The legal intricacies of data privacy for small businesses in the United States can be difficult to navigate. Here's what small business owners need to know.
Small businesses in the U.S. have big privacy obligations. The global data privacy regulatory ecosystem affects every small business that collects data from the people it interacts with. This includes businesses with a digital presence – like a website with a contact form – but also businesses that keep physical records. The web is complex and difficult to navigate; this article will untangle it for you.
What is data privacy?
Data privacy refers to how you gather and use the data you collect. It covers issues like:
● Gaining consent from your customers to collect, use or sell their data
● Giving proper notice to customers if your privacy practices change
● Offering individuals rights to access and delete their data
Fundamentally, data privacy is the proper and responsible collection, creation, use, sharing, retention and disposal of information about people. It also includes decisions about when not to collect, not to create, not to share and not to permit certain uses of information to protect a person's privacy interests.
Legal actions taken against small businesses relating to data privacy are often related to failures to respect a person's legitimate privacy interests. For instance, if a California consumer asks you to delete his or her data and you fail to do so, that would be a privacy violation. Similarly, if you sell the data you collect without proper notice and consent that is also a data privacy issue.
Legally speaking, data privacy is treated differently from data security. Data security refers to how you protect the data you've collected from unauthorized access and use. Any reference to data breaches, privacy breaches, hacks or ransomware are references to data security.
Despite this difference, both data security and data privacy have legal consequences if they aren't managed correctly. This guide will help your small business manage both data security and data privacy risk.
Does the U.S. have privacy laws for small businesses?
There isn't yet a comprehensive federal-level data privacy or security act (though, it is widely anticipated that the president-elect will prioritize enacting one). However, the Federal Trade Commission (FTC) may bring enforcement action to protect consumers against "unfair or deceptive acts or practices." Over the last 20 years, the FTC has used this power to bring enforcement actions against companies that fail to comply with published privacy promises, including failing to secure personal information.
In 2019, the FTC brought enforcement actions in more than 130 spam and spyware cases and 80 general privacy lawsuits. While the statistics for 2020 are yet to be published, 2020 was another big year in privacy enforcement for the FTC.
Thus, to avoid an FTC investigation, small businesses must:
- Live up to any promises they make to consumers regarding the collection, use and protection of their information, and;
- Maintain reasonable procedures to protect consumer information
In addition, small businesses in the U.S. are governed by piecemeal state and industry-specific legislation. Your small business data practices need to align with:
Laws that govern in the state(s) in which you operate
Industry-specific regulations (e.g., laws based on the types of data you collect or the type of individuals from whom you collect data)
Any laws in the geographic areas from where you collect data
Small business compliance with privacy laws in other states or countries
Most privacy laws act to protect anyone within a given geographical location. It doesn't matter whether your business is registered there. What matters is where your users are.
Many states are moving privacy bills through the legislative process. California, Maine and Nevada are the only three states with comprehensive data privacy laws in force at present.
Globally, the General Data Protection Regulation (GDPR) is the most well-known data privacy act, but it isn't the only one. In fact, more than 80 countries currently have data privacy laws in force. If your business collects data from anyone residing in those U.S. states or any other country with data privacy laws, you need to be aware of them, and you may need to comply with them.
Small business compliance with industry-specific privacy regulations
There are more stringent federal regulations for businesses that operate in certain industries or collect data from certain populations. The Health Insurance Portability and Accountability Act (HIPAA), for instance, creates standards for the protection of medical information. Meanwhile, the Children's Online Privacy Protection Act (COPPA) governs the collection of data from children under the age of 13. The Gramm-Leach-Bliley Act and the Fair Credit Reporting Act are financial privacy statutes that govern the use and protection of certain financial information.
Some states have enacted their own corresponding state laws that may go beyond the federal regulations. It's not possible to outline all of the relevant laws within this article. We suggest you speak with a privacy expert to confirm whether your industry is subject to any specific state or federal laws.
Why should small businesses prioritize data privacy?
Beyond your legal obligations, there is a strong business case for embedding a culture of data privacy into your small business. Businesses that prioritize data privacy tend to have a competitive edge over those that do not. Other benefits of a strong culture of data privacy include:
● Increased business agility
● Informed business decisions
● Fewer losses from data breaches
● Better business reputation
● Optimized data processing
● More efficient operations
Whether your small business is obligated to comply with privacy regulations or you just want to access the benefits of a strong data privacy culture, here's how to achieve that:
Step 1: Your small business needs to understand the data it collects.
Understanding the data you collect is the first step any small business should take. Inventory your business devices, including computers, laptops, mobile devices, as well as all flash drives, disks, digital copiers, fax machines, and external data storage devices. Check for personal devices your staff may use for business purposes too. Afterward, review your physical records, including file cabinets, record storage facilities and address books.
During the inventory, take stock of the personal data you have from any person your business interacts with. This includes employees, suppliers, contractors, advisors, third-party providers and customers. Record what type of data you hold and where it's stored.
"Personal" data includes information like names, telephone numbers, credit card details, number plates, addresses, customer numbers, even details about a person's appearance. It's simplest to categorize the data you have under headers like these during your inventory.
Note that certain categories of data may be considered "sensitive" or "special" under certain statutes and may be subject to stricter obligations. For instance, biometric data is classified as "sensitive personal data" under the newly passed California Privacy Rights Act.
There's no point simply saying you collect "personal" information. You need to categorize the data at a more granular level to meet your obligations.
Step 2: Your small business must know what it does with the data it collects.
Data can be collected, transferred, processed, stored, accessed and/or sold. The data privacy laws that govern your small business will vary depending on what happens with the data you collect.
Consider this scenario: You operate a small but thriving jewelry business in the state of Washington. Your business is based on a digital storefront, and you have customers in the U.S. and Europe. To save time, you outsource your bookkeeping to a cost-effective bookkeeper in Estonia, and you ask a freelance writer in India to take care of your weekly marketing emails.
In this case, your bookkeeper may have access to the names and other personal details of your customers, suppliers, employees and more. Additionally, they may need access to financial information to process payments. Meanwhile, you may need to send (i.e., transfer) the freelancer a list of your email subscribers. They might then upload those details to a third-party email marketing platform, like Salesforce, based in California.
It's easy to see how quickly the data your small business collects can travel to various locales around the world. In the situation above, data may be stored in California, accessed and/or downloaded in India and Estonia, and may relate to persons from Nevada, Maine, California, and Europe. All these different locales have data privacy regulations. These may govern anything from how the personal data from persons residing there should be treated to how data should be secured to whether a data transfer is legal.
It's also easy to see how data privacy hygiene can help your business make better decisions. In the case above, the cost-effective bookkeeper may be less cost-effective when the costs of privacy compliance are considered.
Know the laws in relevant jurisdictions
Wherever your personal data is coming from, stored or going to, you need to understand and comply with the relevant laws. The fastest and easiest way to manage this is to consult with a privacy attorney. This may seem like a burden, and it can be. But the costs of noncompliance are significant to your reputation and your bottom line.
Step 3: Your small business should protect the data it collects.
Beyond complying with the relevant laws when you collect and/or use data, you also have a legal obligation to keep it safe. Here are some privacy best practices for achieving this:
Start with a data minimization strategy.
The easiest method of protecting personal data from unauthorized access is for your business to not have it at all. Implement policies and processes for your business to routinely destroy information that’s not essential for your operations.
Share as little personal data as possible.
Where you do need to provide any party with access to the data you've collected, provide as few details as possible. Personal data and records should be subject to access control measures so only the employees and third parties who need to view (or use) it can do so.
Create a cybersecure environment.
In 2019, 164.68 million sensitive records were exposed in the U.S. As cyberattacks grow more sophisticated and become more commonplace, your business needs to make cybersecurity a priority.
A cybersecure business environment takes advantage of robust technological measures and strong privacy practices to protect data. It's wise to consult with a cybersecurity advisor to work out what security measures your small business should be looking at. While cybersecurity can seem daunting as a small business owner, the solutions aren't as expensive as the consequences of a breach. As a starting point, here are 10 practical and cost-effective measures your small business can use to improve cybersecurity:
Encrypted data storage and backups
Strong internal processes and policies
Two-factor authentication requirements
Https security certificates
Regular software and hardware updates
Step 4: Your small business should plan for a data breach.
Finally, you should have plans in place for a data breach or security incident, and you should routinely stress test them. Your plans need to cover both business continuity and addressing your legal obligations.
Again, your legal obligations vary depending on where your business operates and where those who you've collected from are located. All 50 states and Washington D.C. have regulations that govern the notification process following a business data breach. You should be aware of all your obligations, including the timelines for them. Ideally, you should have template notifications prepared before a data breach ever occurs.
Final words of advice
The global privacy ecosystem is complicated and growing every day. To reduce compliance costs today and into the future, the best thing a small business can do is to reduce the volume of personal information flowing through it. A less-is-more attitude toward data collection goes a long way. It doesn't exempt your business from compliance. On the compliance front, prevention is much better than a cure. Seeking qualified help will always be significantly less expensive than either an enforcement action or a data incident.