Privacy requirements can be overwhelming, especially for small businesses. Sometimes, it’s hard to know where to even start evaluating whether your small business website is compliant with the requirements that privacy laws can impose. However, evaluating your website for privacy pitfalls is important as privacy laws can and do apply to small businesses and non-compliance fines can be high (starting at $2,500 per website visitor). In this article, we will discuss how to check your website for the most common privacy mistakes so that you can check your own site and make corrections where needed. It is important to note that this article includes a review of general privacy requirements – you may be subject to different or additional requirements based on the privacy laws that apply to you.
Step 1: Check any forms on your website
When conducting a privacy review, you should first check all forms on your website. For example, does your website have a contact form, email newsletter subscription form, account creation form, job application form, or a meeting booking form? It is a good idea to go through all website pages to check for forms.
Once you have found all of the forms on your website, you should evaluate the following for each form:
- Is the form necessary? For example, if you were hiring for a new position a few years ago, you may have created a job application form on your website. However, if you do not currently have any open positions, the job application form should be removed from your website as it is not necessary. This will ensure that individuals do not submit their personal information to you unnecessarily;
- Does the form obtain proper consent? Each form should include an unchecked checkbox to have individuals agree to your Privacy Policy (the Privacy Policy should be linked) before they can submit their personal information. Make sure that the Privacy Policy is properly linked, that the checkbox is unchecked, and that individuals are required to check the box before they are able to submit the form. Do not combine any other policies (e.g. Terms of Service) in the same checkbox as doing so can negate the consent.
Step 2: Check any advertising or analytics trackers on your website
The second step in a privacy review is to determine whether there are any analytics or advertising trackers on the website. Trackers such as Google Analytics, Hotjar, Meta Pixel, LinkedIn Insights or the Reddit Pixel can subject you to additional privacy laws and can put your website at risk of privacy-related fines or even lawsuits. You can check whether your website has these trackers by checking the website code, checking what cookies are being placed on your device or running a scan of the website using a tool such as Wappalyzer.
When it comes to advertising or analytics trackers, you will want to evaluate the following:
- Are these trackers really necessary? Lots of businesses install analytics features on the website when the website is initially built but the website owner never accesses the analytics data nor makes any changes to the website based on the data. If this is the case for you, then these tools should be removed. On the other hand, many websites install advertising tools such as Meta Pixel or LinkedIn Insights, complete an advertising campaign, and never remove the advertising tool. If you do not currently run an advertising campaign, these tools should be removed as well.
- Can the analytics trackers be replaced with privacy-friendly tools? If they are actually needed, analytics tools such as Google Analytics can be replaced by privacy-friendly tools such as Fathom Analytics or Matomo Analytics, which collect much less personal data;
- Do the analytics tools load prior to consent being given? Check your consent banner (more on that later) to see whether analytics cookies are loading before consent is obtained from the user – if they are, this needs to be fixed so that they load only after consent is provided.
Step 3: Check other trackers on your website
Many website owners do not realize this, but common website features such as videos, spam and bot prevention tools, fonts, payment tools, chat tools and even your website’s CMS all collect data and track users. They also frequently share this data with the provider of the tool. Review the backend of your website or ask your website designer to review it with you and consider the following:
- Are all of these tools necessary? For example, if the chat tool is not used by customers or can be replaced with other means of communication, such as sending an email or submitting a ticket, consider removing these tools;
- Can the tools be replaced by a privacy-friendly alternative? Consider the following examples:
  - YouTube or Vimeo videos can be replaced by self-hosted videos that do not collect any personal information, do not track users, and therefore do not need consent to play;
  - Tools such as reCAPTCHA can be replaced by privacy-friendly alternatives such as Friendly Captcha;
  - When not self-hosted, Google Fonts is not compliant with GDPR. Self-host Google Fonts to avoid compliance issues;
  - Google Maps collects personal data and tracks users. It can be replaced with a simple screenshot of the map or by linking to your location on Google Maps.
- Do these trackers load prior to consent being given? Check your consent banner (more on that later) to see whether any non-essential trackers such as videos, fonts, spam prevention tools, or maps load without consent. If they do, this needs to be fixed so that they load only after consent is provided.
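The checks in Steps 1 to 3 can be run offline against a saved copy of a page. The following is an added example and not code from the article; the vendor host patterns and the sample page are assumptions constructed for the demo, so verify them against your own page source:

```javascript
// Added example (not code from the article): an offline audit that scans a
// page's HTML for the third-party services named in Steps 2 and 3 and for
// consent checkboxes that are already ticked (Step 1). The host patterns
// are assumptions about where each vendor's script or embed is loaded from.
const TRACKER_SIGNATURES = [
  { name: "Google Analytics / Tag Manager", pattern: /googletagmanager\.com|google-analytics\.com/i, category: "analytics" },
  { name: "Hotjar", pattern: /static\.hotjar\.com/i, category: "analytics" },
  { name: "Meta Pixel", pattern: /connect\.facebook\.net|fbevents\.js/i, category: "advertising" },
  { name: "LinkedIn Insight", pattern: /snap\.licdn\.com/i, category: "advertising" },
  { name: "Reddit Pixel", pattern: /redditstatic\.com\/ads/i, category: "advertising" },
  { name: "YouTube embed", pattern: /youtube\.com\/embed|youtube-nocookie\.com/i, category: "functional" },
  { name: "Google Fonts (remote)", pattern: /fonts\.googleapis\.com|fonts\.gstatic\.com/i, category: "functional" },
  { name: "reCAPTCHA", pattern: /google\.com\/recaptcha/i, category: "functional" },
  { name: "Google Maps embed", pattern: /google\.com\/maps\/embed/i, category: "functional" },
];

// List the detected services with the consent category each falls under.
// Matching runs over the raw markup, so script src, iframe src, <link href>
// and inline loader snippets are all covered.
function findTrackers(html) {
  return TRACKER_SIGNATURES
    .filter((sig) => sig.pattern.test(html))
    .map(({ name, category }) => ({ name, category }));
}

// Names of checkbox inputs rendered already ticked. A pre-ticked consent
// box does not record a valid opt-in (Step 1 requires it to start unchecked).
function findPrecheckedBoxes(html) {
  const inputs = html.match(/<input\b[^>]*>/gi) || [];
  return inputs
    .filter((tag) => /type\s*=\s*["']?checkbox/i.test(tag) && /\bchecked\b/i.test(tag))
    .map((tag) => (tag.match(/\bname\s*=\s*["']([^"']+)["']/i) || [])[1] || "(unnamed)");
}

// Constructed sample page for the demo; not a real site.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>/* loader body omitted */ ('https://connect.facebook.net/en_US/fbevents.js');</script>
</head><body>
<iframe src="https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER"></iframe>
<form><input type="checkbox" name="privacy_consent" checked> I agree to the
<a href="/privacy-policy">Privacy Policy</a> <button>Submit</button></form>
</body></html>`;

function auditReport(html = SAMPLE_HTML) {
  return { trackers: findTrackers(html), precheckedBoxes: findPrecheckedBoxes(html) };
}
```

Run it against the HTML of each page (for example saved with "View page source") and treat every reported tracker as something that must either be removed, replaced with a privacy-friendly alternative, or gated behind the consent banner.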
Step 4: Check the Privacy Policy
Many privacy laws require small businesses to have a comprehensive and up to date Privacy Policy. If you do not have a Privacy Policy in place, make sure to obtain one. If you do already have a Privacy Policy in place, evaluate it for the following:
- Is the link to the Privacy Policy easy to find and clearly visible on your website? Usually, your website’s footer should have a link to the Privacy Policy. The link should be clearly visible (i.e. with enough contrast between the link and the background color of the footer), should include the words “Privacy Policy” and should not be combined with other policies (e.g. Terms of Service).
- When was the last time that you updated your Privacy Policy? If it’s been a while, chances are that your Privacy Policy is out of date when it comes to more recent privacy laws;
- Where did you obtain this Privacy Policy? It is important to ensure that the Privacy Policy is based on the privacy laws that apply to you as that is what dictates what disclosures your Privacy Policy contains. If it is not based on the privacy laws that apply to you, then the policy is most likely not compliant;
- Does the Privacy Policy accurately list your business and privacy practices? For example, if your Privacy Policy states that you collect names and emails but you really collect names, emails, phone numbers, IP addresses, device identifiers, etc. the policy will not be compliant as it does not accurately depict your business and privacy practices.
Step 5: Check your consent banner
If your website sets cookies and tracks website visitors, and the privacy laws that require websites to have a consent banner apply to you, you will want to make sure that you have the right banner in place with the right functionality. You should test the banner to ensure that it has the following:
- An “Accept” button and a “Decline” button that have equal prominence;
- The consent banner should prevent all non-essential scripts from firing until the user provides their consent;
- The consent banner should accurately list all of the services that your website uses and should allow the user to choose their consent settings by category (e.g. functional or marketing) or by individual service (e.g. accept Google Analytics but decline YouTube videos);
- After the user has selected their consent settings, there should be a way to bring up the consent banner again to change those settings (e.g. by clicking an icon or a link).
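The banner behaviour above, written out as an added example in plain JavaScript (not code from the article or from any consent-banner product); the service list, the categories and the fire() stand-in for script injection are assumptions for the demo:

```javascript
// Added example (not code from the article): a minimal consent gate with the
// Step 5 behaviour. Nothing non-essential runs before a decision, "Decline"
// allows only essential services, consent can be granted per category or per
// service, and the choice can be reopened and changed. Service ids and
// categories are assumptions; fire() stands in for injecting the real <script>.
const SERVICES = [
  { id: "session-cookie", category: "essential" },
  { id: "google-analytics", category: "analytics" },
  { id: "youtube", category: "functional" },
  { id: "meta-pixel", category: "marketing" },
];

function createConsentGate(services = SERVICES) {
  let decision = null;      // null: banner still open, visitor has not chosen
  const loaded = new Set(); // services whose script has already been injected
  const fire = (id) => loaded.add(id);

  function isAllowed(id) {
    const svc = services.find((s) => s.id === id);
    if (!svc) return false;
    if (svc.category === "essential") return true; // strictly necessary: no consent needed
    if (decision === null) return false;           // no decision yet: stay blocked
    return decision.services.has(id) || decision.categories.has(svc.category);
  }
  // Inject every allowed service that is not yet running. Scripts already
  // injected cannot be un-run: after consent is withdrawn a real site must
  // also delete that vendor's cookies or reload the page.
  function apply() {
    for (const svc of services) if (isAllowed(svc.id) && !loaded.has(svc.id)) fire(svc.id);
  }
  function decide(categories, ids) {
    decision = { categories: new Set(categories), services: new Set(ids) };
    apply();
  }
  apply(); // essential services may start immediately
  return {
    isAllowed,
    hasDecided: () => decision !== null,
    loadedServices: () => [...loaded].sort(),
    acceptAll: () => decide(services.map((s) => s.category), []),
    declineAll: () => decide([], []),
    // Granular choice, e.g. choose({ categories: ["functional"], services: ["google-analytics"] })
    choose: ({ categories = [], services: ids = [] } = {}) => decide(categories, ids),
    // "Change settings" link: reopen the banner pre-filled with the previous choice.
    reopen: () => ({
      open: true,
      previous: decision && { categories: [...decision.categories], services: [...decision.services] },
    }),
  };
}
```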
Checking the items above, while tedious, can help you determine if your website is making some common privacy mistakes that can cause non-compliance fines or lawsuits. Taking the time now to review your website, resolve any issues, remove any unnecessary data collection points, and make adjustments to different vendors or settings can help you avoid privacy issues in the future.