Technology Tip

Understanding State Customer Privacy Laws

With a growing number of states imposing restrictions on how businesses can use their customer data, paying attention to your small business’ privacy practices can help promote consumer trust while reducing regulatory risk.

Within the United States, privacy regulation is being driven by the adoption of new laws in California, Virginia and Colorado that, in general terms, regulate how companies obtain, use, share and store customer information such as:

  • Identification data such as the customer’s name and contact information
  • Customer records such as account numbers and similar information
  • Demographic characteristics such as age, gender identity, race and similar data
  • Purchase history
  • Professional or employment information

Beyond these states, nearly 30 other states have proposals for similar regulations at various stages of their legislative processes. Similarly, companies with customers in the European Union may have to comply with that region’s data protection laws.

Most of the current privacy regulations are targeted at medium and larger companies. For example, California’s Privacy Rights and Enforcement Act (CPRA) exempts companies that have less than $25 million in revenue, hold information about fewer than 50,000 customers, or earn less than 50 percent of their revenue from selling customer data.

But even if your business isn’t large enough to fall under the regulations, taking steps to promote customer privacy and to protect their information by following regulatory guidelines demonstrates a commitment to privacy that makes your small business more trustworthy to current and prospective customers.

With so many consumers paying attention to potential privacy risks, it’s a good idea to reassure them by discussing the active steps your company takes to secure their personal information.

Privacy Compliance

One of the potential issues for small businesses is that each state’s regulations apply to its residents. This means that if your company serves customers in California, for example, it can be covered by that state’s privacy regulations despite being located outside of California.

A company with customers in several states, therefore, will fall under each location’s privacy regulations. Most privacy advocates say that, in this situation, the safest move is to use the strictest set of regulations as a guideline.

To ensure compliance (as well as effective data protection) companies need to understand:

  • The types of customer data flowing in and out of the company. It’s important to know what kinds of information you have, how you use it, and how it’s stored.
  • Which team members can access customer data, and for what reason they’re doing so. Under the regulations, a legitimate business purpose is required.
  • Whether the sensitive data is encrypted while it is stored. Required or not, encrypting customer data is a good security procedure to follow.
  • How the company will respond to customer requests that it stop sharing any personal information related to them, as well as requests to delete any personal information it may be storing.

It’s also important to post a privacy policy outlining your data collection, storage and sharing practices so customers have reasonable expectations about how their information will be used.

Beyond promoting compliance, highlighting your company’s commitment to protecting customer privacy also offers potential business benefits. People like to do business with companies they can trust, and discussing the responsible use of sensitive customer data goes a long way in reassuring customers that their information won’t be shared with other providers or otherwise used inappropriately.