Article by Lauren Hughes

Have you noticed some new privacy laws in town? I certainly have! (But I’m a privacy lawyer, so maybe that’s cheating.) If you have noticed and are worried about how the General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA) affects your business and data collection practices, you’re on the right track to 2020 e-commerce regulatory compliance (and investor-friendly business savvy). Hooray! Not every business is required to comply with privacy laws like the GDPR and CCPA. If you’re unsure of whether the CCPA applies to you, check out this article and neat chart I created especially for you: Does CCPA Apply to Me?

While you might not be legally required to alter your data collection practices under the CCPA or GDPR to protect your customers’ personal information, it is still important that you start moving your business in that direction.

Your business—no matter its size or earnings—may be liable for security breaches and the loss of consumer personal information irrespective of these particular laws, especially as highly publicized hacks (Hey, Equifax! Hey, Twitter!) increasingly put businesses on notice for heightened standards of data protection. So if you’re doing nothing special to protect third-party data, you’re actually leaving your business open to some pretty steep legal liability.

I’ve created a list of five easy-peasy steps that you can take to get your toes wet in the ocean of privacy protection and data rights management. Every business is unique and should consult with counsel to determine best practices, but these steps are pretty universally JUST PLAIN GOOD THINGS YOU SHOULD BE DOING.

1. Make a Map.

The first step to any good data rights management plan is to determine what information you’re collecting from your buyers and visitors. This is typically information you ask for when someone calls your business, creates an account on your site, or simply stops by (even virtually) to say “hello.” Here’s a (non-exclusive) list of frequently collected data:

  • names
  • addresses (email, shipping, billing)
  • credit card/payment information
  • social security number
  • biometric data (fingerprint scans + facial recognition)
  • signatures
  • contact info
  • purchase history
  • search history
  • webpage/ad interaction history
  • cookies
  • IP addresses

And on and on and on and on . . . All those tidbits of information you use to ramp up your sales and customer relationships—likely it’s all collected data that needs some sort of protection. But don’t worry—it’s totally okay to collect info! Just list out everything you’re collecting, because the next step to data-excellency is to determine why you are collecting all this information.

Does your e-commerce store really need a telephone number as a requirement to create an account? Even if you’ve never once, since the day you opened, called a single person for store-related reasons (because email is your go-to)?

While telephone numbers and “extra credit” information might be useful because you can make money selling it to third parties—which annoyingly increases the frequency of robo- and spam calls—you might find you don’t actually need it to do business. So, stop collecting phone numbers. Or social security numbers. Or even Face ID scans. Yeah, it might be cool to have an app where customers can easily log in by scanning their face, BUT YOU ARE RESPONSIBLE IF THAT INFORMATION EVER GETS STOLEN. And do you really want to be on the hook for collecting data that’s not really helping your business grow? Truth be told, the more information you collect from your customers, the more likely you are to be targeted by data hackers. And if you are attacked, your state—and possibly even your customers—will demand that you pay for all the harm you caused through your negligent data collection actions.

Another important part of any data map is addressing who has access to the information you’re collecting—and why that party has access. This could be your employees, third-party vendors, or even family and friends that are helping you out with a business task. When allowing others to access your collected data, consider this: Do they need access to everything or just some things? If an individual needs to know some information, that’s understandable. But your brick-and-mortar cashier doesn’t need access to a buyer’s computer IP address; your payroll vendor doesn’t need access to your customers’ email addresses. Be careful what you’re sharing, because sharing ≠ caring. It’s a bunch of liability you don’t need.

2. Cut the Fat.

You probably already guessed this next bit, but once you map out your collection processes, it’s time to slim those down to only the essential components. You heard me: Cut. The. Fat.

Whether you’re collecting unnecessary data, sharing secrets with everyone, or just holding on to information for an excessively long period of time, it’s time to say buh-bye to some nasty habits. Unfortunately, this might be uncomfortable—change is hard, right? It might mean rethinking how user accounts are created, how marketing data is collected, or how employees are trained to interact with customers. But trust me—the effort is worth it if it means avoiding a lawsuit or censure.

Also, did you know that Millennials and younger (and also pretty much everyone else) find it super annoying when they’re required to provide unnecessary data to companies they want to interact with? It’s true! (Even if all my data is anecdotal). Everyone hates the accounts that require three pages of personal information just to allow you to browse rugs online—I personally think it’s odd when sellers ask for my home and work phone numbers when I’ve already handed out my mobile. This discomfort often leads to a customer closing tabs (and sellers losing sales) just because they’re tired of dealing with all the unnecessary sharing.

And why would you as a seller even want all this data anyway? My theory is that people have started collecting data just for the sake of collecting, just as my various apartment addresses throughout the years have turned into some kind of freaky stamp collection obsession.

But don’t just cut your own fat—you’re also responsible for all the information you choose to share with your vendors (IT services, payment processors, website managers, etc.). Cut those third-party vendors off from information that they don’t need. No one wants to share all the details of their life (credit card info + buying habits), only to have you go blab them to the next person.

So dump that data like an ex who stole your car, and move on! Boundaries, please.

3. Respect Your Rules.

At the bottom of a web page, you can usually find a nice little link to a business’s privacy policy. Do you have one too? Where did you get it? If you simply stole one from someone else, or maybe even if you created your own like a privacy-Picasso, make sure that the policy actually applies to your business.

Here’s a neat 2020 anecdote: have you heard yet that the U.S. is considering banning TikTok? That’s right—it could be bye-bye for everyone’s favorite 10s clip app. This is due to privacy concerns. You don’t want to be banned in America like TikTok, do you? Have some good privacy rules in place and follow them.

A bit about TikTok: This app/site has been used by millions of children. TikTok has been in trouble in the past for not specifically catering its privacy policy to its kid users. The business wanted to be for “grownups,” and reflected that in an earlier privacy policy. But REALITY CHECK: That simply wasn’t true. Because there are specific laws protecting the privacy rights of kids (like COPPA), TikTok needed to offer extra privacy protection measures to its kiddo users. They didn’t; ergo, that is on their Permanent Record forever (at least as far as the U.S. is concerned).

If you’re a hair salon catering exclusively to local clients, make sure your privacy policy doesn’t contain paragraphs and paragraphs of irrelevant information, e.g., your policy mentions the GDPR but 1) you don’t collect data under the scope of that law and 2) you have no idea what the GDPR even is.

If you do take the time to create a privacy policy, respect it. If your policy says you will delete customer information after 6 months, do it. If it says you will allow customers to review and modify information related to them, allow it. Don’t pin up a policy just because everyone else with a website does it, especially if you don’t expect to honor it, because that can get you in trouble with the Federal Trade Commission (our governmental promise-enforcer branch) real quick. If your practices don’t match your promises, you’re on the hook for lying to consumers.

Follow your own rules.

4. Encourage Education.

Very important, so don’t miss this one. If you have a privacy policy, or if the GDPR, CCPA or another privacy law applies to you—you are LEGALLY required to obey it. I know we just talked about this, but let me explain: By “you,” I don’t mean you “you.” I mean your business. Your employees. Your contractors. Your vendors. Your husband who unofficially helps you with bookkeeping. As we say in Tennessee, I’m talkin’ bout ALL Y’ALL.

When new staff come on board, teach them how to comply with your privacy policy. Whether they interact with your customers directly in your store, operate the customer service line, manage your social media pages, or somehow—someway—receive customer data, they need training. Because if a customer asks staff to delete or modify their data (while ignoring your new Chief Privacy Officer), you could be held legally responsible if that employee 1) ignores them, 2) tries to help, albeit unsuccessfully, or 3) shares that personal information with others.

You’re on the hook for whatever your employees do (or fail to do)—you get it. But also be on the lookout for sly third-party information-sharing vendors you may be working with. If they go down, they might just take you with them. Vet those vendors. Make sure they understand the importance of protecting customer privacy! Any third parties that collect and process personal information on your behalf need to have reasonable security and privacy practices, or this could lead to your downfall. Privacy isn’t just an internal obligation, but a whole-system effort.

Don’t forget to bring your customers into the loop. They may not even know enough about privacy to care that it’s protected, but do them a favor and inform them of your security methods. To bring this full circle, always ask for consent prior to collecting customer data (which can also serve as an important safeguard should any legal action be threatened). By making privacy a two-way conversation, you’re providing additional value to your customers by showing them that you respect their data. Make consent an option wherever possible, and don’t forget that “no means no.”

5. Review on the Reg.

That’s it. Simply take time every now and again to review and update your privacy practices. The laws are changing—more and more states are seeing the value in creating strict privacy restraints and practices for businesses. Stay updated. Watch the news. Do a Google search. Check in with a privacy attorney (like me). The rules around what you may do with the information that you collect WILL evolve. If you’re not careful, this could leave you subject to hefty fines and a horrible reputation. Practice safe collection.

LASTLY, THIS IS NOT LEGAL ADVICE. I AM NOT YOUR LAWYER. NOTHING IN YOUR REVIEW OF THIS ARTICLE OR ACTIONS YOU TAKE IN FURTHERANCE OF IT ESTABLISHES A LEGAL RELATIONSHIP BETWEEN YOU AND ME. I PROBABLY DON’T EVEN KNOW YOU, THOUGH WHO’S TO SAY WE CAN’T BE FRIENDS? NOTHING IN THIS ARTICLE IS WARRANTED TO BE ACCURATE IN ANY WAY, AND THOUGH PRACTICALLY UNLIKELY, IT IS POSSIBLE THAT THE SUBSTANCE OF THE ARTICLE CAN KILL, HARM, MAIM, OR OTHERWISE DEFEAT YOU, PARTICULARLY IF YOU ARE READING IT WHILE LIVING THROUGH 2020. YOU SHOULD NOT RELY ON ANYTHING IN THIS ARTICLE WITHOUT INDEPENDENTLY DISCUSSING IT WITH YOUR LAWYER. YOU PROBABLY SHOULD HAVE ALREADY BEEN IN TOUCH WITH A LAWYER BEFORE READING THIS ARTICLE. LAWYERS ARE A GOOD THING – ALSO NOT LEGAL ADVICE.


About Lauren Hughes

Lauren Hughes is the privacy and trademark lead at RVL®. Her other musings include:

Trademarking BLM—When You Can No Longer (Commercially) Say “Black Lives Matter”

What are the Benefits of a Registered Trademark?

Certification Marks / Trustmarks in E-Commerce

New Year, New Law: Gig Economy Employers, Take Note

The California Consumer Privacy Act Doesn’t Apply to Me, Does It?

Contact Lauren at lauren@rockridgelaw.com.

About RVL®

Rockridge Venture Law®, or RVL®, was launched in 2017 to become the preeminent intellectual property and technology firm across the Appalachian Innovation Corridor. We now have offices in Chattanooga, Durham, and Nashville, and represent clients and interests globally. Our services include all aspects of intellectual property, litigation, M&A, privacy, technology transactions, and ventures.

In 2018 and 2019, we were recognized as B Corp Best for the World for our commitment to triple bottom line business practices. RVL® is also certified by 1% for the Planet for its nonprofit partnerships advancing stewardship and sustainability. RVL’s nonprofit partners in 2020 include Green|Spaces, Living Lands and Waters, Mustard Seed Ranch, and the NC State Lulu Games Social and Environmental Impact Competition.

Our pioneering environmental and social impact programs attract top-notch legal talent and assure our clients of missional Rockridge Venture Law alignment with their corporate values. Rockridge uniquely addresses two modern profit drivers: innovation (uptake and development), and corporate social responsibility. We’re Building Today’s Company for Tomorrow’s Economy® by leading clients through the dizzying array of information controls, by helping them to develop and monetize proprietary assets, and by enabling their impactful products, programs, and principles.
