Disclaimer: The information in this article is intended to provide background information and is not legal advice. Consult an attorney to ensure that you’re protected.
What are the legal requirements?
Privacy laws regulate how governments, businesses, organizations, and individuals collect, store and use personally identifiable information. In particular, they seek to keep sensitive personal information, like your social security number or financial or medical records, from getting disclosed.
Since there’s no comprehensive US data privacy law, the California Online Privacy Protection Act of 2003 (CalOPPA) serves as the de facto regulation for the rest of the country. According to the legislation, CalOPPA applies to anyone who is: “An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service.”
The General Data Protection Regulation (GDPR) goes into effect in the European Union (EU) on May 25, 2018. The GDPR provides tighter consumer protection than the U.S. currently requires. If you collect any type of personal information from people in the EU, regardless of whether you’re a business or a nonprofit, you’ll have to comply with GDPR regulations. For example, here’s how you’d need to adapt your email marketing practices for the GDPR.
We Are All Data Collectors
You may think your business isn’t connected to this digital web, but it’s nearly impossible to do business without gathering personal information about your customers. If you use almost any service provider to host your website, take credit card payments, send emails, analyze your web traffic, etc., then data is being collected on your behalf.
Most people—including me—think this is kind of creepy. At the same time, I love being able to log into my insurance company’s website and be able to download my policy without having to call somebody (or store it myself). I’m willing to sacrifice (some of) my privacy because I think it’s worth the trade-offs.
If your customers value the speed and convenience these services provide and you like having access to information to help you market to your customers as effectively as possible, then take responsibility for it. Make thoughtful decisions about what information you will collect and how you’ll protect it, then share that information with your customers. Let them decide if the trade-offs make sense to them.
Develop Privacy Protocols
Assign a point person
- You (or a designated staffer or consultant) should oversee your data and set up protocols to protect your customers’ privacy.
- Be sure that you (or someone else) has access to everything and understands the system, in case your point person isn’t available and so that there’s built-in oversight.
Map how your business collects, stores, and uses customer data
- What are you collecting and why?
- Where is the information being collected and stored?
- Can you use it and get rid of it immediately after or do you need to keep it?
- How are you encrypting or protecting it?
- What will you do if there’s a data breach?
- Can you offer any ways for customers to opt out?
Review your service provider agreements and their privacy policies
- Make sure you understand how they’re collecting, storing, and protecting your customer information.
- Are they sharing or selling any of your data?
- What happens if there’s a data breach?
- Do they offer ways for your customers to opt out?
The FTC has a great guide on how to inventory, scale down, secure, and dispose of the customer data you collect.
- Start by reading privacy policies of similar companies or organizations to get ideas. But don’t copy someone else’s policy verbatim. That would be stealing, plus what they say may not apply to you!
- Use simple language, not jargon. You can usually provide a link to more technical information, if needed.
- Make it readable. I love the way this home furnishing company, Louise Dean, wrote their policy. It makes me want to check out their furniture!
Legal Disclaimer (again)
As stated above, the information in this article is intended to provide background information and is not legal advice. Consult an attorney to ensure that you’re protected.