Businesses are subject to a patchwork of state laws regulating the use of personal information. If your company collects private info like bank account numbers, credit card numbers, drivers’ licenses, social security numbers, or even usernames and email addresses, these laws may apply to you.
As a practical matter, you probably don’t need to worry about a specific state law until you’re collecting personal data from a meaningful number of that state’s residents.
Still, being aware of what these laws generally require can help you stay compliant as your business expands.
Here’s a high-level look at the major types of data privacy laws:
Security: Protect Personal Information
With this type of privacy law, the state’s concern is that companies that collect sensitive personal information protect that data from breaches. Make sure you’re adopting reasonable safeguards to protect the security and confidentiality of your customer and employee data.
What constitutes reasonable? Do a risk assessment, take demonstrable steps to protect private information, and periodically delete information you no longer need. Use strong passwords, SSH keys, and/or two-factor authentication. Consider putting a cybersecurity policy in place and training employees on the importance of data protection. You need to make a genuine effort to protect customer data.
Notice: Tell Customers When You Get Hacked
These laws require that companies inform customers when their private data may have been compromised in a security breach. Some laws also require notice to the state Attorney General’s office. For example, North Dakota’s privacy law requires a company to inform the AG if more than 250 people were affected by a breach.
Transparency: Disclose How You Use Personal Information
These types of laws require you to inform customers how their personal information is being used. For example, California’s recent data privacy act, the CCPA, requires companies to tell customers if their data is being sold. Post a privacy policy on your website that describes how you are using customer data, and make sure it stays updated. If your actual practices don’t line up with what you say in your privacy policy, you could face an enforcement action by the FTC.
Control: Let Customers Control Their Personal Information
This is the most progressive of the three types of law. Two examples are the GDPR and the CCPA. So far, it’s the least common type of privacy protection, but these two laws apply broadly, even to companies not based in the EU or California. This type of law allows customers to tell companies not to sell their personal information. For example, the CCPA requires a link customers can click which says, “Do Not Sell My Data.” Nevada’s data privacy law requires companies to have a point of contact customers can reach out to with a similar request. It’s early days for these laws, but if implementation goes well over the next couple of years, expect to see more just like them.