The internet has connected the world in ways we could’ve only dreamed of decades ago. It also created a brand-new way to track data about internet users. Governments around the globe have recently regulated what data websites can collect and how they can use that data. Many small businesses run websites to expand their reach exponentially. These websites typically aren’t limited by user location; people can access them worldwide. That means your website should comply with laws passed by governments that otherwise have little authority over you. The following provides a primer covering what you need to know about data privacy laws as a small business owner.
Overview of Major Data Privacy Laws
Website operators can store information about what individuals use the internet to view and what data they send or receive online. In response to growing concerns about how businesses use this data, several governments have passed data privacy laws. The European Union’s General Data Protection Regulation (GDPR) was an early trailblazer, and many governments have followed the EU’s example since it passed the GDPR in 2016, including several U.S. states. Most states follow the pattern set by the GDPR or the California Consumer Privacy Act (CCPA).
The General Data Protection Regulation (GDPR)
The GDPR regulates how website operators may store and utilize user data without violating the right to privacy held by people in the EU. It applies to businesses that offer goods or services to EU residents or citizens or track information about their online behavior. So, if someone in or from the EU accesses your website and it tracks them with cookies, you fall under the GDPR. The law requires data processors to abide by seven principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
It also establishes that every EU citizen and resident has the right to:
- Know what data you collect
- Access that data
- Correct inaccuracies
- Erase the data
- Restrict processing
- Transmit their data to others
- Object to data collection or use
- Not be subject to automated or system-based data profiling
Users also have the right to prompt notice of any data breaches. The GDPR permits you to collect and use personal data only when one of the following conditions applies:
- The user provides unambiguous consent
- Processing the data is necessary to complete a contract to which the user is a party
- A court order requires you to collect the data
- You must process the data to save someone’s life
- Processing is necessary to carry out an official function or perform tasks related to the public interest
- You have a legitimate interest in processing the data
You may have a legitimate interest if you process data in ways users would reasonably expect with a minimal privacy impact or when a compelling justification exists. Generally, this means balancing the value of your use of the data against the user’s right to privacy.
California Consumer Privacy Act (CCPA)
California became the first state to pass a data privacy law in 2018 in the form of the CCPA. California voters expanded the CCPA’s protections by approving the California Privacy Rights Act (CPRA), which amended the CCPA. The CCPA applies to for-profit businesses that do business in California and meet any of the following thresholds:
- Have an annual revenue of $25 million or more
- Use personal information from 100,000 or more California residents or households
- Earn half their annual revenue or more by selling California residents’ personal information
Personal information includes data that identifies, relates to, or could be linked to you or your household. Sensitive personal information includes specific data, like government ID numbers, usernames and passwords, credit card numbers, and medical information. Under the CCPA, as amended by the CPRA, Californian consumers have the right to:
- Know what information businesses collect and how they use it
- Delete personal information
- Opt out of businesses selling or sharing their information
- Not be discriminated against for exercising their rights
- Correct inaccurate information
- Restrict what a business can do with the information
Businesses may use personal information:
- For certain research purposes
- In ways the user reasonably expects according to the business’s activities
- To respond to security incidents, avoid fraud, and protect user safety
- To maintain an account, provide customer service, verify information, or for similar purposes
- On a short-term basis for advertising that is not personalized
- To verify, maintain, or improve the quality or safety measures of products or services
- To comply with legal obligations and enforce or defend their rights
If information is publicly available, businesses are subject to few limitations in its use.
Compliance with Data Privacy Rules
Complying with the various data privacy laws requires businesses to take several affirmative steps:
- Create an easily accessible privacy policy
- Notify customers of the website’s cookie policy
- Provide users the ability to opt out of collection of certain data
- Notify consumers about the business’s data policies
- Offer a way for users to request deletion or correction of data
- Create a system for responding to user complaints or requests
In practice, this means creating a comprehensive, detailed privacy policy and equally detailed procedures to manage data and respond to user requests.
Privacy Policy
Your privacy policy should detail:
- What you collect
- Why and how you collect it
- What you use it for
- How users can contact you
- How you update the policy
- How you’ll notify users about updates
The policy should be linked from your homepage, and the link text should include the word “privacy.”
Cookie Notice and Policy
Your website should provide a cookie notice that:
- Asks for consent before activating cookies
- Clearly explains the cookies you use, their purposes, and whether you share information with third parties
- Allows users to accept or reject specific types of cookies
The notice should be easily accessible and not prevent users from accessing the website’s contents.
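As an added example that is not code from the article, here is the consent gate described above in JavaScript: every cookie write passes through one function that refuses non-essential categories until the user has explicitly accepted them, and withdrawing consent purges what was already set. The `jar` object and the cookie names are assumptions standing in for `document.cookie` so the logic runs outside a browser.

```javascript
// Added example, not code from the article: a consent gate for cookie categories.
// Assumption: every cookie write goes through setCookie(); `jar` stands in for
// document.cookie so the logic can run outside a browser.
const CATEGORIES = ["essential", "analytics", "marketing"];

// Before the user decides, nothing but strictly necessary cookies is permitted.
function createConsentState() {
  return { decided: false, allowed: { essential: true, analytics: false, marketing: false } };
}

// Record a per-category choice: anything other than an explicit true is a rejection.
function recordConsent(state, choices) {
  for (const cat of CATEGORIES) {
    if (cat !== "essential") state.allowed[cat] = choices[cat] === true;
  }
  state.decided = true;
  return state;
}

// The gate: refuse the write unless the cookie's category has been allowed.
function setCookie(jar, state, name, value, category) {
  if (!CATEGORIES.includes(category)) throw new Error("unknown cookie category: " + category);
  if (!state.allowed[category]) return false;
  jar[name] = { value, category };
  return true;
}

// Withdrawing consent must also remove the cookies already set for that category.
function revokeConsent(jar, state, category) {
  state.allowed[category] = category === "essential";
  let removed = 0;
  for (const name of Object.keys(jar)) {
    if (jar[name].category === category) { delete jar[name]; removed += 1; }
  }
  return removed;
}

// Walk-through with constructed cookie names and values.
function demo() {
  const jar = {};
  const state = createConsentState();
  const beforeConsent = setCookie(jar, state, "analytics_id", "a1b2c3", "analytics"); // false
  setCookie(jar, state, "session", "s3ss10n", "essential");                           // true
  recordConsent(state, { analytics: true });           // analytics accepted, marketing rejected
  const afterConsent = setCookie(jar, state, "analytics_id", "a1b2c3", "analytics");  // true
  const marketing = setCookie(jar, state, "ad_id", "xyz", "marketing");               // false
  const purged = revokeConsent(jar, state, "analytics");                              // 1
  return { beforeConsent, afterConsent, marketing, purged, remaining: Object.keys(jar) };
}
```

In a real site the tag or script that sets a cookie would call `setCookie` with its category, so analytics and marketing scripts cannot run ahead of the banner.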
Data and Request Procedures
Create an internal set of processes and procedures to follow whenever your website stores or uses personal information. In your data procedures, address at least the following questions:
- What data do you collect?
- How do you secure the data?
- How do you ensure your company doesn’t store data from those who’ve opted out?
- When do you delete data?
- What are your deletion procedures?
In your user request procedures, address these questions:
- How can users submit requests?
- How do you verify user identity?
- How do you verify requests to correct information?
- What is your target response time?
- What happens when you don’t follow the specified procedure?
You should also create policies for identifying and responding to any data breaches.
Consequences of Noncompliance
Failing to comply with the myriad of data privacy rules can result in serious penalties. The GDPR authorizes penalty fines of up to $20 million. The CCPA authorizes the California government to act against you. Various other state and national laws set their own penalties, subjecting you to potentially significant fines from multiple places.
Small Business Compliance
Even if you don’t expect your website to reach EU citizens or to fall under the CCPA, more and more governments have adopted regulations covering how websites use data since 2016. Ensuring you comply by establishing policies and procedures, consulting a data privacy specialist, and designating a compliance officer is essential to operating a website in the modern age.