It’s hard to believe it’s been almost three years since the EU enacted its General Data Protection Regulation (GDPR), which fundamentally changed how businesses collect, process, and store consumer data. For many organizations, the GDPR was a major disruption that forced them to switch from a mindset of “collect as much data as you can in case you need it someday” to a mindset of only collecting and storing the data they really need to conduct business. Compounding that disruption, several other countries quickly passed similar laws, including:
And then there are countries like South Korea and Argentina, which had privacy policies even before the GDPR.
But for many small- and medium-sized U.S. businesses, those international laws weren’t much more than a blip in the news cycle. Now, however, things are changing. Despite (or perhaps because of) the lack of a federal privacy law, states are beginning to enact their own. The most well-known is California’s CCPA, which has even stricter standards than the GDPR. And, as with the GDPR, a business doesn’t have to be based in California for the law to apply; it just has to have customers who are California residents.
Other states are paying attention, especially as consumers become more concerned about the use and security of their personal data. Here are the states that have either passed privacy laws or have them in the works:
So it’s no wonder that smaller businesses across the United States are anxious about data privacy laws and how they’re going to become compliant. However, while I firmly believe that respecting the value of your consumers’ data will be a competitive advantage, there’s no reason to panic about laws that don’t even apply to your company.
How American businesses should respond to state-based privacy laws
First, let me make one thing clear: Every business should be moving toward privacy by design, where protecting consumer privacy is built into your processes from the ground up rather than being added later as a patch. That’s a global trend that’s not going away and will become a requirement for all businesses over time. However, let’s focus on what you need to do (or not!) right now to keep your organization compliant with all applicable laws.
Find out which laws apply to you
Despite the seeming universal nature of the internet, not every state law applies to every business. Here are a few examples:
- Geography: If you’re a brick-and-mortar business that doesn’t conduct online sales, you probably don’t have to worry about laws outside of your own state.
- Gross revenue: California’s law, for example, makes an exception for businesses that generate annual gross revenue of less than $25 million.
- Type of relationship: Some state laws are based on the type of relationship a business has with consumers. Vermont’s law, for example, doesn’t apply to businesses that have a direct relationship with their consumers, such as websites, apps, or e-commerce platforms. Instead, the law applies to what the state calls “data brokers,” businesses that sell data to a third party. And then there’s Nevada’s law, which makes exceptions for certain healthcare providers and financial institutions, as well as automotive manufacturers and repair shops.
- The number of people affected: California’s law, for example, exempts businesses that have data on fewer than 50,000 people.
These laws are complex and filled with legalese, so the first thing you need to do is figure out whether they even apply to you.
Identify the steps you need to take to achieve compliance
I don’t want to mislead anyone: If you’re subject to any of these laws, you need to take steps to become compliant right away. But I also don’t want you to fall for hype or “fake news.” So here are some sources you can use to find out which laws apply to you.
First, there’s always our friend Google. Before you panic over something you read in an article, go straight to the source, and Google the specific law the article is talking about. If you still have questions, try some of these other resources.
Your own legal counsel or a digital policy consultant
If your company has in-house legal counsel or external counsel on retainer, they should be your first stop. They can do a deep dive into which laws may or may not affect your business and then do a “risk vs. opportunity” analysis to prioritize which you need to address first.
If, like many small businesses, you don’t have an existing legal advisor, you can also turn to a digital policy consultant. While most digital policy consultants aren’t lawyers, they’re more likely to have the latest information on compliance issues. Even better, they can talk to you in “plain speak” about the requirements that apply to you and identify practical steps to address them.
Many state websites have resources for small businesses. In addition to taking advantage of tools you can use to make your business more successful, you can also research the state’s business laws. If you can’t find it on the website, contact the Secretary of State’s office.
Small business association
The Small Business Association offers a wealth of information to business owners, including a section on legal requirements as well as free business counseling.
SCORE, a partner of the U.S. Small Business Association, offers free business mentoring and education. Since 1964, 11 million entrepreneurs have benefited from their workshops and mentoring programs. We have a number of ways to help you find the information you need.
Conclusion: Act, but don’t overreact
I really can’t overstate the importance of complying with all applicable privacy laws. But the key is “applicable.” If you’re a small business just now starting the journey to digital compliance, identify your flashing red lights and take care of those first. Then wrap your arms around the concept of “privacy by design” and learn how treating consumers’ data with respect can be a competitive advantage.