Manage and protect personal data on your website

Data privacy management refers to the handling of sensitive and/or personal information in a proactive and responsible manner.  

Organizations that collect or store such data must ensure they do it in a way that: 

1. Obtains the data in a legal and transparent way 
2. Ensures that the data is used and shared appropriately 
3. Is compliant with relevant local regulations 

For many organizations, the personal data that they collect and store is their key – if not their primary – asset. 

At the same time, it’s critical for these organizations to maintain customer trust. To retain this goodwill, they must demonstrate that their collecting, storing, and processing of sensitive or personal consumer data is handled with the utmost care.  

Organizations that are careless with this information risk losing money, business, and even their reputations. 

Legal concerns are another pressing reason to focus on good data privacy health. Many countries, particularly in the European Union and North America, are adopting increasingly stringent personal data and privacy regulations. Going forward, implementing robust data privacy management processes will be essential for staying compliant with the law. 

Data privacy mainly governs the handling of so-called “sensitive” data. Sensitive data tends to fall into the following categories: 

1. Personally identifiable data: Any piece of information that can be used to identify and track an individual, either directly (e.g. social security number) or indirectly (e.g. pseudonyms). 
2. Confidential data: This covers private information that is not intended for public dissemination. Confidential data includes certain financial figures, protected intellectual property information, and so on. 

There are some notable exceptions to the types of information that are subject to data privacy protection. The two broad exclusion areas are: 

1. Non-sensitive personally identifiable information: This refers to cases where personally identifiable information can be otherwise obtained from public sources like phone books, open internet forums, and business directories. 
2. Non-personally identifiable information: This is data that can’t be traced to a specific person. In the online context, this can be any anonymized and/or aggregated data like your users’ device usage, their browsers, or masked IP addresses. 

While there’s certainly some overlap between them, data privacy and data security are two different fields. 

Data security refers to how well you protect sensitive data from unauthorized access by external third parties or internal bad actors. This often involves the use of web security measures to prevent damaging data breaches or hacks. 

Data privacy, on the other hand, refers to the way your organization itself handles that data or shares it with others. It is about the internal processes you put in place, how you train your staff, and how transparent you are in collecting the data in the first place. 

When operating in the US, it’s important to keep in mind and comply with the following data privacy regulations. 

HIPAA for healthcare 

The Health Insurance Portability and Accountability Act (HIPAA) governs the way organizations use an individual’s health information. It’s relevant for the following types of companies: 

• Healthcare providers 
• Healthcare insurance companies 
• Healthcare clearinghouses 
• Any organization or person that comes in contact with sensitive health information as part of their work activities 

GLBA for financial institutions 

The Gramm-Leach-Bliley Act (GBLA) requires financial service providers that work with individuals to be explicit in explaining their data sharing practices to their customers. It states that organizations should take careful steps to protect sensitive data and decrees that they allow people to opt-out of sharing such data in the first place. It’s relevant for the following businesses: 

• Financial institutions like banks 
• Companies offering financial products or services like loans or insurance 
• Companies that provide finances-related consulting like investment advice 

GDPR for US businesses dealing with the EU  

The General Data Protection Regulation (GDPR) is the key piece of EU legislation that governs the way companies collect and process the data of EU citizens.  

The GDPR states that this data must be obtained with the individual’s informed consent and can only be used in a secure and confidential manner.  

This law applies to any entity that processes the data of EU citizens, regardless of whether that entity is itself located in the EU. This includes organizations using this data in the course of doing business with EU citizens, but it also covers any organization collecting such data for survey or analysis purposes. 

CCPA in California 

The California Consumer Privacy Act (CCPA) gives the residents of California additional privacy protection compared to the rest of the US. The law requires that a business actively informs customers in California about its data privacy practices. 

CCPA also grants Californians specific privacy rights, which include: 

• The ability to access and delete their personal information collected by a business 
• The right to opt-out of having their personal information sold 
• Protection from being discriminated against for exercising these CCPA rights  

Siteimprove Data Privacy can help you achieving CCPA compliance.