We are not lawyers, and this is not legal advice. If you need current, accurate advice to base your decisions on, contact a lawyer who can provide that. Use of this information is entirely at your own risk.
Sygnal's perspective on how best to align our work with the GDPR and other privacy initiatives (CCPA, CPRA, COPPA, HIPAA...) is continually evolving.
That said, here's my take on the impact of these changes, and how it affects my agency Sygnal and our clients.
Our four zones of website projects
Based on current legislation, we loosely organize projects into one of four zones. Each zone progressively adds design, technical, legal, and planning requirements on top of the previous zone.
These classifications affect certain decisions regarding data capture, cookies, privacy policies, data processing, and the design and messaging of forms on the site.
They also give us common ground for dialogue and planning with our clients and technical team. This ensures that all of the pieces (legal, design, technical, and budget planning) are clearly communicated and usefully organized.
Zone 1 - The "NZ" zone
- No cookie consent dialogs required, so we avoid them to allow for a cleaner and less intrusive UX.
- Clear, easy-to-find, easy-to-understand privacy policy. Clear communication of how data will be used.
- Good data security for any customer data the site collects.
- Breach notification if customer data is ever exposed, whether in private internal databases, in Webflow's own form-data storage, or in online services like Salesforce, Zapier, Stripe...
Zone 2 - The "California" zone
All of the above, plus...
- Customer opt-out ability regarding customer data resale ( if this is relevant )
- Inclusion of a delete-my-data page and process.
- Specific privacy policy to cover CCPA / CPRA regulations.
Zone 3 - The "GDPR" zone
All of the above, plus...
- Cookie consent.
- Specific requirements on form messaging and behavior.
- Specific privacy policy to cover GDPR regulations.
Zone 4 - The "Germany" zone
All of the above, plus...
- Data sovereignty. Significant changes need to be made regarding hosting and data storage, especially regarding access to third-party resources (Google Fonts, Google Maps...), tracking, and storage of form data. Every request the visitor's browser makes to a third-party host sends that host the visitor's IP address, so each external origin the site loads has to be identified and justified.
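The first step in that zone 4 work is finding out which third-party hosts a page actually contacts. The script below is an added example, not Sygnal's tooling or a Webflow feature: it parses an HTML document with Python's standard library and lists every cross-origin host referenced by tags that trigger a request on load (scripts, stylesheets, images, iframes, embeds) or on submit (form actions), plus `url(...)` and `@import` references inside inline `<style>` blocks. The sample page and the hostname `example.com` are constructed for the demonstration; any host that is not the site's own is reported.

```python
"""Audit an HTML document for the third-party hosts it would contact.

Added example, not part of the original post. The SAMPLE_HTML below is
constructed; "example.com" stands in for the client's own domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value the browser will request, either while parsing
# the page (scripts, styles, media, frames) or when a visitor submits a form.
REQUEST_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "iframe": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "form": ("action",),
}

# url("...") and @import "..." inside inline <style> blocks (Google Fonts is
# frequently pulled in this way rather than through a <link> tag).
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)""")
CSS_IMPORT_RE = re.compile(r"""@import\s+['"]([^'"]+)['"]""")


class ExternalResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every reference to a host other than site_host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.external = []
        self._in_style = False

    def _record(self, tag, url):
        # Relative URLs have no hostname and stay first-party; protocol-relative
        # URLs ("//maps.googleapis.com/...") parse to a hostname and are checked.
        host = urlparse(url).hostname
        if host and host.lower() != self.site_host:
            self.external.append((tag, url))

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        attrs = dict(attrs)
        for name in REQUEST_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # srcset holds comma-separated "url descriptor" candidates.
                urls = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value]
            for url in urls:
                self._record(tag, url)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL_RE.findall(data) + CSS_IMPORT_RE.findall(data):
                self._record("style", url)


def external_hosts(html, site_host):
    """Return the sorted, de-duplicated third-party hostnames referenced by the page."""
    parser = ExternalResourceCollector(site_host)
    parser.feed(html)
    parser.close()
    return sorted({urlparse(url).hostname.lower() for _, url in parser.external})


# Constructed sample: a typical marketing page with fonts, analytics, a map
# embed and a form posting to an automation service.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/css/site.css">
<style>@import url("https://fonts.googleapis.com/css?family=Roboto");</style>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="/js/app.js"></script>
</head><body>
<img src="//maps.googleapis.com/maps/api/staticmap?center=Berlin" alt="">
<img src="https://example.com/hero.jpg" alt="">
<iframe src="https://www.google.com/maps/embed?pb=abc"></iframe>
<form action="https://hooks.zapier.com/hooks/catch/1/2"><input name="email"></form>
</body></html>
"""

if __name__ == "__main__":
    for host in external_hosts(SAMPLE_HTML, "example.com"):
        print(host)
```

The script only sees what is in the static HTML; scripts that inject further resources at runtime (tag managers in particular) will not show up, so for a real audit pair this with the browser's network panel or a headless browser capture. Each host it lists is a decision for the zone 4 project: self-host it, proxy it through the client's own domain, or document why the transfer is acceptable.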
Which countries are where?
Good luck figuring that out. Our approach to date is:
- NZ clients are zone 1. We don't usually include cookie consent, since it impedes the site UX badly.
- US clients are zone 2, since California is necessarily covered.
- Canadian clients are in zone 1 or 2, depending. If they do substantial business in the US, we treat them as zone 2.
- European and multinational clients are in zone 3.
- German and Chinese clients are in zone 4, as both have data sovereignty laws that require the storage of data within country borders.
But the pieces are continually moving.