A common question I hear from law firms is: “Do the DPDP Rules apply to our website?”

Short answer: Yes, in most cases, they do. If your website collects any digital personal data, even something as basic as a name, email or phone number via a contact form, you are processing personal information under the DPDP Act and will likely be a Data Fiduciary. This is not limited to tech companies or large enterprises. Law firms of all sizes, sole practitioners, legal-tech platforms, and even basic websites that use analytics or WhatsApp widgets are covered.

Where DPDP usually applies on a law firm site:
- Contact / enquiry forms
- Consultation bookings and internship applications
- Newsletter sign-ups
- Google Analytics, Meta Pixel or other tracking tools
- WhatsApp chat widgets and CRM/lead-tracking integrations

What compliance looks like (practical checklist):
- Valid consent: Clear notice and explicit consent before collecting data.
- Privacy Notice: A transparent notice explaining purpose, retention, sharing, and rights.
- Consent management: Easy mechanism to withdraw consent.
- Data minimisation & security: Only collect what’s necessary and implement reasonable safeguards.
- Children’s data & cross-border storage clarity: If relevant, address these specifically.

Common gaps I see:
- “Submit” buttons without a consent checkbox
- No privacy notice or outdated policy
- Analytics or pixels running without prior consent
- WhatsApp widgets capturing data without disclosure

Why this matters: Non-compliance isn’t just a technicality; penalties under the DPDP Act can be significant depending on severity. Beyond fines, early compliance builds trust with privacy-aware corporate clients and reduces legal risk.

If your firm collects personal data through its website, the practical next step is simple: audit the site (forms, pixels, widgets), add/refresh a clear privacy notice, and implement consent management.
It is high time that law firms adapt to these rules quickly, because law firms that adapt early will build more trust with clients, especially corporate ones who are already privacy-aware.
Data Privacy Requirements for Website Forms and Analytics
Summary
Data privacy requirements for website forms and analytics refer to the rules and practices that ensure personal information collected through online forms and tracking tools is handled transparently and safely. These requirements help protect site visitors’ data and keep businesses compliant with laws like GDPR, DPDP Act, and ePrivacy Directive.
- Update privacy notices: Make sure your website clearly explains what data is collected, how it’s used, and users’ rights, especially if you add new forms or tracking tools.
- Manage consent carefully: Collect explicit consent before using cookies or gathering personal information, and always provide an easy way for users to withdraw or change their preferences.
- Limit data collection: Only gather the information necessary for your service or analytics, and avoid storing or sharing data beyond what’s required for basic functionality.
The Data (Use and Access) Act (DUAA) brings changes to the UK's rules on cookies and similar technologies. This briefing explains the three new consent exceptions, the new penalty regime, and whether you still need a cookie banner.

The DUAA amends the Privacy and Electronic Communications Regulations 2003 (PECR). Among other things, PECR regulates cookies, pixels, and other methods of accessing or storing information on people's devices. I'm using "cookies" as a shorthand (sorry).

The basic PECR rule remains the same. Before setting cookies (etc.), you must:
- Tell people about your purposes, and
- Get consent.

There have always been two exceptions. You don’t need consent if the cookies (etc.) are:
- Used solely to facilitate the transmission of a communication, or
- Strictly necessary for providing a service requested by the user.

These “classic” PECR exceptions remain, with some clarifying language.

The DUAA adds three new consent exceptions.

New exception 1: "Analytics"
You won't need consent to collect statistical information about how your own service or website is used, with the specific aim of making improvements to it. You may not share information collected with another party except for the purpose of helping you make improvements.

New exception 2: "Appearance"
You won't need consent to adapt how your website appears or functions based on users' preferences, or to enhance functionality on the user’s device (e.g., for "responsive design").

Note: You can only rely on exceptions 1 or 2 if:
- You provide clear and comprehensive information to the user about your specific purposes,
- You give the user a simple and free way to object (opt out), and
- The user has not objected.

New exception 3: "Emergencies"
You do not need consent to access or store information on a person's device if:
- You get a communication from the device requesting emergency assistance, and
- You access or store information on the person’s device to discover where it is, with a view to providing emergency assistance.

This exception doesn’t require you to allow objections or provide information.

Do you still need a cookie banner for the UK?
While you will be able to set certain cookies by default (on an “opt-out” basis), you probably still need some sort of cookie banner or pop-up, even if your cookies fall within one of the new exceptions. I give a hypothetical example of an opt-out cookie banner in the briefing. But hold off for now: We still need to wait for the Government to give effect to the DUAA.

The DUAA also aligns PECR’s enforcement regime with the UK GDPR. In other words… Maximum fines under PECR are rising from £500,000 to £17.5 million. Recent UK regulatory activity in this area has primarily consisted of sending people letters. So there is no guarantee that a large cookie-related fine will ever be issued in the UK… But you should be aware of the possibility.
A court recently let a California CCPA class action lawsuit proceed against a company for its website's use of Google Analytics. Here's what to know and do ⬇️

A federal district court in California allowed a CCPA #ClassAction to survive a motion to dismiss. The defendant offers a website-based service for connecting people to mental health therapists, and allegedly allowed #GoogleAnalytics to collect information like mental health conditions entered into its website. Google offered an IP address anonymization feature that defendant allegedly didn't use.

The court ruled that the CCPA claim under its limited private right of action (Cal Civ Code § 1798.150) could proceed even though there was no data breach. It reasoned that a data breach isn't required: a claim could proceed if personal information is subject to unauthorized disclosure as a result of the business's failure to maintain reasonable security procedures (presumably the use of the Google IP address anonymization feature).

While this isn't a ruling on the merits, the fact that the CCPA allows statutory damages of $100-$750 per consumer/incident (or actual damages if greater) could lead to claims against other companies on this theory for using cookies, pixels, and other tracking technologies for common business practices like #TargetedAdvertising and #website #analytics.

What should your company do? Here are four steps to consider:

1️⃣ Don't panic. This case isn't a ruling on the merits, and it's not clear this theory will ultimately prevail.

2️⃣ Assessments. Validate that your privacy or tracking technology assessment processes:
🔹 Identify what data is passed by each tracking technology;
🔹 Determine whether all data need to be passed & remove any that don't; and
🔹 Use privacy-protective tracking technology provider tools and settings. (Know what team at your company identifies what options are available, and determine whether they have the privacy knowledge to know what to look for and use. Reviews of providers’ documentation and settings are often needed.)

3️⃣ Governance. Establish or validate an approach to governing the use of tracking technologies on your company's website and mobile #apps, including:
🔹 Keeping an up to date understanding of the technologies used and business purposes they serve;
🔹 Knowing what specific data types are passed;
🔹 Triggering reviews or re-assessments when there are changes to data passed or business purposes the technologies are used for; and
🔹 Getting buy-in and alignment on roles and responsibilities with stakeholders that can place, use, or configure the technologies.

4️⃣ Consider Consent. Especially when website/app events or other data types passed could reveal something sensitive, obtain opt-in consent before allowing the data to be transmitted. This is viewed as required by the FTC, and is required under some of the state comprehensive #privacy laws.
All organizations must comply with evolving privacy regulations and meet customer expectations. Clarity on what needs to be managed is critical. These are three key areas to focus on:
1) Privacy Rights Requests
2) Consent & Communication Preferences
3) Cookie Consent Management

Here are the details:

1) Privacy Rights Requests (DSRs)
These rights are governed by laws like GDPR (EU), CCPA (US), etc. They empower individuals to control their personal data, including:
- Access, Delete, Correct, Portability. Example: “Send me all data you have about me”
- Restrict Processing, Withdraw Consent. Example: “Pause processing my data for marketing”
- Object to Automated Decisions. Example: “Request human review of a loan application instead of relying solely on an algorithm.”
- Opt-Out of Sale/Sharing. Example: “Do not sell my data to third parties” (CCPA)
- Limit Sensitive Data Use. Example: “Restrict use of my health data for analytics”

2) Consent & Communication Preferences
Governed by: GDPR, TCPA (US), CAN-SPAM (US), CASL (Canada), etc. These preferences give customers control over the following engagement:
- Marketing opt-in/out (email, SMS, calls). Example: “Subscribe to product updates via email”
- Transactional notifications. Example: “Receive SMS for delivery status”
- Terms acceptance. Example: “Agree to app Terms of Service before use”
- Sensitive data consent. Example: “Allow use of biometric data for authentication”
- Frequency & channel preferences. Example: “Send me monthly newsletters, not weekly”

3) Cookie Consent Management
These are governed by: ePrivacy Directive (EU), GDPR, CPRA, etc. They ensure transparency and compliance with tracking technologies:
- Published cookie policy. Example: “View detailed cookie categories on website”
- Consent banners (accept/reject/preferences). Example: “Choose analytics cookies only”
- Block non-essential cookies until consent. Example: “No ad tracking until user opts in”
- Record and audit consent. Example: “Store timestamp of user’s cookie choice”
- Editable/revocable consent. Example: “Change cookie settings anytime via footer link”
- Essential cookies exempt. Example: “Session cookies for login remain active”
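As an added example (not code from any of the posts above), the following JavaScript shows the mechanics behind the first post's consent-management checklist and the cookie consent management items in the last post: non-essential trackers stay blocked until an opt-in is recorded, every choice is logged with a timestamp for audit, consent can be withdrawn from a footer link, and essential cookies run regardless. It is DOM-free so it runs under Node; the category names, the loader callbacks and the `demo` walk-through are constructed for illustration.

```javascript
// Added example (not from any post on this page): a DOM-free consent gate that blocks
// non-essential trackers until opt-in, logs each choice with a timestamp, and unloads on withdrawal.
const ESSENTIAL = 'essential';

class ConsentGate {
  constructor({ now = () => new Date().toISOString(), store = new Map() } = {}) {
    this.now = now;           // injectable clock so audit entries are testable
    this.store = store;       // stands in for the persisted consent cookie
    this.loaders = new Map(); // category -> [{ name, load, unload }]
    this.loaded = new Set();  // trackers currently running
    this.log = [];            // audit trail: { category, granted, at }
  }
  // Register a tracker; essential ones run at once, others only with a recorded opt-in.
  register(category, name, load, unload = () => {}) {
    if (!this.loaders.has(category)) this.loaders.set(category, []);
    this.loaders.get(category).push({ name, load, unload });
    if (category === ESSENTIAL || this.store.get(category) === true) {
      load(); this.loaded.add(name);
    }
  }
  // Persist an explicit choice with a timestamp, then start or stop affected trackers.
  setChoice(category, granted) {
    if (category === ESSENTIAL) throw new Error('essential cookies are exempt');
    this.store.set(category, granted);
    this.log.push({ category, granted, at: this.now() });
    for (const t of this.loaders.get(category) || []) {
      if (granted && !this.loaded.has(t.name)) { t.load(); this.loaded.add(t.name); }
      if (!granted && this.loaded.has(t.name)) { t.unload(); this.loaded.delete(t.name); }
    }
  }
  withdraw(category) { this.setChoice(category, false); }
  isRunning(name) { return this.loaded.has(name); }
  auditTrail() { return this.log.slice(); }
}

// Constructed walk-through: "analytics only" opt-in, then withdrawal via a footer link.
function demo() {
  const events = [];
  const gate = new ConsentGate({ now: () => '2025-01-01T00:00:00Z' });
  gate.register(ESSENTIAL, 'session', () => events.push('session:on'));
  gate.register('analytics', 'ga', () => events.push('ga:on'), () => events.push('ga:off'));
  gate.register('marketing', 'pixel', () => events.push('pixel:on'), () => events.push('pixel:off'));
  const before = gate.isRunning('ga');   // false: blocked until opt-in
  gate.setChoice('analytics', true);     // "Choose analytics cookies only"
  const afterOptIn = gate.isRunning('ga');
  gate.withdraw('analytics');            // "Change cookie settings anytime"
  return { events, before, afterOptIn, afterWithdraw: gate.isRunning('ga'),
           pixelRunning: gate.isRunning('pixel'), trail: gate.auditTrail() };
}
```

On a real site the `store` would be a first-party consent cookie and the loaders would inject the analytics or pixel script tags; the audit trail is what lets you show when each choice was made.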