Data Privacy Laws That May Impact Your Startup: Here’s What You Need to Know

Most startups collect some form of secure information in digital form. The collection, use and disclosure of this information is regulated under federal, state and even some International laws. As a startup business, it is important to safeguard customer data so that your small business does not face consequences of failing to comply with data privacy laws. Startup founders that understand their legal obligations and make the proper investment to comply with the laws can reduce the likelihood of liability and compete more effectively by earning a reputation that protects their customers.

Federal Laws Governing Data Privacy

There is no one comprehensive federal law that governs data privacy in the United States. Instead, there is a patchwork of state and federal laws and regulations and industry standards that govern the collection, use, and disclosure of private information. Companies that collect financial or medical data have notable exceptions where US lawmakers have adopted specific rules and privacy restrictions.

The Federal Trade Commission protects consumers by stopping unfair, deceptive or fraudulent practices in the marketplace. While the FTC does not explicitly regulate what information should be included in website privacy policies, it uses its authority to issue regulations, enforce privacy laws, and take enforcement actions to protect consumers. The FTC might take action against organizations that:

• Fail to follow a published privacy policy.
• Fail to implement and maintain reasonable data security measures.
• Fail to abide by any applicable self-regulatory principles of the organization’s industry.
• Transfer personal information in a manner not disclosed on the privacy policy.
• Make inaccurate privacy and security representations (lying) to consumers and in privacy policies.
• Fail to provide sufficient security for personal data.
• Violate consumer data privacy rights by collecting, processing or sharing consumer information.
• Engage in misleading advertising practices.

Other Federal laws that govern the collection of information

This is by no means an exhaustive list – but some of the regulations that could apply to your company include:

• ECPA (Electronic Communications Privacy Act) – protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. Establishes criminal sanctions for interception of electronic communication.
• FISMA (Federal Information Security Modernization Act) – assigns responsibilities to various government agencies to ensure the security of data in the federal government.
• Gramm Leach Bliley Act – governs the protection of personal information in the hands of banks, insurance companies, and other companies in the financial service industries.
• FRCA and FACTA (Fair Credit Reporting Act, and Fair and Accurate Credit Transactions Act) – restricts use of information bearing on an individual’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living to determine eligibility for credit, employment, or insurance.
• TCPA (Telephone Consumer Protection Act) – regulates calls and text messages to mobile phones, and regulates calls to residential phones made for marketing purposes (telemarketers).
• FERPA (Family Educational Rights and Privacy Act) – gives students the right to inspect and revise their student records for accuracy, and prohibits disclosure of these records or other persona information on student without the student or parent’s consent.
• HIPAA (Health Insurance Portability and Accountability Act) for organizations in the healthcare space, specifically to protect what is considered protected health information.
• GDPR (European Union General Data Protection Regulation) for all organizations that handle data of European Union citizens. The GDPR’s primary aim is to enhance individuals’ control and rights over their personal data and to simplify the regulatory environment for international business.
• CCPA (Proposed California Consumer Privacy Act) for all organizations that handle data of California residents. The CCPA gives consumers more control over the personal information that businesses collect about them.
• Future State-Specific regulations currently being reviewed by state senate – from Nevada, New York, Washington, and Texas.

State Data Privacy Laws

The United States is experiencing a push towards privacy legislation at the state level, due to the federal governments inability to reach consensus on how to legislate broadly.  State laws too can have a far-reaching impact on data privacy. In fact, the reason that most websites have a privacy policy in the first place has its origins in state law.

Although companies would rather comply with one single federal standard than have to decipher through multiple statewide laws, state lawmakers have felt pushes from consumers, consumer advocates and even companies to set their own rules. Let’s take a look at some important State Data Privacy Laws that may impact your small business

• CCPA (California Consumer Privacy Act)
• CPRA (California Privacy Rights Act)
• CDPA (Virginia’s Consumer Data Protection Act)
• CPA (Colorado Privacy Act)
• New York SHIELD Act

How To Ensure Compliance With Data Privacy Laws

How Should My Business Navigate Data Privacy Laws?

What you don’t know about data privacy laws can put your business at serious risk. The regulations vary, so we recommend using online resources, software or hiring legal counsel to ensure compliance with the complex and ever-changing laws.

While this is by no means an exhaustive list, here are some steps businesses can start with:

• Map your Data: where is your data coming from, and what related target fields is it going to?
• Secure your Databases: encrypt at rest and in transit, and harden your host.
• Secure your Application: build in authentication, app-level access controls, and audit logging.
• Back up your Data: multiple region backups of your database should be standard.
• Have a Disaster Recovery Plan: what happens if your servers go down? Do you have a backup plan, or have you lost everything?
• Implement Host and App-level Intrusion Detection
• Implement Application Vulnerability Scanning: detect and mitigate vulnerabilities in your applications
• Protect your Credentials, Tokens, and Secrets: mange your passwords, API keys, and other secrets.
• Publish your Privacy Policy: make sure your customers know your privacy policy, how to reach you, how you use their data, and how to opt out and have you delete their data.
• Create a Manual: Have a comprehensive Policy and Procedures Manual highlighting how you handle data security.
• Audit your Vendors and Third Parties: if a vendor you work with has a breach, it may effect your customers as well. Make sure they have their stuff together too.

Penalties for Non Compliance

Businesses, large or small, that fail to follow data privacy and security laws can face serious ramifications. Cybersecurity incidents are often the precursor to investigations and possible enforcement actions by state attorneys general or the FTC. In addition, companies have been held liable for failing to adhere to their privacy policies. These incidents can also lead to private causes of action (or even a class action) typically by consumers whose information was compromised or improperly used or disclosed.

An additional consequence resulting from non compliance with data privacy laws is the businesses reputation. Small businesses in particular have a difficult time recovering after they have lost trust from its existing and potential customers and investors.

Exemplar Companies Data Privacy Legal and Compliance Experts

Exemplar Companies is staffed by skilled legal and compliance professionals practiced in data privacy and cybersecurity with experience across multiple industries. From regulatory compliance, to control, implementation, and incident response, we are the firm clients trust for data privacy thought leadership and expertise. Contact us today to learn more: rise@exemplarcompanies.com