In the wild west of Web 3.0, user data is oil. Liquid gold! Unfortunately… there will be blood. But you don’t have to become Daniel Plainview. As a digital-first entrepreneur, you rely on user data. But if you treat it without the respect it deserves you could be finished. (Hopefully not with a bowling pin.)
Still scarred from abuses like the Nazis’ use of personal information to identify Jews and other minority groups, Europe has become a leader in privacy law. As far back as 1995, the EU enacted the EU Data Protection Directive to regulate the processing of personal data. This has since been superseded by the General Data Protection Regulation (or GDPR), which was enacted in 2018. Today, the GDPR is the gold standard of data protection around the world.
The GDPR requires that websites disclose their collection and processing of user information and creates rights that users can choose to exercise. The fundamental principle underlying the GDPR is the idea that personal data may only be processed lawfully, fairly, and transparently. From this principle has emerged a framework where proper notice and consent—or some equivalent—must be obtained before any substantial processing of user data may occur.
So, how do you give proper notice before collecting and processing user data? How do you tell a user—the “data subject”—about her rights (as required by the GDPR)? How do you get a user’s informed consent?
But it’s not quite that easy.
Harkening back to the days of Oil!, the US has taken a more laissez faire approach to user data than the EU. The federal government has indicated an unwillingness to create a nationwide law requiring data privacy protection. Attempts have been made. But following Edward Snowden’s disclosure of the NSA’s privacy practices, the federal government perhaps hasn’t had the moral grounding to enact data legislation.
This has left data privacy in the hands of the states, acting with little coordination. The patchwork of limited-jurisdiction privacy laws has caused severe headaches for countless founders and CIOs. And no state has had nearly the impact of California. Since California is the 5th largest economy in the world, any business engaging in online commerce (that would be all of them) must abide by California’s laws. And California knows it.
Several other states have begun to propose and enact legislation seeking to protect their citizens the same way California protects its own. Because while California law affects every online business—everyone has to comply—it really only protects the citizens of California. To give rights such as the right to be informed, the right to access, the right to opt out, the right to correct information, and the right not to be discriminated against, each state must create legislation incorporating those rights and extending them to its own citizens. At this point there is a patchwork of privacy laws across the US, each with its own specific standards, rules, and requirements. But, still, most states don’t have any privacy laws at all. It’s a mess.
The short answer is, it’s not clear. The longer and more circumspect answer is that depending on how you collect, use, and process user data, as well as the industry that you operate in, it’s a good business practice to at least identify the information you’re collecting and processing. Better safe than sorry. In our view, you’d be wise to be proactive about this stuff as most, if not all, states will surely have their own requirements for data protection and user rights before too long.
The expanding patchwork of privacy laws may seem daunting. But as long as you ask permission before drinking our milkshake (and follow a few other rules), you’ll be in good shape.
Website Audit Package
We hope that this series on website terms has been appropriately terrifying because, boy!, do we have an offer for you!
If you’d like to learn more, reach out to email@example.com or anyone else on the team. Pricing starts at $5,000 for new and existing websites.