Common Website Features That Are Subjecting You to Privacy Laws

Discover the hidden privacy risks of modern website features and learn how to protect your site and your clients.

Hans Skillrud, Termageddon

Hans is the Vice President of Termageddon, overseeing sales & marketing. Hans ran a 12-person web design agency in downtown Chicago for 7 years, and sold it in March of 2019 to focus all of his attention on Termageddon. Like Donata, he too enjoys beekeeping, hunting for morel mushrooms and walks with his wife and two dogs… yes, we are married!

This content contains affiliate links. View our affiliate disclaimer.

Modern websites have more features than a Japanese toilet. As web designers know, some of these features are game-changing while others are a bit more crappy. Pun absolutely intended.

What you might not realize is that by adding these features (good or bad) to a website you could be subjecting that site to multiple privacy laws. Cue the disclaimer:

This is not legal advice. Do not get legal advice from blogs that lead off with toilet talk.

Also note: This blog isn’t designed to freak you out. Website features can be helpful or even essential to your client’s business. Privacy laws are also an essential part of protecting people’s data. So, when you read about how all these features are opening up your websites to all these privacy laws, take a deep breath and try not to purge everything. Termageddon can make this whole thing much easier (we’ll get to that later).

Why is this topic important in 2024? 

BACK IN OUR DAY you could add whatever feature you wanted, copy and paste a Privacy Policy from your closest competitor, and never lose a minute of sleep wondering if that would lead to consequences… ah, those were the sketchy ol’ days.

However, the Wild Wild Web days of lawlessness and every man’s data for itself are quickly coming to a close as new privacy laws are going into effect each year.

Again, this is all good news. As website visitors, we want our data treated with respect and, as website designers, we want others to feel comfortable and protected when using our websites. That being said, subjecting your website to privacy laws means you’re also subjecting yourself to the penalties that come with not complying with those laws.

For example, just using Google Analytics will open your website to needing to comply with GDPR (one of the most comprehensive privacy laws). This means a business may be:

  1. Subject to fines
  2. Subject to lawsuits
  3. Required to provide more privacy rights

All of this per GDPR guidelines and requirements – a law a U.S.-based website may never have had to comply with if not for certain website features.

This means additional time must go into making sure the website complies with GDPR, which increases not only the cost of doing so but also the risk of much greater costs if the website were ever fined for non-compliance.

Isn’t this a big biz problem? Small websites are fine, right?

Before we go any further this is a common misconception that we need to address. Many web designers still believe that privacy laws only impact large businesses with hundreds of thousands of visitors. And this is true… for some privacy laws.

There are plenty of privacy laws that require small businesses to have a Privacy Policy as soon as that website collects Personally Identifiable Information (PII). Examples of PII include:

  • Names
  • Email addresses
  • Physical addresses
  • IP addresses 
  • Phone numbers
  • Payment information

And don’t let the names of the privacy laws fool you. A law like Nevada Revised Statutes Chapter 603A doesn’t require the business or website owner to be in Nevada for it to apply. It can apply to a business in any other location that collects PII from Nevada residents and does business in Nevada.

This goes for all the other privacy laws as well. They’re designed to protect the residents, not the businesses in their state or country.

With this in mind, we recommend any website owner ask the following questions before adding a feature that could open the website up to privacy laws from other states or countries.

  1. Do you actually need this feature?
  2. What business purpose will this feature achieve?
  3. Is there a way to achieve the same result without collecting PII through this feature?
  4. If it’s needed and you cannot achieve the same result without collecting PII, is there a privacy-friendly alternative you can use?

Common website features that usually subject websites to privacy laws

Hundreds of features could subject your website to privacy laws, but as a wise woman once said:

So, let’s take a look at some examples that websites are likely to use.

eCommerce forms

PII (usually) collected: Name, billing and shipping addresses, email address, payment information, phone number

PII shared?: Yes, usually with payment processors (e.g. PayPal)

Track users?: No

Privacy alternative: Only collect the information you need to complete the purchase. Also, if you collect an email address for payment purposes, don’t use that email for any other things like marketing unless the purchaser first provides their consent to do so.

Analytics

PII (usually) collected: IP addresses, device information, information as to how individuals interact with your website 

PII shared?: Yes, with whichever analytics tools you’re using (e.g. Google Analytics)

Track users?: Yes

Privacy alternative: While most people use Google Analytics, there are several alternatives available that prioritize privacy (like Fathom Analytics). After all, Google Analytics was found to be non-compliant with laws such as the GDPR and the UK DPA. Note: Google has since launched Google Analytics 4 and claims it no longer tracks users illegally.

Advertising and Remarketing

PII (usually) collected: IP addresses, device information, information as to how individuals interact with the ads

PII shared?: Yes, with the advertising platform (e.g. Facebook, Reddit)

Track users?: Yes

Privacy alternative: Try to find a channel or two that works best for your ads and stick with those. Avoid running ads in multiple places if you don’t have to, so that you can limit which websites you’re sharing data with. Websites will often install pixels “just in case they want to run ads in the future.” Unless you’re actively running ads, these things shouldn’t be installed on the website.

It’s also a good idea to provide a consent solution on your website that gives visitors the choice of whether or not they want to receive your targeted ads.

Social Media embeds

PII (usually) collected: IP addresses

PII shared?: Yes, with the social platform

Track users?: Yes (clicking)

Privacy alternative: Instead of embedding a tweet or post, take a screenshot. 

Video embeds

PII (usually) collected: IP addresses

PII shared?: Yes, with the video provider

Track users?: Yes (clicking)

Privacy alternative: Download the video and store it directly on the website. This will not only prevent the video from sharing user data with the likes of YouTube or Vimeo, but will also allow the videos to play if people decline certain cookies on your website. 

Side note: with a YouTube video, you can tick “Enable privacy-enhanced mode” when generating the embed code, which ensures that the video will not set cookies. With Vimeo, you can append “?dnt=1” to the end of the video URL and it will not track people.
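The YouTube privacy-enhanced mode and Vimeo “?dnt=1” tweaks above, as an added JavaScript example that is not code from the original post: privacyEmbedUrl() normalises the common YouTube and Vimeo link forms into the privacy-mode embed URL and privacyIframe() wraps it in markup. The function names are the example’s own, and it assumes that privacy-enhanced mode corresponds to serving the player from the www.youtube-nocookie.com domain.

```javascript
// Added example (not code from the original post): rewrite a YouTube or Vimeo
// link into its privacy-mode embed form. Assumptions: YouTube's
// "privacy-enhanced mode" serves the player from www.youtube-nocookie.com, and
// Vimeo honours the "dnt=1" query parameter, as the post describes.

function privacyEmbedUrl(input) {
  let u;
  try { u = new URL(input); } catch { return null; }   // not an absolute URL
  const host = u.hostname.replace(/^(www|m)\./, '');
  let id = null;

  if (host === 'youtu.be') {
    id = u.pathname.slice(1).split('/')[0];
  } else if (host === 'youtube.com' || host === 'youtube-nocookie.com') {
    if (u.pathname === '/watch') id = u.searchParams.get('v');
    else id = (u.pathname.match(/^\/(?:embed|shorts|v)\/([\w-]+)/) || [])[1];
  }
  if (id && /^[\w-]+$/.test(id)) {
    // Every original query parameter is dropped; only the video id is needed.
    return `https://www.youtube-nocookie.com/embed/${id}`;
  }

  if (host === 'vimeo.com' || host === 'player.vimeo.com') {
    const m = u.pathname.match(/^\/(?:video\/)?(\d+)/);
    if (m) {
      const out = new URL(`https://player.vimeo.com/video/${m[1]}`);
      out.searchParams.set('dnt', '1');             // Vimeo "do not track" flag
      return out.toString();
    }
  }
  return null; // unknown provider: self-host the file instead (see above)
}

// Build the iframe markup around the rewritten URL. referrerpolicy keeps the
// embedding page's URL out of the request the player makes to the provider.
function privacyIframe(input, title) {
  const src = privacyEmbedUrl(input);
  if (!src) return null;
  const safeTitle = String(title).replace(/[&<>"]/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c]));
  return `<iframe src="${src}" title="${safeTitle}" loading="lazy" ` +
         `referrerpolicy="no-referrer" allowfullscreen></iframe>`;
}
```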

Map embeds

PII (usually) collected: IP addresses, physical addresses (if the user requests directions)

PII shared?: Yes 

Track users?: Yes

Privacy alternative: Map embeds like Google Maps can be helpful, but often a screenshot of the location, perhaps with a link so users can open it in Google Maps directly, is enough. This provides the essential information without sharing PII with Google (in this case).

Font loading scripts

PII (usually) collected: IP addresses

PII shared?: Yes 

Track users?: No

Privacy alternative: Download and host the fonts through your website. This will help speed things up as well as prevent data from being shared. Plus, courts have found that websites that have embedded Google Fonts violate GDPR (yes, the same GDPR from above).

Calendar booking embeds

PII (usually) collected: Name, email, phone number

PII shared?: Yes (with the calendar booking vendor)

Track users?: No

Privacy alternative: Try to use a calendar-booking software that takes privacy seriously. Make sure their Privacy Policy has been updated recently and is clear about how it uses any data. Also, try linking to your calendar booking page instead of embedding it onto your website. Users will still be entering their information, but it will be the calendar provider that’s collecting the data, not your website.

Contact forms

PII (usually) collected: Names, email addresses, phone numbers

PII shared?: Yes, usually with email service providers (e.g. the website owner receives an email whenever someone submits the form)

Track users?: No (unless coupled with reCAPTCHA)

Privacy alternative: There isn’t a great alternative to a ‘Contact Us’ form. Some sort of PII is usually required for a business to get in contact with its users. That being said, if the form is rarely used or isn’t being checked, it might be worth getting rid of it altogether. 

Email newsletter subscription forms

PII (usually) collected: Names, email addresses

PII shared?: Yes (MailChimp, ActiveCampaign, etc.)

Track users?: No

Privacy alternative: At the very least, you’ll need someone’s email address to sign them up for an email newsletter. Similar to the ‘Contact Us’ form, if a business doesn’t have a ton of subscribers or isn’t seeing many benefits from a newsletter, it might be worth dropping.

Comment forms

PII (usually) collected: Names

PII shared?: Yes, comments are typically stored in the website’s backend (so WordPress, Squarespace, etc.) 

Track users?: No

Privacy alternative: Don’t require users to input their name or sign up to leave comments on a blog post or article. Do note that this could lead to more spam, though. So do what’s best for your particular website.

The main takeaways for Web Designers

If you’ve been building websites for some time now, chances are all of the features listed above look familiar. You’ve probably used most of them at some point. That’s great! As we said before, these features are not necessarily bad (except maybe Google Analytics…) They just require web designers to take a few extra steps:

Step 1: List out the PII collected and the features on the website

Provide your clients with a full list of all the features the website uses that would collect PII and all the third-party integrations being used (Google Analytics, PayPal, etc.). Talk to your client about which of these are actually needed for the website/business.
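As an added Node.js example of the Step 1 inventory (not code from the original post), this snippet scans a page’s HTML for script, iframe, link and img sources that point at other hosts and labels them with the feature categories used in this post. The hostname patterns, category names, function names and the sample HTML are the example’s own constructions.

```javascript
// Added example (not from the original post): list the third-party hosts a
// page loads resources from, labelled with the feature categories used above.
// Hostname patterns and category names are this example's own assumptions.
const CATEGORIES = [
  [/(^|\.)(google-analytics\.com|googletagmanager\.com)$/, 'analytics'],
  [/(^|\.)(fonts\.googleapis\.com|fonts\.gstatic\.com)$/, 'font loading script'],
  [/(^|\.)(youtube\.com|youtube-nocookie\.com|vimeo\.com)$/, 'video embed'],
  [/(^|\.)(facebook\.com|facebook\.net|doubleclick\.net)$/, 'advertising / remarketing pixel'],
  [/(^|\.)(twitter\.com|instagram\.com)$/, 'social media embed'],
  [/(^|\.)calendly\.com$/, 'calendar booking embed'],
];

function classify(url) {
  if (/(^|\.)google\.com$/.test(url.hostname)) {          // the path decides here
    if (url.pathname.startsWith('/maps')) return 'map embed';
    if (url.pathname.startsWith('/recaptcha')) return 'reCAPTCHA (tracking)';
  }
  for (const [re, category] of CATEGORIES) if (re.test(url.hostname)) return category;
  return 'unclassified third party';
}

// src/href attributes on the tags that pull in external resources.
const TAG_RE = /<(script|iframe|link|img)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;

function inventoryThirdParties(html, siteOrigin) {
  const own = new URL(siteOrigin).origin;
  const seen = new Map();
  for (const m of html.matchAll(TAG_RE)) {
    let url;
    try { url = new URL(m[2], siteOrigin); } catch { continue; } // resolves "//host" and relative paths
    if (url.origin === own) continue;                           // first party: out of scope
    const tag = m[1].toLowerCase();
    const key = `${tag} ${url.hostname}${url.pathname}`;
    if (!seen.has(key)) seen.set(key, { tag, host: url.hostname, category: classify(url) });
  }
  return [...seen.values()];
}

// Constructed sample page; ids are placeholders, not real accounts.
const SAMPLE_HTML = `
<link rel="stylesheet" href="/assets/site.css">
<link href="https://fonts.googleapis.com/css2?family=Inter" rel="stylesheet">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="/js/app.js"></script>
<iframe src="https://www.youtube.com/embed/vid123ABC"></iframe>
<iframe src="https://www.google.com/maps/embed?pb=PLACEHOLDER"></iframe>
<script src="https://www.google.com/recaptcha/api.js"></script>
<img src="//www.facebook.com/tr?id=0000000&ev=PageView">`;

for (const r of inventoryThirdParties(SAMPLE_HTML, 'https://example.com'))
  console.log(`${r.tag.padEnd(6)} ${r.host.padEnd(28)} ${r.category}`);
```

The printed list is the starting point for the conversation with the client; anything that comes back as “unclassified third party” still needs to be looked up and explained.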

Step 2: Eliminate unnecessary features

Don’t add features for the sake of adding them. Get rid of anything that isn’t being used and for those tools that are, suggest your clients do a compliance check on all third-party features to ensure the tools are compliant with the privacy laws that apply to them.

Step 3: Get it in writing

Have a contract with your client that explains the fact that privacy law compliance is not your responsibility as the web designer. You should also have them sign a waiver like this one that discusses the importance of privacy compliance and reminds them that it’s their responsibility. 

Step 4: Make it easy for them 

Suggest a tool like Termageddon for their website policies and cookie consent tool. 

While an attorney is always their best option, a tool like Termageddon can certainly help them get the policies they need at a much cheaper price. Plus, policies from Termageddon auto-update as laws change – making it a great long-term solution for websites.

Conclusion

Features are great. Sometimes they’re necessary. The goal is to find a balance between providing website users with a good, convenient experience, while also respecting their privacy rights.

Mastering this balance as a web designer will certainly help you stand out from the crowd.

Hope this helps! Thanks for reading. 

Key Takeaways

  • Privacy Compliance: Adding website features often subjects sites to multiple privacy laws, requiring compliance to avoid fines and legal issues.
  • Common Features and PII: Features like contact forms, analytics, and eCommerce forms collect Personally Identifiable Information (PII), necessitating privacy-friendly alternatives or adjustments.
  • Steps for Compliance: Web designers should list and review PII-collecting features, eliminate unnecessary ones, ensure clients understand privacy responsibilities, and suggest tools like Termageddon for managing privacy policies.
