There’s a strong likelihood that at some point today you’ve had to click on a button that said: “Allow all cookies.” Or maybe you didn't, maybe you happily chose “Reject all” and praised the GDPR gods for removing cookies from your life. But that would be worshiping a false idol. Those banners that now emblazon every site? Nothing to do with GDPR. And even when you reject them, you’ll still have a few cookies left.
A lot has changed in digital privacy in the last few years. New laws have been adopted, especially in the EU, to protect citizens' privacy and push companies to manage user data correctly. These are good things.
Here we want to go through three primary new laws, GDPR, ePrivacy, and HIPAA, showing simply what each cares about and how companies can act under these laws.
First though, let’s go through the different types of data they care about, and the different types of data you might have on each user.
PII, PHI, and the data collected about you
If a user signs up for your product, what data about them might you store? At the very minimum, you’ll need a username or email address. Sometimes you’ll want their full name as well. For business purposes, you might need an address or a telephone number.
All this is PII, Personally Identifiable Information. PII is data you collect that can be used to identify a specific individual. Names, emails, and addresses are tied to one individual. With this data, you can find out a lot more about that person. If this data is leaked, it can be used for identity theft or other fraud.
There are other non-obvious data points that also come under PII. The ‘indirect identifiers’ are data points that can be used together to identify a single person. They could be gender or birth date or location. Individually, these can’t be used to identify one person, but, for example, a woman born December 13, 1989 in West Reading, Pennsylvania narrows it down to just one individual.
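To make the indirect-identifier point concrete, here is an added example (not from the original post) that measures how identifying a combination of columns is, using the k-anonymity idea: group records by the chosen columns and look at the smallest group. The records and column names are constructed sample data, not real people.

```javascript
// Constructed sample records: the indirect identifiers gender, birth date
// and city, plus one non-identifying attribute. Not real people.
const RECORDS = [
  { gender: 'F', birthDate: '1989-12-13', city: 'West Reading, PA', plan: 'A' },
  { gender: 'F', birthDate: '1989-12-13', city: 'Reading, PA',      plan: 'B' },
  { gender: 'M', birthDate: '1989-12-13', city: 'West Reading, PA', plan: 'A' },
  { gender: 'F', birthDate: '1989-12-01', city: 'West Reading, PA', plan: 'C' },
  { gender: 'F', birthDate: '1989-12-13', city: 'Reading, PA',      plan: 'A' },
  { gender: 'M', birthDate: '1989-03-02', city: 'West Reading, PA', plan: 'B' },
];

// How many records match a given combination of attribute values?
// A count of 1 means that combination singles out one person.
function matchCount(records, query) {
  return records.filter((r) =>
    Object.entries(query).every(([field, value]) => r[field] === value)
  ).length;
}

// Group records by the given quasi-identifier columns and return the size
// of the smallest group (the dataset's k for those columns) and the number
// of distinct groups. k = 1 means at least one person is uniquely identified.
function kAnonymity(records, columns) {
  const groups = new Map();
  for (const r of records) {
    const key = JSON.stringify(columns.map((c) => r[c]));
    groups.set(key, (groups.get(key) || 0) + 1);
  }
  let k = Infinity;
  for (const n of groups.values()) k = Math.min(k, n);
  return { k, groups: groups.size };
}

// Replace a column with a coarser version (e.g. full birth date -> birth
// year). Generalizing quasi-identifiers is the usual way to raise k.
function generalize(records, column, fn) {
  return records.map((r) => ({ ...r, [column]: fn(r[column]) }));
}

const birthYear = (date) => date.slice(0, 4);

// Usage: the combination from the text picks out exactly one record, the
// full columns give k = 1, and coarsening birth date to year gives k = 2.
const QUASI_IDS = ['gender', 'birthDate', 'city'];
console.log(matchCount(RECORDS, { gender: 'F', birthDate: '1989-12-13', city: 'West Reading, PA' }));
console.log(kAnonymity(RECORDS, QUASI_IDS));
console.log(kAnonymity(generalize(RECORDS, 'birthDate', birthYear), QUASI_IDS));
```

The same check works on any export you are about to share: run `kAnonymity` over the columns a recipient would receive, and treat k = 1 as a sign that "non-PII" fields have combined into PII.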
HIPAA, which we’ll learn more about below, lists 18 personal identifiers. Along with the more traditional ways of identifying someone, the list also includes IP addresses, URLs visited, and device IDs, all commonly stored as part of tracking initiatives.
HIPAA is concerned with the combination of PII and health information into PHI, Protected Health Information. PHI is your medical history, not just your “physical or mental health or condition,” but also any treatments or health care you’ve had, and any documentation related to that which can be individually identified. If you have a hospital bill or a treatment plan or a lab report tied to one of the 18 identifiers, that is all PHI.
Finally, there is non-PII. This is data like device type or browser or time zone that can’t be traced to a single individual. But it is still data about an individual, so it’s also covered in the laws below.
As we go through the different rules governing this type of information, you’ll start to see how they coalesce. Health information, combined with the PII identifiers, can be extremely damaging; you need strict data protections if these two are stored together.
Non-PII data might be harmless on its own, but detrimental if combined with PII. For instance, a third-party cookie tracking which sites you visited might be OK on its own, but do you want that information leaked with your name attached?
There are a lot of laws that regulate how data is stored and processed, but these three are the most important from an analytics perspective:
GDPR
ePrivacy Directive
HIPAA Privacy Rule
Let’s look at how each covers a different aspect of data processing online.
GDPR protects EU citizen data around the world
Let’s say you’re a dentist in Hanover, PA. You provide excellent dental care to the citizens of Hanover and surrounding areas, and to make it easier for them to find you, you have a website set up. You want to know whether people are using your website, so you have a small tracking snippet installed.
One day, a German Hanoverian gets a little confused while dealing with a bad toothache and lands on your site. Herzliche Glückwünsche, you now fall under the scope of GDPR and EU law.
GDPR, the General Data Protection Regulation, is an EU law that went into effect in May 2018. It protects the data of EU citizens. If you are a citizen of the US, Canada, Nigeria, Thailand, or any other non-EU nation, GDPR does not apply to your data. However, if you run a website or product in any country on earth that collects data from EU citizens, you are supposed to adhere to GDPR rules.
What are those rules? GDPR doesn’t stop you collecting data on EU citizens; instead it sets regulations on the how, what, where, why, and who (EU citizens) of the data you do collect. That data must be:
Processed lawfully, fairly and in a transparent manner
Collected for specified, explicit and legitimate purposes
Not processed further for other purposes
Limited to what is necessary for that purpose
Processed securely and protected against unauthorized processing
“Processing” here means pretty much anything you do with data, including transferring and storing your data. You also have to give users the right to access their data and the right to delete their data.
Data on EU citizens is also not supposed to be transferred out of the EU, unless there are corresponding safeguards in place in the third country. This is one of the reasons for the EU-US Privacy Shield: to allow US companies to show they have these safeguards in place and can move data from the EU to the US.
Now, are Europol about to kick down the door of our Pennsylvanian dentist? Extremely unlikely. GDPR really only applies if you are specifically providing a service to EU citizens. In this case, the dental site is clearly for Americans. But an American eCommerce company that shipped to the EU would absolutely be expected to adhere to GDPR. Or a general SaaS product that can be used anywhere in the world? Again, definitely should be GDPR-compliant.
US companies can be, and have been, penalized for GDPR non-compliance even though it’s an EU regulation. Google is fined almost every year. Just one of their fines was $68 million. Marriott hotels were fined $23.8 million, and WhatsApp were fined $255 million in 2021 for non-compliance.
So how do you become GDPR compliant? It is difficult for US companies. If you aren’t part of the Privacy Shield program and data passes through US servers or data centers, you probably aren’t compliant.
Here are two things you can do to stay on the right side of GDPR if your company offers a product in the EU:
Store data in the EU where possible. If you can process your data in the EU, you can pass the big hurdle of transferring data. This can be a challenge, as you might then need a support team in the EU to deal with this data and these customers, specifically.
Offer user deletion. If you offer control over data to the end user, this helps you comply with a lot of rules of GDPR. In particular, if a customer in the EU asks for their data to be deleted, you should have a process in place to comply.
The ePrivacy Directive gives users control over first-party and third-party cookies
Back to those cookie banners. Cookies are files on your local computer that store information about the sites you visit. They can be broken down into two broad categories:
First-party cookies are cookies that are specific to that one site. First-party cookies can further be broken down into different subcategories. There are cookies that store authentication information so you don’t have to continually sign into a site, cookies that store analytics information for page and event tracking, and cookies that store preference information such as language and region.
Third-party cookies are cookies that share information across sites. These are usually used for marketing and advertising purposes, such as when you see ads on a site for another site you just visited. The ad services on these sites are sharing information about you via a cookie.
It’s mostly third-party cookies that everyone hates, but as first-party cookies are also collecting data, they can breach privacy and data collection rules. The ePrivacy Directive gives users control over all these types of cookies, apart from ones deemed ‘necessary.’ These are cookies that keep you logged in to a site, or keep items in your cart on an ecommerce site.
Here’s what you have to do to comply with the ePrivacy Directive:
Get users’ consent before you use any cookies except strictly necessary cookies.
Tell users about the data each cookie tracks before consent is received.
Allow users to access your service even if they reject cookies.
Make it as easy for users to withdraw their consent as it was to give it.
And from that we get the cookie banner.
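The four requirements above translate into a small amount of logic behind the banner. The following is an added example, not code from the original post or from any consent-management product: a consent gate in which only cookies classified as necessary may be set before the user decides, every other category waits for an explicit opt-in, the decision itself lives in a necessary cookie, and a withdrawal is handled by the same function as the opt-in and returns the cookies that must now be expired. Cookie names and categories are constructed for illustration; the code is written as pure functions so it runs in Node as well as in a browser.

```javascript
// Category of each cookie this site sets (constructed names). Only
// "necessary" may be set before consent; the rest wait for an opt-in.
const COOKIE_CATEGORIES = {
  session_id: 'necessary',      // keeps the user logged in
  cart: 'necessary',            // keeps items in the basket
  _analytics_id: 'analytics',   // page and event tracking
  lang: 'preferences',          // language / region
  _ad_id: 'marketing',          // cross-site advertising
};

// The consent record is itself a necessary cookie: JSON mapping
// category -> true/false. No record at all means "not asked yet".
const CONSENT_COOKIE = 'cookie_consent';

// Parse a Cookie header or document.cookie string into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Returns the stored consent object, or null if the user has not decided
// (or the cookie is malformed, which is treated the same as no consent).
function readConsent(cookies) {
  if (!(CONSENT_COOKIE in cookies)) return null;
  try { return JSON.parse(cookies[CONSENT_COOKIE]); } catch { return null; }
}

// May this cookie be set under the current consent state?
// Unknown (unclassified) cookies are denied: deny by default.
function mayUseCookie(name, consent) {
  const category = COOKIE_CATEGORIES[name];
  if (category === undefined) return false;
  if (category === 'necessary') return true;
  return consent !== null && consent[category] === true;
}

// Apply the user's choice. Categories not mentioned default to false, so
// the same call serves the banner's opt-in, a partial opt-in, and a full
// withdrawal (empty choices). Returns the new consent value and the list
// of existing cookies that are no longer permitted and must be expired.
function applyConsent(cookies, choices) {
  const consent = { analytics: false, preferences: false, marketing: false, ...choices };
  const revoke = Object.keys(cookies).filter(
    (name) => name !== CONSENT_COOKIE && !mayUseCookie(name, consent)
  );
  return { consentValue: JSON.stringify(consent), revoke };
}

// Set-Cookie header values that expire revoked cookies. In a browser the
// same strings can be assigned one by one to document.cookie.
function expireHeaders(names) {
  return names.map((n) => `${n}=; Max-Age=0; Path=/; SameSite=Lax`);
}

// Usage: a visitor with analytics and ad cookies opts in to analytics only,
// then later withdraws everything.
function demo() {
  const visitorCookies = parseCookies('session_id=abc; _analytics_id=xyz; _ad_id=123');
  const optIn = applyConsent(visitorCookies, { analytics: true });
  const withdrawal = applyConsent(visitorCookies, {});
  return { optIn, withdrawal, headers: expireHeaders(withdrawal.revoke) };
}
console.log(JSON.stringify(demo(), null, 2));
```

The design point is that the banner only ever writes `cookie_consent`; the scripts that set analytics or marketing cookies check `mayUseCookie` first, so nothing is gated on the banner being rendered correctly.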
Importantly, the ePrivacy Directive doesn’t have the same reach as GDPR. It isn’t extraterritorial, so non-EU companies don’t have to comply if they don’t have an entity in the EU.
But, though GDPR isn’t the reason for your cookie banner, cookies do come under GDPR because they can contain data about EU citizens, so if you don’t follow the ePrivacy Directive and do target EU customers, you can still be in breach of GDPR.
The HIPAA Privacy Rule stops companies sharing user medical data
So far, so EU. But the US government also likes to protect its citizens' data in some cases, one being health-related data.
The HIPAA Privacy Rule states:
“The Privacy Rule protects all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information ‘protected health information (PHI)’.”
PHI comprises health information and individual information, and how they work together. The Privacy Rule doesn’t cover health data on its own, so any aggregation of medical data for research, reporting, or statistical purposes isn’t covered if it can't be traced to an individual.
For companies and institutions with any online-facing access to healthcare, staying HIPAA compliant means protecting both the health information and the individual identifiers. It is the individual identifiers, the PII part, that can cause issues given how modern tracking works. These data points, such as IP addresses, URLs visited, and device IDs, are collected by default.
Being HIPAA compliant requires protecting these in the same way you would any sensitive information. But as they are collected by default in most tracking technologies, some companies might not even realize they are collecting and storing them, nor realize they are sending them on to other vendors, such as data warehouses or marketing tools, without authorization.
For these companies, there are four HIPAA tracking options:
Turn tracking off, but then you lose the ability to personalize, experiment, and improve your product through the insights tracking brings.
Build your own tracking systems so you know exactly the data captured. This takes up significant time and resources and is only really available as an option for larger companies.
Go with a traditional analytics provider. The problem here stems from whether the analytics provider can safely process and store this data. The latest HIPAA update explicitly called out the use of traditional tracking technologies as a probable violation.
Use tracking tech purpose-built for healthcare. Providers like Freshpaint give users total control over which data points are sent to which providers, and all data points are blocked by default, eliminating the risk of accidentally sending PHI. Using Freshpaint instead of non-compliant tracking technologies will make ad platforms like Facebook and analytics tools like Google Analytics HIPAA-compliant.
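The "blocked by default" approach in the last option, and the problem described above of identifiers being captured automatically, can be shown with an added example. This is not Freshpaint's code or the post's own; it is a forwarding filter in which each destination has an explicit allowlist of event fields, everything else is dropped, and the identifier fields that tracking snippets capture by default can never be forwarded even if someone allowlists them by mistake. The destination names, field names and the sample event are constructed for illustration.

```javascript
// Per-destination allowlist (constructed). A field that is not listed for
// a destination is dropped: the default is to send nothing.
const DESTINATION_ALLOWLIST = {
  product_analytics: ['event', 'timestamp', 'page_section', 'browser_family'],
  ad_platform: ['event', 'timestamp'],
};

// Fields that tracking snippets typically collect automatically and that
// fall under HIPAA's identifier list (IP, URL, device ID) or are direct
// PII. These are refused even if an allowlist names them.
const NEVER_FORWARD = new Set(['ip', 'url', 'device_id', 'email', 'name', 'user_id']);

// Constructed sample event, as a tracking snippet on a clinic site might
// produce it. Note that the URL alone ties a person to lab results.
const SAMPLE_EVENT = {
  event: 'page_view',
  timestamp: '2023-01-05T10:00:00Z',
  url: 'https://clinic.example/patients/12345/lab-results',
  ip: '203.0.113.7',
  device_id: 'd-8f2a',
  browser_family: 'Firefox',
  page_section: 'lab-results',
  email: 'pat@example.com',
};

// Reduce an event to what one destination is allowed to receive.
// Returns the payload plus the names of dropped fields for an audit log.
function filterForDestination(event, destination) {
  const allowed = DESTINATION_ALLOWLIST[destination];
  if (!allowed) throw new Error(`unknown destination: ${destination}`);
  const payload = {};
  const dropped = [];
  for (const [field, value] of Object.entries(event)) {
    if (allowed.includes(field) && !NEVER_FORWARD.has(field)) payload[field] = value;
    else dropped.push(field);
  }
  return { payload, dropped };
}

// Final guard before anything leaves: a payload that still carries an
// identifier field is a configuration bug, not something to send.
function containsIdentifier(payload) {
  return Object.keys(payload).some((field) => NEVER_FORWARD.has(field));
}

// Build the outgoing payload for every configured destination.
function routeEvent(event) {
  const plan = {};
  for (const destination of Object.keys(DESTINATION_ALLOWLIST)) {
    const { payload, dropped } = filterForDestination(event, destination);
    if (containsIdentifier(payload)) throw new Error(`identifier leaked to ${destination}`);
    plan[destination] = { payload, dropped };
  }
  return plan;
}

console.log(JSON.stringify(routeEvent(SAMPLE_EVENT), null, 2));
```

With this configuration the analytics destination learns that some Firefox user viewed the lab-results section, which on its own is not PHI because nothing in the payload identifies the person; the IP, URL, device ID and email that the snippet captured automatically never leave.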
The future of data privacy
Privacy regulation is good. It gives users control over their data, means data fraud is less likely, and stops bad actors from pernicious data use.
It comes with costs, though. Some users will turn tracking off. Companies will have to put more thought into what data they process and how. But challenges lead to better solutions. If cookies can’t follow users around the web, marketers and advertisers will have to put more thought into using first-party data and finding people their products could genuinely help.
As governments push for more controls over data, more products like Freshpaint that take a strong stance on data privacy across specific verticals will be built.
Chameleon is another company that takes data privacy seriously. With the SOC 2 Type II certification received for the second consecutive year, it continuously stays compliant with all the data privacy laws. In other words, you can integrate Freshpaint and Chameleon to easily send data between all your tools without worrying about a privacy breach.
All this is going to look very different in a few years, perhaps even by the end of 2023. But users and companies will be better placed for it.