Understanding Data Privacy Laws and How They Impact Small Businesses

What you need to know about data privacy laws as a business owner


The internet has connected the world in ways we could've only dreamed of decades ago. It also created a brand-new way to track data about internet users. Governments around the globe have recently regulated what data websites can collect and how they can use that data.

Small businesses that operate websites must comply with data privacy laws even when those laws come from other jurisdictions, because many governments regulate any website accessible to their residents.

Overview of Major Data Privacy Laws

Website operators can store information about user internet activity. In response to growing data concerns, governments have passed privacy laws. The European Union's General Data Protection Regulation (GDPR) was an early trailblazer, and many governments have followed the EU's example since it passed the GDPR in 2016, including several U.S. states.

The General Data Protection Regulation (GDPR)

The GDPR regulates how website operators store and use the data of EU residents and citizens. It applies to any business that tracks those users' online behavior, for example via cookies.

The GDPR's Seven Required Principles:

  • Lawfulness, fairness, and transparency

  • Purpose limitation

  • Data minimization

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality

  • Accountability

EU Citizens Have the Right to:

  • Know what data you collect

  • Access that data

  • Correct inaccuracies

  • Erase the data

  • Restrict processing

  • Transmit their data to others

  • Object to data collection or use

  • Not be subject to automated or system-based data profiling

Users also have the right to prompt notice of any data breaches.

Lawful Data Collection Bases:

  • The user provides unambiguous consent

  • Processing is necessary to complete a contract

  • A court order requires data collection

  • Processing is necessary to save someone's life

  • Processing is necessary to carry out official functions or public interest tasks

  • You have a legitimate interest in processing the data

You may have a legitimate interest if you process data in ways users would reasonably expect with a minimal privacy impact or when a compelling justification exists.

California Consumer Privacy Act (CCPA)

California became the first state to pass a data privacy law in 2018 in the form of the CCPA. California voters expanded the CCPA's protections by approving the California Privacy Rights Act (CPRA), which amended the CCPA.

The CCPA applies to for-profit businesses in California that:

  • Have an annual revenue of $25 million or more

  • Use personal information from 100,000+ California residents or households

  • Earn half their annual revenue by selling California residents' personal information

Personal information includes data identifying or linking to individuals or households. Sensitive personal information includes government IDs, usernames, passwords, credit card numbers, and medical information.

Californian Consumers Have the Right to:

  • Know what information businesses collect and how they use it

  • Delete personal information

  • Opt out of businesses selling or sharing their information

  • Not be discriminated against for exercising their rights

  • Correct inaccurate information

  • Restrict what a business can do with the information

Businesses May Use Personal Information For:

  • Certain research purposes

  • Ways the user reasonably expects according to business activities

  • Responding to security incidents, avoiding fraud, and protecting user safety

  • Maintaining accounts, providing customer service, and verifying information

  • Short-term non-personalized advertising

  • Verifying, maintaining, or improving product or service quality or safety

  • Complying with legal obligations and enforcing or defending their rights

If information is publicly available, businesses are subject to few limitations in its use.


Compliance with Data Privacy Rules

Businesses must take several affirmative steps:

  • Create an easily accessible privacy policy

  • Notify customers of the website's cookie policy

  • Provide users the ability to opt out of data collection

  • Notify consumers about data policies

  • Offer a way for users to request deletion or correction of data

  • Create a system for responding to user complaints or requests

In practice, this means writing a comprehensive, detailed privacy policy and backing it with equally detailed procedures for managing data and responding to user requests.

Privacy Policy

Your privacy policy should detail:

  • What you collect

  • Why and how you collect it

  • What you use it for

  • How users can contact you

  • How you update the policy

  • How you'll notify users about updates

The policy should be linked from your homepage, and the link text should include the word "Privacy."

Cookie Notice and Policy

Your website should provide a cookie notice that:

  • Asks for consent before activating cookies

  • Clearly explains the cookies you use, their purposes, and whether you share information with third parties

  • Allows users to accept or reject specific types of cookies

The notice should be easy to find and should not block users from reaching the website's content.

Data and Request Procedures

Create internal processes and procedures for personal information storage and use.

Data Procedures Should Address:

  • What data do you collect?

  • How do you secure the data?

  • How do you ensure your company doesn't store data from those who've opted out?

  • When do you delete data?

  • What are your deletion procedures?

User Request Procedures Should Address:

  • How can users submit requests?

  • How do you verify user identity?

  • How do you verify requests to correct information?

  • What is your target response time?

  • What happens when you don't follow the specified procedure?

You should also create a policy for identifying and responding to any data breaches.

Consequences of Noncompliance

The GDPR authorizes penalty fines of up to $20 million. The CCPA authorizes the California government to act against you. Various other state and national laws set their own penalties, subjecting you to potentially significant fines from multiple places.

Small Business Compliance

Even if you don't expect your website to reach EU citizens or fall under the CCPA, more and more governments have adopted regulations covering how websites use data since 2016. Establishing policies and procedures, consulting a data specialist, and designating a compliance officer are essential to operating a website in the modern age.

Key Takeaways
  • Data privacy laws like GDPR and CCPA regulate how businesses collect and use customer data

  • The GDPR applies to any business that tracks data from EU residents, regardless of location

  • CCPA applies to California businesses with revenue over $25 million or handling data from 100,000+ residents

  • Businesses must create accessible privacy policies and cookie notices

  • Users have rights to access, correct, and delete their personal data

  • Non-compliance can result in fines up to $20 million under GDPR

  • Establishing clear data procedures and consulting specialists is essential for compliance

Taylor Bradley, Esq.

Taylor Bradley, Esq., is a licensed attorney and writer with experience in the private and public sectors, including a highly coveted state supreme court clerkship. She is passionate about many areas of the law and enjoys helping people better understand their legal rights and responsibilities.

Taylor earned her B.A. in Political Science and History summa cum laude from Iowa State University and her J.D. with High Distinction from the University of Iowa College of Law. While there, Taylor spent her time working on articles for the Iowa Law Review and working with clients in the immigration and domestic violence legal clinics. After law school, Taylor clerked for the Iowa Supreme Court, where she spent two years learning about many different areas of the law and finding something fascinating in (almost) every one. She then practiced business immigration law before turning her focus to legal writing. Taylor loves her cats, music, exploring nature, and embracing her nerdy side by playing tabletop roleplaying games like Dungeons and Dragons.
