Facebook paid a whopping $5 billion fine for data privacy issues in 2019 because they violated user trust and data security regulations. In September 2022, Instagram was fined $403 million by Ireland's Data Protection Commissioner. As governments at the national and local levels further define these regulations, small businesses will surely feel the trickle-down effect, and face difficult and costly choices.
This all depends on the countries in which you conduct business. Every country has its own laws and regulations. The European Union has the General Data Protection Regulation (GDPR). Some individual EU nations have their own laws as well.
The United States has regulations related to financial (FCRA) and healthcare (HIPAA) information and is continuing to expand state regulations. Some states have implemented their own privacy laws, like California's CCPA, that require companies to disclose how they use personal information, to whom they provide it, to provide a mechanism for a person to request deletion of all personal data, and other protections.
Data privacy regulations will continue to be added and tightened in favor of consumer control. When you think about it, it makes sense. Consumers' concern for privacy is higher than it's ever been and their collective voice continues to grow. Legislators are listening.
Fines will be levied against the biggest companies to start. These are easy targets and regulators can dedicate resources in order to establish precedent. But once a few of these have been won, as they are doing now, SMBs will be more exposed. I doubt the Federal Trade Commission is going to come after Johnny's Tow Yard directly. More than likely what will happen is that a company will be sued by a consumer or another company. And that will open Pandora's box of small business data privacy lawsuits.
Every company that has a website, uses software to collect and store customer information, and provides information to third parties will be at risk. For years, companies that process credit cards have seen the push for PCI-DSS compliance. This is purely related to personal confidential information, such as credit card numbers, bank account information, social security numbers, etc.
However, there is more to data privacy than confidential information. Phone numbers, addresses, MAC and IP addresses, body characteristics, relatives, friends, employment history, photographs, and much more are all considered part of someone's personal data.
You likely collect some personal data if your website tracks users, allows users to comment, has conversion forms, requires a login, or collects and processes payments. If you use third-party components on your website, like Google Analytics & Tag Manager, Disqus, ShareThis, social media plugins, or any number of other external components, you are indirectly collecting personal data.
If you use software like QuickBooks, Salesforce, Mailchimp, Google Forms, etc., then you are collecting personal data. Obviously, if a person is a current customer then you'll need this data to conduct normal business. But if the person leaves and requests that you delete all personal data, it becomes a bit of a problem. We'll have to see how that sort of situation plays out.
Below is a simplified guide, but it is a starting point. I recommend consulting with a qualified provider because everyone's situation can vary.
The very first thing to do is be aware of every collection point within your organization. Where is data collected? Where is it stored? Is the data compiled into aggregate data sets? Is the data provided to third-party software providers (e.g. Google Analytics, Facebook)? Do you have control over the data?
Collecting all this information might be easier said than done, so you may have to contact your web developer or agency to get it. Once you've catalogued all the data collection points, be sure to update the catalogue regularly as collection points are added or removed.
For each data collection point, have it reviewed for the type of information captured, retained, and shared. If there is any personal data associated with it be sure:
Part of data privacy is notifying your website visitors and customers about your data collection, retention, and dissemination practices. This means providing some type of window on your website (a popup, slide down, etc.) that shows this and links to more information, if necessary.
Additionally, sending an email to existing customers when your data practices change can prove incredibly helpful.
Being proactive is the key. If you wait until you get sued or a regulatory agency starts snooping, it may be too late. By identifying collection points, starting mitigation for any problems or vulnerabilities, and proactively notifying your constituents about your policies, you will establish a track record of compliance; that can go a long way.
Depending on your location, you may already be required to provide notifications, especially to obtain consent. Anyone in the European Union must abide by this. The consent to collect personal data is given by the visitor explicitly and should never be implied or assumed.
A web content management system (CMS) can help you keep track of the data you collect, the permissions given by visitors, and also give you control over personal data. Look for a true fully managed platform. Simply by being a fully managed solution, you'll be able to stay up-to-date on the latest security patches and updates because these are provided by the CMS vendor to everyone at the same time.
Ultimately, you are responsible for controlling consent and data collection. Your CMS platform, however, should provide the features that allow you to craft and control your consent mechanisms. It should also provide an easy path to manage and purge data when necessary.
Your CMS platform should also let you execute with maximum agility and flexibility. This means that your content editors and front-end developers should be able to make quick changes and updates to your content and user experience without having to call a senior application developer and go through a full dev lifecycle.
You can work towards meeting data privacy regulations by simply showing up, paying attention, and taking the steps above. These will potentially lead to additional required steps but you'll be on your path to compliance, at the very least. Sitting on your haunches and assuming your small size exempts you from data privacy regulation is the wrong thing to do.