It's hard to believe it's been almost three years since the EU enacted its General Data Protection Regulation (GDPR), which fundamentally changed how businesses collect, process, and store consumer data. For many organizations, the GDPR was a major disruption that forced them to switch from a mindset of "collect as much data as you can in case you need it someday" to a mindset of only collecting and storing the data they really need to conduct business. Compounding that disruption, several other countries quickly passed similar laws, including:
- Brazil
- Australia
- Japan
- Thailand
And then there are countries like South Korea and Argentina, which had privacy policies even before the GDPR.
Global data privacy laws and regulations (proposed and in effect)
But for many small- and medium-sized U.S. businesses, those international laws weren't much more than a blip in the news cycle. Now, however, things are changing. Despite (or perhaps because of) the lack of a federal privacy law, states are beginning to enact their own. The most well-known is California's CCPA, which has even stricter standards than the GDPR. And, as with the GDPR, a business doesn't have to be based in California for the law to apply; it just has to have customers who are California residents.
Other states are paying attention, especially as consumers become more concerned about the use and security of their personal data. Here are the states that have either passed privacy laws or have them in the works:
So it's no wonder that smaller businesses across the United States are anxious about data privacy laws and how they're going to become compliant. However, while I firmly believe that respecting the value of your consumers' data will be a competitive advantage, there's no reason to panic about laws that don't even apply to your company.
How American businesses should respond to state-based privacy laws
First, let me make one thing clear: Every business should be moving toward privacy by design, where protecting consumer privacy is built into your processes from the ground up rather than being added later as a patch. That's a global trend that's not going away and will become a requirement for all businesses over time. However, let's focus on what you need to do (or not!) right now to keep your organization compliant with all applicable laws.
Find out which laws apply to you
Despite the seemingly universal nature of the internet, not every state law applies to every business. Here are a few examples:
- Geography: If you're a brick-and-mortar business that doesn't conduct online sales, you probably don't have to worry about laws outside of your own state.
- Gross revenue: California's law, for example, makes an exception for businesses that generate annual gross revenue of less than $25 million.
- Type of relationship: Some state laws are based on the type of relationship a business has with consumers. Vermont's law, for example, doesn't apply to businesses that have a direct relationship with their consumers, such as websites, apps, or e-commerce platforms. Instead, the law applies to what the state calls "data brokers," businesses that sell data to a third party. And then there's Nevada's law, which makes exceptions for certain healthcare providers and financial institutions, as well as automotive manufacturers and repair shops.
- The number of people affected: California's law, for example, exempts businesses that have data on fewer than 50,000 people.
These laws are complex and filled with legalese, so the first thing you need to do is figure out whether they even apply to you.
Identify the steps you need to take to achieve compliance
I don't want to mislead anyone: If you're subject to any of these laws, you need to take steps to become compliant right away. But I also don't want you to fall for hype or "fake news." So here are some sources you can use to find out which laws apply to you.
Primary sources
First, there's always our friend Google. Before you panic over something you read in an article, go straight to the source, and Google the specific law the article is talking about. If you still have questions, try some of these other resources.
Your own legal counsel or a digital policy consultant
If your company has in-house legal counsel or external counsel on retainer, they should be your first stop. They can do a deep dive into which laws may or may not affect your business and then do a "risk vs. opportunity" analysis to prioritize which you need to address first.
If, like many small businesses, you don't have an existing legal advisor, you can also turn to a digital policy consultant. While most digital policy consultants aren't lawyers, they're more likely to have the latest information on compliance issues. Even better, they can talk to you in "plain speak" about the requirements that apply to you and identify practical steps to address them.
State websites
Many state websites have resources for small businesses. In addition to taking advantage of tools you can use to make your business more successful, you can also research the state's business laws. If you can't find it on the website, contact the Secretary of State's office.
Small business association
The Small Business Association offers a wealth of information to business owners, including a section on legal requirements as well as free business counseling.
SCORE
SCORE, a partner of the U.S. Small Business Association, offers free business mentoring and education. Since 1964, 11 million entrepreneurs have benefited from their workshops and mentoring programs. We have a number of ways to help you find the information you need.
Conclusion: Act, but don't overreact
I really can't overstate the importance of complying with all applicable privacy laws. But the key is "applicable." If you're a small business just now starting the journey to digital compliance, identify your flashing red lights and take care of those first. Then wrap your arms around the concept of "privacy by design" and learn how treating consumers' data with respect can be a competitive advantage.