Each year, some of the biggest companies in the world fall victim to data breaches—in 2020, this list included Microsoft, Facebook, and Instagram. But just because small businesses aren't dealing with billions of electronic records like Amazon or Google doesn't mean they aren't just as vulnerable to data breaches. And failing to safeguard sensitive data may put businesses at risk of violating state and federal data privacy laws. Learn more about the data privacy obligations a small business owner has, as well as some steps to take to keep your data secure.
Data Privacy Laws Have Been Updated
Because most companies with any internet presence may do business with clients and consumers in all 50 states, they tend to be regulated by the strictest state standards, not the most lenient. For example, businesses that do business with California residents must comply with the California Consumer Privacy Act (CCPA), one of the most comprehensive data laws in the U.S. And businesses that collect data from residents of the European Union (EU) must adhere to the EU's General Data Protection Regulation.
Neither of these laws existed before 2018. If you have not updated your business's data security protocol since then, they may be out of date. The data covered by these privacy laws is limited to personal identifiable information (PII), which may include a person's name, address, Social Security or other government identification number, and driver's license number.
What Are Businesses Responsible for Collecting and Reporting?
Each data privacy law imposes its own restrictions and requirements. Under the CCPA, companies with annual gross revenues of $25 million or more are required to inform individuals what information is being collected and allow these individuals to opt out of any sale of their personal information. Companies that don't comply with the disclosure or opt-out provisions can be assessed a fine per each person affected—which, for heavily-trafficked websites, can be tens or even hundreds of thousands of people.
Other states, including Nevada, Washington, and New York either have just enacted or are in the process of enacting their own data privacy laws. With more and more of these laws on the books, small businesses may need to take steps when it comes to protecting consumer privacy.
Where Should Businesses Begin?
Getting a crash course on privacy laws in all 50 states can seem overwhelming. However, there are resources available, including 50-state surveys, that may make it easier to see precisely which laws apply to your business.
Some other steps to consider taking to stay ahead of data privacy laws include:
- Auditing your data collection process and documenting what data you share with third parties. You may be asked to produce this information quickly if you receive a consumer request.
- Document, update, and assess your data security protocols.
- Create a workflow that ensures data requests are handled quickly and in compliance with applicable laws.
In some cases, it may help to bring an experienced third party (like a data consultant) on board to quickly get you up to speed on data security.
The opinions voiced in this material are for general information only and are not intended to provide specific advice or recommendations for any individual.
All information is believed to be from reliable sources; however LPL Financial makes no representation as to its completeness or accuracy.
This article was prepared by WriterAccess.
LPL Tracking # 1-05206790