Recherche avancée

Sur d’autres sites (6087)

• How to Choose a GDPR Compliant Web Analytics Solution

  2 mars 2022, par Matthieu Aubry — Privacy

  Since the launch of GDPR, one big question has lingered around with uncertainty – is Google Analytics GDPR compliant ? The current GDPR enforcement trend happening across the EU is certainly shedding some light on this question.

  Starting with the Austrian Data Protection Authority’s ruling on Google Analytics and more recently, CNIL (the French Data Protection Authority) has followed suit by also ruling Google Analytics illegal to use. Organisations with EU-based web visitors are now scrambling to find a compliant solution.

  The French Data Protection Authority (CNIL) has already started delivering formal notices to websites using Google Analytics, so now is the time to act. According to CNIL, organisations have two options :

  1. Ceasing use of the Google Analytics functionality (under the current conditions) 
  2. Use a compliant web analytics tool that does not transfer data outside the EU

  Getting started 

  For organisations considering migrating to a compliant web analytics tool, I’ve outlined below the things you need to consider when weighing up compliant web analytics tools. Once you’ve made a choice, I’ve also included a step-by-step guide to migrating away from Google Analytics. This guide is useful regardless of which GDPR compliant analytics provider you choose.

  Before getting started, I recommend that you document your findings against the following considerations while reviewing GDPR compliant Google Analytics alternatives. This document can then be shared with your Data Protection Officer (DPO) to get their final recommendation.

  10 key considerations when selecting a GDPR compliant web analytics tools

  Many tools will claim to be GDPR compliant so it’s important that you do your due diligence and review tools against the following considerations. 

  1. Where does the tool store data ? 

  The rulings in France and Austria were based on the fact that Google Analytics stores data in the US, which does not have an adequate level of data protection. Your safest option is to find a tool that legally stores data in the EU.

  You should be able to find out where the data is stored in the organisation’s privacy policy. Generally, data storage information can be found under sections titled “Subprocessors” and “Third-party services”. Check out the Matomo Privacy Policy as an example. 

  If you’re unable to easily find this information or it’s unclear, reach out to the organisation for more information.

  2. Does the tool offer anonymous tracking ?

  Anonymous tracking comes with many benefits, including :

  • The ability to track visitors without a cookie consent screen. Due to the privacy-respecting aspect of cookieless tracking, you don’t need to worry about the extra steps involved with compliant cookie banners.
  • More accurate data. When visitors deny tracking cookies, you lose out on valuable data. With anonymous tracking there is no data lost as you don’t need consent to track.
  • Simplified GDPR compliance. With this enabled, there are fewer steps you need to take to get GDPR compliant and stay GDPR compliant.

  For those reasons, it may be important for you to select a tool that offers anonymous tracking functionalities. The level of anonymous tracking you require will depend on your situation but you should look out for tools that allow you to :

  • Disable fingerprinting 
  • Disable user profiles 
  • Anonymise data
  • Cookieless tracking

  If you want to read more about data anonymization, check out this guide on data anonymization in web analytics.

  3. Does the tool integrate with my existing tech stack ?

  You’ll want to ensure that a new web analytics tool will play well with other tools in your tech stack including things like your CMS (content management system), eCommerce shop, etc. You should list out all the existing tools that currently integrate with your Google Analytics and check that the same integrations can be re-created with the new tool, via integrations or APIs.

  If not, it could become costly trying to connect your existing tech stack to a new solution.

  4. Does the tool offer the same features and insights you are currently using in Google Analytics ? Or more, if necessary ? 

  Just because you are moving to a new web analytics platform, doesn’t mean you have to give up the insights, reports and features you’ve grown accustomed to with Google Analytics. Ensuring that a new platform provides the same features and reports that you value the most will result in a smoother transition away from Google Analytics.

  It’s unlikely that a new tool will have all of the same features as Google Analytics, so I’d recommend listing out and prioritising your business-critical features and reports. 

  If I had to guess, you probably set up Google Analytics years ago because it was the default option. Now is your chance to make the most of this switch from Google Analytics and find a tool that offers additional reports and features that better aligns with your business. If time permits, I’d highly recommend that you consider other features or reports that you might have been missing out on while using Google Analytics.

  Check out this comparison of Google Analytics vs Matomo to see side-by-side feature comparison.

  5. Does the tool accept Google Analytics data imports ? 

  The historical data in Google Analytics is a critical asset for many businesses. Fortunately, some tools accept Google Analytics data imports so you don’t lose all of the data you’ve generated over time.

  However, it’s important to note that any data you import from Google Analytics to a new tool needs to be compliant data. I’ll cover this more below.

  6. Does the tool provide conversion tracking exports ? 

  Do you invest in paid advertising ? If you do, then tracking the conversions from people clicking on these paid ads is critical in assessing your return on investment. Since sending IP addresses or other personal information to the US is illegal under GDPR, we can only assume that this will also apply to advertising pixel/conversion tracking (e.g., Facebook pixel, Google Ads conversion tracking, etc). 

  As an example, Matomo offers conversion tracking exports so you can get a better understanding of ad performance while meeting privacy laws and without requiring consent from users. See how it works with Matomo’s conversion tracking exports. 

  7. How will you train up your in-house team ? Or can you hire a contractor ?

  This is a common concern of many, and rightfully so. You’ll want to confirm what resources are readily available so you can hit the ground running with your new web analytics tool. If you’d prefer to train up your in-house team, check the provider’s site for training resources, videos, guides, etc.

  If you’d rather hire an external contractor, we recommend heading to LinkedIn, reaching out to your community or asking the provider if they have any recommendations for contractors.

  In addition, check that the provider offers technical support or a forum, in case you have specific questions and need help.   

  8. Does the tool offer self-hosting ? (optional)

  For organisations that want full control over their data and storage location, an on-premise web analytics tool will be the preferred option. From a GDPR perspective, this is also the easiest option for compliance.

  Keep in mind that this requires resources, regular maintenance, technical knowledge and/or technical consultants. If you’re unsure which option is best for your organisation, check out our on-premise vs cloud web analytics comparison breakdown.

  Find out more about self-hosting Matomo.

  9. Is the tool approved by the CNIL for tracking without consent ?

  This is an important step for websites with French users. This step will help narrow down your selection of tools. The CNIL offers a programme to identify web analytics solutions that can be used without tracking consent. The CNIL’s list of recommended web analytics tools can act as your starting point for solutions to review.

  While this step is specific to sites with French users, it can also be helpful for websites with visitors from any other EU country.

  Benefits of consent-free tracking

  There are many benefits of tracking without consent.
  

  For one, it simplifies GDPR compliance and reduces the chances of GDPR breaches and fines. Cookie consent screens have recently been the target for EU Data Protection Authorities because many websites are unknowingly serving cookie consent screens that do not meet GDPR requirements. 

  Yet another benefit, and quite possibly the most important is more accurate data. Even if a website displays a user-friendly, lawful consent screen, the majority of users will either ignore or reject cookie consent. Legally website owners can’t track anything unless the visitor gives consent. So not having a cookie consent screen ensures that every visit is tracked and your web analytics data is 100% accurate. 

  Lastly, many visitors have grown fatigued and frustrated with invasive cookie consent screens. Not having one on your site creates a user-friendly experience, which will likely result in longer user sessions and lower bounce rates.

  10. Does the tool offer a Data Processing Agreement (DPA) ? 

  Technically, any GDPR compliant web analytics tool should offer a DPA but for the sake of completeness, I’ve added this as a consideration. Double check that any tools you are looking at provide this legally binding document. This should be located in the Privacy Policy of the web analytics provider, if not reach out to request it.

  As an example, here’s Matomo’s Data Processing Agreement which can be found in our Privacy Policy under Subprocessors. 

  That wraps up the key considerations. When it comes to compliance, privacy and customer data, Matomo leads the way. We are looking forward to helping you achieve GDPR compliance easily. Start your free 21-day trial of Matomo now – no credit card required.

  Try Matomo Cloud

  A step-by-step guide to migrating from Google Analytics

  Once you’ve identified a tool that suits your needs and your Data Protection Officer (DPO) has approved, you’re ready to get started. Here’s a simple step-by-step guide with all the important steps for you to follow :

  1. Before getting started, you should sign or download the Data Processing Agreement (DPA) offered by your new web analytics provider.

  2. Register for the new tool and configure it for compliance. The provider should offer guides on how to configure for GDPR compliance. This will include things like giving your users an easy way to opt-out of all tracking, turning on cookieless tracking or asking users for consent and anonymizing data and IP addresses, for instance.

  3. Inform your organisation about the change. Whether your colleagues use the tool or not, it’s important that you share information about the new tool with your staff. Let them know what the tool will be used for, who will use the tool and how it complies with GDPR. 

  4. Let your DPO know that you’ve removed Google Analytics and have implemented the new tool.

  5. Update your records of processing activities to include the new tool.

  6. Update your privacy policy. You’ll need to include details about the web analytics provider, where the data is stored, what data is being collected, how long the data will be stored and why the data is being collected. The web analytics tool should readily have this information for you.

  As an example, if you decide to use Matomo as your web analytics tool, we provide a Privacy Policy template for you to use on your site and a guide on how to complete your privacy policy under GDPR with Matomo. Note that these are only applicable if you are using Matomo.

  In addition, if the tool has an opt-out feature, you will also need to put the opt-out into the privacy policy (e.g., when using cookieless tracking).

  7. Now, the exciting part. Add the tracking code to your site by following the steps provided by the web analytics tool. 

  If you’re not comfortable with this step, the provider should offer steps to do this and you can share this with your web developer.

  8. Once added, login to your tool and check to see if traffic is being tracked.

  9. If your tool does not offer Google Analytics data imports or you do not need the historical data in your new tool, go to step 11. 

  To plan for your Google Analytics data migration, you’ll first need to establish what historical data is compliant with GDPR.

  For example, you shouldn’t import any data stored beyond the retention period established in your Privacy Policy or any personally identifiable information (PII) like IP addresses that aren’t anonymised. Discuss this further with your DPO.

  10. Once you’ve established what data you can legally import, then you can begin the import. Follow the steps provided by your new web analytics solution provider.

  11. Remove Google Analytics tracking code from your site. This will stop the collection of your visitors data by Google as well as slightly increase the page load speed.

  If you still haven’t made a choice yet, try Matomo free for 21-days and see why over 1 million websites choose Matomo. 

• What is PII ? Your introduction to personally identifiable information

  15 janvier 2020, par Joselyn Khor — Analytics Tips, Privacy, Security
  Most websites you visit collect information about you via tools like Google Analytics and Matomo – sometimes collecting personally identifiable information (PII).

  When it comes to PII, people are becoming more concerned about data privacy. Identifiable information can be used for illegal purposes like identity theft and fraud. 

  So how can you protect yourself as an innocent internet browser ? In the case of website owners – how do you protect users and your company from falling prey to privacy breaches ?

  

  As one of the most trusted analytics companies, we feel our readers would benefit from being as informed as possible about data privacy issues and PII. Learn what it means, and what you can do to keep yours or others’ information safe.

  Table of Contents

  What does PII stand for ?

  PII acronym

  PII is an acronym for personally identifiable information.

  PII definition

  Personally identifiable information (PII) is a term used predominantly in the United States.

  The appendix of OMB M-10-23 (Guidance for Agency Use of Third-Party Website and Applications) gives this definition for PII :

  “The term ‘personally identifiable information’ refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

  What can be considered personally identifiable information (PII) ? Some PII examples :

  • Full name/usernames
  • Home address/mailing address
  • Email address
  • Credit card numbers
  • Date of birth
  • Phone numbers
  • Login details

  • Precise locations
  • Account numbers
  • Passwords
  • Security codes (including biometric records)
  • Personal identification numbers
  • Driver license number
  • Get a more comprehensive list here

  What’s non-PII ?

  Anonymous information, or information that can’t be traced back to an individual, can be considered non-PII.

  Who is affected by the exploitation of PII ?

  Anyone can be affected by the exploitation of personal data, where you have identity theft, account fraud and account takeovers. When websites resort to illegally selling or sharing your data and compromising your privacy, the fear is falling victim to such fraudulent activity. 

  PII can also be an issue when employees have access to the database and the data is not encrypted. For example, anyone working in a bank can access your accounts ; anyone working at Facebook may be able to read your messages. This shows how privacy breaches can easily happen when employees have access to PII.

  Website owner’s responsibility for data privacy (PII and analytics)

  To respect your website visitor’s privacy, best practice is to avoid collecting PII whenever possible. If you work in an industry which requires people to disclose personal information (e.g. healthcare, security industries, public sector), then you must ensure this data is collected and handled securely. 

  

  The US National Institute of Standards and Technology states : “The likelihood of harm caused by a breach involving PII is greatly reduced if an organisation minimises the amount of PII it uses, collects, and stores. For example, an organisation should only request PII in a new form if the PII is absolutely necessary.” 

  How you’re held accountable remains up to the privacy laws of the country you’re doing business in. Make sure you are fully aware of the privacy and data protection laws that relate specifically to you. 

  To reduce the risk of privacy breaches, try collecting as little PII as you can ; purging it as soon as you can ; and making sure your IT security is updated and protected against security threats. 

  If you’re using data collection tools like web analytics, data may be tracked through features like User ID, custom variables, and custom dimensions. Sometimes they are also harder to identify when they are present, for example, in page URLs, page titles, or referrers URLs. So make sure you’re optimising your web analytics tools’ settings to ensure you’re asking your users for consent and respecting users’ privacy.

  If you’re using a GDPR compliant tool like Matomo, learn how you can stop processing such personal data

  PII, GDPR and businesses in the US/EU

  Because PII is broad, you may run into confusion when considering PII and GDPR (which applies in the EU). The General Data Protection Regulation (GDPR) provides more safeguards for user privacy.

  GDPR grants people in the EU more rights concerning their “personal data” (more on PII vs personal data below). In the EU the GDPR restricts the collection and processing of personal data. The repercussions are severe penalties and fines for privacy infringements. Businesses are required to handle this personal data carefully. You can be fined up to 4% of their yearly revenue for data breaches or non-compliance. 

  

  Although there isn’t an overarching data protection law in the US, there are hundreds of laws on both the federal and state levels to protect the personal data of US residents. US Congress has also enacted industry-specific statutes related to data privacy, and the state of California passed the California Consumer Privacy Act. 

  To be on the safe side, if you are using analytics, follow matters relating to “personal data” in the GDPR. It’s all-encompassing when it comes to protecting user privacy. GDPR rules still apply whenever an EU citizen visits any non EU site (that processes personal data).

  Personally identifiable information (PII) vs personal data

  PII and “personal data” aren’t used interchangeably. All personal data can be PII, but not all PII can be defined as personal data.

  The definition of “personal data” according to the GDPR :

  

  This means “personal data” encompasses a greater number of identifiers which include the online sphere. Examples include : IP addresses and URL names. As well as seemingly “innocent” data like height, job position, company etc. 

  What’s considered personal data depends on the context. If a piece of information can be combined with others to establish someone’s identity then that can be considered personal data. 

  Under GDPR, when processing personal data, you need explicit consent. You need to ensure you’re compliant according to GDPR definitions of “personal data” not just what’s considered “PII”.

  How Matomo deals with PII and personal data

  Although Matomo Analytics is a web analytics software that tracks user activity on your website, we take privacy and PII very seriously – on both our Cloud and On-Premise offerings. 

  If you’re using Matomo and would like to know how you can be fully GDPR compliant and protect user privacy, read more :
  

  • Learn how to not process any personally identifiable information – Anonymise IP addresses, user IDs, and order IDs
  • Matomo protects user privacy by talking the talk and walking the walk
  • Stay ahead of the GDPR with a privacy-respecting analytics platform
  • 11 ways Matomo helps you protect your visitor’s privacy

  Disclaimer

  We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to issues you may encounter when dealing with PII. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns. 

  Additional resources :

  • https://www.consumeraffairs.com/finance/identity-theft-statistics.html#identity-theft-trends-in-2019
  • https://ec.europa.eu/info/law/law-topic/data-protection_en
  • https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa
  • https://www.csoonline.com/article/3215864/how-to-protect-personally-identifiable-information-pii-under-gdpr.html
  • https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/

• Virginia Consumer Data Protection Act (VCDPA) Guide

  27 septembre 2023, par Erin — Privacy

  Do you run a for-profit organisation in the United States that processes personal and sensitive consumer data ? If so, you may be concerned about the growing number of data privacy laws cropping up from state to state.

  Ever since the California Consumer Privacy Act (CCPA) came into effect on January 1, 2020, four other US states — Connecticut, Colorado, Utah and Virginia — have passed their own data privacy laws. Each law uses the CCPA as a foundation but slightly deviates from the formula. This is a problem for US organisations, as they cannot apply the same CCPA compliance framework everywhere else.

  In this article, you’ll learn what makes the Virginia Consumer Data Protection Act (VCDPA) unique and how to ensure compliance.

  What is the VCDPA ?

  Signed by Governor Ralph Northam on 2 March 2021, and brought into effect on 1 January 2023, the VCDPA is a new data privacy law. It gives Virginia residents certain rights regarding how organisations process their personal and sensitive consumer data.

  

  The law contains several provisions, which define :

  • Who must follow the VCDPA
  • Who is exempt from the VCDPA
  • The consumer rights of data subjects
  • Relevant terms, such as “consumers,” “personal data,” “sensitive data” and the “sale of personal data”
  • The rights and responsibilities of data controllers
  • What applicable organisations must do to ensure VCDPA compliance

  These guidelines define the data collection practices that VCDPA-compliant organisations must comply with. The practices are designed to protect the rights of Virginia residents who have their personal or sensitive data collected.

  What are the consumer rights of VCDPA data subjects ?

  There are seven consumer rights that protect residents who fit the definition of “data subjects” under the new Virginia data privacy law. 

  

  A data subject is an “identified or identifiable natural person” who has their information collected. Personally identifiable information includes a person’s name, address, date of birth, religious beliefs, immigration status, status of child protection assessments, ethnic origin and more.

  Below is a detailed breakdown of each VCDPA consumer right :

  1. Right to know, access and confirm personal data : Data subjects have the right to know that their data is being collected, the right to access their data and the right to confirm that the data being collected is accurate and up to date.
  2. Right to delete personal data : Data subjects have the right to request that their collected personal or sensitive consumer data be deleted.
  3. Right to correct inaccurate personal data : Data subjects have the right to request that their collected data be corrected.
  4. Right to data portability : Data subjects have the right to obtain their collected data and, when reasonable and possible, request that their collected data be transferred from one data controller to another.
  5. Right to opt out of data processing activity : Data subjects have the right to opt out of having their personal or sensitive data collected.
  6. Right to opt out of the sale of personal and sensitive consumer data : Data subjects have the right to opt out of having their collected data sold to third parties.

  Right to not be discriminated against for exercising one’s rights : Data subjects have the right to not be discriminated against for exercising their right to not have their personal or sensitive consumer data collected, processed and sold to third parties for targeted advertising or other purposes.

  Who must comply with the VCDPA ?

  The VCDPA applies to for-profit organisations. Specifically, those that operate and offer products or services in the state of Virginia.

  

  Additionally, for-profit organisations that fit under either of these two categories must comply with the VCDPA :

  • Collect and process the personal data of at least 100,000 Virginia residents within a financial year or
  • Collect and process the personal data of at least 25,000 Virginia residents and receive at least 50% of gross revenue by selling personal or sensitive data.

  If a for-profit organisation resides out of the state of Virginia and falls into one of the categories above, they must comply with the VCDPA. Eligibility requirements also apply, regardless of the revenue threshold of the organisation in question. Large organisations can avoid VCDPA compliance if they don’t meet either of the above two eligibility requirements.

  What types of consumer data does the VCDPA protect ?

  The two main types of data that apply to the VCDPA are personal and sensitive data. 

  

  Personal data is either identified or personally identifiable information, such as home address, date of birth or phone number. Information that is publicly available or has been de-identified (dissociated with a natural person or entity) is not considered personal data.

  Sensitive data is a category of personal data. It’s data that’s either the collected data of a known child or data that can be used to form an opinion about a natural person or individual. Examples of sensitive data include information about a person’s ethnicity, religion, political beliefs and sexual orientation. 

  It’s important that VCDPA-compliant organisations understand the difference between the two data types, as failure to do so could result in penalties of up to $7,500 per violation. For instance, if an organisation wants to collect sensitive data (and they have a valid reason to do so), they must first ask for consent from consumers. If the organisation in question fails to do so, then they’ll be in violation of the VCDPA, and may be subject to multiple penalties — equal to however many violations they incur.

  A 5-step VCDPA compliance framework

  Getting up to speed with the terms of the VCDPA can be challenging, especially if this is your first time encountering such a law. That said, even organisations that have experience with data privacy laws should still take the time to understand the VCDPA.

  

  Here’s a simple 5-step VCDPA compliance framework to follow.

  1. Assess data

  First off, take the time to become familiar with the Virginia Consumer Data Protection Act (VCDPA). Then, read the content from the ‘Who does the VCDPA apply to’ section of this article, and use this information to determine if the law applies to your organisation.

  How do you know if you reach the data subject threshold ? Easy. Use a web analytics platform like Matomo to see where your web visitors are, how many of them (from that specific region) are visiting your website and how many of them you’re collecting personal or sensitive data from.

  To do this in Matomo, simply open the dashboard, look at the “Locations” section and use the information on display to see how many Virginia residents are visiting your website.

  

  Using the dashboard will help you determine if the VCDPA applies to your company.

  2. Evaluate your privacy practices

  Review your existing privacy policies and practices and update them to comply with the VCDPA. Ensure your data collection practices protect the confidentiality, integrity and accessibility of your visitors.

  One way to do this is to automatically anonymise visitor IPs, which you can do in Matomo — in fact, the feature is automatically set to default. 

  

  Another great thing about IP anonymisation is that after a visitor leaves your website, any evidence of them ever visiting is gone, and such information cannot be tracked by anyone else. 

  3. Inform data subjects of their rights

  To ensure VCDPA compliance in your organisation, you must inform your data subjects of their rights, including their right to access their data, their right to transfer their data to another controller and their right to opt out of your data collection efforts.

  That last point is one of the most important, and to ensure that you’re ready to respond to consumer rights requests, you should prepare an opt-out form in advance. If a visitor wants to opt out from tracking, they’ll be able to do so quickly and easily. Not only will this help you be VCDPA compliant, but your visitors will also appreciate the fact that you take their privacy seriously.

  

  To create an opt-out form in Matomo, visit the privacy settings section (click on the cog icon in the top menu) and click on the “Users opt-out” menu item under the Privacy section. After creating the form, you can then customise and publish the form as a snippet of HTML code that you can place on the pages of your website.

  4. Review vendor contracts

  Depending on the nature of your organisation, you may have vendor contracts with a third-party business associate. These are individuals or organisations, separate from your own, that contribute to the successful delivery of your products and services.

  You may also engage with third parties that process the data you collect, as is the case for many website owners that use Google Analytics (to which there are many alternatives) to convert visitor data into insights. 

  Financial institutions, such as stock exchange companies, also rely on third-party data for trading. If this is the case for you, then you likely have a Data Processing Agreement (DPA) in place — a legally binding document between you (the data controller, who dictates how and why the collected data is used) and the data processor (who processes the data you provide to them).

  To ensure that your DPA is VCDPA compliant, make sure it contains the following items :

  • Definition of terms
  • Instructions for processing data
  • Limits of use (explain what all parties can and cannot do with the collected data)
  • Physical data security practices (e.g., potential risks, risk of harm and control measures)
  • Data subject rights
  • Consumer request policies (i.e., must respond within 45 days of receipt)
  • Privacy notices and policies

  5. Seek expert legal advice

  To ensure your organisation is fully VCDPA compliant, consider speaking to a data and privacy lawyer. They can help you better understand the specifics of the law, advise you on where you fall short of compliance and what you must do to become VCDPA compliant.

  Data privacy lawyers can also help you draft a meaningful privacy notice, which may be useful in modifying your existing DPAs or creating new ones. If needed, they can also advise you on areas of compliance with other state-specific data protection acts, such as the CCPA and newly released laws in Colorado, Connecticut and Utah.

  How does the VCDPA differ from the CCPA ?

  Although the VCDPA has many similarities to the CCPA, the two laws still have their own approach to applying the law. 

  Here’s a quick breakdown of the main differences that set these laws apart.

  Definition of a consumer

  Under the VCDPA, a consumer is a “natural person who is a Virginia resident acting in an individual or household context.” Meanwhile, under the CCPA, a consumer is a “natural person who is a California resident acting in an individual or household context.” However, the VCDPA omits people in employment contexts, while the CCPA doesn’t. Hence, organisations don’t need to consider employee data.

  Sale of personal data

  The VCDPA defines the “sale of personal data” as an exchange “for monetary consideration” by the data controller to a data processor or third party. This means that, under the VCDPA, an act is only considered a “sale of personal data” if there is monetary value attached to the transaction.

  This contrasts with the CCPA, where that law also counts “other valuable considerations” as a factor when determining if the sale of personal data has occurred.

  Right to opt out

  Just like the CCPA, the VCDPA clearly outlines that organisations must respond to a user request to opt out of tracking. However, unlike the CCPA, the VCDPA does not give organisations any exceptions to such a right. This means that, even if the organisation believes that the request is impractical or hard to pull off, it must comply with the request under any circumstances, even in instances of hardship.

  Ensure VCDPA compliance with Matomo

  The VCDPA, like many other data privacy laws in the US, is designed to enhance the rights of Virginia consumers who have their personal or sensitive data collected and processed. Fortunately, this is where platforms like Matomo can help.

  Matomo is a powerful web analytics platform that has built-in features to help you comply with the VCDPA. These include options like :

  • Cookie-less tracking
  • Creating consumer consent and opt-out forms
  • Giving consumers access to their personal data

  Try out the free 21-day Matomo trial today. No credit card required.