Business Resource Center

The Value of Small Business Privacy Policies

Major regulatory initiatives are promoting companies of all sizes to update their privacy policies and providing opportunities for businesses to increase customer trust with a strong commitment to protecting their data and privacy.

Two major regulations are shifting the privacy practices of companies worldwide. The European Union’s General Data Protection Regulation (GDPR), which took effect in mid-2018, and the California Consumer Privacy Act, which takes effect in 2020, both require companies to take a number of measures to increase privacy-related protections and disclosures.

GDPR, for instance, requires companies (of any size or location) that do business in Europe to:

• Receive permission from consumers before sending marketing emails
• Protect any identifiable consumer information from unauthorized access, use or disclosure
• Notify officials about any data breaches
• Provide consumers with the ability to request the deletion of their data.

While the law applies directly to companies that interact with European consumers, the global nature of online business means U.S.-based companies, especially leading tech companies, have adjusted their data and privacy practices to comply with the regulation’s requirements. These changes are likely to become expected practices among consumers, regardless of the size or location of the company they’re dealing with.

Similarly, California’s data law requires companies to disclose the personal data they collect; provide an option to opt out of that data being shared with third parties; and to delete personal data upon request.

California’s size and the number of tech companies based there means the state’s data requirements are likely to be adopted in other locations, just as California’s data breach notification law was essentially duplicated by the rest of the country.

An Effective Policy

Because of the regulatory changes, your company’s privacy policy needs to be more explicit about the types of data you collect, how you use, and how you store it. This will typically include personally identifiable information such as a customer’s name, email and physical addresses, and related data.

If you share information with other companies, such as cloud service providers, you need to explain what you’re sharing and why. This may include your customer relationship management software provider, email service provider, and other business partners.

You also want to strike a balance between your policy’s need to establish legal protections with using clear language that customers will understand.

There are a number of sample privacy policies online that can provide an effective starting point for your company’s policy, but it’s also a good idea to customize your policy to fit your business’ needs. A review by your legal professional is a prudent step that can help you avoid problems later.

Protection Steps

Some privacy-related steps you’ll want to take or review include:

• Understand what data you’re collecting and how you’re using it
• Make sure you have permission to collect, use or share that data. Relying on an opt-out is no longer enough
• Prepare for a data breach. Understand how you’ll make required disclosures
• Check with your suppliers and business partners to make sure they have effective policies to protect your customers’ data.

Privacy Opportunities

It’s also helpful to regard privacy protection as an opportunity, not just a compliance hassle. With data protection receiving so much attention, consumers are more likely to trust companies that can demonstrate a clear commitment to protecting their data and using it responsibly.