Are There Privacy Laws that Apply to Your (Small) Business?

Most people are aware of the General Data Protection Regulation (GDPR) in effect in the European Union and many are aware that the United States does not have a comparable federal law. The US has some industry-specific laws, such as the Health Insurance Portability and Accountability Act (HIPAA) that applies to the healthcare industry and the Gramm-Leach-Bliley Act that applies to financial institutions, but no law that protects consumer information generally across all industries. But the lack of a general privacy law like the GDPR does not mean that US companies have no privacy obligations. In fact, companies operating in the US can have an even more complicated web of privacy laws to navigate than European companies do.

In the absence of a comprehensive federal law (and the improbability that Congress will enact one in the foreseeable future), individual states are beginning to tackle the issue on their own. California adopted the California Consumer Privacy Act (CCPA) in 2018 and California voters modified the CCPA by adopting the California Privacy Rights Act (CPRA) by ballot initiative in 2020. Virginia passed its Consumer Data Protection Act (CDPA) in March 2021. Eleven other states have one or more bills pending. Nine states have debated bills that either died in committee or were postponed. While there is not yet broad consensus on what a privacy law should include (which is why 20 states have debated – but not yet adopted – legislation), there is broad consensus that legislation is needed and discussions will undoubtedly continue in the 48 states that have not yet found an acceptable compromise.

These state laws are creating a patchwork of privacy laws that can be more challenging for businesses than a single federal law. First, when legal theories evolve at the state level, businesses that operate across state lines need to monitor the laws of all the states they touch. Second, dissimilar state laws require businesses to sort out how to apply different laws to different consumers. For example, almost every law defines “personal information” slightly differently, so a business needs to decide whether to operate under a single definition that will satisfy all states’ laws or to try to apply different standards to different states’ residents. And, because the California laws require businesses to disclose consumers’ right to opt out of sales of their personal information, companies that have California customers need to choose between extending those opt-out rights to all consumers (regardless of state of residence) or trying to explain to consumers from New York, Colorado, or any of the other 47 states that they don’t have a right to opt out because they aren’t California residents.

There are no easy answers for businesses, particularly for smaller businesses that lack internal resources to monitor multiple states’ laws and maintain compliance policies and procedures that work across their entire geographic footprint. That said, there are a few strategies that most businesses should adopt:

  1. Know what personal information you are collecting, why you are collecting it, and where you keep it. These are important first steps for many reasons, including that it’s impossible to protect information – or to respond to consumer requests to update or delete information – if you don’t know what information you have or where it is. Analyzing why you are collecting the information also facilitates data minimization, where a business limits the information it collects to what it actually needs for the purposes it has disclosed to its customers and only keeps the information for so long as the business needs it. Data minimization increases customer trust and decreases the risk of loss from a security breach.
  2. Know the laws of the states in which you have offices or customers or are otherwise “doing business.” Privacy laws apply based on where the consumer lives, not on where the business is headquartered or which state’s laws are selected in the company’s Privacy Policy or contracts. If a company is doing business nationally, then it needs to know all 50 states’ privacy laws. A small business that is not operating nationally still needs to comply with the laws of the states in which it is operating or in which the majority of its customers reside. That starts with the states in which the company offices are located, but also includes states in which the company is qualified to do business as a foreign corporation, licensed for a particular line of business, or subject to state tax. Even if a company isn’t “doing business” in a state as defined under state law, if it targets customers in the state, or a significant number of its customers are residents of the state, compliance with the state’s privacy laws may technically be required or at least a pragmatic option for customer relations purposes or to avoid conflicts with the state attorney general.
  3. Always consider privacy and data security when you are about to make an investment in computer equipment, software, or a new business line. These are inflection points where the cost and complexity of enhancing privacy and data security can be minimized. “Privacy by design” is much easier than “privacy by retrofit.”
  4. Make sure the Privacy Policy on your website is complete and accurate. From the consumer’s point of view, there shouldn’t be any “gotchas.” Most of the state laws that are being debated or adopted require that a business disclose what personal information it is collecting, what it does with the information, and with whom it shares the information. Consumers lose trust (and file lawsuits) when their information is collected or used in ways that were not disclosed and they didn’t expect. If a business details its information practices in its Privacy Policy – even if it doesn’t think it is obligated to do so – there is less of a risk of a disconnect between the company’s use of the information and the consumer’s expectations. As for accuracy, the Federal Trade Commission (which has been the primary federal protector of consumers’ privacy rights under the Commission’s authority to police unfair or deceptive trade practices) typically focuses on situations where the company overstated its privacy or data security practices, such as claiming that it “safeguard[s] our Customers’ personally identifiable information by using industry standard practices” when, in fact, the company did not use “readily available security measures….” In the FTC’s view, there’s no place for puffery in a Privacy Policy.
  5. Understand the privacy implications of how you use information. Does your website use cookies to track users’ actions on your website? Do you use Google Analytics to understand how customers are using your website or to serve up customized advertisements? These are all ways companies use personal information and they all affect the explanation in your Privacy Policy of what information you collect and how you use it. Some uses – particularly in connection with behavioral advertising – can even constitute “selling” personal information for purposes of the California laws, even if you would never dream of selling a customer list in the traditional sense.

Privacy policies and data security programs can – and should – have different levels of complexity, depending on the nature of your business, what information you collect, and how the information is used. But every business collects personal information in some way, shape, or form, so every business should think through the issues that are relevant to it and develop a privacy and data security strategy that fits its size and needs.
