This article is not meant as legal advice. Data privacy law and compliance obligations are complex and constantly changing. You should consult with legal counsel to ensure your company’s privacy practices comply with current law.
Our modern economy is built upon data. It's often the most valuable asset a company has. Where would you be without your customer database and insights?
But not all companies know how to handle their data. And with constant news of breaches and misuse, consumers are becoming more wary of sharing their data through websites and apps. Their attitudes are shifting, and so are the resulting laws concerning data.
This isn't a problem just for tech giants and enterprises. Even small businesses are vulnerable to these issues: 36% of them experienced a data breach this past year, an increase over the year before.
So, what’s the deal with data privacy? How should you be handling it?
Keep reading to understand what data privacy is and an overview of the current legal landscape. And we’ll give you some ways to improve your company’s privacy practices right away.
What is Data Privacy?
Data privacy concerns the appropriate handling of personal data: consent, notice, and regulatory obligations. It covers how data should be collected, used, managed, and stored, as well as compliance with applicable law.
Data Privacy vs Data Security
Data security, on the other hand, has a more technical focus. It involves preventing unauthorized access to, alteration of, or loss of data, whether by outside attackers or malicious insiders.
While the two are closely related, they’re NOT the same.
Another way to think about it is this: "you can have data security without data privacy, but you can't have data privacy without data security."
This means that just because your system is technically secure, it doesn't mean you're following good privacy practices. You can still collect data in misleading ways or use it in ways the data subject never authorized.
But it’s also impossible to have data privacy when your data isn’t secure.
Why Data Privacy Matters
Data privacy has come to the forefront of challenges for companies to deal with.
Why? Because consumers are demanding it. What happens to personal data that's collected? Do companies profit from it? Is it vulnerable to hackers? There's a harsh spotlight on companies that are collecting and sharing data without people’s consent and knowledge (looking at you, Facebook).
In fact, KPMG reported that 97% of consumers say data privacy is a concern. And a majority of them (87%) view data privacy as a human right.
So what’s being done to regulate how data is collected and used?
Quick Overview of U.S. Data Privacy Laws
At this time, the U.S. doesn't have a unified law governing data privacy. Instead, there's a patchwork of overlapping federal and state laws. This can make it challenging for U.S. companies to understand their precise legal obligations.
The U.S. approach to privacy law is in sharp contrast to the European Union. The EU recently enacted its General Data Protection Regulation (GDPR). The GDPR is a comprehensive law that governs all aspects of processing the personal data of individuals in the EU, regardless of their citizenship.
U.S. Federal Law for Data Privacy
Much of U.S. federal privacy law is industry specific.
An example is HIPAA, which governs the use of protected health information by health care providers, insurers, and their business associates. Another is the Gramm-Leach-Bliley Act, which applies to financial institutions.
U.S. State Privacy Laws
Besides the various federal laws with privacy provisions, several states have their own laws to follow.
The most important of these is the California Consumer Privacy Act (CCPA), which governs the use of personal data obtained from California residents. The CCPA was influenced by the GDPR and is similarly comprehensive and complicated.
Other states are seeking to enact laws like California’s.
Sounds confusing? That's because it is. Right now, managing multiple (possibly conflicting) state laws is causing headaches for companies.
Due to this complexity, some are calling for the federal government to enact comprehensive privacy legislation like the GDPR. This legislation could preempt state privacy laws, making it easier for U.S. companies to comply with their data privacy obligations.
But will that ever happen? It’s not clear if it will yet.
SPARK TIP: In addition to the few states that now have their own privacy laws, all 50 states now have data breach notification laws. That is, when a company has a data breach, each state has a law describing when, how, and what information must be sent in notices to its residents whose data has been exposed. These laws don't all align, though. So it can be challenging to meet legal obligations when a data breach involves residents of multiple states.
What’s at Risk without Compliance
Even though the legal landscape is still unsettled, that doesn't mean companies shouldn't prioritize privacy. Without it, you put your company at serious risk now and in the future.
- Legal risk. A lack of compliance with data privacy law exposes your company to legal problems. That could mean government-imposed fines and enforcement actions as well as private lawsuits. The particular risks depend on which laws apply to you.
- Clean up costs. If you have a privacy incident such as a data breach, the costs to remedy the situation (e.g., technical issues, public relations expenses, etc.) and notify your customers of the data breach can be large. The average cost of a data breach is $3.86 million. Yikes!
- Meeting Consumer Demands. More consumers care about who they give their data to and what companies are doing with it. Some of the tech giants are starting to respond to these shifting attitudes.
For example, Apple recently made headlines by changing its Safari browser to limit third parties' ability to track users. Its Mail app also limits email senders' ability to track whether recipients are opening emails.
- Reputation. Misuse of customer data, a publicized data breach, or an investigation by a government agency into a company’s privacy practices harms your company’s reputation. You’ll lose current and potential customers.
- Ability to do business with third parties. Even if your company doesn’t prioritize privacy, some companies you would like to do business with might. Breaches matter to leadership and others in boardrooms. If working with you would require the sharing of their data, many companies will insist upon having a thorough understanding of your privacy practices.
- Acquisition and valuation risk. If you are hoping to sell your company, your potential acquirer will likely audit your practices. If you don't have the right measures in place, they will see that as a big risk and reduce the value they place on your company, or even walk away from the transaction entirely.
How to Improve Your Data Privacy Measures
Here are some simple steps to improve your company's data privacy. Some of these might seem like a lot of work.
Don’t worry! You don’t need to do everything at once. And you don’t need to do it all yourself. Remember, there are great companies and service providers out there that can assist you.
- Keep data privacy (and cybersecurity) front and center. Data privacy and cybersecurity are not simply issues for Facebook or other enterprises. Every company is vulnerable to these issues. So, you need to act accordingly.
- Survey your data. Start by taking an inventory of the data you already have. What is it? Where is it stored? Did you have consent for it when you first obtained it? How are you using it? Who is responsible for it? Who has access to it? Is it secure? Get an idea of where you're at now and what you need to change.
- Minimize data storage. Stored data that isn’t needed or used is an unnecessary liability. Develop policies and procedures regarding data retention and destruction that make sense for your business needs, comply with promises you’ve made to data subjects, and fulfill your legal obligations.
- Minimize data collection. A great way to improve your data privacy posture is to refrain from collecting data you don’t need. Are your forms asking for home address and phone number when you never use either? Change them to only collect what you need.
- Training and culture. Develop a culture that makes data privacy a priority. Provide training to employees so they understand the importance of data privacy and the specific means and methods your company uses to ensure data privacy. Make it part of the onboarding and have periodic refreshers.
- Audit your providers. If you rely on other companies to process the data you're collecting on your customers, be sure that they have good privacy and cybersecurity practices themselves, and that your contracts with them spell out what they may do with the data. You remain responsible for what they do with the data you provide to them.
Bottom Line: Implement Good Data Privacy Measures
Data privacy is important. Your customers expect it. And not doing anything exposes your company to legal and financial risk.
But the good news is that implementing good data privacy measures improves your company. A company that is thoughtful about privacy naturally improves its operations and has greater clarity and insight into them.
It also establishes you as a trustworthy company that can be relied upon by both customers and business partners.