I am not the only person who has entered my personal information into a website that is later hacked. I wish I could say it’s only occurred once.
Because of that, I am acutely sensitive to where my info is captured. That sensitivity is why I want to share an article sent directly to me as a journalist-blogger from Widness & Wiggins PR (Salt Lake City, UT) for their client, WaiverSign.
I hope that by sharing, you will better understand how six new privacy laws (with more coming) may directly impact both how your personal information is collected and what steps your company website must take to protect your customers.
Here then is the complete article. Please let me know your thoughts and any personal anecdotes regarding misappropriation of your info.
A recent online Washington Post story (March 2023) headline reads: “Your therapist is on TikTok. Will your therapy session end up there too?”
This may be an extreme example of a potential invasion of privacy, says Brandon Lake, CEO of WaiverSign. His company is an established online waiver software provider serving a wide array of industries including tourism, fitness, health and beauty, and events.
“Ensuring our customers understand the privacy policies around the data they gather on waivers and similar agreements is extremely important to us,” adds Lake. “If companies’ and not-for-profits’ policies ignore privacy safeguards, such failures can result in fines starting at $2,500 per website visitor. So, this is a really big deal. I think it’s only going to get bigger and more complex as laws continue to change all the time.”
With six new privacy laws coming out at the start of this year and more to come, WaiverSign (https://www.waiversign.com/) recently hosted a webinar to help any business that collects personal information from website visitors, either through analytics, lead forms, registration, or by the signing of waivers, to address privacy concerns now.
The webinar generated several questions that are important for any business to consider. Although they were quick to point out that their answers are not legal advice, Donata Skillrud, an attorney licensed in Illinois, a certified information privacy professional and chair of the American Bar Association’s ePrivacy Committee, and her husband, Hans Stroink-Skillrud, share a lot of helpful material. Their software company, Termageddon, generates privacy policies for website owners. This platform automatically updates with new disclosures related to privacy policies that are currently legally required under multiple privacy laws.
Watch the webinar here or read a full transcript: https://www.waiversign.com/webinar/privacy-laws-how-to-avoid-fines-lawsuits
Here are a few of the questions highlighted from the webinar:
Q: Why are we talking about privacy laws now?
A: The Cambridge Analytica scandal woke people up when that company used the “stolen” personal information of millions of Facebook users for political advertising. There are federal privacy laws related to health information, and financial or children’s information. But to date, there is nothing at the federal level to protect such personal information as the names and emails of consumers online.
Q: How is this deficiency being addressed?
A: Some states are passing privacy laws. For example, the California Privacy Rights Act replaces the California Consumer Privacy Act. And there are new privacy laws in Virginia, Colorado, Utah, Connecticut, and in Quebec, Canada.
Q: What are the implications of these laws?
A: If the shoe fits, a business must wear it. This means that a business, no matter where it’s located, must have a compliant privacy policy with all the disclosures required by these privacy laws. These may include offering consumers certain privacy rights such as the right to delete their information and having restrictions on how personal information can be used.
Q: Do these laws protect consumers or businesses?
A: The laws are created to protect consumers — not businesses. So, consumers can go online and submit their personally identifiable information (PII) anywhere; you don’t have to be located in these states or in Quebec for a law to apply to you. A fine might be $7,500 per violation. Without a compliant privacy policy and multiplied by 100 visitors, a fine quickly becomes very large.
Q: What is personally identifiable information (PII)?
A: This is any data that could be used to identify an individual: people’s names, email addresses, phone numbers, physical and IP addresses. Even their signatures could be considered personal information.
Q: How exposed is an online consumer?
A: Any modern website is collecting personal information beyond the waivers that businesses use. When consumers submit names and emails on a contact form, the business often ends up sharing that data with its email service provider. Other examples include signing up for an email newsletter subscription or sending/receiving waiver completion confirmation emails. The information gathered in all of these ways is considered PII and is regulated. From the moment a website collects PII, even without the intention to share, there needs to be a compliant privacy policy.
Q: What is a privacy policy?
A: This is an explanation of your privacy practices: what PII you’re collecting, what you do with that PII, with whom you share it, and more. A privacy policy is not a random disclosure but needs to be dictated by applicable privacy laws.
Q: What privacy laws are applicable?
A: Privacy laws apply to geographic locations where a company is doing business. Ask first: Whose PII are you collecting? Who is submitting their information to your forms? Where are they located? Where are your customers located? If doing business online, where do you ship? To whom do you offer goods or services? Where do you do business? And whom do you track online through services such as Facebook Pixel, Analytics?
Q: What do privacy laws require?
A: Privacy laws have similar requirements for privacy policies. First, they apply outside of the state in which they’re passed. If a business isn’t in any of the states that are listed, that does not mean a green light. Second, the laws require businesses to have a privacy policy that makes certain disclosures. Third, they provide certain privacy rights to consumers, such as the right to delete, the right to opt out of direct marketing, and the right to opt out of sales of PII.
Q: What are some repercussions of avoiding the laws?
A: Data obtained illegally can trigger privacy laws that wipe out, for example, an email list of 50,000 people, and that create an environment in which consumers can sue businesses directly.
Q: Is it enough to have a privacy policy that complies with today’s privacy laws?
A: No. What you also need is a strategy to keep your privacy policy up to date with new disclosures as new laws pass and as existing laws get amended; otherwise you run the risk of being non-compliant with changes in privacy laws.
Q: What should a privacy policy disclosure include?
A: Most important, the privacy policy depends on the privacy laws that apply to a specific business. Then the policy needs to address such issues as the effective date of the policy; whether you use cookies or other similar technologies; the use of analytics; how PII is collected, then used, and how long it is stored; how people can complain; and what the terms of service are.
For individuals and businesses wanting to discuss compliance with these new privacy laws and review the solutions recommended by WaiverSign, please go online and submit this request form: https://www.waiversign.com/contact, or call 877.741.7705.
About WaiverSign
Founded in 2013, WaiverSign offers one of the most efficient, easy-to-use digital liability waivers and electronic liability release solutions available in today’s marketplace. An API (Application Programming Interface) allows other reservation and customer relationship databases to push and pull customer data directly to and from WaiverSign. This provides a simple and fool-proof way of collecting customer information in whatever reservation system is being used. For more information, visit https://www.waiversign.com/ or call 877.741.7705.
Karen Kuzsel is a writer-editor based in the Orlando area who specializes in the hospitality, entertainment, meetings & events industries. She is an active member of International Live Events Association and Meeting Professionals International and is now serving on the 2022-2023 MPI Global Advisory Board for Small Business Owners. She is a member of the Society of Professional Journalists. Karen writes about food & wine, spas, destinations, venues, meetings & events in her blog, Hotel Happenings & Program Promotions. A career journalist, she has owned magazines, written for newspapers, trade publications, radio and TV. As her alter-ego, Natasha, The Psychic Lady, she is a featured entertainer for corporate and social events. Karen@KarenKuzsel.com; www.KarenKuzsel.com; www.ThePsychicLady.com; @karenkuzsel; @thepsychiclady.