Understanding Data Privacy Laws and How They Impact Small Businesses

What you need to know about data privacy laws as a business owner

Published November 08, 2024

The internet has connected the world in ways we could only have dreamed of decades ago. It also created a brand-new way to track data about internet users. Governments around the globe have recently begun regulating what data websites can collect and how they can use it. Many small businesses run websites to expand their reach, and those websites typically aren’t limited by user location; people can access them from anywhere in the world. That means your website should comply with laws passed by governments that otherwise have little authority over you. The following is a primer on what you need to know about data privacy laws as a small business owner.

Overview of Major Data Privacy Laws

Website operators can store information about what individuals use the internet to view and what data they send or receive online. In response to growing concerns about how businesses use this data, several governments have passed data privacy laws. The European Union’s General Data Protection Regulation (GDPR) was an early trailblazer, and many governments have followed the EU’s example since it passed the GDPR in 2016, including several U.S. states. Most states follow the pattern set by the GDPR or the California Consumer Privacy Act (CCPA).

The General Data Protection Regulation (GDPR)

The GDPR regulates how website operators may store and utilize user data without violating the right to privacy held by people in the EU. It applies to businesses that offer goods or services to EU residents or citizens or track information about their online behavior. So, if someone in or from the EU accesses your website and it tracks them with cookies, you fall under the GDPR. The law requires data processors to abide by seven principles:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

It also establishes that every EU citizen and resident has the right to:

  • Know what data you collect
  • Access that data
  • Correct inaccuracies
  • Erase the data
  • Restrict processing
  • Transmit their data to others
  • Object to data collection or use
  • Not be subject to automated or system-based data profiling

Users also have the right to prompt notice of any data breaches. The GDPR limits when you can collect data and how you can use it to the following:

  • The user provides unambiguous consent
  • Processing the data is necessary to complete a contract to which the user is a party
  • A court order requires you to collect the data
  • You must process the data to save someone’s life
  • Processing is necessary to carry out an official function or perform tasks related to the public interest
  • You have a legitimate interest in processing the data

You may have a legitimate interest if you process data in ways users would reasonably expect with a minimal privacy impact or when a compelling justification exists. Generally, this means balancing the value of your use of the data against the user’s right to privacy.

California Consumer Privacy Act (CCPA)

California became the first state to pass a data privacy law in 2018 in the form of the CCPA. California voters expanded the CCPA’s protections by approving the California Privacy Rights Act (CPRA), which amended the CCPA. The CCPA applies to for-profit businesses doing business in California that:

  • Have an annual revenue of $25 million or more
  • Use personal information from 100,000 or more California residents or households
  • Earn half their annual revenue or more by selling California residents’ personal information

Personal information includes data that identifies, relates to, or could be linked to you or your household. Sensitive personal information includes specific data, like government ID numbers, usernames and passwords, credit card numbers, and medical information. Under the CCPA, as amended by the CPRA, Californian consumers have the right to:

  • Know what information businesses collect and how they use it
  • Delete personal information
  • Opt out of businesses selling or sharing their information
  • Not be discriminated against for exercising their rights
  • Correct inaccurate information
  • Restrict what a business can do with the information

Businesses may use personal information:

  • For certain research purposes
  • In ways the user reasonably expects according to the business’s activities
  • To respond to security incidents, avoid fraud, and protect user safety
  • To maintain an account, provide customer service, verify information, or for similar purposes
  • On a short-term basis for advertising that is not personalized
  • To verify, maintain, or improve the quality or safety measures of products or services
  • To comply with legal obligations and enforce or defend their rights

If information is publicly available, businesses are subject to few limitations in its use.

Compliance with Data Privacy Rules

Complying with the various data privacy laws requires businesses to take several affirmative steps:

  • Create an easily accessible privacy policy
  • Notify customers of the website’s cookie policy
  • Provide users the ability to opt out of collection of certain data
  • Notify consumers about the business’s data policies
  • Offer a way for users to request deletion or correction of data
  • Create a system for responding to user complaints or requests

In practice, this means writing a comprehensive, detailed privacy policy and equally detailed procedures for managing data and responding to user requests.

Privacy Policy

Your privacy policy should detail:

  • What you collect
  • Why and how you collect it
  • What you use it for
  • How users can contact you
  • How you update the policy
  • How you’ll notify users about updates

The policy should be linked from your homepage, and the link text should include the word “privacy.”

Cookie Notice and Policy

Your website should provide a cookie notice that:

  • Asks for consent before activating cookies
  • Clearly explains the cookies you use, their purposes, and whether you share information with third parties
  • Allows users to accept or reject specific types of cookies

The notice should be easily accessible and not prevent users from accessing the website’s contents.

Data and Request Procedures

Create an internal set of processes and procedures to follow whenever your website stores or uses personal information. In your data procedures, address at least the following questions:

  • What data do you collect?
  • How do you secure the data?
  • How do you ensure your company doesn’t store data from those who’ve opted out?
  • When do you delete data?
  • What are your deletion procedures?

In your user request procedures, address these questions:

  • How can users submit requests?
  • How do you verify user identity?
  • How do you verify requests to correct information?
  • What is your target response time?
  • What happens when you don’t follow the specified procedure?

You should also create policies for identifying and responding to data breaches.

Consequences of Noncompliance

Failing to comply with the myriad data privacy rules can result in serious penalties. The GDPR authorizes fines of up to $20 million. The CCPA authorizes the California government to take enforcement action against you. Various other state and national laws set their own penalties, potentially exposing you to significant fines from multiple jurisdictions.

Small Business Compliance

Even if you don’t expect your website to reach EU citizens or fall under the CCPA, more and more governments have adopted regulations covering how websites use data since 2016. Establishing policies and procedures, consulting a data specialist, and designating a compliance officer are essential to operating a website in the modern age.

Taylor Bradley, Esq., is a licensed attorney and writer with experience in the private and public sectors, including a highly coveted state supreme court clerkship. She is passionate about many areas of the law and enjoys helping people better understand their legal rights and responsibilities.
