Data Privacy for SMBs: Essential Compliance Info to Know

Jan 2, 2024

Photo credit: Thapana_Studio - stock.adobe.com

In today’s digital landscape, data is a valuable asset. And no matter what type of business you have, you’re likely collecting, storing and using customer data. 

Navigating the realm of data privacy regulations can feel incredibly complex and overwhelming, but it’s crucial for safeguarding your business and maintaining customer trust.

Below, we outline expert-backed insights and best practices to help you become a more privacy-savvy business in today’s data-driven world.

Let’s get started!

What are data privacy regulations and why do they exist?

Shahara D. Wright, a Business Law Attorney and Founder of The Wright Firm, PLLC, breaks down the fundamentals of data privacy laws in the United States. 

“Privacy regulations really have to do with how data is handled,” she stated. 

According to Wright, the U.S. doesn’t have one specific data privacy law; instead, states enact their own laws. 

“It started with California,” said Wright. “After GDPR happened in Europe, California was the first state to enact privacy laws. And then every state has started to have something either in process or has enacted privacy laws.”

What data and privacy regulations should SMBs be aware of?

Various kinds of data privacy regulations exist. Rebecca Herold, CEO at Privacy & Security Brainiacs, outlined the different types of laws small business owners should be aware of:

Comprehensive state privacy laws

“These all generally govern how personal data can and cannot be used for purposes beyond the reason the data was originally collected, such as for sales and marketing,” explained Herold. There are “at least 14 such laws in 13 states,” each at various stages of enactment. 

At the time of writing this article, California (CCPA and CPRA), Virginia (CDPA), Colorado (CPA) and Connecticut have laws that are in effect. The Utah law (UCPA) went into effect recently, on Dec. 31, 2023, while the following state laws will go into effect at various times between 2024 and 2026:

  • Florida (FDBR)
  • Oregon (OCPA)
  • Montana (MCDPA)
  • Iowa (ICDPA)
  • Texas (TDPSA)
  • Delaware (DPDPA)
  • Tennessee (TIPA)
  • Indiana (ICDPA)

Don’t see your state in the list above? You should still be aware of the laws in different states and ensure that you comply with them.

“Regardless of whether the state has a privacy law in place or not, you should follow regulations,” said Wright. This typically means following the strictest state laws.

“California would probably have the most rigorous laws, and you really want to follow them because [these laws apply] not where the business is, but it’s where the consumer is,” Wright added. “And so if you have a digital business and you’re collecting information from people across the United States—even if you are in a place that doesn’t have privacy laws—you have to be responsible for that.”

Breach response laws

Herold also brought up breach response laws, which are regulations requiring businesses to take specific actions in the event of a data breach.

“This is important not only for SMBs who sell services and products to consumers but also for business-to-business firms,” Herold said. “SMBs need to make sure their business clients who have entrusted personal data of any kind to them have provided clear instructions for how to report personal data breaches to them, including details about the date, time and type of breach. Timeliness is an issue with each of the laws, so they can’t put off responding. This includes marketing databases.”

She continued: “The laws that apply are the laws of the states and territories where the individuals reside; it is not only the state/territory in which the business is located.”

What consequences could SMBs face by not complying with privacy regulations?

Non-compliance carries legal consequences, including fines and penalties. 

“SMBs have been given huge fines and multi-year penalties involving ongoing oversight, some as long as 20 years, and regular, frequent audits from the associated regulatory agencies,” Herold explained. “SMBs can also face legal actions. If harms occur to the associated individuals whose personal data was breached, the organization could face lawsuits for the harms, and the issue of compliance will come into play during the cases, often as an issue of the organization not performing due diligence by complying with privacy and security requirements.”

Beyond legal action, failing to comply with data regulations can lead to terminated partnerships and vendor agreements. Not to mention, non-compliance can diminish customer trust and severely hurt your business.  

As Wright put it, “You can lose access to your third-party applications if you’re not doing what you’re supposed to do [with regards to handling data]. You can have data breaches, and that can lead to losing clients because everybody is concerned about data privacy.”

What best practices should SMBs follow to comply with data privacy rules?

“The first, most basic thing is to have a website privacy policy,” Wright explained. This policy tells people “how you collect data, what you do with that data, why you need it, the reason you use it for and whether or not you sell it.”

Tracking where data is stored and how it’s used is paramount, which is why Herold recommended that you “create an inventory for all the locations and devices where personal data, in all forms, is collected or derived, stored, processed and accessed.”

Herold continued: “An organization cannot protect personal data or ensure actions taken with the personal data are legally compliant unless they actually know where the data is located. The inventory should include not only the devices and products owned by the organization, but also devices and products used and owned by third parties and personally owned employee devices and products used to support business activities.”

What resources can SMBs use to learn about the latest privacy regulations so they can stay compliant?

Privacy laws and regulations are constantly evolving, so see to it that your business stays informed and adapts accordingly.

Here are some of Herold’s top resources for doing just that:
