
Other articles (101)
-
List of compatible distributions
26 April 2011, by kent1
The table below is the list of Linux distributions compatible with the automated installation script of MediaSPIP.
Distribution name | Version name | Version number
Debian | Squeeze | 6.x.x
Debian | Wheezy | 7.x.x
Debian | Jessie | 8.x.x
Ubuntu | The Precise Pangolin | 12.04 LTS
Ubuntu | The Trusty Tahr | 14.04
If you want to help us improve this list, you can provide us access to a machine whose distribution is not mentioned above or send the necessary fixes to add (...)
-
MediaSPIP v0.2
21 June 2013, by kent1
MediaSPIP 0.2 is the first stable version of MediaSPIP.
Its official release date is 21 June 2013 and it is announced here.
The zip file provided here contains only the MediaSPIP sources in standalone version.
As with the previous version, all software dependencies must be installed manually on the server.
If you want to use this archive for a farm-mode installation, you will also need to make other modifications (...)
-
Making files available
14 April 2011, by kent1
By default, when it is initialised, MediaSPIP does not allow visitors to download files, whether they are originals or the result of their transformation or encoding. It only allows them to be viewed.
However, it is possible and easy to give visitors access to these documents, in several different forms.
All of this is done in the skeleton's configuration page. You need to go to the channel's administration area and choose in the navigation (...)
On other sites (8363)
-
Understanding Data Processing Agreements and How They Affect GDPR Compliance
9 October 2023, by Erin — GDPR
The General Data Protection Regulation (GDPR) impacts international organisations that conduct business or handle personal data in the European Union (EU), and they must know how to stay compliant.
One way of ensuring GDPR compliance is through implementing a data processing agreement (DPA). Most businesses overlook DPAs when considering ways of maintaining user data security. So, what exactly is a DPA’s role in ensuring GDPR compliance?
In this article, we’ll discuss DPAs, their advantages, which data protection laws require them and the clauses that make up a DPA. We’ll also discuss the consequences of non-compliance and how you can maintain GDPR compliance using Matomo.
What is a data processing agreement?
A data processing agreement, data protection agreement or data processing addendum is a contractual agreement between a data controller (a company) and a data processor (a third-party service provider.) It defines each party’s rights and obligations regarding data protection.
A DPA also defines the responsibilities of the controller and the processor and sets out the terms they’ll use for data processing. For instance, when MHP/Team SI sought the services of Matomo (a data processor) to get reliable and compliant web analytics, a DPA helped to outline their responsibilities and liabilities.
A DPA is one of the basic requirements for GDPR compliance. The GDPR is an EU regulation concerning personal data protection and security. The GDPR is binding on any company that actively collects data from EU residents or citizens, regardless of their location.
As a business, you need to know what goes into a DPA to identify possible liabilities that may arise if you don’t comply with European data protection laws. For example, having a recurrent security incident can lead to data breaches as you process customer personal data.
The average data breach cost for 2023 is $4.45 million. This amount includes regulatory fines, containment costs and business losses. As such, a DPA can help you assess the organisational security measures of your data processing methods and define the protocol for reporting a data breach.
Why is a DPA essential for your business?
If your company processes personal data from your customers, such as contact details, you need a DPA to ensure compliance with data security laws like GDPR. You’ll also need a DPA to hire a third party to process your data, e.g., through web analytics or cloud storage.
But what are the benefits of having a DPA in place?
A key benefit of signing a DPA is it outlines business terms with a third-party data processor and guarantees compliance with the relevant data privacy laws. A DPA also helps to create an accountability framework between you and your data processor by establishing contractual obligations.
Additionally, a DPA helps to minimise the risk of unauthorised access to sensitive data. A DPA defines organisational measures that help protect the rights of individuals and safeguard personal data against unauthorised disclosure. Overall, before choosing a data processor, having a DPA ensures that they are capable, compliant and qualified.
More than 120 countries have already adopted some form of international data protection laws to protect their citizens and their data better. Hence, knowing which laws require a DPA and how you can better ensure compliance is important.
Which data protection laws require a DPA?
Regulatory bodies enact data protection laws to grant consumers greater control over their data and how businesses use it. These laws ensure transparency in data processing and compliance for businesses.
The following are some of the relevant data privacy laws that require you to have a DPA:
- UK GDPR
- Brazil LGPD
- EU GDPR
- Dubai PDPA
- Colorado CPA
- California CCPA/CPRA
- Virginia VCDPA
- Connecticut DPA
- South African POPIA
- Thailand PDPA
Companies that don’t adhere to these data protection obligations usually face liabilities such as fines and penalties. With a DPA, you can set clear expectations regarding data processing between you and your customers.
Review and update any DPAs with third-party processors to ensure compliance with GDPR and the laws we mentioned above. Additionally, confirm that all the relevant clauses are present for compliance with relevant data privacy laws.
So, what key data processing clauses should you have in your DPA? Let’s take a closer look in the next section.
Key clauses in a data processing agreement
GDPR provides some general recommendations for what you should state in a DPA.
Here are the elements you should include:
Data processing specifications
Your DPA should address the specific business purposes for data processing, the duration of processing and the categories of data under processing. It should also clearly state the party responsible for maintaining GDPR compliance and who the data subjects are, including their location and nationality.
Your DPA should also address the data processor and controller’s responsibilities concerning data deletion and contract termination.
Role of processor
Your DPA should clearly state what your data processor is responsible for and liable for. Some key responsibilities include record keeping, reporting breaches and maintaining data security.
Other roles of your data processor include providing you with audit opportunities and cooperating with data protection authorities during inquiries. If you decide to end your contract, the data processor is responsible for deleting or returning data, depending on your agreement.
Role of controller
Your DPA should set out the responsibilities of the data controller, which typically include issuing processing instructions to the data processor and directing them on how to handle data processing.
Your DPA should let you define the lawful data processes the data processor should follow and how you’ll uphold the data protection rights of individuals’ sensitive data.
Organisational and technical specifications
Your DPA should define specifications such as how third-party processors encrypt, access and test personal data. It should also include specifications on how the data processor and controller will maintain ongoing data security through various factors such as:
- State of the technology: Do third-party processors have reliable technology, and can they ensure data security within their systems?
- Costs of implementation: Does the data controller’s budget allow them to seek third-party services from industry-leading providers who can guarantee a certain level of security?
- Variances in users’ personal freedom: Are there privacy policies and opt-out forms for users to express how they want companies to use their sensitive data?
Moreover, your DPA should define how you and your data processor will ensure the confidentiality, availability and integrity of data processing services and systems.
What are the penalties for DPA GDPR non-compliance?
Regulators use GDPR’s stiff fines to encourage data controllers and third-party processors to follow best data security practices. One way of maintaining compliance is through drafting up a DPA with your data processor.
The DPA should clearly outline the necessary legal requirements and include all the relevant clauses mentioned above. Understand what goes into this agreement since data protection authorities can hold your business accountable for a breach — even if a processor’s error caused it.
Data protection authorities can issue penalties now that the GDPR is in place. For example, according to Article 83 of the GDPR, penalties for data or privacy breaches or non-compliance can amount to up to €20 million or 4% of your annual revenue.
There are two tiers of fines: tier one and tier two. Violations related to data processors typically attract fines on the tier-one level. Tier-one fines can cost your business €10 million or 2% of your company’s global revenue.
Tier-two fines result from infringement of the right to forget and the right to privacy of your consumer. Tier-two fines can cost your business up to €20 million or 4% of your company’s global revenue.
GDPR fines make non-compliance an expensive mistake for businesses of all sizes. As such, signing a DPA with any party that acts as a data processor for your business can help you remain GDPR-compliant.
How a DPA can help your business remain GDPR compliant
A DPA can help your business define and adhere to lawful data processes.
So, in what other ways can a DPA help you to remain compliant with GDPR? Let’s take a look!
1. Assess data processor’s compliance
Having a DPA helps ensure that the data processor you are working with is GDPR-compliant. You should check if they have a DPA and confirm the processor’s terms of service and legal basis.
For example, if you want an alternative to Google Analytics that’s GDPR compliant, then you can opt for Matomo. Matomo features a DPA, which you can agree to when you sign up for web analytics services or later.
2. Establish lawful data processes
A DPA can also help you review your data processes to ensure they’re GDPR compliant. For example, by defining lawful data processes, you better understand personally identifiable information (PII) and how it relates to data privacy.
Further, you can allow users to opt out of sharing their data. As such, Matomo can help you to enable Do Not Track preferences on your website.
With this feature, users are given the option to opt in or out of tracking via a toggle in their respective browsers.
Indeed, establishing lawful data processes helps you define the specific business purposes for collecting and processing personal data. By doing so, you get to notify your users why you need their data and get their consent to process it by including a GDPR-compliant privacy policy on your website.
3. Anonymise your data
Global privacy laws like GDPR and ePrivacy mandate companies to display cookie banners or seek consent before tracking visitors’ data. You can either include a cookie consent banner on your site or stop tracking cookies to follow the applicable regulations.
Further, you can enable cookie-less tracking or easily let users opt out. For example, you can use Matomo without a cookie consent banner, exempting it from many countries’ privacy rules.
Additionally, through a DPA, you can define organisational measures that define how you’ll anonymise all your users’ data. Matomo can help you anonymise IP addresses, and we recommend that you at least anonymise the last two bytes.
As one of the few web analytics tools you can use to collect data without tracking consent, Matomo also has the French Data Protection Authority (CNIL) approval.
4. Assess the processor’s bandwidth
Having a DPA can help you implement data retention policies that show clear retention periods. Such policies are useful when ending a contract with a third-party service provider and determining how they should handle your data.
A DPA also helps you ensure the processor has the necessary technology to store personal data securely. You can conduct an audit to understand possible vulnerabilities and your data processor’s technological capacity.
5. Obtain legal counsel
When drafting a DPA, it’s important to get a consultation on what is needed to ensure complete compliance. Obtaining legal counsel points you in the right direction so you don’t make any mistakes that may lead to non-compliance.
Conclusion
Businesses that process users’ data are subject to several DPA contract requirements under GDPR. One of the most important is having DPAs with every third-party provider that helps them perform data processing.
It’s important to stay updated on GDPR requirements for compliance. As such, Matomo can help you maintain lawful data processes. Matomo gives you complete control over your data and complies with GDPR requirements.
To get started with Matomo, you can sign up for a 21-day free trial. No credit card required.
Disclaimer
We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to GDPR. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.
-
What is Behavioural Segmentation and Why is it Important?
28 September 2023, by Erin — Analytics Tips
Amidst the dynamic landscape of web analytics, understanding customers has grown increasingly vital for businesses to thrive. While traditional demographic-focused strategies possess merit, they need to uncover the nuanced intricacies of individual online behaviours and preferences. As customer expectations evolve in the digital realm, enterprises must recalibrate their approaches to remain relevant and cultivate enduring digital relationships.
In this context, the surge of technology and advanced data analysis ushers in a marketing revolution: behavioural segmentation. Businesses can unearth invaluable insights by meticulously scrutinising user actions, preferences and online interactions. These insights lay the foundation for precisely honed, high-performing, personalised campaigns. The era dominated by blanket, catch-all marketing strategies is yielding to an era of surgical precision and tailored engagement.
While the insights from user behaviours empower businesses to optimise customer experiences, it’s essential to strike a delicate balance between personalisation and respecting user privacy. Ethical use of behavioural data ensures that the power of segmentation is wielded responsibly and in compliance, safeguarding user trust while enabling businesses to thrive in the digital age.
What is behavioural segmentation?
Behavioural segmentation is a crucial concept in web analytics and marketing. It involves categorising individuals or groups of users based on their online behaviour, actions and interactions with a website. This segmentation method focuses on understanding how users engage with a website, their preferences and their responses to various stimuli. Behavioural segmentation classifies users into distinct segments based on their online activities, such as the pages they visit, the products they view, the actions they take and the time they spend on a site.
Behavioural segmentation plays a pivotal role in web analytics for several reasons:
1. Enhanced personalisation:
Understanding user behaviour enables businesses to personalise online experiences. This aids with delivering tailored content and recommendations to boost conversion, customer loyalty and customer satisfaction.
2. Improved user experience:
Behavioural segmentation optimises user interfaces (UI) and navigation by identifying user paths and pain points, enhancing the level of engagement and retention.
3. Targeted marketing:
Behavioural segmentation enhances marketing efficiency by tailoring campaigns to user behaviour. This increases the likelihood of interest in specific products or services.
4. Conversion rate optimisation:
Analysing behavioural data reveals factors influencing user decisions, enabling website optimisation for a streamlined purchasing process and higher conversion rates.
5. Data-driven decision-making:
Behavioural segmentation empowers data-driven decisions. It identifies trends, behavioural patterns and emerging opportunities, facilitating adaptation to changing user preferences and market dynamics.
6. Ethical considerations:
Behavioural segmentation provides valuable insights but raises ethical concerns. User data collection and use must prioritise transparency, privacy and responsible handling to protect individuals’ rights.
The significance of ethical behavioural segmentation will be explored more deeply in a later section, where we will delve into the ethical considerations and best practices for collecting, storing and utilising behavioural data in web analytics. It’s essential to strike a balance between harnessing the power of behavioural segmentation for business benefits and safeguarding user privacy and data rights in the digital age.
Different types of behavioural segments with examples
- Visit-based segments: These segments hinge on users’ visit patterns. Analyse visit patterns, compare first-time visitors to returning ones, or compare users landing on specific pages to those landing on others.
  - Example: The real estate website Zillow can analyse how first-time visitors and returning users behave differently. By understanding these patterns, Zillow can customise its website for each group. For example, they can highlight featured listings and provide navigation tips for first-time visitors while offering personalised recommendations and saved search options for returning users. This could enhance user satisfaction and boost the chances of conversion.
- Interaction-based segments: Segments can be created based on user interactions like special events or goals completed on the site.
  - Example: Airbnb might use this to understand if users who successfully book accommodations exhibit different behaviours than those who don’t. This insight could guide refinements in the booking process for improved conversion rates.
- Campaign-based segments: Beyond tracking visit numbers, delve into usage differences of visitors from specific sources or ad campaigns for deeper insights.
  - Example: Nike might analyse user purchase behaviour from various traffic sources (referral websites, organic, direct, social media and ads). This informs marketing segmentation adjustments, focusing on high-performance channels. It also customises the website experience for different traffic sources, optimising content, promotions and navigation. This data-driven approach could boost user experiences and maximise marketing impact for improved brand engagement and sales conversions.
- Ecommerce segments: Separate users based on purchases, even examining the frequency of visits linked to specific products. Segment heavy users versus light users. This helps uncover diverse customer types and browsing behaviours.
  - Example: Amazon could create segments to differentiate between visitors who made purchases and those who didn’t. This segmentation could reveal distinct usage patterns and preferences, aiding Amazon in tailoring its recommendations and product offerings.
- Demographic segments: Build segments based on browser language or geographic location, for instance, to comprehend how user attributes influence site interactions.
  - Example: Netflix can create user segments based on demographic factors like geographic location to gain insight into how a visitor’s location can influence content preferences and viewing behaviour. This approach could allow for a more personalised experience.
- Technographic segments: Segment users by devices or browsers, revealing variations in site experience and potential platform-specific issues or user attitudes.
  - Example: Google could create segments based on users’ devices (e.g., mobile, desktop) to identify potential issues in rendering its search results. This information could be used to guide Google in providing consistent experiences regardless of device.
The importance of ethical behavioural segmentation
Respecting user privacy and data protection is crucial. Matomo offers features that align with ethical segmentation practices. These include:
- Anonymization: Matomo allows for data anonymization, safeguarding individual identities while providing valuable insights.
- GDPR compliance: Matomo is GDPR compliant, ensuring that user data is handled following European data protection regulations.
- Data retention and deletion: Matomo enables businesses to set data retention policies and delete user data when it’s no longer needed, reducing the risk of data misuse.
- Secured data handling: Matomo employs robust security measures to protect user data, reducing the risk of data breaches.
Real-world examples of ethical behavioural segmentation:
- Content publishing: A leading news website could utilise data anonymization tools to ethically monitor user engagement. This approach allows them to optimise content delivery based on reader preferences while ensuring the anonymity and privacy of their target audience.
- Non-profit organisations: A charity organisation could embrace granular user control features. This could be used to empower its donors to manage their data preferences, building trust and loyalty among supporters by giving them control over their personal information.
Examples of effective behavioural segmentation
Companies are constantly using behavioural insights to engage their audiences effectively. In this section, we’ll delve into real-world examples showcasing how top companies use behavioural segmentation to enhance their marketing efforts.
- Coca-Cola’s behavioural insights for marketing strategy: Coca-Cola employs behavioural segmentation to evaluate its advertising campaigns. Through analysing user engagement across TV commercials, social media promotions and influencer partnerships, Coca-Cola’s marketing team can discover that video ads shared by influencers generate the highest ROI and web traffic.
  This insight guides the reallocation of resources, leading to increased sales and a more effective advertising strategy.
- eBay’s custom conversion approach: eBay excels in conversion optimisation through behavioural segmentation. When users abandon carts, eBay’s dynamic system sends personalised email reminders featuring abandoned items and related recommendations tailored to user interests and past purchase decisions.
  This strategy revives sales, elevates conversion rates and sparks engagement. eBay’s adeptness in leveraging behavioural insights transforms user experience, steering a customer journey toward conversion.
- Sephora’s data-driven conversion enhancement: Data analysts can use Sephora’s behavioural segmentation strategy to fuel revenue growth through meticulous data analysis. By identifying a dedicated subset of loyal customers who exhibit a consistent preference for premium skincare products, data analysts enable Sephora to customise loyalty programs.
  These personalised rewards programs provide exclusive discounts and early access to luxury skincare releases, resulting in heightened customer engagement and loyalty. The data-driven precision of this approach directly contributes to amplified revenue from this specific customer segment.
Examples of the do’s and don’ts of behavioural segmentation
Behavioural segmentation is a powerful marketing and data analysis tool, but its success hinges on ethical and responsible practices. In this section, we will explore real-world examples of the do’s and don’ts of behavioural segmentation, highlighting companies that have excelled in their approach and those that have faced challenges due to lapses in ethical considerations.
Do’s of behavioural segmentation:
- Personalised messaging:
  - Example: Spotify
  - Spotify’s success lies in its ability to use behavioural data to curate personalised playlists and user recommendations, enhancing its music streaming experience.
- Transparency:
  - Example: Basecamp
  - Basecamp’s transparency in sharing how user data is used fosters trust. They openly communicate data practices, ensuring users are informed and comfortable.
- Anonymization:
  - Example: Matomo’s anonymization features
  - Matomo employs anonymization features to protect user identities while providing valuable insights, setting a standard for responsible data handling.
- Purpose limitation:
  - Example: Proton Mail
  - Proton Mail strictly limits the use of user data to email-related purposes, showcasing the importance of purpose-driven data practices.
- Dynamic content delivery:
  - Example: LinkedIn
  - LinkedIn uses behavioural segmentation to dynamically deliver job recommendations, showcasing the potential for relevant content delivery.
- Data security:
  - Example: Apple
  - Apple’s stringent data security measures protect user information, setting a high bar for safeguarding sensitive data.
- Adherence to regulatory compliance:
  - Example: Matomo’s regulatory compliance features
  - Matomo’s regulatory compliance features ensure that businesses using the platform adhere to data protection regulations, further promoting responsible data usage.
Don’ts of behavioural segmentation:
- Ignoring changing regulations
  - Example: Equifax
  - Equifax faced major repercussions for neglecting evolving regulations, resulting in a data breach that exposed the sensitive information of millions.
- Sensitive attributes
  - Example: Twitter
  - Twitter faced criticism for allowing advertisers to target users based on sensitive attributes, sparking concerns about user privacy and data ethics.
- Data sharing without consent
  - Example: Meta & Cambridge Analytica
  - The Cambridge Analytica scandal involving Meta (formerly Facebook) revealed the consequences of sharing user data without clear consent, leading to a breach of trust.
- Lack of control
  - Example: Uber
  - Uber faced backlash for its poor data security practices and a lack of control over user data, resulting in a data breach and compromised user information.
- Don’t be creepy with invasive personalisation
  - Example: Offer Moment
  - Offer Moment’s overly invasive personalisation tactics crossed ethical boundaries, unsettling users and eroding trust.
These examples are valuable lessons, emphasising the importance of ethical and responsible behavioural segmentation practices to maintain user trust and regulatory compliance in an increasingly data-driven world.
Continue the conversation
Diving into customer behaviours, preferences and interactions empowers businesses to forge meaningful connections with their target audience through targeted marketing segmentation strategies. This approach drives growth and fosters exceptional customer experiences, as evident from the various common examples spanning diverse industries.
In the realm of ethical behavioural segmentation and regulatory compliance, Matomo is a trusted partner. Committed to safeguarding user privacy and data integrity, our advanced web analytics solution empowers your business to harness the power of behavioural segmentation, all while upholding the highest standards of compliance with stringent privacy regulations.
To gain deeper insight into your visitors and execute impactful marketing campaigns, explore how Matomo can elevate your efforts. Try Matomo free for 21 days, no credit card required.
-
Virginia Consumer Data Protection Act (VCDPA) Guide
27 September 2023, by Erin — Privacy
Do you run a for-profit organisation in the United States that processes personal and sensitive consumer data? If so, you may be concerned about the growing number of data privacy laws cropping up from state to state.
Ever since the California Consumer Privacy Act (CCPA) came into effect on January 1, 2020, four other US states — Connecticut, Colorado, Utah and Virginia — have passed their own data privacy laws. Each law uses the CCPA as a foundation but slightly deviates from the formula. This is a problem for US organisations, as they cannot apply the same CCPA compliance framework everywhere else.
In this article, you’ll learn what makes the Virginia Consumer Data Protection Act (VCDPA) unique and how to ensure compliance.
What is the VCDPA?
Signed by Governor Ralph Northam on 2 March 2021, and brought into effect on 1 January 2023, the VCDPA is a new data privacy law. It gives Virginia residents certain rights regarding how organisations process their personal and sensitive consumer data.
The law contains several provisions, which define:
- Who must follow the VCDPA
- Who is exempt from the VCDPA
- The consumer rights of data subjects
- Relevant terms, such as “consumers,” “personal data,” “sensitive data” and the “sale of personal data”
- The rights and responsibilities of data controllers
- What applicable organisations must do to ensure VCDPA compliance
These guidelines define the data collection practices that VCDPA-compliant organisations must comply with. The practices are designed to protect the rights of Virginia residents who have their personal or sensitive data collected.
What are the consumer rights of VCDPA data subjects?
There are seven consumer rights that protect residents who fit the definition of “data subjects” under the new Virginia data privacy law.
A data subject is an “identified or identifiable natural person” who has their information collected. Personally identifiable information includes a person’s name, address, date of birth, religious beliefs, immigration status, status of child protection assessments, ethnic origin and more.
Below is a detailed breakdown of each VCDPA consumer right:
- Right to know, access and confirm personal data: Data subjects have the right to know that their data is being collected, the right to access their data and the right to confirm that the data being collected is accurate and up to date.
- Right to delete personal data: Data subjects have the right to request that their collected personal or sensitive consumer data be deleted.
- Right to correct inaccurate personal data: Data subjects have the right to request that their collected data be corrected.
- Right to data portability: Data subjects have the right to obtain their collected data and, when reasonable and possible, request that their collected data be transferred from one data controller to another.
- Right to opt out of data processing activity: Data subjects have the right to opt out of having their personal or sensitive data collected.
- Right to opt out of the sale of personal and sensitive consumer data: Data subjects have the right to opt out of having their collected data sold to third parties.
- Right to not be discriminated against for exercising one’s rights: Data subjects have the right to not be discriminated against for exercising their right to not have their personal or sensitive consumer data collected, processed and sold to third parties for targeted advertising or other purposes.
Who must comply with the VCDPA?
The VCDPA applies to for-profit organisations, specifically those that operate and offer products or services in the state of Virginia.
Additionally, for-profit organisations that fit under either of these two categories must comply with the VCDPA:
- Collect and process the personal data of at least 100,000 Virginia residents within a financial year or
- Collect and process the personal data of at least 25,000 Virginia residents and receive at least 50% of gross revenue by selling personal or sensitive data.
If a for-profit organisation resides out of the state of Virginia and falls into one of the categories above, they must comply with the VCDPA. Eligibility requirements also apply, regardless of the revenue threshold of the organisation in question. Large organisations can avoid VCDPA compliance if they don’t meet either of the above two eligibility requirements.
What types of consumer data does the VCDPA protect?
The two main types of data that apply to the VCDPA are personal and sensitive data.
Personal data is either identified or personally identifiable information, such as home address, date of birth or phone number. Information that is publicly available or has been de-identified (dissociated with a natural person or entity) is not considered personal data.
Sensitive data is a category of personal data. It’s data that’s either the collected data of a known child or data that can be used to form an opinion about a natural person or individual. Examples of sensitive data include information about a person’s ethnicity, religion, political beliefs and sexual orientation.
It’s important that VCDPA-compliant organisations understand the difference between the two data types, as failure to do so could result in penalties of up to $7,500 per violation. For instance, if an organisation wants to collect sensitive data (and they have a valid reason to do so), they must first ask for consent from consumers. If the organisation in question fails to do so, then they’ll be in violation of the VCDPA, and may be subject to multiple penalties — equal to however many violations they incur.
A 5-step VCDPA compliance framework
Getting up to speed with the terms of the VCDPA can be challenging, especially if this is your first time encountering such a law. That said, even organisations that have experience with data privacy laws should still take the time to understand the VCDPA.
Here’s a simple 5-step VCDPA compliance framework to follow.
1. Assess data
First off, take the time to become familiar with the Virginia Consumer Data Protection Act (VCDPA). Then, read the ‘Who must comply with the VCDPA?’ section of this article, and use this information to determine if the law applies to your organisation.
How do you know if you reach the data subject threshold? Easy. Use a web analytics platform like Matomo to see where your web visitors are, how many of them (from that specific region) are visiting your website and how many of them you’re collecting personal or sensitive data from.
To do this in Matomo, simply open the dashboard, look at the “Locations” section and use the information on display to see how many Virginia residents are visiting your website.
Using the dashboard will help you determine if the VCDPA applies to your company.
2. Evaluate your privacy practices
Review your existing privacy policies and practices and update them to comply with the VCDPA. Ensure your data collection practices protect the confidentiality, integrity and accessibility of your visitors’ data.
One way to do this is to automatically anonymise visitor IPs, which you can do in Matomo; in fact, the feature is enabled by default.
Another great thing about IP anonymisation is that after a visitor leaves your website, any evidence of them ever visiting is gone, and such information cannot be tracked by anyone else.
3. Inform data subjects of their rights
To ensure VCDPA compliance in your organisation, you must inform your data subjects of their rights, including their right to access their data, their right to transfer their data to another controller and their right to opt out of your data collection efforts.
That last point is one of the most important, and to ensure that you’re ready to respond to consumer rights requests, you should prepare an opt-out form in advance. If a visitor wants to opt out from tracking, they’ll be able to do so quickly and easily. Not only will this help you be VCDPA compliant, but your visitors will also appreciate the fact that you take their privacy seriously.
To create an opt-out form in Matomo, visit the privacy settings section (click on the cog icon in the top menu) and click on the “Users opt-out” menu item under the Privacy section. After creating the form, you can then customise and publish the form as a snippet of HTML code that you can place on the pages of your website.
4. Review vendor contracts
Depending on the nature of your organisation, you may have vendor contracts with a third-party business associate. These are individuals or organisations, separate from your own, that contribute to the successful delivery of your products and services.
You may also engage with third parties that process the data you collect, as is the case for many website owners that use Google Analytics (to which there are many alternatives) to convert visitor data into insights.
Financial institutions, such as stock exchange companies, also rely on third-party data for trading. If this is the case for you, then you likely have a Data Processing Agreement (DPA) in place — a legally binding document between you (the data controller, who dictates how and why the collected data is used) and the data processor (who processes the data you provide to them).
To ensure that your DPA is VCDPA compliant, make sure it contains the following items:
- Definition of terms
- Instructions for processing data
- Limits of use (explain what all parties can and cannot do with the collected data)
- Physical data security practices (e.g., potential risks, risk of harm and control measures)
- Data subject rights
- Consumer request policies (i.e., must respond within 45 days of receipt)
- Privacy notices and policies
5. Seek expert legal advice
To ensure your organisation is fully VCDPA compliant, consider speaking to a data and privacy lawyer. They can help you better understand the specifics of the law, advise you on where you fall short of compliance and what you must do to become VCDPA compliant.
Data privacy lawyers can also help you draft a meaningful privacy notice, which may be useful in modifying your existing DPAs or creating new ones. If needed, they can also advise you on areas of compliance with other state-specific data protection acts, such as the CCPA and newly released laws in Colorado, Connecticut and Utah.
How does the VCDPA differ from the CCPA?
Although the VCDPA has many similarities to the CCPA, the two laws still have their own approach to applying the law.
Here’s a quick breakdown of the main differences that set these laws apart.
Definition of a consumer
Under the VCDPA, a consumer is a “natural person who is a Virginia resident acting in an individual or household context.” Meanwhile, under the CCPA, a consumer is a “natural person who is a California resident acting in an individual or household context.” However, the VCDPA omits people in employment contexts, while the CCPA doesn’t. Hence, under the VCDPA, organisations don’t need to consider employee data.
Sale of personal data
The VCDPA defines the “sale of personal data” as an exchange “for monetary consideration” by the data controller to a data processor or third party. This means that, under the VCDPA, an act is only considered a “sale of personal data” if there is monetary value attached to the transaction.
This contrasts with the CCPA, which also counts “other valuable considerations” as a factor when determining if the sale of personal data has occurred.
Right to opt out
Just like the CCPA, the VCDPA clearly outlines that organisations must respond to a user request to opt out of tracking. However, unlike the CCPA, the VCDPA does not give organisations any exceptions to such a right. This means that, even if the organisation believes that the request is impractical or hard to pull off, it must comply with the request under any circumstances, even in instances of hardship.
Ensure VCDPA compliance with Matomo
The VCDPA, like many other data privacy laws in the US, is designed to enhance the rights of Virginia consumers who have their personal or sensitive data collected and processed. Fortunately, this is where platforms like Matomo can help.
Matomo is a powerful web analytics platform that has built-in features to help you comply with the VCDPA. These include options like:
- Cookie-less tracking
- Creating consumer consent and opt-out forms
- Giving consumers access to their personal data