Law Office of George R. Bravo
Your Business Lawyer

The Legal Side of Business

A blog written for entrepreneurs or established business owners that discusses the legal side of business issues that arise when starting or growing a business. 

Why Your Business Should Take Privacy Protection Seriously

[Image: rows of computer servers in security vaults]

Privacy Matters

Protecting consumers’ privacy is not just for big businesses or big corporations. Privacy laws affect both small and big businesses. Most, if not all, businesses today collect some amount of information about their consumers, such as a consumer’s name, phone number, email, or payment information. When your business collects information from a consumer, your business triggers certain privacy obligations that it must adhere to. If you are not complying with the applicable privacy laws in how you handle consumers’ personal information, your business may be liable for the mishandling of a consumer’s private information.

What Happens If My Business Does Not Comply With The Privacy Laws?

In California, the Attorney General may impose a fine on businesses of up to $2,500 for each privacy violation committed. If there is a violation of federal privacy law, the Federal Trade Commission (FTC) will enforce the law by bringing a suit against your company to compel compliance. The penalties for a federal privacy violation are fines and/or a requirement that your business undergo audits that may last up to 20 years. Usually, the FTC brings suit against businesses that do not comply with their own privacy policy posted on their websites. Thus, it is extremely important for your business to follow what its privacy policy says it does. In general, if your business collects any personal information from a customer, then your business is likely required to have a privacy policy.

Also, if your business does not implement some type of data security measure to protect the consumers’ personal information it has collected, your business may well be liable for any security breach that occurs. Furthermore, not having a strong privacy protection policy will ultimately threaten the viability of your business by causing the loss of goodwill and business trust.

In today’s data-driven market, it is imperative for your business to stay competitive by investing in the resources necessary to demonstrate that it respects and protects the security of the personal information in its custody. Do not let your business be the next Equifax data security breach story. Instead, take the time to develop a strong privacy protection policy, so you can have greater peace of mind and focus on growing your business.

What Are My Privacy Obligations?

Unfortunately, in the United States, there is no comprehensive law or one place that business owners can look to find out what their privacy obligations are when running a business. Instead, the body of privacy law is made up of a combination of state and federal law.

In general, the privacy obligations of businesses are governed by state law, but for certain industries, businesses will have to comply with both federal and state privacy laws. For example, California businesses in the health field are often subject to both the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and California's Confidentiality of Medical Information Act (CMIA). I highly recommend contacting a business lawyer to determine which privacy laws apply to your particular business.

Although there are businesses in certain industries that will have to comply with more privacy laws at both the state and federal level, there are general privacy laws in California that dictate the privacy obligations that every business in California must follow.

Your Privacy Obligations When Doing Business in California

There are numerous privacy laws in California, which can be found at https://oag.ca.gov/privacy/privacy-laws. The one privacy law that applies to all businesses with a commercial online presence is the California Online Privacy Protection Act of 2003 (CalOPPA). In general, the law states:

  1. Businesses must describe the types of personally identifiable information (PII) collected and how it is used, and then comply with what they say. PII consists of:

    • First and last name

    • Home or other physical address (including street name and name of a city or town)

    • Email address

    • Telephone number

    • Social security number

    • Any other identifier that permits the physical or online contacting of a specific individual

    • Information concerning a user that is collected online from the user, in combination with one of the above identifiers

  2. Businesses must conspicuously post a privacy policy and comply with it.

How to Protect Personally Identifiable Information (PII)

There are many methods your business can implement to protect, electronically, the PII it collects. In general, your business should pursue the following:

  1. Encrypt all PII and any other sensitive information, both where it is stored and whenever it is sent to third parties or to employees within the business, to further protect against data breaches. Keep in mind to use secure connections and to encrypt PII when using wireless and remote-access connections (such as cloud services).

  2. Implement and regularly update anti-malware programs on computers and servers.

  3. Restrict access to PII to “need to know” employees.

  4. Require strong login credentials, such as strong passwords, biometrics, and/or multi-factor authentication, to access the PII.

  5. Implement a firewall on all computers.
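To make items 1, 3 and 4 concrete, here is an added example (my own illustration, not code from the article or from any particular product) of what encrypting a stored PII record and restricting decryption to "need to know" roles looks like in code. It is a small Go program using only the standard library: a customer record is encrypted with AES-256-GCM under a random key, so the stored bytes reveal nothing and any tampering is detected, and decryption first checks the caller's role against a hypothetical access policy. The customer data, role names and policy table are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Customer is a constructed sample PII record (not real data).
type Customer struct {
	Name  string `json:"name"`
	Email string `json:"email"`
	Phone string `json:"phone"`
}

// Role names are assumptions made for this example.
const (
	RoleSupport   = "support"
	RoleMarketing = "marketing"
)

// needToKnow is a hypothetical policy: only roles listed here may decrypt PII.
var needToKnow = map[string]bool{RoleSupport: true}

// ErrAccessDenied is returned when a role outside the policy asks for PII.
var ErrAccessDenied = errors.New("access denied: role not authorized for PII")

// newKey generates a random 256-bit AES key. In practice the key lives in a
// secrets manager or KMS, never in the same store as the encrypted records.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// sealPII serializes the record and encrypts it with AES-GCM. A fresh random
// nonce is prepended to the ciphertext; GCM's tag makes tampering detectable.
func sealPII(key []byte, c Customer) ([]byte, error) {
	plain, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// openPII enforces the need-to-know check before decrypting, then verifies
// the GCM tag and decodes the record. Tampered data fails authentication.
func openPII(key []byte, role string, sealed []byte) (Customer, error) {
	var c Customer
	if !needToKnow[role] {
		return c, ErrAccessDenied
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return c, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return c, err
	}
	if len(sealed) < gcm.NonceSize() {
		return c, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return c, fmt.Errorf("decrypt/authenticate failed: %w", err)
	}
	err = json.Unmarshal(plain, &c)
	return c, err
}

func main() {
	key, _ := newKey()
	cust := Customer{Name: "Jane Doe", Email: "jane@example.com", Phone: "555-0100"}
	sealed, _ := sealPII(key, cust)
	fmt.Printf("stored bytes: %x\n", sealed[:16]) // no readable PII in storage
	_, err := openPII(key, RoleMarketing, sealed)
	fmt.Println("marketing:", err) // access denied by policy
	got, _ := openPII(key, RoleSupport, sealed)
	fmt.Println("support:", got.Email) // authorized role gets the record
}
```

Two design points worth noting: the role check happens before any cryptographic work, so an unauthorized request never touches the key, and GCM's authentication tag means a corrupted or altered record is rejected rather than silently decrypted into garbage. Encryption in transit (the "secure connections" in item 1) is a separate layer, normally TLS, and is not shown here.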


I recommend reading the FTC’s guide for businesses on how to protect personal information for further details: https://www.ftc.gov/tips-advice/business-center/guidance/protecting-personal-information-guide-business#LockIt


*The above blog article is for general informational purposes only and should not be taken as legal advice. Contact me to find out how any information here applies to your particular circumstances.