Any online business is either managing the data it collects or needs to learn how quickly, and every business that collects any kind of data needs to become compliant and maintain compliance with data protection laws.
Whether you are selling barbecue sauce or big beautiful women, your business will never reach its potential without big data, and big data imposes big responsibilities
If you collect data from your customers, you need to take steps to comply with various and overlapping data protection laws.
Who your customers are, where they live, how often they visit your site, what they buy, and how often they buy are critical data that can help tailor your offerings and increase sales.
In an increasingly competitive environment, not using big data to improve your bottom line is a mistake that cuts into profits. Collecting information from your customers is a necessary part of doing business online, and proper data management is necessary to make the most of that data.
However, if you collect data from your customers, you need to take steps to comply with various and overlapping data protection laws.
Next May, the E.U.’s General Data Protection Regulation (GDPR) will take effect, and if you collect information, like login name, IP and email addresses from E.U. residents, or if E.U. residents buy your stuff, your business is subject to this law.
The GDPR requires, at minimum, that you post a privacy policy with understandable terms and actually stick to those terms. Additionally, it requires businesses to maintain systems where customers can correct erroneous information or have all their data erased, and under the GDPR, erased really does mean erased.
After a customer requests deletion, deactivating that customer but retaining the customer data in an inactive file is a violation incurring potentially large financial penalties. The penalties are intended to be “effective, proportionate, and dissuasive.” That means they’re intended to make it more financially sensible to comply than not, but if you don’t comply, the penalties will cause pain, no matter how big or small your operation. It does not matter where your business is located – if you have E.U. customers, the GDPR applies to you.
While the GDPR will create relatively uniform requirements across the E.U., the U.S. has a growing number of data security and privacy laws, with different requirements, and no federal unifying code.
As of this writing, 48 states, the District of Columbia and Puerto Rico have some sort of data protection law on the books and it can be a confusing mess, with varying requirements for privacy policy notices, how to define data breaches, and what to do after a data breach is discovered, who must be notified and how, and how much time you have to do it. As a business owner, you need to know what laws apply to you and what you need to do to stay compliant.
Some states require a privacy policy to be published on your website, others don’t. Some jurisdictions define a data breach as someone copying information from your servers, others define a data breach as unauthorized access, even if no copying or altering took place.
Some states require notifying the attorney general if you experience a data breach, most require notification of the persons whose data has been compromised, and most have exceptions to the notice rules if the data that was compromised was encrypted so long as the encryption key was not compromised.
California has comprehensive data protection requirements if you collect information from California residents, and Nevada just passed a law that requires a privacy policy to be published on any website that collects any type of identifying information from Nevada residents, even if all you collect is an email. Nevada is quite nice in that it gives you 30 days to post or correct a Privacy Policy after you have been informed of failure to comply.
Both states make it a violation to not post a privacy policy and also make it a violation if you knowingly violate your own privacy policy, so copying and pasting someone else’s privacy policy can cause you more problems than not posting a privacy policy at all.
With so many different jurisdictions and laws in the online space, attempts at compliance can be intimidating. At minimum, every business should be complying with the laws of the jurisdictions where your company headquarters is located, where it is incorporated, where it is hosted, and where its billing solutions are located.
You will need to post accurate Data Privacy Policies, respond to customer requests to delete or correct data, and have a plan in place to respond to a data breach. Does an affiliate manager selling a USB with 1,000 email addresses trigger notification requirements?
It depends on where you are located. Does your state or country require notifying a data protection authority after a discovered breach? Many do, and the time to notify varies, some within 72 hours. Does an employee losing a laptop with customer information count as a data breach? Most likely, and if you don’t have a response plan, you will waste valuable hours figuring out what your law requires.
Getting off the phone with your webmaster who tells you his laptop was stolen from his car is not the time to figure out if you need to notify an attorney general or what constitutes a reportable data breach. Put an emergency response plan in place before you need it, and run some desk top drills.
The good thing about data privacy laws are that they apply equally to all businesses and don’t single out adult enterprises, but the bad things are that an online business needs to comply with laws from many jurisdictions and the number of professionals that understand data privacy compliance is woefully inadequate, and the number of certified professionals even smaller.
Some online businesses will need a full-time data protection officer, others will only need review and updating of current data policies with regular checkups, but everyone will need to include data privacy issues in business planning. If you haven’t started planning for data protection rule compliance, you are already behind.
Chad Anderson is an Arizona attorney working in the area of cybersecurity and data privacy. He can be reached at chad@chadknowslaw.com.