You feel like you just got finished worrying about GDPR (General Data Protection Regulation) compliance, and now everyone’s talking about the CCPA (California Consumer Protection Act). And while you may not know it yet, the CCPA is just the tip of the iceberg.
There are already seven other privacy laws in the works (or already in effect) in Nevada, New York, Maine, North Dakota, Massachusetts, New Jersey, and Pennsylvania. That’s a lot, but it probably won’t stop there. And all of these laws come with the risk of hefty penalties.
Businesses now have a choice. You can scramble to learn the details of each law, find out if it applies to you, and figure out how to do the minimum to comply. Or you can be proactive about implementing changes that get you on the right side of data security now.
10 Steps to Be on the Right Side of Privacy Laws
Most of these laws simply codify what consumers want anyway. By implementing a few best practices, you can earn goodwill from your customers and minimize the risks of expensive violations at the same time.
1. Assume all privacy laws affect you.
Some people reading up on the CCPA will be pleased to find it doesn’t apply to them.
In case you’re wondering, the companies required to comply are for-profit businesses that sell goods or services to California residents and get half of their revenue from selling personal information; have personal information for more than 50,000 California residents; and have $25 million in annual revenue.
That’s pretty specific and lets a lot of businesses off the hook. But just because a business can duck dealing with this privacy law doesn’t mean you won’t get caught up in one of the others. And it’s always better to err on the side of not being in violation than to assume a law doesn’t apply to you and learn otherwise too late.
2. Only include people on your lists that have actively signed up.
This seems simple enough, but we all know how often businesses fail at this in practice. A simple commitment to only send emails to people who have actively opted in goes a long way to staying in compliance.
And that doesn’t mean people you met at an event once, or who downloaded a whitepaper. If they haven’t taken the specific step of confirming that they want to receive emails from you, better to leave them off your list.
3. Give subscribers a chance to opt in again.
If you followed GDPR’s requirements, then you probably already took this step. Under that law, “you had to be able to prove that you got [subscribers’] consent, so having them opt in again fulfilled that purpose,” Carter says.
If you haven’t taken this step yet, do it now. It may mean you lose subscribers, but if they were people who didn’t want your email to begin with, it’s no real loss.
4. Don’t ask for more information than you need.
Marketers are often guilty of collecting as much information as possible simply to have more data points. But collecting more data means increasing your responsibility to protect it. Marriott’s famous data breach inexplicably included passport numbers, which made their failure to protect the data far more serious than if they’d only had email addresses and phone numbers.
Any time you’re asking consumers for information, consider if you really need everything you’ve included in the form. Is a phone number really necessary? Do you need their home address? If not, leave it off.
5. Don’t keep personal information past the point you need it.
Sometimes you will need sensitive information like addresses and credit card numbers. But you don’t have to keep it. If you make it your policy not to save the sensitive information you receive once it’s served its purpose, you reduce your responsibility to protect it and your liability.
6. Always provide clear notice when collecting personal information.
While the details may differ, this is a common theme across the privacy laws: they require you to disclose what information is being collected and how it is being used.
7. Audit your security process.
Knowledge and consent are big parts of these laws, but the other important part is responsibility. With data breaches a regular part of the news, people are rightfully concerned about brands’ ability to keep their data safe.
Let these laws be your incentive to conduct a serious audit of what you’re doing now to protect your customers’ information. If you’re not sure where to start, Carter recommends researching what’s standard for your industry. How stringent your security procedures need to be depends on what kind of information you’re collecting and saving.
“If the only thing you have from people is their email address and there’s a breach, they might get some spam email. That’s a lot lower risk than if you have health information, social security numbers, credit card numbers—that requires a much higher level of protection.”–Ruth Carter
This is also a good opportunity to take a step back and revisit your privacy policies. Look at:
- What your notice currently says
- How you decide what data to collect
- How you store it
- What you use it for
- Who has access to it
- When you delete it
Taking a more conscious approach to each of those items can go a long way to reducing your risk.
9. Put a conspicuous “Do not sell my personal information” link on your website.
This is part of the CCPA, and relatively easy to comply with. All companies are required to give consumers the opportunity to opt out of having their personal information sold. Putting a link on your home page that takes visitors to where they can opt out will check that box for you.
10. Consult with a lawyer at least annually to avoid missing anything new.
Taking all these steps proactively should put you in a pretty good place, but new laws will continue to come down the pipeline. And amendments to those already in effect are inevitable as well. It’s worth making an annual commitment to talk to a legal professional who can weigh in on if there’s more you need to be doing.
Privacy Laws Don’t Have to be Scary
Yes, the penalties for some of these laws are high. But if there’s good news, it’s that the focus of enforcement is likely to stay on the biggest offenders.
“From what we’ve seen from GDPR enforcement, they’ve only been going after the big dogs who have been making massive errors in terms of data security,” Carter says.
If you implement privacy practices that keep you far from the level of errors made by brands like Facebook and Marriott, you shouldn’t have much to fear.