Protecting Data Privacy: Best Practices for Your Website

By Mackenzie Pelletier

Data privacy laws are put in place to ensure that all individuals have control over what, how, when and to whom their personally identifiable information is shared or communicated. These regulations make the internet a safer place for all, but they aren’t always straightforward.

Privacy laws can vary by state and country, and some laws exist for specific industries, organizations and age groups. If you’re in the process of launching a new website, you’ll want to ensure you are taking the necessary steps to meet all regulatory and privacy requirements related to your business or target audience.


Note: Orbit Media is not an expert on data security or data privacy law, and this is not a comprehensive list of all regulations and policies. You should speak with an attorney for legal advice on data privacy regulations. 

Data privacy laws vary by state and country

Following data privacy laws can be complex, especially if you’re receiving traffic from users across the United States or internationally. This is because data privacy laws focus on the collection and management of data about users, and those users may be visiting your site from a different geographic location than where you’re based.

It’s important to speak with an attorney or data privacy expert to get a better understanding of what laws apply to you, so you can keep your website secure for all of your users.

Data privacy laws in the United States

There is no single blanket privacy law in the United States. Instead, there are many different federal and state-specific requirements that offer differing levels of privacy and protection for personal data. Here are a few common laws and regulations that impact a wide range of businesses and websites.

Here’s an example of a privacy policy notice on a web form:

[Image: a contact form with first name, last name and work email fields, a project message box, a checkbox to opt in to marketing emails, a privacy policy link and a “SEND MESSAGE” button]

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

The California Consumer Privacy Act (CCPA) impacts any business or website that:

  • Collects data of California residents (i.e., ecommerce orders, web forms, blog comments, cookies, etc.)
  • Has an annual gross revenue of $25 million or more
  • Buys, receives or sells the personal information of at least 50,000 California residents, consumers, households and/or devices per year
  • Generates at least 50% of annual revenue from “selling” California consumers’ personal information
  • Handles the personal information of more than 4 million consumers

To be compliant with CCPA, a website must:

  • Develop a privacy notice that is updated regularly and includes all relevant information outlined in the CCPA regulations
  • Disclose data use
  • Collect and store user consent
  • Securely maintain user records
  • Provide a clear option for users to opt out of the sale of their data
  • Ensure users are able to contact the business
  • Include an identity verification system for request submissions

Health Insurance Portability & Accountability Act (HIPAA)

HIPAA is a health portability and privacy act that covers the following:

  • The ability to retain or transfer health insurance coverage after a change in employment
  • Reducing healthcare fraud and abuse
  • Mandating industry-wide standards for health care information on electronic billing and other processes
  • Protecting and confidentially handling protected health information

HIPAA compliance is only required for websites that handle electronic protected health information (PHI), including collecting, displaying, storing or transmitting PHI.

There are many steps to make a website HIPAA compliant, including:

  • Obtaining a HIPAA-compliant hosting partner
  • Maintaining an SSL certificate
  • Encrypting all personal information that is being collected or transmitted
  • Creating access limitations


Children’s Online Privacy Protection Rule (COPPA)

COPPA is a federal privacy act that protects the privacy of minors online. It applies to any for-profit business whose website or service is directed to children under 13 years of age, or that has knowledge that it is collecting personal information from a child under 13 years of age.

COPPA ensures that any personal information or sensitive data, such as a first and last name, address, contact information and other sensitive information, is not obtained from a child without explicit authorization from a parent or guardian.

COPPA does not apply to all websites, but those who are collecting information from or appealing to minors likely do qualify, and should ensure they are complying with COPPA rules. This includes:

  • Implementing a process for obtaining parental consent
  • Creating a COPPA privacy policy

Gramm-Leach-Bliley Act (GLBA)

GLBA, also known as the Financial Services Modernization Act of 1999, is a federal policy that protects the personal data of customers of financial institutions. This covers any institution that offers financial products or services, including insurance, investment advice, loans, etc.

GLBA requires financial institutions to protect clients’ personal information, including personally identifiable information and transactional data. GLBA also requires all relevant institutions to adhere to specific means of collecting, handling and disposing of customer information.

European Union GDPR

The General Data Protection Regulation (GDPR) is a regulation on data privacy protection in the European Union and European Economic Area.

The General Data Protection Regulation impacts your website if any of the following are true:

  • Your website receives traffic from EU visitors
  • Your website collects data of EU residents (i.e., ecommerce, web forms, blog comments, cookies, etc.)
  • Your business operates in the EU


Cookies and privacy

Cookies, also known as browser cookies or tracking cookies, are small text files that are created and stored in a browser when a user visits a website. These cookies are then attached to future requests, helping to personalize user experience and remember previous actions the user has taken online.

Cookies track your behavior on websites and share that information with web servers. Cookies also relate to website privacy, as cookies store and share information related to a user’s name, device, address, contact information, passwords and more.

There are regulations in place around the world to ensure websites are properly handling consumer data and cookies. Some include:

  • ePrivacy Directive (EU)
  • Data Protection Act (U.K.)
  • Lei Geral de Proteção de Dados Pessoais: LGPD (Brazil)
  • Personal Information Protection Act: PIPA (South Korea)
  • Personal Information Protection Law: PIPL (China)

There is currently no federal cookie law in the United States, though there are some regional laws, and some privacy laws, such as the CCPA, include regulations for the use of cookies. Even if your website and business are based in the United States, international cookie policies may apply to your website if you are handling any sensitive personal information from users abroad.

Generally, cookie laws require a consent management system that allows users to opt out of, or customize, which cookies are stored and used. Strictly necessary cookies (for example, a session cookie) are typically exempt from the opt-in, while analytics and marketing cookies must not be set until the user has agreed.
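The following is an added example (not Orbit Media’s code) of the consent-gating logic such a consent management system needs: non-essential cookies are written only for categories the user has opted into, and withdrawing consent removes cookies already set in that category. The category names and the in-memory cookie “jar” are assumptions chosen for illustration; a browser implementation would write `document.cookie` instead.

```javascript
// Added example: consent-gated cookie layer (assumed categories, not from the article).
// Non-essential cookies are only written once the user has opted in to their category;
// revoking consent deletes the cookies already set in that category.
// The cookie "jar" is injected so the same logic runs in a browser or in tests.

const CATEGORIES = ["necessary", "analytics", "marketing"];

class ConsentManager {
  constructor(jar) {
    this.jar = jar;                       // { set(name, value, attrs), remove(name) }
    this.consent = { necessary: true };   // strictly necessary cookies need no opt-in
    this.registry = {};                   // cookie name -> category, for later revocation
  }

  // Record the user's banner choices, e.g. { analytics: true, marketing: false }.
  update(choices) {
    for (const cat of CATEGORIES) {
      if (cat === "necessary") continue;  // cannot be switched off by the user
      const allowed = Boolean(choices[cat]);
      if (!allowed && this.consent[cat]) this.revoke(cat);
      this.consent[cat] = allowed;
    }
  }

  // Try to set a cookie; returns false (and writes nothing) without consent.
  set(name, value, category, attrs = {}) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category " + category);
    if (!this.consent[category]) return false;
    this.jar.set(name, value, { secure: true, sameSite: "Lax", ...attrs });
    this.registry[name] = category;
    return true;
  }

  // Delete every cookie previously written under a category and drop the consent.
  revoke(category) {
    for (const [name, cat] of Object.entries(this.registry)) {
      if (cat === category) { this.jar.remove(name); delete this.registry[name]; }
    }
    this.consent[category] = false;
  }
}

// Constructed in-memory jar; a browser jar would write document.cookie instead.
function memoryJar() {
  const store = new Map();
  return {
    set: (name, value) => store.set(name, value),
    remove: (name) => store.delete(name),
    has: (name) => store.has(name),
  };
}
```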

Noncompliance can lead to large fines

Data privacy compliance instills trust in your users and ensures you are properly handling and protecting their information. Those who are non-compliant, however, often face hefty fines and a damaged reputation.

Penalties for noncompliance can vary from $2,500 to tens of thousands of dollars per violation.


Some websites can help you draft your own privacy policy or cookie manager, though you should still consult with an attorney to ensure you are following all relevant privacy and security measures.

Here are some examples of privacy and cookie policies:

Data privacy impacts everyone

These important laws and regulations have been put in place to ensure users have control over how their information is collected and managed. As business owners, digital marketers and users of the World Wide Web, it’s important to learn about and follow all regulations protecting data privacy and website security.

Orbit has been making the internet better, one website at a time, since 2001. Our team of expert web designers, developers, strategists, SEOs and writers work together to create beautiful sites that rank highly and drive conversions.

Disclaimer: Orbit Media is not an expert on data security or data privacy laws. The information provided here is only a portion of website compliance for data privacy laws and isn’t sufficient to meet all compliance standards. You should always consult an attorney or data privacy expert before making any changes to your website.
