tell you that.
The 7 Things Your Policy MUST Address
The GDPR and various US state laws can be confusing and overwhelming. California has the strictest policy, and New York has a bill in its legislature that some say is even stronger than California's. In addition, at least 7 bills are floating around the federal House and Senate, sponsored respectively by Rubio, Blackburn, Del Bene, Masto, Markey, Klobuchar and Kennedy, and Hawley.
The writing is on the wall. This is soon to be a law that will impact everyone in the US with a business website. The time for CYA is now.
In following both the GDPR and the California law, there are two basic parts you must have in your policies. One part is to explain how you gather personal data, why you want it, how and where you store it and for how long, how it is destroyed, and how people can request the removal of their data from your files.
The second part is to explain how cookies and other computer / analytics code may be installed into a visitor's computer and how their internet activities could be tracked or followed due to these cookies.
More specifically, you need language similar to the following:
Part One: Personal Data
1. Data Collection
Personal information including your name, email address, and phone number is gathered when you submit the contact form on this website to request an appointment or ask a question about information on the website.
2. Purpose of Data Collection
This business collects your name, email address, and phone number in order to communicate with you online or offline, to best serve your needs and answer your questions.
3. How Data is Stored and Maintained
Your submitted info is likely stored in a database in our web host account, and may also be stored offline in an Excel, Word, or paper file. This information is retained for the length of our work together, and may be kept for up to 1-5* years beyond the termination of our contract in case further work is requested.
4. How Data is Destroyed
Your personal data is destroyed when we have not worked together for more than 2* years. Digital data kept in my Wix account database or in an Excel or Word file offline is wiped (erased), and paper files are shredded.
5. Your Right to Have Your Info Removed
It is your right to "be forgotten" -- that is, to have your personal info removed from any database, offline computer file, or paper file before the routine file removal period. To do this, just request it by email or phone, and your files, along with your request for removal, will be deleted.
Part Two: Cookies and Analytics Code
Cookies are bits of computer code automatically installed on your computer when browsing the internet. Each website visited adds these cookies to your computer via the browser you use. Cookies make the website run better so that it performs seamlessly, the way you'd like it to as you navigate around the site.
You can delete cookies by clearing your browser cache. Consult YouTube for videos on how to do this for your browser. If you use Chrome, you can also read this blog post.
This website's sitemap may have been submitted to Google Search Console for site ranking purposes in Google's search engine. Google might place temporary or semi-permanent code on your computer which can ascertain your general location, computer IP address, and type of device used (desktop / laptop / cell phone / tablet) for the purpose of tracking internet use by the general public. However, that information is not monitored by this website owner, nor by this website's host or designer.
Your browser -- whether Google Chrome, Apple Safari, Mozilla Firefox, Microsoft Edge, etc. -- may track your browsing history. Neither this website's owner nor its host has access to your browser history. Temporary cookies are deleted when you leave this website.
* Obviously the language provided above must be edited to fit your own business, and the specific timelines for removal of data noted above will need to be changed to reflect your own administrative practices.
What is provided above is the bare minimum. What you need could be more detailed, depending on the services you sell.
2 Additional Issues to Specify in your Policies
The most common additional issue to address pertains to using a payment portal such as PayPal. If you collect payments via your website with a PayPal or Venmo button, or other cart system, the name of this 3rd party vendor should be noted in your policies. You should also say that you don't have access to your customer's financial information beyond being notified when a payment is made and how much it is. Then provide a link to your payment portal's own data protection policy page.
Protection of Minors' and 3rd Party Data
If people under the age of 18 can request and pay for services via your website, you should have a policy that addresses the limits of privacy for them. When will parental permission be required? Likewise, will you have a different age limit for providing services about a minor to their parents without the minor's permission?
If you provide metaphysical services, you should also have a policy regarding when you will or won't do readings or distance healings for 3rd parties. Your client could be requesting a service or knowledge about a friend or family member who would object to having their personal boundaries invaded by you without their permission.