Normally, website owners create an internet business with the intention of commercializing their actions, ignoring that behind all this there are certain rules or laws that must be followed. Today we can say that hundreds of Internet businesses put aside the legal part of their business, until the law knocks on their door. We are talking about the LOPD or data protection law . This law regulates the way in which online businesses treat their customers’ data , as well as having the power to sanction the self-employed. Below we detail all the information you should know to put your business to the right and how to adjust to the new changes that the European Union has imposed on the data protection law. What is the objective of the Data Protection Law and who does it affect? Article 1 of the aforementioned law explains: “The purpose of this Organic Law is to guarantee and protect, with regard to the processing of personal data, public freedoms and fundamental rights of natural persons, and especially their honor and personal and family privacy.” In short, the intention of this law is to ensure that companies, businesses, freelancers, among others, do a good treatment of people’s data in order to guarantee their fundamental rights and prevent the data from being used improperly until cause damages. How to increase my sales with Content Marketing Sure after this you ask yourself and how does it affect me or my business? As an owner of e-commerce or any other type of business on the Internet that works for the sake of getting more potential customers, you work under different methods with the intention of attracting more prospects. For example, through marketing automation , forms are created so that users go through a conversion process, whether they become a subscriber, sign up for a webinar, or want to download the latest guide on email marketing, etc. . For each conversion stage to be fulfilled, it is necessary to request some personal data, such as email, in order to conquer it later with newsletters or any other method that the business considers effective. Now, if you are the owner of an online store, it is almost certain that you must manipulate the customer’s credit card data, ID, address, telephone number, etc. What it means is that you should be concerned about the way in which you treat this data, as well as registering with the Spanish Agency for Data Protection . If you don’t, you are already breaking the law and could be about to earn some penalties. For now, it is important that you know that there is an entity that is in charge of regulating this and that, as a business owner, you should worry about being within the margin of the law. But beware! with misinterpretations, because this law only protects citizens of the European Union and does not apply to those in Latin America. So if you have a business in LATAM, but you have part of your audience in Europe, the law may fall on you. If not, you can rest easy. Difference between LOPD and LSS LOPD Law Data Protection, roughly, monitors any business, autonomous or not, declare how how they are treating the data of individuals and also watchman declare in d it or have nde been said stored data . In general, any business, whether offline or digital, has the duty to provide this information through the Spanish Agency for Data Protection. When it comes to an online business and they store the data on the server of a third party, you must make sure that said hosting complies with the stipulation set by the Spanish Agency for Data Protection , because the poor treatment of said data by the server you have hired , it can earn you some penalties. We will talk about this later. LSSI The Information Society Services Law is a law that expressly regulates the administration of data from electronic businesses and other services related to the digital field , as long as they have been developed as an economic activity. Basically, this law monitors that Internet businesses keep the user informed regarding the data of the service provider. That is, it not only takes into account the protection of people’s data, but also protects consumers in order to handle all the information of the service provider; trade name, address it or n, n ú mere phone, price of the product. And in the event that the service provider does email marketing , it must make the identity of the company clear, in addition to explaining the procedure to unsubscribe from the newsletter in case of not wanting to receive more information . The fact of carrying out any contract electronically, gives the user the right to know everything related to the transaction that will take place, therefore, it is the duty of the online business, to provide any type of information that gives clarity to the purchase process. Law Services Information Society, could í to put the eye to the famous cookies, for example. There are some sites that when browsing their pages do not inform the user of the process that this has in order to know the behavior of the user within the pages, so the LSSI will be incurred. So, to be in the right with an online business you have to be aware of the powers of these two laws in order to create a website within the legal framework. The deadline granted by the Spanish Data Protection Agency has already expired. You still don’t know what to do to adjust to the new law? New law of the LOPD entered into force on May 25, 2018 The Data Protection Law was drawn up for the first time in 1999, when we were just beginning to learn about the globalization that the Internet offers us and we could not imagine the phenomenon we are experiencing today. Therefore, the law tried to protect what was considered dangerous for natural persons at the time. But everything has changed a lot since 1999 and in 2016 a new law was created that solves some of the problems that were not seen during the first law. Even so, the Spanish Data Protection Agency has given a period of two years to allow the websites to be updated , and as of May 25, 2018 it begins to sanction according to the stipulations of the new law How to apply the new law? Despite having enough time in the industry, the truth is that both the LOPD and the LSSI did not take away the sleep of any online merchant, but with the new stipulations, it will be better to get to the right if you do not want to earn a sanction such as the from Google or Groupon (we will see these examples later). In principle, when we wanted to capture a lead or new subscriber, the CTAs or Pop-ups did not explicitly show the privacy policies, so it is tacitly assumed that the subscriber was accepting simply by signing up for the newsletter . Now with the new rules of the Law on Data Protection, the regulatory agencies online business, it requires explaining websites expl form í appointment, what privacy policies are within the same pop-ups. That is, instead of showing the classic pop-ups that looked like this: Data Protection Act Now a box should be displayed in which the user can read the privacy policies, in the form of a check box and also place a space to allow them to make it clear that they accept the conditions and wish to register , adding a link in which the user you can fully read the entire privacy policy. All contacts that have so far been obtained by omitting this information, must have the right to know the reason why their data is being used explicitly. One of the most recommended ways now is to send a series of emails to confirm your subscription making it clear that your data is being used. Organizing the matter to make it clearer, we leave you a list of 8 recommendations so that the new law does not catch you off guard: First, the recommendation be í you to review all the mechanisms have on your website to capture prospects and see if some of these are being explicitly explained why you want the data the user and then convert that list of subscribers you have obtained with the passage of time. Yes, it is very likely that with this procedure you will lose some subscribers along the way, but remember that in your updated list you will have the opportunity to reaffirm who your true potential customers are. So rather, you should take it as a filtering process to segment your list again.
Second, do not forget about the check boxes, because it is a way to ensure that the user is reading your privacy conditions. Remember that by putting only the link, many of the users will not even go to it to verify what your privacy policy is about. Rather, take care to leave some well-viewed clauses from your pop-up so that you cover yourself from the law. The third recommendation to put your website to the right of the new Data Protection Law, is that once you have read the new law, you have to reform your privacy policy page to make it clear what the stipulations are. that help you improve the protection of user data . Try to explicitly write the clauses that will allow the user to be informed. Although we know that few will have the courage to read it, it is a way to protect yourself from the demands of users before the Spanish Agency for Data Protection. Subsequently, you must ensure that the unsubscribe mechanism is clear and easy, both for subscribers and for customers. For whatever you are asking for the data, you must also easily allow the user or client to object. One of the new changes that the law has suggested is that the consent of the user or client is subsequently verified, so you must ensure that both you, the user and the regulatory agency can easily verify each consent. In the drafting of the privacy policies of your online business, you must inform who will be responsible for processing the data , the period for which the data is being processed, the information of the recipients, that is, who will have access to the information collected, for example: the company in charge of making the newsletter, the hosting that hosts the information, etc. Remember that it is not the same to create CTA and pop-up to create a list of subscribers, than to create a segmentation process and be able to specify other types of commercial actions (send promotions, discounts, create a database by tastes, ages, sex, etc), in both cases it is necessary to clarify what they will be treated for. In short, we must try to write privacy policies as clear as possible because the new law will be demanding in this regard. The user has the right to know everything regarding the processing of their personal data.
Look at this example: Data Protection Act This capture was taken from the check box of Marina Brocca’s blog pop-up, who also attended a very good webinar on the same topic. Webinar on the New Data Protection Law If you would like to know in an extended way what the new law covers, Watch the video: How to adapt your blog and your recruitment strategies to the RGPD Wh to are the penalties they could win if you violate some of the provisions of the Data Protection Act? Sanctions can vary according to severity, these are classified into three levels: mild, serious and very serious. Mild Light penalties are penalized with fines ranging from 900 to 40,000 euros. In general, the action refers to the fact that the user, consumer or client has requested that their data be deleted from the database and the action requested has not been carried out. The mild sanctions are also due to the non-registration of the files before the regulatory body , which in this case is the Spanish Agency for Data Protection. As well as taking the data of the consumer or user without the prior consent of the owner. With the 1999 law, it was not penalized if it was tacitly seen.     2. Serious The fines in this case can range from 40,000 to 300,000 euros and are due to more serious actions such as creating a website in which user or consumer information is not encrypted and the data is freely accessible to anyone else. It is also considered serious that your business database is mounted on the cloud, for example, Drobpox or Google Drive. The information stored in the cloud does not guarantee that there is total data privacy and, therefore, the user’s data is put at risk. A serious fault could be that after the files have been granted, they are used for a different purpose than that established at the beginning in the Spanish Data Protection Agency , as well as it is considered a serious fault that you collect personal information from consumers or users without obtaining the prior consent of the client. Beware of the latter, those who have dedicated themselves to creating a database to advertise, do email marketing or use the famous cookies improperly, you may be about to have the Data Protection Law knock on your door.    3. Very serious Very serious offenses are due to the reiteration of other types of sanctions , that is, when, in addition to failing to comply with the provisions of the LOPD, you continue to act against the Data Protection Law. Ie if you do not inform policies cookies on your web site and the user is to it is ignorance and if you have indicated you to be in violation with the law and continued using cookies without the prior consent of the users, you will apply stronger sanctions ranging from 300,001 to 600,000 euros. Very serious sanctions also involve hosting user or customer data on servers that are located outside the country or that do not have the necessary security to protect the data of natural persons. In short, it is necessary to apply the right to guarantee that the privacy policies, cookies and data of clients, users and consumers are private and used according to the declaration of the files granted by the Spanish Agency for data protection . Otherwise, you can win some of these sanctions which, after studying the case, you grant to a fine according to the severity level. Examples of some real sanctions imposed by the Spanish Data Protection Agency Sanctions to Google Spain In 2013, news was made known by different media that Google had been sanctioned by the Spanish Agency for Data Protection. After several months of analysis, it was found that Google, in its different services, collected and used the information of its users without making it totally clear what they were being used for but. In addition, the use of data occurred under the unknown of the user, filtering them to segment content and advertising . For which he was assigned a fine of 900,000 euros. The main reason for one of the sanctions is due to the vulnerability in the protection of the data of the people , users of Google services, for which the ignorance on the part of the aforementioned company led to being fined. Sanctions to a bar in the capital During that same year, a bar in the capital was sanctioned by the Data Protection Law with 6,500 euros for installing video cameras in the facilities of the place without duly informing that they were being used for security reasons. In addition, the registration of the file did not inform the installation of video cameras, therefore he was fined considering it as a minor offense. Groupon sanctions Groupon is considered a large company in its industry and, due to its economic activity, manages an extensive database. His mistake was that warehouse or data credit cards of their customers and they were returning to buy again, the data is autocompletaban . But the worst part of the case was that the security code was also saved automatically. For these two offenses, Groupon was fined 20,000 euros. And the sanctions of the LOPD c or mo left? Previously, the highest fine was 600,000 euros, but now that amount has been imposed to fine minor infractions. Now the sanctions that are cataloged as very serious will be assigned a fine of 10,000,000 euros, an amount that can undoubtedly end up ruining any business in full growth. In addition, one more point is added that the old law did not have, and that is that there is the possibility that companies have to compensate users who have sued and in some way have been affected by the “mishandling of their data” . The Data Protection Law is very extensive, however, here we try to summarize the most critical points, those that due to the nature of your business could affect. However, we invite you to immerse yourself more on the subject and above all to get to the right before May 25, 2018, because it will be the deadline to allow websites to operate according to the old law. Do not forget that you must emphasize the non-tacit and explicit consent of the user for the processing of their data and that this in turn can be verified. We hope this content has been useful to you and you can catch up with the new rules of the game.