If I had a dollar for every time I heard someone say "my business is too small for privacy laws to apply to me", I'd be rich. Many small businesses assume that privacy laws do not apply to them because their business is too small, they collect too little personal information, they have few (or no) employees, they make too little revenue, or because people enter their personal information into website forms voluntarily. None of these assumptions holds up: there are many privacy laws that apply regardless of business size or location. In this article, we will discuss which privacy laws apply to small businesses so business owners can determine whether they need to comply with them.
Privacy laws are not dependent upon the business’ location
The first incorrect assumption that many small business owners make is that they are in the clear if their own state or country does not have a privacy law. For example, since Illinois does not have a comprehensive privacy law, business owners in Illinois may assume that they are not subject to any privacy law at all. However, privacy laws were enacted to protect consumers, not businesses, so what matters is where the people whose data you collect are located, not where your business is located.
When trying to determine which privacy laws apply to you, you should ask:
- Whose personal information am I collecting through my website? For example, could people from other states or countries access your website and fill out your contact form or subscribe to your email newsletter list?
- Who am I tracking online? For example, could people from other states or countries visit your website and be tracked through Google Analytics or the Facebook Pixel or similar tools?
- Where are my customers located? For example, do you ship to other states or countries or perform services there? Can people from other states or countries purchase on your website or from your business?
- Where do you offer goods or services? For example, do you offer your website in multiple languages? Can people from other states or countries place an order? Where do you advertise?
As you can see from the above, not one of the questions asks where your business itself is located – this is because the privacy laws of other states or countries can apply to you regardless of where you or your business is actually located.
Privacy laws that apply to small businesses
There are multiple privacy laws that can apply to small businesses. Unlike the comprehensive state privacy laws such as the California Consumer Privacy Act, which only apply once a business crosses revenue or data-volume thresholds, the following laws apply regardless of business size, number of employees, revenue, or the amount of personal information collected (with the narrow exceptions noted):
- California Online Privacy Protection Act (CalOPPA): applies to any operator of a commercial website or online service that collects personally identifiable information from consumers residing in California;
- California Invasion of Privacy Act (CIPA): a wiretapping and eavesdropping statute that plaintiffs have applied to any operator of a website that tracks residents of California (e.g. through tools such as Google Analytics or the Facebook Pixel);
- Nevada Revised Statutes Chapter 603A: applies to any operator of a website that collects the personal information of residents of Nevada and does business in Nevada; the only carve-out is for operators located in Nevada whose revenue comes primarily from offline sources and whose website has fewer than 20,000 unique visitors per year;
- Delaware Online Privacy and Protection Act (DOPPA): applies to any operator of a website that collects the personal information of residents of Delaware;
- Rhode Island Data Transparency and Privacy Protection Act: applies to any operator of a website that does business in Rhode Island or that has customers in Rhode Island;
- General Data Protection Regulation (GDPR): applies to any operator of a website that offers goods or services to individuals in the European Union or monitors their behaviour online, even if the operator has no presence in the EU;
- United Kingdom GDPR and Data Protection Act 2018: apply to any operator of a website that offers goods or services to individuals in the United Kingdom or monitors their behaviour online;
- Personal Information Protection and Electronic Documents Act (PIPEDA): applies to any operator of a website that collects, uses, or discloses the personal information of residents of Canada in the course of a commercial activity;
- Quebec Law 25: applies to any operator of a website that collects, holds, uses or shares the personal information of residents of Quebec, Canada;
- Australia Privacy Act 1988: applies to any operator of a website that does business in Australia and collects and holds the personal information of individuals in Australia. Note that this Act does contain a small business exemption for businesses with annual turnover under A$3 million, but that exemption is lost if, for example, the business trades in personal information or provides a health service.
As you can see from the above, there are plenty of privacy laws that apply to small businesses – these laws require small businesses to follow certain rules when it comes to collecting and using personal information such as the requirement to have a Privacy Policy.
Are privacy laws enforced against small businesses?
While the news headlines primarily focus on large businesses that receive fines of millions of dollars, the privacy laws that apply to small businesses are still enforced. For example, small businesses have been fined for GDPR non-compliance. In addition, many small businesses have received demand letters and have been sued for CIPA non-compliance: CIPA provides for statutory damages of $5,000 per violation, which is what makes these claims attractive to plaintiffs' lawyers. With opportunistic lawyers and the potential to recover thousands of dollars per claim, small businesses are not exempt from fines and lawsuits.
What if the information is provided voluntarily?
Many small businesses assume that just because individuals provide them with their personal information voluntarily (e.g. the website visitor fills out the contact form), they are somehow exempt from privacy law requirements. Consent is a legal basis, meaning that, if obtained correctly, it is a lawful way to collect personal information. However, it does not exempt the business collecting the personal information from the rest of the law's requirements. In fact, for consent to be valid in the first place, the business must already meet requirements such as having a comprehensive and up-to-date Privacy Policy that tells the visitor what they are consenting to.
Conclusion
As you can see from the above, many privacy laws do not exempt small businesses from their requirements. If you currently run a small business with a website, you should review the questions above to determine which privacy laws apply to you. Then, you should determine the requirements for compliance, such as having a comprehensive Privacy Policy and, where tracking tools are used, a consent banner. Meeting the compliance requirements of these laws can greatly reduce the risk of fines and lawsuits.