Have you noticed some new privacy laws in town? I certainly have! (But I’m a privacy lawyer so maybe that’s cheating.) If you have noticed and are worried about how the General Data Protection Act (GDPR) or California Consumer Privacy Act (CCPA) affects your business and data collection practices, you’re on the right track to 2020 e-commerce regulatory compliance (and investor-friendly business savvy). Hooray! Not every business is required to comply with privacy laws like the GDPR and CCPA. If you’re unsure of whether the CCPA applies to you, check out this article and neat chart I created especially for you –> Does CCPA Apply to Me?.
While you might not be legally required to alter your data collection practices under the CCPA or GDPR to protect your customers’ personal information, it is still important that you start moving your business in that direction.
Your business—no matter its size or earnings—may be liable for security breaches and the loss of consumer personal information irrespective of these particular laws, especially as highly publicized hacks – Hey, Equifax! Hey, Twitter! – increasingly put businesses on notice for heightened standards of data protection. So if you’re doing nothing special to protect third-party data, you’re actually leaving your business open to some pretty steep legal liability.
I’ve created a list of five easy-peasy steps that you can take to get your toes wet in the ocean of privacy protection and data rights management. Every business is unique and should consult with counsel to determine best practices, but these steps are pretty universally JUST PLAIN GOOD THINGS YOU SHOULD BE DOING.
1. Make a Map.
The first step to any good data rights management plan is to determine what information you’re collecting from your buyers and visitors. This is typically information you ask for when someone calls your business, creates an account on your site, or simply stops by (even virtually) to say “hello.” Here’s a (non-exclusive) list of frequently collected data:
- addresses (email, shipping, billing)
- credit card/payment information
- social security number
- biometric data (fingerprint scans + facial recognition)
- contact info
- purchase history
- search history
- webpage/ad interaction history
- IP addresses
And on and on and on and on . . . All those tidbits of information you use to vamp up your sales and customer relationships—likely it’s all collected data that needs some sort of protection. But don’t worry—it’s totally okay to collect info! Just list out everything you’re collecting, because the next step to data-excellency is to determine why are you collecting all this information.
Does your e-commerce store really need a telephone number as a requirement to create an account? If you’ve never once in the history of your opening called a single person for store-related reasons (because email is your go-to)?
While telephone numbers and “extra credit” information might be useful because you can make money selling it to third parties—which annoyingly increases the frequency of robo- and spam calls—you might find you don’t actually need it to do business. So, stop collecting phone numbers. Or social security numbers. Or even Face ID scans. Yeah, it might be cool to have an app where customers can easily log in by scanning their face, BUT YOU ARE RESPONSIBLE IF THAT INFORMATION EVER GETS STOLEN. And do you really want to be on the hook for collecting data that’s not really helping your business grow? Truth be told, the more information you collect from your customers, the more likely you are to be targeted by data hackers. And if you are attacked, your state—and possibly even your customers—will demand that you pay for all the harm you caused through your negligent data collection actions.
Another important part to any data map is addressing who has access to the information you’re collecting—and why does that party have access? This could be your employees, third-party vendors, or even family and friends that are helping you out with a business task. When allowing others to access your collected data, consider this: Do they need access to everything or just some things? If an individual needs to know some information, that’s understandable. But your brick-and-mortar cashier doesn’t need access to a buyer’s computer IP address; your payroll vendor doesn’t need access to your customers’ email addresses. Be careful what you’re sharing because sharing ≠ caring. It’s a bunch of liability you don’t need.
2. Cut the Fat.
You probably already guessed this next bit, but once you map out your collection processes, it’s time to slim those down to only the essential components. You heard me: Cut. The. Fat.
Whether you’re collecting unnecessary data, sharing secrets with everyone, or just holding on to information for an excessively long period of time, its time to say buh-bye to some nasty habits. Unfortunately, this might be uncomfortable—change is hard, right? It might mean rethinking how user accounts are created, how marketing data is collected, or how employees are trained to interact with customers. But trust me—the effort is worth it if it means avoiding a lawsuit or censure.
Also, did you know that Millennials and younger (and also pretty much everyone else) find it super annoying when they’re required to provide unnecessary data to companies they want to interact with? It’s true! (Even if all my data is anecdotal). Everyone hates the accounts that require three pages of personal information just to allow you to browse rugs online—I personally think it’s odd when sellers ask for my home and work phone numbers when I’ve already handed out my mobile. This discomfort often leads to a customer closing tabs (and sellers losing sales) just because they’re tired of dealing with all the unnecessary sharing.
And why would you as a seller even want all this data anyway? My theory is that people have started collecting data just for the sake of collecting, just as my various apartment addresses throughout the years have turned into some kind of freaky stamp collection obsession.
But don’t just cut your own fat—you’re also responsible for all the information you choose to share with your vendors (IT services, payment processors, website managers, etc.) Cut those third party vendors off from information that they don’t need. No one wants to share all the details of their life (credit card info + buying habits), only to have you go blab them to the next person.
So dump that data like an ex who stole your car, and move on! Boundaries, please.
3. Respect your Rules.
Here’s a neat 2020 anecdote: have you heard yet that the U.S. is considering banning TikTok? That’s right—it could be bye-bye for everyone’s favorite 10s clip app. This is due to privacy concerns. You don’t want to be banned in America like TikTok, do you? Have some good privacy rules in place and follow them.
Follow your own rules.
4. Encourage Education.
You’re on the hook for whatever your employees do (or fail to do)—You get it. But also be on the lookout for sly third party information-sharing vendors you may be working with. If they go down, they might just take you with them. Vet those vendors. Make sure they understand the importance of protecting customer privacy!! Any third parties that collect and process personal information on your behalf need to have reasonable security and privacy practices or this could lead to your downfall. Privacy isn’t just an internal obligation, but a whole-system effort.
Don’t forget to bring your customers into the loop. They may not even know enough about privacy to care that its protected, but do them a favor and inform them of your security methods. To bring this full circle, always ask for consent prior to collecting customer data (which can also serve as an important safeguard should any legal action be threatened). By making privacy a two-way conversation, you’re providing additional value to your customers by showing them that you respect their data. Make consent an option wherever possible, and don’t forget that “no means no.”
5. Review on the Reg.
That’s it. Simply take time every now and again to review and update your privacy practices. The laws are changing—more and more states are seeing the value in creating strict privacy restraints and practices for businesses. Stay updated. Watch the news. Do a Google search. Check in with a privacy attorney (like me). The rules around what you may do with the information that you collect WILL evolve. If you’re not careful, this could leave you subject to hefty fines and a horrible reputation. Practice safe collection.
LASTLY, THIS IS NOT LEGAL ADVICE. I AM NOT YOUR LAWYER. NOTHING IN YOUR REVIEW OF THIS ARTICLE OR ACTIONS YOU TAKE IN FURTHERANCE OF IT ESTABLISHES A LEGAL RELATIONSHIP BETWEEN YOU AND ME. I PROBABLY DON’T EVEN KNOW YOU, THOUGH WHO’S TO SAY WE CAN’T BE FRIENDS? NOTHING IN THIS ARTICLE IS WARRANTED TO BE ACCURATE IN ANY WAY, AND THOUGH PRACTICALLY UNLIKELY, IT IS POSSIBLE THAT THE SUBSTANCE OF THE ARTICLE CAN KILL, HARM, MAME, OR OTHERWISE DEFEAT YOU, PARTICULARLY IF YOU ARE READING IT WHILE LIVING THROUGH 2020. YOU SHOULD NOT RELY ON ANYTHING IN THIS ARTICLE WITHOUT INDEPENDENTLY DISCUSSING IT WITH YOUR LAWYER. YOU PROBABLY SHOULD HAVE ALREADY BEEN IN TOUCH WITH A LAWYER BEFORE READING THIS ARTICLE. LAWYERS ARE A GOOD THING – ALSO NOT LEGAL ADVICE.
About Lauren Hughes McClanahan
Lauren Hughes McClanahan is the privacy and branding lead at Rockridge Venture Law®. Equally adept at creative campaigns as well as technology transactions, Lauren leads clients through copyright, privacy, regulatory, and trademark considerations in optimizing successful e-commerce portfolios. She is a leading voice among women practicing in technology law and an IAPP Young Privacy Professional. Her primary practice areas include copyright and trademark law, data privacy, sports and entertainment law, and technology transactions. Lauren also leads the Knoxville Technology Council’s Women in Tech Committee, and is a Director of the Tennessee Women’s Theater Project. Read more about Lauren, connect with her, and Calendly her.
RVL® recommended reading by Lauren
Rockridge Venture Law® was launched in 2017 to become the preeminent intellectual property and technology firm across the Appalachian Innovation Corridor. We now have offices in Chattanooga, Durham, and Nashville, and represent clients and interests globally. Our services include all aspects of intellectual property, litigation, M&A, privacy, technology transactions, and ventures.
In 2018 and 2019, we were recognized as B Corp Best for the World for our commitment to triple bottom line business practices. Rockridge® is also certified by 1% for the Planet for its nonprofit partnerships advancing stewardship and sustainability. RVL’s nonprofit partners in 2020 include Green|Spaces, Living Lands and Waters, Mustard Seed Ranch, and the NC State Lulu Games Social and Environmental Impact Competition. We value transparency and proudly publish our yearly impact reports.
Our pioneering environmental and social impact programs attract top-notch legal talent and assure our clients of missional alignment with their corporate values. Rockridge uniquely addresses two modern profit drivers: innovation (uptake and development), and corporate social responsibility. We’re Building Today’s Company for Tomorrow’s Economy® by leading clients through the dizzying array of information controls, by helping them to develop and monetize proprietary assets, and by enabling their impactful products, programs, and principles.
Learn about global impact and innovation leaders at Rockridge I-Suite®.
See case studies on how we’ve helped transformative companies at Rockridge Case Studies.