What Businesses Should Know about Data Privacy (and How to Take Action)



This article is not meant as legal advice. Data privacy law and compliance obligations are complex and constantly changing. You should consult with legal counsel to ensure your company’s privacy practices comply with current law. 

Our modern economy is built upon data. It’s often the most valuable asset a company has. Where would you be without your customer database and insights?

But not all companies know how to handle their data. And with constant news of breaches and misuse, consumers are becoming more wary of sharing their data through websites and apps. Their attitudes are shifting, and so are the resulting laws concerning data.

This isn’t a problem just for tech giants and enterprises. Even small businesses are vulnerable to these issues: 36% of them experienced a data breach this past year, a higher share than before.

So, what’s the deal with data privacy? How should you be handling it? 

Keep reading for an explanation of what data privacy is and an overview of the current legal landscape. We’ll also give you some ways to improve your company’s privacy practices right away.


What is Data Privacy?

Data privacy concerns the appropriate handling of data, including consent, notice, and regulatory obligations. It covers how data should be collected, managed, and stored, as well as compliance with applicable law.

Data Privacy vs Data Security 

Data security, on the other hand, has a more technical focus. It involves preventing unauthorized access to data by third parties or malicious insiders. 

While the two are closely related, they’re NOT the same. 

Another way to think about it is: “you can have data security without data privacy, but you can’t have data privacy without data security.”

This means that just because your system is technically secure, it doesn’t follow that you’re following good privacy practices. You can still obtain data in misleading ways or use it in ways that weren’t authorized.

But it’s also impossible to have data privacy when your data isn’t secure. 


Why Data Privacy Matters

Data privacy has come to the forefront of challenges for companies to deal with. 

Why? Because consumers are demanding it. What happens to personal data that’s collected? Do companies profit from it? Is it vulnerable to hackers? There’s a harsh spotlight on companies that are collecting and sharing data without people’s consent and knowledge (looking at you, Facebook).

In fact, KPMG reported that 97% of consumers say data privacy is a concern. And a majority of them (87%) view data privacy as a human right.

So what’s being done to regulate how data is collected and used?

Quick Overview of U.S. Data Privacy Laws

At this time, the U.S. doesn’t have a unified law governing data privacy. Instead, there’s a patchwork of overlapping federal and state laws. This can make it challenging for U.S. companies to understand their precise legal obligations.

The U.S. approach to privacy law is in sharp contrast to the European Union. The EU recently enacted its General Data Protection Regulation (GDPR). The GDPR is a comprehensive law that governs all aspects of handling data of EU citizens.

U.S. Federal Law for Data Privacy

Much of U.S. federal privacy law is industry specific. 

An example is HIPAA, which governs the use of personally identifiable health information. Another is the Gramm-Leach-Bliley Act, which applies to financial institutions.

An important aspect of U.S. privacy law has been the Federal Trade Commission’s enforcement of the FTC Act’s Section 5 prohibition of any “unfair and deceptive act or practice.” Section 5 does not address data privacy specifically. But the FTC has used it against companies when their use of data violated the promises they made in their privacy policy. For example, the FTC pursued Facebook for that company’s violation of its own privacy policy.

U.S. State Privacy Laws

Besides the various federal laws with privacy provisions, several states have their own laws to follow. 

The most important of these is the California Consumer Privacy Act (CCPA) which governs the use of personal data obtained from California citizens. The CCPA was modeled on the GDPR and is similarly comprehensive and complicated. 

Other states are seeking to enact laws like California’s. 

Sounds confusing? That’s because it is. Right now, managing multiple (possibly conflicting) state laws is causing headaches for companies.

Due to this complexity, some are calling for the federal government to enact comprehensive privacy legislation like the GDPR. This legislation could preempt state privacy laws, making it easier for U.S. companies to comply with their data privacy obligations. 

But will that ever happen? It’s not clear if it will yet. 

SPARK TIP: In addition to the few states that now have their own privacy laws, all 50 states now have data breach notification laws. That is, when a company has a data breach, each state has a law describing when, how, and what information must be sent in notices to its citizens whose data has been stolen. These laws don’t all align, though. So, it can be challenging to meet legal obligations when a data breach involves citizens from multiple states.

What’s at Risk without Compliance 

Even though the regulations and laws aren’t settled yet, that doesn’t mean companies shouldn’t prioritize compliance. Without it, you put your company at serious risk now and in the future.

  • Legal risk. A lack of compliance with data privacy law exposes your company to legal problems. That could mean government-imposed fines and lawsuits as well as private lawsuits. The particular risks depend on the applicable law.
  • Clean-up costs. If you have a privacy law violation such as a data breach, the costs to remedy the situation (e.g., technical issues, public relations expenses, etc.) and notify your customers of the data breach can be large. The average cost of a data breach is $3.86 million. Yikes!
  • Meeting Consumer Demands. More consumers care about who they give their data to and what companies are doing with it. Some of the tech giants are starting to respond to these shifting attitudes. 

For example, Apple recently made headlines by changing its Safari browser to limit third parties’ ability to track users. It also limits email senders’ ability to track whether recipients are opening emails.

  • Reputation. Misuse of customer data, a publicized data breach, or an investigation by a government agency into a company’s privacy practices harms your company’s reputation. You’ll lose current and potential customers.
  • Ability to do business with third parties. Even if your company doesn’t prioritize privacy, some companies you would like to do business with might. Breaches matter to leadership and others in boardrooms. If working with you would require the sharing of their data, many companies will insist upon having a thorough understanding of your privacy practices.
  • Acquisition and valuation risk. If you are hoping to sell your company, your potential acquirer could audit your practices. If you don’t have the right measures in place, they will likely see that as a big risk and reduce the value they place on your company, or even walk away from the transaction entirely.

How to Improve Your Data Privacy Measures

Here are some simple steps to improve your company’s data privacy. Some of these might seem like a lot of work.

Don’t worry! You don’t need to do everything at once. And you don’t need to do it all yourself. Remember, there are great companies and service providers out there that can assist you. 

  • Keep data privacy (and cybersecurity) front and center. Data privacy and cybersecurity are not simply issues for Facebook or other enterprises. Anyone is vulnerable to these issues. So, you need to act accordingly.
  • Survey your data. Start by taking an inventory of the data you already have. What is it? Where is it stored? Did you have consent for it when you first obtained it? How are you using it? Who is responsible for it? Is it secure? Get an idea of where you’re at now and what you need to change.
  • Minimize data storage. Stored data that isn’t needed or used is an unnecessary liability. Develop policies and procedures regarding data retention and destruction that make sense for your business needs, comply with promises you’ve made to data subjects, and fulfill your legal obligations.
  • Minimize data collection. A great way to improve your data privacy posture is to refrain from collecting data you don’t need. Are your forms asking for home address and phone number when you never use either? Change them to only collect what you need.
  • Get consent. When you obtain data, get informed consent as to how you will use that data. This is typically done online by having users click a box to agree to a privacy policy when they enter their data.
  • Develop, follow, and post a privacy policy. Posting a privacy policy can give users a sense of security and confidence in your company. It can also help your own company understand its use of the data it receives. 

The policy should describe what data you collect and how you will use it. Many companies incorporate their privacy policies into their terms and conditions or compel users to agree to their privacy policy before entering their data. 

But if you decide to post a privacy policy, take it seriously. Work with counsel. Do not simply find a different company’s privacy policy and search and replace the company’s name with your name. While no U.S. law requires companies to have a privacy policy, companies get in trouble with the FTC by making promises in their privacy policies and then not following them. So, make sure the statements in your privacy policy match your actual practices. 

  • Training and culture. Develop a culture that makes data privacy a priority. Provide training to employees so they understand the importance of data privacy and the specific means and methods your company uses to ensure data privacy. Make it part of the onboarding and have periodic refreshers.
  • Audit your providers. If you rely on other companies to process data you’re collecting on your customers, be sure that they have good privacy and cybersecurity practices themselves. You are at risk for what they do with the data you provide to them.

Bottom Line: Implement Good Data Privacy Measures

Data privacy is important. Your customers expect it. And not doing anything exposes your company to legal and financial risk. 

But the good news is that implementing good data privacy measures improves your company. A company that is thoughtful about privacy naturally improves its operations and has greater clarity and insight into them. 

It also establishes you as a trustworthy company that can be relied upon by both customers and business partners. 


About the author: Jake Lonc, Vice President, SPARK

As Vice President of SPARK, Jake has a passion for building lasting partnerships with SPARK’s clients. He effectively communicates technical concepts to non-technical stakeholders and advocates for the client’s vision to our project teams of software developers and designers.
