What is compliance? Compliance is the state in which a business adheres to established guidelines and specifications, or the process of doing so.
Why is this important? The goal of a compliance program is to reduce an organization’s overall risk of violating the standards that apply to it.
We’ve found there are several governing bodies and compliance regimes that organizations need to take into consideration when building a digital presence. In this article we are going to cover a few of the top standards. Depending on your location, your industry, and whether your website is a marketing or informational site, an e-commerce site, or a site that gathers user-specific details, there are many regulations that you need to monitor to stay current in your digital space.
1. Accessibility for Ontarians with Disabilities Act (AODA)
2. Health Insurance Portability and Accountability Act (HIPAA)
3. Canada’s Anti-Spam Legislation (CASL)
4. General Data Protection Regulation (GDPR)
5. Payment Card Industry Data Security Standard (PCI DSS)
6. Children’s Online Privacy Protection Act (COPPA)
7. Secure Sockets Layer (SSL) Certificate
8. Moderator Features
9. Staying Up to Date with Compliance
Accessibility for Ontarians with Disabilities Act (AODA)
Since June 2005, Ontario has enforced the AODA. The Accessibility for Ontarians with Disabilities Act applies to both the private and public sectors in Ontario, and requires individuals and organizations to follow accessibility standards in five areas:
- information and communications
- customer service
- design of public spaces
To demonstrate compliance with AODA, all public organizations, non-profits and private businesses must complete an AODA compliance report. This report is a tool to ensure all businesses are following AODA guidelines. Businesses with over 20 employees must complete the report.
Some general requirements of AODA include:
- Providing training to staff and volunteers.
- Developing an accessibility policy.
- Creating a multi-year accessibility plan and updating it every five years.
- Considering accessibility in procurement and when designing or purchasing self-service kiosks.
If you’d like to learn more about how to make your website compliant with AODA, check out this previous article.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a US federal law that sets national standards to protect medical records and other personal health information. Protected health information can be defined as:
- Information that identifies an individual.
- Information maintained or exchanged electronically or in hard copy.
This applies to any health care provider, health plan or healthcare clearinghouse that transmits health information electronically. Healthcare providers that must comply with HIPAA rules include hospitals, health clinics, nursing homes, doctors, dentists, pharmacies, chiropractors and psychologists. Health plans include health insurance providers, company health plans, and government programs such as Medicare and veterans’ health care programs.
Canada’s Anti-Spam Legislation (CASL)
CASL is a federal law protecting consumers and businesses from poor digital technology practices such as spam. This law was created in 2014 to ensure best practices in email marketing. Spam has become a serious issue online and is defined as any unsolicited email, text message or software. Under Canada’s Anti-Spam Legislation, the prohibited activities are:
- Unauthorized alteration of transmission data.
- The installation of computer programs without consent.
- False or misleading electronic representations (including websites).
- The harvesting of addresses (collecting and/or using email or other electronic addresses without permission).
- The collection of personal information by accessing a computer system or electronic device illegally.
This law applies to all businesses in Canada that use promotional emails to target audiences. CASL states that all promotional emails must include a working unsubscribe link, the recipient must be able to identify the sender, and brands are only allowed to send emails to those who have agreed to receive them or who have done business with them within the last two years.
How do you know if someone has given consent to receive promotional emails?
Express consent: A person has given oral or written consent to receive emails. This form of consent does not expire and is valid until the email recipient unsubscribes from emails.
Implied consent: If someone has purchased a product from a brand or used a brand’s service, this is considered implied consent, and the brand can send promotional emails to this recipient. However, this form of consent expires after between 6 months and 2 years.
General Data Protection Regulation (GDPR)
The European Union’s General Data Protection Regulation came into force in 2018, and has implications for Canadian organizations that control or process personal information in the European Union (EU). The European Union is a political union that is made up of 28 states. Members of the EU include Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.
This regulation has changed the way European personal data is handled, from healthcare to banking information. Examples of personal data include a name, a home address, an ID card number, location data, a cookie ID, and data held by a hospital or doctor. The regulation protects EU data privacy and shapes the way organizations approach data privacy.
We have seen an increase in pop-ups on websites that notify users that cookies are being used on the site, and that consent is required if the user is going to continue through the website.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a set of security standards that ensure all businesses that accept, process, store or transmit credit card information maintain it securely. This standard applies to any organization that accepts credit cards. There are four PCI compliance levels, based on a merchant’s credit card transaction volume over a 12-month period.
Merchant levels include:
- Level 1: Any merchant that processes over 6 million credit card transactions per year.
- Level 2: Any merchant that processes 1 million to 6 million credit card transactions per year.
- Level 3: Any merchant that processes 20,000 to 1 million transactions per year.
- Level 4: Any merchant that processes fewer than 20,000 transactions per year.
Level 4 merchants include most small to medium-sized businesses, and they must follow a few steps in order to satisfy PCI requirements. Firstly, they must determine which self-assessment questionnaire their business must use to validate compliance, and then fill out that questionnaire.
Did You Know?
Since 90 per cent of breaches impact small businesses, making sure your e-commerce site is compliant may be intimidating, but it is necessary! Want to know if you are protected? Contact us today.
Children’s Online Privacy Protection Act (COPPA)
COPPA was enacted in 1998 to address issues concerning the privacy of children online. The goal of COPPA is to place parents in control of what information is collected from their children online. This rule applies to operators of websites and online services, including mobile apps, that are directed to children under age 13 and that collect personal information from them.
Personal Information collected from children can include:
- First and last name.
- Physical address.
- Contact information.
- Telephone number.
- Social insurance number.
- Photographs, videos or audio files that contain a child’s image or voice.
- Geolocation information that can identify street names, cities, or towns.
Secure Sockets Layer (SSL) Certificate
SSL certificates ensure that a website is secure, and should be used by everyone who would like to protect their information. An SSL certificate is a small data file installed on the website’s server that allows it to establish secure, encrypted connections with visitors.
Why should you add an SSL certificate to your website?
SSL is used to secure confidential information such as credit card transactions, login information, and data transfers. It will also keep your data secure, increase Google rankings, build customer trust, and improve conversion rates.
When an SSL certificate is installed on your website’s server, the application protocol (HTTP) will change to HTTPS. The ’s’ means the website is now secure. For example, Treefrog is a secure website and will appear as https://www.treefrog.ca.
Moderator Features
While this is not a compliance requirement, moderators are something that website owners should consider when developing an application that allows users to upload their own content, such as a blog. There are different types of moderators that protect the site from issues. Text moderators restrict unwanted text from an application or website, while photograph moderators restrict unwanted pictures from being shared (e.g. pornographic images).
Did You Know?
If you are found to be non-compliant, you face a possible fine of up to $100,000 per day!
Staying Up to Date with Compliance
Becoming aware of the rules and regulations, whether federal, provincial, or industry-wide, is an excellent place to start in making sure you are compliant. However, without the proper expertise, it can all be daunting.
By working with Treefrog Inc, we can help you build or update your website to meet your specific requirements so that you never have to worry about data privacy or whether you are compliant. If you would like a complimentary evaluation of your website to learn about what you need to do to ensure compliance, please let us know.
Don’t forget to subscribe to our monthly Digital Digest Newsletter to get top technology and digital tips and trends for your business. Sign up today!