What privacy laws apply to small businesses?
Business owners may be surprised to learn just how extensive federal and state privacy laws truly are. You might also be surprised to learn just how much customer and employee data you have — from employee Social Security numbers to customer names, addresses and credit card information.
Federal and international laws
Several states have their own privacy laws, but there is currently no federal law on privacy or data collection. The Federal Trade Commission (FTC), however, will step in to prevent "unfair or deceptive acts or practices." In some cases, the FTC's reach will extend to the data you collect and store.
In today's economy, the European Union's General Data Protection Regulation (GDPR) might also affect your business. Although this law was not enacted by the United States government, it can apply to any company that collects information from EU residents.
Because even small business owners operate in a global economy, this EU law may affect your small business. Essentially, if you do business with anyone in the EU, you are subject to the GDPR. Ignoring this law can result in large fines.
California privacy laws
Several states also have privacy laws. For example, California enacted the California Consumer Privacy Act (CCPA) in 2020. This law applies to any company that does business in California or collects personal information on California residents. The CCPA requires many companies to not only tell customers that data is collected but also give customers access to that data.
The CCPA applies to any business that meets one or more of the following criteria:
- Sales above $25 million.
- Personal information processed for at least 50,000 California residents.
- Derives at least 50% of its revenue from sharing consumer data that belongs to California residents.
Under the law, businesses must offer customers the right to opt out of this data collection. The state can impose fines of up to $7,500 for each offense.
California has also enacted the Online Privacy Protection Act (CalOPPA). This law applies to any business with a website accessible to California residents (essentially any website) that collects information from consumers living in California. You may be surprised to learn that this law has been in place since 2012. It requires a disclaimer on your website that notifies Californians of their privacy rights and informs them how their data is collected, used and stored.
Virginia privacy laws
The Virginia Consumer Data Protection Act (VCDPA) was the second privacy law enacted after California's privacy law, with an effective date of Jan. 1, 2023. It applies to any company that conducts business in Virginia or markets its goods or services to Virginia residents if the company meets one of the following criteria:
- Control or process the personal data of at least 100,000 Virginia residents.
- Control or process the personal data of at least 25,000 Virginia residents and derive more than 50% of its gross revenue from the sale of that personal data.
Virginia gives consumers the right to know how their data is being collected and used and the right to have their personal data deleted. Consumers must also be able to opt out of both the collection and the sale of their personal data.
Colorado Privacy Act
Colorado allows its residents to opt out of targeted advertising, the sale of their personal data and certain types of profiling through the Colorado Privacy Act.
The legislation applies to companies that control or process personal data of at least 100,000 consumers or derive revenue or receive a discount on the price of goods and services from the sale of personal data of 25,000 or more customers.
While the law has already passed, it will not go into effect until July 1, 2024.
Utah privacy laws
The Utah Consumer Privacy Act might apply to your business if you operate in Utah. Like the California law, it applies to companies that earn at least $25 million in annual sales and that either process the data of at least 100,000 residents, or process the data of at least 25,000 residents while earning at least half of their income from sharing or selling that information.
Many other states could have similar laws in the near future.
Do data privacy laws apply to employees?
Various data privacy laws also apply to employees. As a general rule, businesses cannot disclose personal employee information without the employee's express consent. There are some exceptions, such as compliance with legal requirements or in the performance of a contract.
Some examples of employee information that cannot be disclosed are:
- Employee health information (based on HIPAA and the ADA).
- Credit reporting information.
- Tax and payroll information (including Social Security numbers and withholding information).
- Bank account information held for payroll purposes.
Disclosure of this information can have serious repercussions, regardless of whether the data breach was the result of a security lapse.
How can a small business put the right safeguards in place to meet these regulations?
Complying with various state, federal, and international laws can seem overwhelming. Many laws, however, require essentially the same protections, and the same general rules apply in multiple states.
Typically, the first step is to know where your customers are located. This information will help you determine which laws affect your business. Gathering that information is not always easy. If you do not have a good way to determine where your customers are located, adopt policies that comply with every privacy law that could affect your company. This may simply mean giving all customers the right to opt out, access to their stored personal information, and the ability to request that their information be deleted.
What are data security steps my small business may take to comply with these data privacy laws?
Below are some quick tips that may help your small business with compliance:
- Use HTTPS on any web page that collects data and keep a valid SSL/TLS certificate in place.
- Use encryption to collect and store highly sensitive data, such as credit card information or Social Security numbers.
- Use strong passwords internally and require individual (not shared) accounts to cut down on potential avenues for unauthorized access to data.
- Establish access control policies so that only authorized staff can reach the computers and systems that hold personal data.
- Consider working with a cybersecurity professional to protect your network from malware and intrusions.
Keeping data safe is a must for small businesses in today’s day and age. If you have more questions about your small business’s data privacy, reach out to a Rocket Lawyer network attorney for affordable legal advice.
This article contains general legal information and does not contain legal advice. Rocket Lawyer is not a law firm or a substitute for an attorney or law firm. The law is complex and changes often. For legal advice, please ask a lawyer.