Why Your Business Should Take Privacy Protection Seriously
Protecting consumers’ privacy is not just for big businesses or big corporations. Privacy laws affect both small and big businesses. Most, if not all, businesses today collect some amount of information about their consumers, such as a consumer’s name, phone number, email, or payment information. When your business collects information from a consumer, it triggers certain privacy obligations that it must adhere to. If you are not complying with the applicable privacy laws in how you handle consumers’ personal information, your business may be liable for the mishandling of a consumer’s private information.
What Happens If My Business Does Not Comply With The Privacy Laws?
If your business does not implement some type of data security measure to protect the consumers’ personal information it has collected, your business is likely to be liable for any security breach that occurs. Furthermore, not having a strong privacy protection policy will ultimately threaten the viability of your business by causing the loss of goodwill and business trust.
In today’s data-driven market, it is imperative for your business to stay competitive by investing in the resources necessary to demonstrate that it respects and protects the security of the personal information in its custody. Do not let your business be the next Equifax data security breach story. Instead, take the time to develop a strong privacy protection policy, so you can have greater peace of mind and focus on growing your business.
What Are My Privacy Obligations?
Unfortunately, in the United States, there is no comprehensive law or one place that business owners can look to find out what their privacy obligations are when running a business. Instead, the body of privacy law is made up of a combination of state and federal law.
In general, the privacy obligations of businesses are governed by state law, but for certain industries, businesses will have to comply with both federal and state privacy laws. For example, California businesses in the health field are often subject to both the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and California's Confidentiality of Medical Information Act (CMIA). I highly recommend contacting a business lawyer to determine which privacy laws apply to your particular business.
Although there are businesses in certain industries that will have to comply with more privacy laws at both the state and federal level, there are general privacy laws in California that dictate the privacy obligations that every business in California must follow.
Your Privacy Obligations When Doing Business in California
There are numerous privacy laws in California, which can be found at https://oag.ca.gov/privacy/privacy-laws. The one privacy law that applies to all businesses with a commercial online presence is the California Online Privacy Protection Act of 2003 (CalOPPA). In general, the law states:
Businesses must describe the types of personally identifiable information (PII) they collect and how it is used, and then comply with what they say. PII consists of:
First and last name
Home or other physical address (including street name and name of a city or town)
Social security number
Any other identifier that permits the physical or online contacting of a specific individual
Information concerning a user that is collected online from the user, in combination with one of the above identifiers
How to Protect Personally Identifiable Information (PII)?
There are many ways to electronically protect the PII your business collects. In general, your business should pursue the following:
Encrypt all PII and any other sensitive information, including when the PII is sent to third parties or to employees within the business, to further protect against data breaches. Use secure connections and encrypt the PII whenever it travels over wireless or remote access connections (such as cloud services).
Implement and regularly update anti-malware programs on computers and servers.
Restrict access to PII to “need to know” employees.
Require strong login credentials, such as strong passwords, biometrics, and/or multi-factor authentication, to access the PII.
Implement a firewall on all computers.
I recommend reading the FTC’s guide for businesses on how to protect personal information for further details: https://www.ftc.gov/tips-advice/business-center/guidance/protecting-personal-information-guide-business#LockIt
*The above blog article is for general informational purposes only and should not be taken as legal advice. Contact me to find out how any information here applies to your particular circumstances.