Data Protection (Jersey) Law 2018 Compliance for Online Businesses
Navigating the regulatory compliance landscape as an online business involves more than just providing a great product or service; it also requires strict adherence to data protection regulations. The Data Protection (Jersey) Law 2018 (DPJL), modelled closely on the EU’s General Data Protection Regulation (GDPR), is crucial for businesses operating in Jersey or targeting Jersey residents.
Compliance ensures that businesses handle personal data responsibly, maintain user trust, and avoid sanctions from the Information Commissioner.
For example, an eCommerce business in Jersey that collects customer data for transactions must comply fully with the DPJL. This includes implementing data protection measures, such as secure payment gateways and encrypted data storage, to protect customers’ bank details and personal information and provide methods for data subjects to enforce their rights under DPJL.
This means the eCommerce business must have a robust data protection compliance structure within its business. This would consist of policies, employee training and awareness of their responsibilities under the DPJL, and ‘operational and technical measures’ in place to protect the data collected, processed and deleted.
At Propelfwd, we offer data protection services to match any of your needs and can easily tailor a compliance program to match your exact requirements. Contact us today.
What is Data Protection (Jersey) Law 2018 Compliance for Websites?
Compliance with the DPJL for websites involves several key steps. Websites must clearly outline their data protection practices, including how they collect, process, and store personal data. This involves creating a detailed Privacy Notice that explains the types of personal data collected, the purposes of data processing, and the rights of data subjects. For instance, an online retailer must inform customers that it collects data like names, addresses, and payment information to process orders and manage customer relationships.
Additionally, obtaining explicit consent from users before collecting data, especially through cookies, is essential. This means that websites should have cookie consent banners that allow users to opt in or opt out of non-essential cookies. For example, a news website might use cookies to track reader preferences and suggest articles, but it must first obtain user consent.
CookieScan provides an essential service. CookieScan helps manage the use of cookies on your website by ensuring that you obtain proper consent from users and that your use of cookies complies with relevant regulations. Whether your website targets residents in Jersey, the UK, or the EU, CookieScan can tailor its solutions to meet the specific requirements of the DPJL, the UK-GDPR and PECR, or the EU’s GDPR and ePrivacy Directive.
Adhering to the law also includes implementing robust security measures to protect customer data and regularly reviewing business processes to ensure ongoing compliance. These measures can include regular security audits, data encryption, and appointing a Data Protection Officer (DPO) or Manager (DPM) to oversee compliance efforts.
Do all websites need GDPR?
Yes, all websites that collect or process personal data from users within Jersey must comply with the DPJL. This applies regardless of the business’s physical location. Even if your website is based outside of Jersey, if you target Jersey residents or monitor their behaviour, you must ensure compliance.
For example, an American eCommerce site that ships products to Jersey must comply with this law if it collects personal data from Jersey residents. Similarly, a social networking site based in another country but with users in Jersey must adhere to these regulations. This includes eCommerce businesses, social networking websites, and digital marketing platforms.
Failure to comply can result in significant fines and damage to the business’s reputation. For instance, if an online clothing store fails to protect Jersey customer data and experiences a data breach, it could face legal action from the Jersey Commissioner and a loss of customer trust.
What happens if your website is not GDPR compliant?
Non-compliance with the DPJL can lead to severe consequences. The Jersey Office of the Information Commissioner (JOIC) has the authority to impose substantial fines based on the severity of the breach, as well as non-financial sanctions such as public reprimands, orders preventing the processing of personal data, or a warning. For example, a company that suffers a data breach due to inadequate security measures could be fined up to £10 million (the DPJL maximum financial penalty), depending on the extent of the breach and the company’s size.
Moreover, a data breach resulting from non-compliance can erode customer trust and damage your brand’s reputation. For instance, if a popular travel booking website fails to secure customer data and hackers steal personal and payment information, it can lead to a significant risk to the customers and a total loss of users who no longer feel safe using the platform.
It won’t take long for a bad website to become very well-known. Customers leave very honest and sometimes very damaging reviews or comments on social media sites. One error or lapse in data protection controls can lead to severe consequences once the online jury starts their posts.
Legal actions from affected data subjects, including claims for damages, can further compound the financial and reputational damage. Therefore, online businesses must take data protection seriously and ensure their practices align with the law. Regularly updating security measures and training employees on data protection best practices are ways to mitigate these risks.
Are all cookies personal data?
Not all cookies are considered personal data. However, many cookies can be used to identify users indirectly by tracking their browsing behaviour, IP address and other personal details. As a result, they often fall under the scope of PECR or the ePrivacy Directive. For example, cookies that remember login details or track browsing habits for personalised advertising can be classified as personal data.
Are cookies necessary?
Cookies play a crucial role in enhancing the user experience of websites by remembering preferences, enabling functionalities, and supporting personalised content. For example, online retailers use cookies to keep items in a shopping cart even if the user leaves the site and returns later.
However, it is important to manage them responsibly, ensuring users are informed and have the option to opt out. Websites should provide clear information about cookie use and respect users’ privacy choices. Cookies deemed to be necessary for the functionality of the website do not require user consent before they are set on the user’s device.
Do I have to tell site users that I am collecting their data?
Yes, you must inform site users that you are collecting their data. This transparency is a core principle of data protection laws, and every person (data subjects) has a right to be informed. Users should be aware of what data is being collected, the purpose of the data collection, and how it will be used. For instance, a fitness app must notify users when collecting location data to track their workouts.
Does my website need a Privacy Notice?
Yes, your website needs a Privacy Notice, but there is nothing in law to say you have to, so why is it needed? A privacy notice informs users about how their personal data is collected, used, stored, and protected. It should be easily accessible and written in clear, concise language.
For example, a blog site collecting email addresses for newsletters should have a Privacy Notice detailing how those emails will be used and protected. Under DPJL and the UK-GDPR, people have a right to be informed; the privacy notice is a method by which the data controller provides this information, and putting it on a data controller’s website is the easiest method to get that message out.
Notice I have said privacy notice and not privacy policy. This drives me mad; it is not a policy. For those who call it a policy: a policy is an internal company document, and a notice is an external statement. So please call it a Privacy Notice ☺
Can I use direct marketing?
Direct marketing is permitted under DPJL, but users must give explicit consent. Businesses must provide clear options for users to opt into marketing and ensure they can easily withdraw their consent at any time. For example, an online retailer sending promotional emails must first get explicit consent from users during the sign-up process.
Another suitable legal basis is Legitimate Interest (LI) if you are sending material to people with whom the business already has a relationship and who would expect to receive it. Direct marketing in the UK is covered by PECR if sent by electronic means or over a public telecommunications service. This is a topic for another blog.
Can I use other tracking technologies like Pixels or Beacons?
Yes, you can use other tracking technologies like Pixels or Beacons, but they also fall under regulations like PECR or the ePrivacy Directive. You must inform users about these technologies, obtain their consent, and explain how the collected data will be used. For example, a website using tracking pixels for targeted advertising must disclose this in its Privacy Notice and obtain user consent.
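The cookie banner described earlier (opt-in for non-essential cookies, no consent needed for strictly necessary ones) and the consent requirement for pixels and beacons above come down to the same control: nothing in a non-essential category runs until the user has opted in, and withdrawing consent removes what was set. The following is an added illustration of that gate, not code from the original article or from Propelfwd or CookieScan. The category names, the sample cookie registry and the in-memory cookie jar are assumptions chosen so the example runs in Node as well as in a browser page (where you would read and write `document.cookie` instead).

```javascript
// Added illustration, not code from the original article or from Propelfwd/CookieScan.
// A minimal consent gate: strictly necessary cookies are always allowed, every
// other category (and any tracking pixel) stays off until the user opts in,
// and withdrawing consent removes the cookies that were set under it.
// The category names, cookie names and the in-memory "jar" are assumptions.

// Registry of every cookie the site sets, tagged with its category.
// (Constructed sample data; a real site would list its own cookies.)
const COOKIE_REGISTRY = [
  { name: "session_id", category: "necessary", purpose: "keeps the user logged in" },
  { name: "cart", category: "necessary", purpose: "remembers basket contents" },
  { name: "site_analytics", category: "analytics", purpose: "page view statistics" },
  { name: "ad_pixel", category: "marketing", purpose: "targeted advertising pixel" },
];

// Default state before the banner is answered: only necessary cookies allowed.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, recordedAt: null };
}

// Record the banner choice. "necessary" cannot be switched off, and anything
// not explicitly set to true is treated as refused (no pre-ticked boxes).
function recordConsent(choices, recordedAt) {
  return {
    necessary: true,
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
    recordedAt,
  };
}

// Withdrawal returns the user to the default state.
function withdrawConsent(recordedAt) {
  return { ...defaultConsent(), recordedAt };
}

// Tiny cookie jar so the gate can be exercised outside a browser.
function createJar() {
  const store = new Map();
  return {
    set: (name, value) => { store.set(name, value); },
    remove: (name) => store.delete(name),
    names: () => [...store.keys()].sort(),
  };
}

// Set one registered cookie, but only if its category is consented to.
function setCookie(jar, consent, cookie, value) {
  if (consent[cookie.category] !== true) return false; // blocked: no consent
  jar.set(cookie.name, value);
  return true;
}

// Apply the current consent to the whole registry; report what was set and
// what was withheld so the outcome can be logged for audit.
function applyConsent(jar, consent) {
  const result = { set: [], blocked: [] };
  for (const cookie of COOKIE_REGISTRY) {
    const placed = setCookie(jar, consent, cookie, `value-for-${cookie.name}`);
    (placed ? result.set : result.blocked).push(cookie.name);
  }
  return result;
}

// A tracking pixel or beacon is loaded only with marketing consent; the
// loader callback stands in for injecting the <img> or <script> tag.
function loadPixel(consent, loader) {
  if (consent.marketing !== true) return false;
  loader();
  return true;
}

// After a withdrawal, delete every cookie whose category is no longer allowed
// and return the names removed.
function purgeWithdrawn(jar, consent) {
  const removed = [];
  for (const cookie of COOKIE_REGISTRY) {
    if (consent[cookie.category] !== true && jar.remove(cookie.name)) {
      removed.push(cookie.name);
    }
  }
  return removed.sort();
}

// One visit end to end: land on the site, accept analytics only, then accept
// everything, then withdraw. Returns the trace of each step's outcome.
function demo() {
  const jar = createJar();
  const trace = [];
  let consent = defaultConsent();
  trace.push(applyConsent(jar, consent));      // only necessary cookies set
  consent = recordConsent({ analytics: true }, 1);
  trace.push(applyConsent(jar, consent));      // analytics now allowed
  trace.push(loadPixel(consent, () => {}));    // false: no marketing consent
  consent = recordConsent({ analytics: true, marketing: true }, 2);
  trace.push(applyConsent(jar, consent));
  trace.push(loadPixel(consent, () => {}));    // true
  consent = withdrawConsent(3);
  trace.push(purgeWithdrawn(jar, consent));    // ["ad_pixel", "site_analytics"]
  trace.push(jar.names());                     // ["cart", "session_id"]
  return trace;
}
```

The design point is that the default state refuses everything non-essential, consent is recorded per category with a timestamp (so it can be re-requested after a reasonable period), and withdrawal actively removes cookies rather than merely stopping new ones; the `applyConsent` result gives you a record of what was set and what was withheld for each visit.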
Conclusion
The DPJL has significant implications for online businesses akin to the broader GDPR framework. It mandates that businesses manage personal data with utmost care, ensuring transparency, security, and respect for user rights. Online businesses must implement robust data protection measures, from obtaining explicit consent to safeguarding data, to avoid severe penalties and maintain customer trust.
The PECR and ePrivacy Directive also play an important part in this compliance structure. They both take their meaning of consent from the GDPR, which is really the only involvement of that law in the control of marketing and cookies. Still, compliance with the two data protection laws will put online businesses in a rock-solid position.
Propelfwd can assist businesses in navigating these complex requirements. They offer comprehensive solutions to help your business become and remain compliant with the DPJL, UK-GDPR, etc. From data mapping and drafting privacy notices to conducting data protection impact assessments and providing training for your team, Propelfwd ensures that you meet all necessary compliance requirements. Get in touch with us today to find out more.
CookieScan provides an essential service for cookie compliance. CookieScan helps manage the use of cookies on your website by ensuring that you obtain proper consent from users and that your use of cookies complies with relevant regulations. Whether your website targets residents in Jersey, the UK, or the EU, CookieScan can tailor its solutions to meet the specific requirements of the Data Protection (Jersey) Law 2018, the UK-GDPR, or the EU’s GDPR and ePrivacy Directive.
Please remember that 100% compliance is not possible; anyone who says otherwise does not know what they are talking about. CookieScan will get you as close as you can get.
It’s important to note that if your website targets UK residents with products or services, paid or not, the UK-GDPR applies. For cookies, the PECR must be followed. For EU residents, the GDPR applies, and cookie usage must comply with the ePrivacy Directive. Each of these regulations has specific requirements for handling personal data and obtaining user consent for cookies and other tracking technologies.
Compliance is not just a legal requirement but a fundamental aspect of ethical business practices in the digital age. It ensures that online businesses can build and maintain trust with their customers.