What Small Businesses Need to Know About Data Privacy

A person holding up a smartphone
Key Takeaways

  • Data privacy laws require companies to protect individuals’ personal data.
  • The EU’s General Data Protection Regulation may apply to U.S. businesses if they collect data from EU residents.
  • The California Consumer Privacy Act goes into effect on January 1, 2020, and affects all companies that do business with California residents.


Data privacy
is all the buzz—but what’s it really about? And does it matter to you as a small business operator?

Data privacy laws give individuals rights regarding their personal data and penalize companies that fail to safeguard that information. While each law draws its own distinctions about what personal data is, the definition of personal data tends to be broader and more comprehensive than the “personally identifiable information” or PII standard typically used in U.S. legislation. 

PII is quite narrowly read: it includes a person’s name, address and identification numbers like a Social Security number or driver’s license number. Personal data, by contrast, is generally interpreted much more expansively: it’s information that could be used, individually or collectively, to identify an individual. That might include demographic information, biometric data, an IP address or even religious convictions.

Let’s take a general look at the laws that might apply to your small business. 

Where It All Began: The EU’s General Data Protection Regulation

After a two-year lead-up, the General Data Protection Regulation (GDPR) went live on May 25, 2018, launching a global conversation about what data privacy means and what it’s worth. While the GDPR isn’t new legislation, many companies are still struggling to comply with its new approach to personal data.

The GDPR requires companies to keep personal data about individuals safe and carries draconian penalties for those that fail to do so: up to 20 million Euros or 4% of global annual turnover, whichever is higher. It also grants unprecedented rights to individuals to access and control their personal data and requires companies to report any data breach within 72 hours.

Do you need to care about the GDPR, given that it’s a European law? Maybe, as it applies broadly to businesses that collect personal information from EU residents.

Has your online clothing store sold a pair of socks to someone in Spain? Have you emailed an eBook about your industry to someone in Estonia? Shipped a doodad to a customer in Denmark? If so, you’ve doubtless collected at least the name, email address and perhaps shipping address for someone in the EU—which could bring you under the reach of the GDPR.

The GDPR has spawned similar legislation in a number of geographic regions. In the U.S., the data privacy movement is starting most strongly in California. 

New for 2020: The California Consumer Protection Act

The California Consumer Protection Act (CCPA) goes into effect on January 1, 2020, bringing rigorous data privacy protections to the U.S.

The CCPA requires that companies tell individuals what information they are collecting from them. Individuals must also be given access to any information that a company has about them and have the right to opt out of the sale of that information with no penalty. The law imposes penalties as high as $7,500 per incident for intentional violations—multiplied, of course, by the number of affected persons.

Generally speaking, the CCPA applies to for-profit businesses that do business in California and obtain the personal information of California residents, so long as they also meet one of the following three requirements:

  • annual gross revenues in excess of $25 million;
  • annual receipt or disclosure of information about at least 50,000 California residents; or
  • 50% or more of their annual revenue from the sale of California residents’ personal information.


One additional note: the CCPA gives businesses only 45 days to respond to consumer requests for data. This tight turnaround demands that companies actively monitor their communications for data requests, understand their data stores and respond quickly when they receive a request.

 Of course, the CCPA isn’t the only data privacy law in the U.S. 

A lock symbol

Additional Data Privacy Laws in the U.S.

The Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) went into effect on October 1, 2019. This precisely named legislation is similar to the CCPA and applies to businesses that offer commercial websites or online services to individuals in Nevada and that create some “sufficient nexus” with the state through their online business.

It requires that covered businesses provide a privacy notice on their site and give Nevada residents the right to opt out of the sale of their personal information.

 Although Washington state was not able to enact its own version of a data privacy law, it did pass a new data breach notification law that gives businesses just 30 days to notify customers of a data breach; new legislation in Texas provides a relatively generous 60 days for the same. Meanwhile, New York state is working on a sweeping data privacy law that would exceed the protections of the CCPA.

 Even if none of these laws affect you, analysts predict that there will be a comprehensive federal law by 2025. That’s why now is the time to get a handle on data privacy

Small Businesses Can’t Afford to Ignore Data Privacy

Expect to see more data privacy laws in 2020 and beyond—and expect these laws to come with serious penalties for noncompliance. Don’t assume that they won’t apply to you. Follow these steps to start:

  • Determine which laws apply to your business and stay current on the news to update this assessment as needed.
  • Audit your data collection, storage and management processes, including what you share with third parties.
  • Assess your data security, breach detection and breach response protocols.
  • Write and implement a data privacy policy that keeps you in compliance with any applicable laws. 
  • Establish any legally required disclosure or data response workflows.


Data privacy is a subject that may require specialized legal knowledge—but it’s one that’s well worth investing in.

Legal Disclaimer. The information contained herein is provided for informational purposes only, and should not be construed as legal advice on any subject matter. You should not act or refrain from acting on the basis of any content included in this site without seeking legal or other professional advice.

Image Credits

Images 1-2: Shutterstock