Operating a small business in the United States used to be about just getting up and running, making your customers happy, and growing for the long term. Although operating a business is still about that in the U.S., it's now also about much more. One major thing that U.S. businesses have to worry about these days, especially businesses with an online component (which is everyone), is data privacy and security.
Unlike the EU, which implemented the General Data Protection Regulation, or GDPR, in 2018, the U.S. does not have one specific easy-to-understand federal scheme for how to handle personal data. Instead, there may be several federal laws applicable, depending on what type of data is being handled, and there may also be state laws which govern what your business can do with consumer data.
In this guide, we'll walk you through several relevant laws that touch on data privacy in the U.S. Once you are finished reading this guide, you'll have a good idea of which pieces of law may apply to your business. We'll also briefly discuss the GDPR as it relates to companies in the U.S.
Please note, though, this guide is for informational purposes only and shouldn't be construed as legal advice. Also, keep in mind the data privacy laws all over the world, including the U.S., can be very detailed, and often, how something should be applied depends on the real-life facts of your business. Therefore, it's a good idea to get a licensed attorney's assistance for issues specific to your company.
As mentioned above, unlike the EU, the United States does not have one sweeping data protection regulation. In practice, the Federal Trade Commission, or FTC, has broadly been overseeing online data protection issues in the country. In general, the FTC oversees "unfair or deceptive" trade practices. This means that when a company is behaving in an unfair or deceptive way towards the public, the FTC is the body responsible for investigating. This relates to data privacy and protection in the U.S. because the FTC has determined that failing to tell consumers what you are doing with their data, as well as failing to provide adequate safeguards for their data, can be considered an unfair or deceptive trade practice. In general, it's usually the case that things related to online data will be handled by the FTC at the federal level.
The FTC publishes updates about data privacy and security on their website. Because the U.S. has no comprehensive scheme for data privacy, the FTC updates provide guidance about what types of enforcement actions the FTC is pursuing. This is a good place to start to get to know data privacy in the U.S.
There is also the Privacy Act of 1974, codified at 5 U.S.C. § 552a, which is a broad law governing federal agencies' collection and use of information about individuals. The Privacy Act, among other things, restricts disclosure of personally identifiable records and grants individuals the right to access and amend their data.
Although we said there is no one sweeping data protection law, there are, in fact, many data protection laws in the U.S. It's just that those laws are usually specific to one sector.
For example, the Children's Online Privacy Protection Act, or COPPA, governs information collected online from minors and has several requirements outlining when data on minors can be shared. The Gramm-Leach-Bliley Act, or GLBA, is primarily a finance and banking law that also covers some aspects of data collection in that sector. HIPAA, or the Health Insurance Portability and Accountability Act, involves data protection and privacy related to personal health information.
Each of these laws contains significant and detailed rules regarding privacy in that sector. If you think your business may be subject to one of these laws, it's important to speak to an attorney specialized in this area so they can assist in your compliance efforts.
There are, along with the federal laws mentioned above, many individual state laws governing the collection, maintenance, and use of personal information from their citizens. Some of these laws have extraterritorial application, which means that they apply to the collection of personal data from their citizens regardless of whether the entity collecting the data is physically located within the state.
One of the most significant state laws recently implemented with regard to data protection in the U.S. is the California Consumer Privacy Act, or CCPA. The CCPA is largely based on the GDPR, discussed more below, and it does have extraterritorial application. The CCPA was meant to target online businesses, and some theorize it may be setting the stage for a larger, more comprehensive U.S. privacy scheme (or at least, more significant state laws).
Additionally, the state that you live in may have its own data protection scheme. It is therefore a good idea to be aware of and familiar with all of the relevant laws: the law of the state where you live and the laws of the states whose residents' data you collect.
Although it may be tempting to think that only U.S. laws apply to U.S. businesses, this is, unfortunately, not the case. In fact, depending on which country's citizens you target, you will likely find several other laws applicable to your business.
For example, the biggest and most prevalent non-U.S. law is the European Union's General Data Protection Regulation, or GDPR. This law applies to the collection of data from EU citizens, whether or not the business collecting the data is based in the EU. The GDPR establishes seven key principles that should guide all data collection of EU citizens. They are (with basic explanations) outlined below.
1. Lawfulness, fairness, and transparency: This means that you should only collect data lawfully, you should be transparent about what you will do with that data to your users, and you should keep your word.
2. Purpose limitation: The purpose for which you process data must be specified, explicit, and legitimate.
3. Data minimization: You should only collect the minimum amount of data that you need.
4. Accuracy: The data you process should be accurate.
5. Storage limitation: You should store and retain the data only as long as needed, then erase it.
6. Integrity and confidentiality: Keep the data that you process as secure as possible and anonymize where possible.
7. Accountability: Keep a record of everything, including all the steps you take for compliance, as well as your internal and external privacy policies.
Although each of the data protection authorities, or DPAs, in the EU promulgates its own written opinions on issues related to the GDPR (and the relevant country-specific legislation), these seven principles guide everything else contained within the regulation.
Before we discuss some basic steps all businesses should take with regard to personal user data, please keep in mind the specifics of which laws apply to your business and how the requirements of those laws should be implemented are unique questions that should be answered by a licensed attorney. Only an attorney that fully understands your business model can counsel you about what steps you should take with regard to data privacy.
Here, we'll outline some steps that all businesses should take with regard to personal user data, no matter which additional steps may also be needed based on relevant law.
Auditing and mapping your data will, for most businesses, be a long and complex process. And it should be! Getting a clear picture of all of the data you collect, hold, and use will be a key first step to complying with any data protection law. It's also a key first step in maintaining honest business practices for your users and customers.
Auditing and mapping your data means sitting down with your team and analyzing every single piece of data you collect and making sure there is a legitimate reason to collect all of that data. It means figuring out exactly where all of those data pieces are coming from. It means making sure you are asking users for the specific consent you need for each piece of data. It means reviewing how long you hold each piece of data and why. It also means fully understanding the electronic format the data is held in as well as how it is shared.
The data map you create will probably look something like a very large spreadsheet that has several columns outlining the information above. Consider this the holy grail of your data privacy compliance process. You will need to refer to, maintain, and update this document regularly throughout the life of your business.
One of the most important pieces of your data map will be tracking your consents. This means understanding exactly how you receive permission from users to collect and process their data, what is written in the form that the users see when permission is requested, and making sure you store all of that information somewhere to provide proof that you received adequate consent.
Getting user consent for the processing you plan to do of their data is an extremely important part of any compliance program. That's why it's a good idea to routinely monitor this area of your data protection program.
Although just one or a few people should oversee your data protection program (more on that below), you should consider training all of your employees on the basic data protection principles applicable to your business. This is because many individuals will likely be handling user data in their day-to-day work for your business, so everyone should be trained on how to properly handle that data.
The training can be as simple as an in-house PowerPoint presentation given by an employee who already understands data protection at a very detailed level. You can also hire an external company to come in and train your employees.
As mentioned above, one specific person (or maybe just a few specific people) should be responsible for data protection oversight at your company. Although many individuals will likely be handling user data, there should be one person or a small group of people with an overview of all of the data practices at your company, so they can be sure that you are maintaining compliance with all applicable laws. When one person or a small group oversees data protection at your company, they can also be given the responsibility of keeping up to date with new laws that may impact your practices.
Your data protection plan should be thought of as a living process rather than something you do once and forget. Privacy laws are constantly evolving, and with each new technology there is more to learn. Not only that, but data minimization and storage limitation are important principles for any business, not just those that are trying to comply with the GDPR. Routinely monitoring your data allows you to make sure that you aren't holding on to data that you don't need.
It can be complicated to figure out exactly what you need to do to get yourself in compliance with all the data privacy laws that apply to your business. That's why it's extremely important to take a lot of time to truly understand the relevant privacy schemes. And of course, it's never a bad idea to hire an experienced attorney to help you parse through all of the material you need to know.
We hope this guide has been a great starting point to help you understand data privacy for your small business.
About the Author: Anjali Nowakowski is a Legal Templates Programmer at Wonder.Legal and is based in the U.S.A.