Depending on your location, laws on customer data security can vary. California’s Consumer Privacy Act (CCPA) provides the strongest data protection laws in the United States, and will probably be used as a pattern for future legislation in other states. If you’re compliant with California’s laws, you’ll find you’re also in compliance with the less-restrictive laws in other states. We will describe legal requirements under California’s data protection laws and encourage you to check your own state’s laws to discover your local legal liability.
The author is not a lawyer. Zenatta is not a law firm. This is not legal advice. While we have made every attempt to assure the accuracy and utility of the information below, we recommend you consult a lawyer if you need legal advice.
Does CCPA apply to you?
Keep in mind that California’s law applies only to companies that accrue at least $25 million in revenue a year, receive information about more than 50,000 consumers annually, or derive ≥50% of their revenue from selling consumer data. If you fail to comply, you can expect legal penalties and civil liability.
Few small businesses meet these thresholds; the law targets larger organizations. However, you’ll have a hard time explaining that distinction to your customers after a data breach. Wise business owners protect themselves by following the intent of the law regardless of their revenue or business model.
This article does not apply to industries that have their own legal liabilities, like healthcare and government. It’s intended to help small and medium businesses understand what their legal and social responsibilities are for collecting and protecting personal data, and it does not represent the limit of those obligations. Do your own research to ensure you don’t wind up in trouble.
As a rule of thumb, treat personal data like cash: don’t give people opportunities to steal it, and monitor the cash box at all times. And remember that, given sufficient pressure, anyone can become a thief.
What is Personally Identifiable Information (PII)?
Under California laws (CCPA) and the laws of most municipalities, personally identifiable information (PII) is defined as any information that could be reasonably connected to a specific person or used to deanonymize a specific person.
Common PII includes:
The consumer’s first and last names, physical address, IP address, email address, account name, social security number, driver’s license number, purchase history, consumer habits, internet activity, personal characteristics, and biometric data. Any other similar identifier can also be considered personal information when combined with other PII.
Collect and Store Only What You Need
All data collected and stored by your organization must serve a legitimate business purpose. This means the collection of the data is “reasonably necessary and proportionate to achieve the operational purpose”. Your organization may only collect information that it uses as part of its business operations.
Consider, for example, a loyalty program at a hypothetical pet store. The store uses a third-party app to collect information from consumers, and the default configuration of that app’s signup form collects their social security number. There’s no justifiable business purpose for collecting that information. In the event of a breach, the organization should expect a class-action lawsuit and an FTC investigation into its data handling practices.
Restrict Access By Default
At many small businesses, information is accessible to all employees by default. It’s all stored in the CRM, and every employee has a CRM account. This is not a secure practice and leaves you wide open to an insider attack by a disgruntled or criminal employee.
Grant access to all information on a need-to-know basis only. Keep a digital log of who accesses the data, when, and for what purpose. For example, only your billing department should be able to access stored financial information. Your marketing team probably needs the names and emails of consumers, but would likely have little use for their addresses. Shipping needs names and addresses, but not credit card numbers. Segment your data and permit access to only the information required to perform a given business function.
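The need-to-know split described above (billing sees payment details, marketing sees names and emails, shipping sees names and addresses), with every access attempt logged. This is an added example, not code from the article; the role names, field names and the customer record are constructed assumptions.

```python
"""Field-level, need-to-know access to a customer record with an audit log."""
from datetime import datetime, timezone

# Each role may read only the fields its business function requires (assumed names).
ROLE_FIELDS = {
    "billing":   {"name", "card_last4", "billing_address"},
    "marketing": {"name", "email"},
    "shipping":  {"name", "shipping_address"},
}

# Constructed sample record; not real customer data.
CUSTOMER = {
    "name": "Pat Example",
    "email": "pat@example.invalid",
    "card_last4": "4242",
    "billing_address": "1 Main St",
    "shipping_address": "2 Side St",
}

ACCESS_LOG = []  # who, when, which fields, for what purpose, and whether it was allowed


class AccessDenied(PermissionError):
    pass


def read_fields(user, role, fields, purpose, record=CUSTOMER):
    """Return only the requested fields that the role is permitted to see.

    Every attempt is logged, including denials, so an insider probing for
    data outside their role leaves a trail. An unknown role gets nothing.
    """
    allowed = ROLE_FIELDS.get(role, set())
    denied = set(fields) - allowed
    ACCESS_LOG.append({
        "who": user, "role": role,
        "when": datetime.now(timezone.utc).isoformat(),
        "fields": sorted(fields), "purpose": purpose, "allowed": not denied,
    })
    if denied:
        raise AccessDenied(f"role {role!r} may not read {sorted(denied)}")
    return {f: record[f] for f in fields}


def denied_attempts(log=ACCESS_LOG):
    """Denied requests are the first entries to review when auditing the log."""
    return [entry for entry in log if not entry["allowed"]]
```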
Encrypt Data at Rest and In Travel
Data should be securely encrypted both at rest (on disk) and in travel (moving between servers). Fortunately, this is the part that most folks get right. Your choice of encryption standard is the least important decision here: AES-256, RSA-2048, SSL/SHA-2, and PGP are all strong encryption standards. The best choice for the job depends on the scale and usage of your consumer data. If you’re in an unusual situation, hire a security professional who knows the ins and outs of your business.
Monitor and Secure Access to Your Network
The waterfall of hacks and data breaches over the last few years has taught corporate America a serious lesson: access to networks must be closely and carefully guarded. This goes for remote access as well as internal access. Just as with your data, you should segment access to your network to ensure only those who need access obtain it. Log all network access, including IP addresses, user credentials, and activity, and preserve those logs for as long as practical. Careful segmentation reduces the likelihood of a data breach and helps track down perpetrators if one happens.
Use Industry-Standard Security Systems
Don’t try to build your own security system. You wouldn’t do it for your house, and you shouldn’t do it for your business. Follow industry best practices, using the right encryption algorithms and correctly configuring all security systems. Don’t wind up like Fandango and Credit Karma, who used SSL to encrypt app sessions but turned off SSL certificate verification, probably because a developer overlooked the importance of the feature. These apps were wide open to man-in-the-middle attacks, allowing a potential attacker to siphon highly valuable financial information from a massive number of customers, at least until the FTC slapped them with a consent order legally requiring them to take certain actions to protect customer information and giving both companies black eyes in the press.
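The misconfiguration just described, shown beside the correct default so the difference is concrete. This is an added example using Python’s standard ssl module; it is not code from the article or from the apps it mentions, and the audit function is a constructed check, not a standard API.

```python
"""TLS client certificate verification: the mistake versus the correct default."""
import ssl


def insecure_client_context():
    """What 'turning off certificate verification' looks like in code.

    Any server is accepted, including one an attacker places on the path
    between the app and the real service.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # the actual mistake: no chain validation
    return ctx


def secure_client_context():
    """The correct default: the certificate chain is validated against the
    system CA store and the certificate's name is checked against the host.

    Use it as: urllib.request.urlopen(url, context=secure_client_context())
    """
    return ssl.create_default_context()


def audit_client_context(ctx):
    """Return a list of findings; an empty list means verification is on.

    Suitable as a unit test in an app's build so the flag cannot be
    switched off during debugging and shipped that way.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not required or not verified")
    if not ctx.check_hostname:
        findings.append("certificate name is not checked against the hostname")
    return findings
```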
Protect Billing Information
Apply the same customer data protection standards to payment information like credit card numbers. Outside of laws covering fraudulent activity, few United States laws explicitly require certain standards of protection for payment information. However, credit card industry regulators are crystal clear about their security requirements.
If you store consumer credit card information, you’ve likely heard of PCI. They are a certification organization responsible for ensuring credit card information is handled in a safe and secure way. Violate their regulations, and you’ll risk steep fines and the loss of your merchant account, preventing your business from processing any credit cards at all.
Never store credit card information in an unencrypted format. Never record credit card information in your CRM, or store it on records associated with transactions, like invoices. If possible, do not store payment information at all, or use a trusted payment portal to store the information outside your organization. Learn more about PCI’s requirements and recommendations for safe credit card processing.
Secure Non-Digital Records
Many older business owners make the mistake of assuming paper records are more secure than digital records because paper records cannot be hacked. Security through obscurity is hardly better than no security at all. What if an employee with access to those records takes pictures or steals a binder packed with credit card numbers? Secure paper records in the same way as your digital records: secure storage, logged access, and limited accessibility.
Consumer Access to Data and Deletion Requests
Under California’s new privacy law, the CCPA, qualifying businesses must provide the data collected on a consumer in response to a “verifiable request” from that consumer. A verifiable request is any request that can be verifiably traced to the individual sending the message. Basically, you need to be sure you’re talking to the right person before you can comply with their request.
Most organizations handle this by putting requests behind a user login. The possession of the correct email and password is enough to consider the request “verifiable” under the law. Consumers must also be allowed to opt out of data collection, if feasible, and retain the right to prohibit businesses from selling their PII without consent.
If you’re already compliant with GDPR rules, this will sound familiar. If your organization receives a verifiable request from a consumer to delete personal information about that consumer, your organization must delete the information, and direct any service providers to do the same. While there are exceptions to this rule, you should always fulfill the consumer’s request.
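The deletion workflow described in the last three paragraphs as one piece of code: verify the request against the account login, delete the organization’s own copy, and direct each service provider holding a copy to delete too, logging the outcome either way. This is an added example, not the article’s code; the account store, password-hashing parameters and provider names are constructed assumptions.

```python
"""Handling a verifiable deletion request under the CCPA pattern."""
import hashlib
import hmac
import os

ACCOUNTS = {}      # email -> account; constructed store, no real customer data
DELETION_LOG = []  # every request, honoured or denied


def _hash_password(password, salt):
    # PBKDF2 parameters are an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_account(email, password, providers):
    salt = os.urandom(16)
    return {"email": email, "salt": salt,
            "pw_hash": _hash_password(password, salt), "providers": list(providers)}


def _verified(account, password):
    # Constant-time comparison so a wrong guess cannot be distinguished by timing.
    return hmac.compare_digest(account["pw_hash"],
                               _hash_password(password, account["salt"]))


def handle_deletion_request(email, password, store=ACCOUNTS, log=DELETION_LOG):
    """Return (status, provider_directives).

    A request is honoured only when the requester proves control of the
    account. An unknown email and a wrong password get the same answer, so
    the endpoint does not reveal which emails have accounts.
    """
    account = store.get(email)
    if account is None or not _verified(account, password):
        log.append({"email": email, "status": "denied"})
        return "denied", []
    del store[email]  # our own copy first
    # Then direct every service provider that received the data to delete it.
    directives = [{"provider": p, "action": "delete", "subject": email}
                  for p in account["providers"]]
    log.append({"email": email, "status": "deleted", "providers": account["providers"]})
    return "deleted", directives
```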
Information about minors is typically protected more strongly, especially if they are under the age of thirteen. If you collect information on minor consumers, review local laws to understand your legal obligations, which can vary from complete prohibition to defined opt-in standards.
Tell Consumers About Your Data Collection
Informing consumers is required under almost every data collection law in the world, including the CCPA. Present, in clear language, what data is collected and the business purpose it serves. From both a legal and commercial perspective, best practice is to provide this information at the time of data collection. You can also place it in a clearly marked section of your website.
Conclusion: Play It Safe
If you’re not already securing your customers’ information, start immediately. Encrypt data, log access, and limit availability. Don’t wait for a major hack or an FTC consent order to spur you into action.