Data Privacy Compliance Guide for Agencies

By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Updated on: July 21, 2022

Partner With Termly
Data-Privacy-Compliance-Guide-for-Agencies-01

Data privacy compliance is complicated, with many laws being enacted worldwide and more drafted each year. These laws can have different requirements, and some third-party tools — like Google Analytics — have their own privacy rules.

However, no matter how complicated compliance can seem, it is not optional. Some businesses believe they can avoid the issue in the short term, but they risk fines, reputation losses, and customer attrition.

As an agency, data privacy is an increasingly important issue for your customers.

This guide will cover why data privacy is important and how you can convince your clients to take it seriously.

Table of Contents
  1. Why Is Data Privacy Important?
  2. Data Privacy Laws That Impact Your Clients (and Your Agency)
  3. An Agency’s Responsibilities and Liabilities Under Data Privacy Laws
  4. The Benefits of Offering a Compliance Solution To Your Clients
  5. Compliance Solutions That You Can Offer Your Clients
  6. How to Convince Your Clients They Need These Compliance Solutions
  7. How Termly Makes Offering a Compliance Solution Easy
  8. Termly’s Agency Partnership FAQs
  9. Summary

Why Is Data Privacy Important?

Over the last several years, data privacy has come to the forefront of political discourse around the world. But data privacy goes beyond regulations and legal requirements.

Consumers have become increasingly aware of privacy, privacy rights, and corporate accountability. If a company wants to retain its customers — and attract new ones — it must demonstrate that it takes data privacy seriously.

  • A PWC study found that 92% of consumers “agree companies must be proactive about data protection.”
  • Additionally, a McKinsey report found that 87% of respondents “would not do business with a company” if they had concerns about the company’s data security practices.

The number of consumers concerned about data privacy practices grows every year.

One of the most well-known data protection regulations is the General Data Protection Regulation (GDPR), which took effect in 2018. Since then, awareness about data privacy has grown exponentially.

US states have also begun enacting their own privacy laws, many of them based on the GDPR, and each year more states enact legislation.

Data privacy compliance is essential to any business’s growth, and, as an agency, you want your clients to be successful and to be able to grow their business. In addition, your clients must build trust with customers and maintain their reputation.

A single privacy law infraction could have devastating consequences. Even if the fine is not excessive, reputation losses from violations can be extreme.

In most cases, violations are publicly available, and your client’s customers can search for information about a company’s privacy practices — or lack thereof.

Ultimately, implementing data privacy practices is the right thing to do.

Whether it is a legal requirement or not, respecting a customer’s privacy is an admirable goal for a company. Any business that considers trustworthiness and client focus to be a part of its core values can’t overlook data privacy.

Data Privacy Laws That Impact Your Clients (and Your Agency)

Every data privacy law has its own requirements. Some laws have specific revenue or customer thresholds that a company must meet before compliance is required, while others apply to any business that has customers from certain countries or regions.

When considering whether or not your clients have to comply with these laws, it’s important to understand that in most cases these laws go beyond country borders.

Most of these laws apply to any company that has website visitors or customers from a certain country or region. It doesn’t matter if a company is located in that country or region or not, they still must comply with the law.

If your customers’ websites are available to users in the US or EU, you need to be aware of the following laws:

  • The General Data Protection Regulation (GDPR)

    • The GDPR applies to any business or website that has customers or website visitors from the EU. No matter where your clients are located, if they serve EU customers or website visitors, they need to comply with the GDPR. The GDPR is one of the most restrictive data privacy laws, and violations can come with severe fines.
  • ePrivacy Directive

    • Also known as the EU Cookie Law, the ePrivacy Directive places restrictions on how cookies can be used. Similar to the GDPR, any company that has website visitors or customers in the EU is required to comply.
  • California Consumer Privacy Act (CCPA)

    • The CCPA was the first major state data privacy law in the United States. It applies to companies that reach a certain threshold of revenue and/or California customers. It contains some similar restrictions to the GDPR.
  • California Online Privacy Protection Act (CalOPPA)

    • The CalOPPA applies if your website is accessible by any users in California. This law focuses on privacy policy requirements, including the information that must be included and where the privacy policy should be linked.
  • Virginia Consumer Data Protection Act (CDPA)

    • The CDPA is the second state data privacy law passed in the US. It will go into effect in 2023. If your clients have a significant number of Virginian customers, they may be impacted by this law.
  • Colorado Privacy Act (CPA)

    • The CPA, like the CDPA, was passed in 2021 and will go into effect in 2023. If any of your clients have a large number of customers from Colorado, they may be required to comply.
  • Personal Information Protection and Electronic Documents Act (PIPEDA)

    • PIPEDA is Canada’s national data privacy law. It is not as restrictive as the GDPR, but still gives Canadians some similar protections over their personal data and holds businesses accountable for the use and safety of that data.

Many other countries and individual US states have considered enacting data privacy and consumer protection laws.

In the US, data privacy regulation has widespread support, with lawmakers in both major political parties proposing legislation at a federal and state level.

Third-party Requirements

Governments are no longer the only entity requiring data privacy compliance. Third-party software providers are implementing data privacy requirements themselves.

For example, Google Analytics requires its user to have a comprehensive Privacy Policy when using their product. Additionally, Google Ads now requires you obtain user consent from EU consumers or risk having your account terminated.

Third-party requirements are a snowball effect of the data privacy laws themselves and you must consider them when creating websites and apps for your clients.

An Agency’s Responsibilities and Liabilities Under Data Privacy Laws

Responsibility for Your Own Business

If your business meets the GDPR, CCPA, or any other privacy law requirements, you must comply just like any other business or website.

You should be aware of additional restrictions and requirements if you also process data (which can include names, email addresses, IP addresses, and more) for your clients. You might process data depending on the services you provide for your clients.

If this is the case, you need to review how laws like the GDPR impact what types of data you process and, importantly, how you process it.

Are You Liable For Your Clients’ Businesses?

Ultimately, you are not responsible or liable for the data privacy compliance of your clients when you partner with Termly to provide them with a compliance solution. Their misuse of data or violation of any law is not your responsibility, and you should make that clear from the start.

However, it is also vital to inform them of data privacy best practices and make it clear that just having your solution in place is not where their compliance efforts end. Only they can answer crucial questions about their business practices, which proper compliance requires.

The Benefits of Offering a Compliance Solution To Your Clients

How You Benefit

Data privacy compliance is not optional.

Your services may not be complete without offering a compliance solution for your clients. If a client wants a comprehensive service, why wouldn’t they choose an agency that provides an essential service — compliance?

Some of your clients may already be aware of some of their compliance requirements. For example, they may already know that Google requires any website or application to have a published privacy policy before using Google Analytics.

Most companies and individuals are at least aware of laws like the GDPR, even if they do not know how those laws impact them.

As an agency, you can stand out by offering an easy-to-use, comprehensive compliance solution.

A solution like Termly’s that includes cookie consent management and policies can give your clients the reassurance they need that their website is:

  • More compliant with privacy laws
  • compliant with third-party tool requirements
  • Well-positioned to demonstrate trustworthiness to their customers

How Your Clients Benefit

Customers, businesses, governments, and regulators worldwide are all increasingly aware of and concerned about privacy issues. Consequently, in today’s world, your clients cannot claim to be unaware of cookie laws and privacy concerns.

Your clients stand to lose out on business if they don’t have a compliance solution.

Compliance is easy for customers to see — they are familiar with cookie banners, terms and conditions that they have to agree to in order to use a service, privacy policies, and more. When they encounter a business that doesn’t have these critical pieces of compliance, they may reconsider using that service, website, or company.

Limiting liability is another benefit for your clients.

Your clients will be the ones held accountable if they do not comply with data privacy laws. Even if your clients are small businesses, they are not exempt from all data privacy laws and still run the risk of fines and other legal consequences.

Compliance Solutions That You Can Offer Your Clients

Consent Management

Cookie Consent Manager

Consent management is essential for compliance with data privacy laws like the GDPR and CCPA and cookie-specific laws like the ePrivacy Directive. It involves managing consent opt-in and opt-out, creating a cookie banner, a preference center, a cookie policy, and cookie blocking.

Some laws, like the GDPR and CCPA, also require that websites give visitors a way to request access to their data — known as a Data Subject Access Request (DSAR).

A DSAR allows customers to submit requests to access, delete, transfer, or modify their data. A growing number of consumers take advantage of these requests.

Privacy Policies

Privacy Policy Generator

Privacy policies are a critical compliance piece that explains how a business or website collects, uses, and shares users’ personal data. Some common third-party tools also require them.

The Apple App and Google Play Store also require a privacy policy to publish an app.

Terms & Conditions

terms and conditions

A Terms and Conditions agreement — also known as Terms of Service or Terms of Use — is a legal agreement between a website and its users. They outline what user behavior is acceptable and include information and limitations on using that website’s services and content.

Data privacy laws do not usually require a Terms and Conditions agreement; however, any website that wants to protect itself in the case of a legal dispute, copyright infringement, or unacceptable user behavior needs this policy.

Your clients leave their website and content vulnerable if they do not create a Terms and Conditions agreement.

How to Convince Your Clients They Need These Compliance Solutions

As an agency, you may already be aware of how serious data privacy compliance is. However, your clients may not.

Many businesses, especially small- or mid-sized businesses — may not know how data privacy affects them, or that they are likely still subject to many of the laws larger companies comply with.

Here are some tips to help you make your clients understand why complying with data privacy laws is crucial:

Let Your Clients Know About the True Impact of Ignoring Data Privacy

Inquire if they understand the ramifications of not complying with data privacy laws. Start a conversation on topics such as:

  • Could their businesses already be losing customers over data privacy and data security issues?
  • Can their business survive thousands of dollars in fines?
  • Do they care about demonstrating their client focus and credibility?

If your clients aren’t already asking themselves these questions, then odds are, they are open to discussing a managed solution.

Show Them the Stats

Don’t just rely on your persuasiveness; show them the numbers. The amount of data privacy statistics proving the need for complying with the law and the ethical demand is growing every day.

Here are a few of the most compelling data privacy stats to highlight to your clients:

  • Most companies see a very positive return on their privacy investment, and over 40% see benefits at least double their privacy spend. (Ledgeview Partners)
  • 60% of users say they would spend more money with a brand they trust to handle their personal data responsibly. (Global Consumer State of Mind Report 2021)
  • 37% of users say that companies that are transparent about how they collect and use data and are more proactive in enforcing data privacy online reduce their concerns. (TrustArc)
  • 48% of users have stopped buying from a company over privacy concerns. (Tableau)
  • 92% of consumers agree that companies must be proactive about data protection (PwC)
  • 87% of respondents would not do business with a company if they had concerns about the company’s data security practices (McKinsey)

Show Them the Consequences

While there are many positive benefits of respecting data privacy, the consequences of non-compliance with the laws may be the push your clients need. Let them know how serious these regulations are and show them the fines and penalties levied so far.

Here are a just few of the largest GDPR fines you can highlight:

  • Enel Energia — €26.5 Million ($29.27 Million)
  • REWE International — €8 Million ($8.8 Million)
  • Cosmote Mobile Telecommunications — €6 Million ($6.6 Million)
  • OTE Group — €3.25 Million ($3.59 Million)
  • Notebookbilliger.de — €10.4 Million ($11.5 Million)

Discuss Data Privacy During Your Onboarding

Your onboarding process is a good time to provide a gentle reminder to your clients about the importance of data privacy compliance. You can point out where your client may be lacking and offer them a fix.

How Termly Makes Offering a Compliance Solution Easy

Termly offers a complete compliance solution that you can resell to your clients. Our platform includes a comprehensive cookie consent manager and access to customizable legal policies covering laws in the US, Canada, the EU, and the UK.

For resellers, we offer:

  • Multi-domain management: You can manage all of your licenses from one account.
  • Centralized billing: We have volume-based discounted pricing starting at 10 domains, and all licenses can be billed to a single account. Additional domains can be added ad hoc.
  • Multi-user functionality: You can add customers or employees to domains with customizable access levels.
  • Tech stack: Termly has a dedicated API, in addition to a WordPress plugin, a Google Tag Manager template, and other tools to help make integration easy.
  • Support: We offer live training sessions, video walkthroughs, webinars, and more for our partners. Our support can help with technical concerns, legal questions, and any issues that come up, both for you as an agency and for your clients.

Termly’s Agency Partnership FAQs

If I offer Termly’s compliance solution, am I liable for my clients?

  • No, you are not liable for the compliance of your clients. If your client violates a privacy law, that violation is not also applicable to you, unless you also violated the law.

What do the GDPR and CCPA say about Agencies?

  • Any company that processes personal data can be subject to comply with the GDPR and CCPA. As an agency, you should evaluate what data you use and how, especially any data processed on behalf of or from your clients. If you process any data on behalf of your clients, you may be considered a “data processor” and therefore subject to additional rules regarding that data.

Am I a Data Controller or Data Processor for my clients?

  • A data controller determines how and why personal data is collected. A data processor gathers, stores, or maintains personal data. Data processors often handle personal data for data controllers. If you gather, store, or maintain personal data for any of your clients, you likely are considered a data processor. Personal data is any information that can identify a person, including their name, email address, location data, and more.

Will I have to respond to DSARs on behalf of my clients?

  • No, you will not have to respond to DSARs on behalf of your clients. Termly offers an embeddable DSAR form that can be placed on your client’s websites. Requests can be sent to a specific contact listed in the form.

Can I give my clients direct access to Termly’s dashboard?

  • Yes, your clients will have direct access to Termly’s dashboard.

Does Termly offer customer support and guidance?

  • Yes, Termly offers customer support, guidance, and more for agencies. We offer technical guides, FAQs, video walkthroughs, webinars, and live training sessions to help keep any Termly installation simple.

Does my agency have to be big to partner with Termly?

  • Nope! We partner with and provide custom solutions to agencies of all sizes!

Summary

Data privacy compliance is critical for any modern company. Beyond legal obligations, companies must consider data privacy in order to attract and retain customers.

Any business that considers themselves client-focused can’t overlook data privacy.

As an agency, offering a compliance solution shows that you are truly interested in offering a complete service to your clients. Don’t let compliance become an issue for your clients — get in touch with us and let Termly take the issues of data privacy and compliance off of your plate.

Masha Komnenic CIPP/E, CIPM, CIPT, FIP
More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author