Is your site USA compliant?

Boyd Tiffin

Changes in 2018

Just in case you own a website and rely on other people to keep you informed of regulations and their legal impact (BAD IDEA), we thought we would walk through a few key items, some already in force and some coming down the road, that will affect you as a website owner.

  • SSL Certificates (July 2018)
  • GDPR Regulations (May 2018)

SSL Certificates and HTTPS Protocols

This is an easy one to explain, even if you know nothing about the technical side of websites. Remember when you made a purchase online and, when you got to the checkout page, saw the green padlock telling you the connection to the site was encrypted, so it was safe to type in your credit card info?

Now, Google has been phasing in changes to Chrome over the last 18 months, and they all come together in July 2018 with the release of Chrome 68.

Here is the new rule:
Any page served over plain HTTP, with no HTTPS at all, is labelled "Not secure" in the address bar of every visitor's browser. A site that has HTTPS but a broken certificate (expired, issued for a different domain name, or not from an authority the browser trusts) gets treated worse still: Chrome shows a full-page warning before the site loads.

Do you really think users are going to click the Advanced button on that warning and then agree to go to your site anyway?

THEY ARE NOT GOING TO!

As of this posting, you have less than 2 months to get your site secured. Securing it is easy: get a certificate for your domain, install it on the server, redirect every http:// address to its https:// equivalent, and fix any page that still loads images or scripts over http://, because that "mixed content" costs you the padlock too. Depending on the hosting plan you currently have, though, a certificate may or may not be available at your current price. We are seeing many hosts up-charging a lot to fix this issue.
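A quick way to see what Chrome 68 will make of a given hostname, as an added example for this post (not the post's own code, nor The Sparks Solution's): it checks whether plain http:// redirects to https://, and whether the HTTPS endpoint presents a certificate that the system trust store accepts and that is not about to expire. The command-line hostname, the 30-day renewal threshold and the port numbers are assumptions. The two live checks need network access; the two classification helpers they rely on do not, and are what you would reuse in a monitoring job.

```python
"""HTTPS readiness check for one hostname: does http:// send visitors to
https://, and will the browser accept the certificate it finds there?
Added example for this post; not the post's own code."""
import socket
import ssl
import sys
import time
from http.client import HTTPConnection
from typing import Optional
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 307, 308)


def classify_redirect(status: int, location: Optional[str], host: str) -> str:
    """Classify what a plain-HTTP (port 80) response does with the visitor.

    Only "redirects-to-https" is the outcome you want: anything that leaves
    the browser on http:// is what Chrome 68 labels "Not secure".
    """
    if status in REDIRECT_CODES and location:
        target = urlsplit(location)
        if target.scheme == "https":
            # A redirect to https on another host (e.g. www.) still works for
            # the visitor, but flag it so the operator knows it is happening.
            return ("redirects-to-https" if (target.hostname or host) == host
                    else "redirects-to-https-other-host")
        return "redirects-to-http"          # relative or http:// Location
    if 200 <= status < 300:
        return "serves-plain-http"          # the "Not secure" case
    return "unexpected-status"


def days_until_expiry(not_after: str, now_ts: float) -> int:
    """Whole days from now_ts (Unix seconds) to the certificate's notAfter,
    given in the "Jun  1 12:00:00 2030 GMT" form ssl.getpeercert() returns.
    Negative means the certificate has already expired."""
    exp_ts = ssl.cert_time_to_seconds(not_after)
    return int((exp_ts - now_ts) // 86400)


def check_http_redirect(host: str) -> str:
    """Live check of http://host/ (network access required)."""
    conn = HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return classify_redirect(resp.status, resp.getheader("Location"), host)
    except OSError as exc:
        return f"http-unreachable: {exc}"
    finally:
        conn.close()


def check_https(host: str, warn_days: int = 30) -> dict:
    """Live check of https://host/ (network access required).

    create_default_context() validates the chain against the system trust
    store, rejects expired certificates and checks that the name on the
    certificate matches `host`; a failure there is exactly what triggers
    Chrome's full-page warning, so it is reported rather than raised.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": f"certificate rejected: {exc.verify_message}"}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "reason": f"no usable TLS on {host}:443: {exc}"}
    # Verification already rejected anything expired, so this is >= 0 here;
    # the renewal flag is the part worth alerting on (30 days is an assumption).
    left = days_until_expiry(cert["notAfter"], time.time())
    return {"ok": True, "days_left": left, "renew_soon": left <= warn_days,
            "issuer": dict(pair[0] for pair in cert["issuer"])}


if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(f"{site}: http  -> {check_http_redirect(site)}")
    print(f"{site}: https -> {check_https(site)}")
```

Run it as `python check_https.py yourdomain.com`. A result of `serves-plain-http` on the first line is the "Not secure" label; a `certificate rejected` reason on the second line is the full-page warning, and the message from the TLS library tells you whether the name, the chain or the dates are the problem.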

At The Sparks Solution, all of our sites are hosted with free SSL certificates, or upgraded certificates where they are needed. We also moved all existing sites without a certificate over to HTTPS without charging for that work. Reach out if you need to talk through hosting options to ensure your site stays available to the public.

GDPR - This impacts YOU

GDPR (the General Data Protection Regulation) is the EU's new data protection law, and it applies from 25 May 2018.

If your website collects email addresses for a newsletter, those addresses are personal data and you MUST comply with this new regulation.

We have spoken to a ton of companies that thought they were not impacted because they do not do business in the EU, but the regulation applies if you collect personal data from people who are in the EU, regardless of where your company is based.

There is no cheat sheet or checklist, because every company will have to comply differently based on the information it collects. Consult your attorney to ensure your privacy policies are updated.

Example: Twitter's updated privacy policy went from 3,800 words to 8,890 words, over 5,000 of them added just for GDPR compliance.

Potential fines: up to €10 million or 2% of your worldwide annual turnover, or up to €20 million or 4%, whichever amount is higher, depending on which provisions are breached!

Summarised from Article 83 of the GDPR:

Fines are imposed by the supervisory authority of each member state (83.1). The following 10 criteria are used to determine the amount of the fine on a non-compliant firm:

  • Nature of infringement: number of people affected, damage they suffered, duration of infringement, and purpose of processing
  • Intention: whether the infringement is intentional or negligent
  • Mitigation: actions taken to mitigate damage to data subjects
  • Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance
  • History: (83.2e) past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and (83.2i) past administrative corrective actions under the GDPR, from warnings to bans on processing and fines
  • Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement
  • Data type: what types of data the infringement impacts; see special categories of personal data
  • Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party
  • Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct
  • Other: other aggravating or mitigating factors may include financial impact on the firm from the infringement

Amount

If a firm infringes on multiple provisions of the GDPR, it shall be fined according to the gravest infringement, as opposed to being separately penalized for each provision. (83.3)

However, the above may not offer much relief considering the amount of fines possible:

Lower level

Up to €10 million, or 2% of the worldwide annual turnover of the prior financial year, whichever is higher, may be imposed for infringements of:

  • Controllers and processors under Articles 8, 11, 25-39, 42, 43
  • Certification body under Articles 42, 43
  • Monitoring body under Article 41(4)

Upper level

Up to €20 million, or 4% of the worldwide annual turnover of the prior financial year, whichever is higher, may be imposed for infringements of:

  • The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9
  • The data subjects’ rights under Articles 12-22
  • The transfer of personal data to a recipient in a third country or an international organisation under Articles 44-49
  • Any obligations pursuant to Member State law adopted under Chapter IX
  • Any non-compliance with an order by a supervisory authority (83.6)