
Understanding Data Protection Law in 2022

As a business owner, you have a responsibility to abide by data protection laws. This sounds like a complicated subject, but we’ve created a simple summary.

As technology evolves, companies are gaining more and more access to their customers. The more companies know about you, the more they can use that information to create targeted ad campaigns or sell that data to other entities looking to expand their reach. While the thought of only seeing ads that pertain to you and your interests sounds like a smart way to market, there are some who see the amount of personal data collected as invasive.

Not too long ago, ads on social media could target specific income brackets and lifestyles, and companies marketed their products accordingly. Marketing agencies were popping up everywhere, boasting to clients how they could pinpoint the exact right person to see their ads. Before long, complaints started calling such targeting a discriminatory practice. With that much chatter, governing bodies started to take notice. Before laws could be passed, social media platforms such as Facebook changed their advertising policies to reflect their base's concerns. No longer could marketers put money behind a post and hyper-target audiences. The platforms tightened their AI protocols and quickly flagged anything deemed even the least bit problematic.

In fact, you have to specifically click on what type of ad you're running. For example, if what you're advertising will likely require a credit check to own, the ad won't run unless you let them know that. Even then, the site has a strict set of demographics a company must adhere to in order to let the ad continue. One such contingency is age. You can't only show an ad to the ages of those who you believe are most likely to want a product.

Many companies have been following suit with tightened privacy policies. Those are great strides forward for consumers and businesses alike, but it's not enough overall. Since it isn't mandatory to do what a large percentage of consumers view as the right thing, the federal government and state governments are taking action. Continue reading to learn more about data protection laws in 2022 and what they cover.

The average cost of a data breach globally is $4.35M

Are there laws protecting your data?

Concern around personal privacy is nothing new, so you may be wondering if there are any federal laws that protect your personal data. The US Privacy Act of 1974 was passed into law as a way to provide protection for citizens across the nation. Back then, the law was geared towards the federal government and controlling how agencies gathered, used, and shared sensitive data about consumers.

As more companies operate in the digital space, individual states are putting together their own legislation.

Where are there data privacy laws?

In the US, five states have currently passed detailed data protection laws since 2018: California, Colorado, Connecticut, Utah, and Virginia. Each state varies somewhat in what is covered by the laws. However, they all have certain aspects in common, such as the consumer's right to access personal data and have it deleted from certain companies that hold onto it.

US data protection laws

There are several US data protection laws that have been put into place to protect the personal data of U.S. citizens. Some of these US data protection laws include:

California data privacy laws

If you've ever wondered how much and what information a company has on you as a consumer, California wants you to find out. As of July 2018, California was the first state to take a step toward general data protection regulation. The California Consumer Privacy Act (CCPA) was officially signed into law to enable this.

CCPA puts people in charge of their personal data. It forces businesses to be clear about what they are doing with the personal data they get and how they express it to the consumer. Businesses must have the consumers' privacy rights in an easily accessible place. There should be no confusion about how to opt out.

Essentially, CCPA empowers Californians to know who has their personal data, to ask those entities to delete private information, to remove themselves from advertising, and to not be discriminated against. Beyond what information residents put into a site, this data protection law also covers things like GPS locations and messages, or posts made using the record function.

In California and getting messages or emails from a business that you don't recognize? CCPA enables consumers to find out who gave or sold their information.

Colorado data privacy laws

The Colorado Privacy Act (CPA) was passed in the state senate on July 7, 2021. Colorado was the third state to sign data privacy legislation into law. Once it goes into effect as of July 2024, residents will be able to opt out of digital advertising campaigns, the selling of personal information, and being profiled.

CPA applies to any entity that does any type of business within the Colorado borders. This extends to companies that deliver products to customers through eCommerce websites. Also included are services where the personal data of at least 100,000 customers is used annually or the data of 25,000 consumers is used to share discounts.

For the purposes of the CPA, customers are residents who act for themselves or their households.

If there is a breach in the privacy regulations that has an impact on at least 500 residents, the companies must inform anyone who has been affected. They are also required to give notice to the Office of the Attorney General. In an effort to streamline the process, a form can be filled out online to accomplish the task.

Virginia data privacy laws

In March 2021, the Virginia Consumer Data Protection Act (VCDPA) was passed. Virginia was the second state to put detailed data privacy legislation into law. VCDPA gives residents the ability to access their online data. This comes with the right for Virginians to tell a company to permanently remove any individual info it may be storing.

Entities affected are ones that not only have consumer dealings in the state, but also hit one of two thresholds. The first is that the business deals with the personal data of 100,000 customers, at a minimum. The second is if the company gets more than half its revenue from selling the data of 25,000 or more customers.

Businesses with a customer base in Virginia must legally run data protection assessments when it comes to targeted campaigns. This extra step before advertising will keep companies compliant.

Other state privacy laws

Connecticut and Utah are the two other states that currently have data protection laws in place. Utah’s Consumer Privacy Act allows consumers to know what personal data of theirs is being collected and what the business is doing with it. This law also gives consumers the option to delete any personal data that they don’t want businesses to access, as well as opt-out of data collection. Connecticut has an act that allows consumers to opt-out of data collection and request information about what is being done with their data.

European data privacy laws

The European Union has put together some of the strictest data privacy laws in the world to protect EU citizens and their personal data. That can make it tough for businesses to get used to, but not impossible. The General Data Protection Regulation (GDPR) spells out a plethora of privacy regulations that apply to companies all over the globe. Basically, any company that is gathering data and targeting these citizens has to follow guidelines found in hundreds of pages detailing the security law. For example, GDPR forbids companies from sharing info about Europeans with non-EU countries.

A business owner’s keys to data privacy

What should business owners know about data privacy?

As a small business owner, there are a few key principles that you should know when it comes to data privacy. There are ways to perform data tracking safely, but you just need to do so with your customers in mind. A few important things that business owners should know about data privacy include:

Understand the financial or legal penalties

As you've probably picked up, the laws regarding data privacy vary by state. What that means for a business owner is that if they plan to perform data collection or run ads in an area, they should be abreast of the data privacy laws. A data protection officer is there to enforce compliance and assess fines, when necessary. It's possible for a data protection officer to fine a business up to $7,500 for each violation.

Aside from government agencies, in some states, consumers can take it upon themselves to do something about companies not adhering to the law. For example, they can sue.

Create a privacy policy

If you don't already have a company privacy policy, get one immediately. The policy needs to be on the front page of company websites. Most businesses have it listed at the bottom next to the other informative tabs.

Make sure your website has strong security

A data breach can be a massive deal for both companies and consumers. Not only does a data breach risk the safety of your customers' personal data, but it can also cost your business a lot of money. Hackers are evolving as fast as technology is, and that makes the need for data security paramount. In California, if a company experiences a data breach, consumers can sue them for not protecting their private data.

Know what you can and can’t do with data you collect

We are in a new age of digital transparency, but having good customer care is important for any business. Customers have the right to know who has their info and where their info is being shared, so it’s your responsibility to be transparent about what you’re doing with your customers' data. Use the private info only for what the customers opted in to experience. They also have the right to opt out. Before entities sell any private data, they should check the parameters of every area with goods or services being sold. If you're going to collect personal information from your customers, you need to obtain consent from them first.

According to McKinsey Insights, consumers have more trust in companies that limit the collection of personal data to only information relevant to their products.

Build a secure and ethical website with Mailchimp

When it comes to protecting the privacy of a customer, it's up to the company to do things the right and legal way. At first, it would be easy to see how a small business owner or service provider could feel overwhelmed by these personal data protection laws. But what it boils down to is acknowledging the consumers' right to know what happens with their data. Understanding and acknowledging your consumers’ rights to data privacy can also help to improve your customer retention, as people want to support a business that they can trust.

If you're unsure of where you stand as a company or if you could use some help making a website or building your business, Mailchimp has your back. Whether you need assistance with writing a business plan or figuring out ecommerce business insurance, we’ve got you covered. We can help you build brand loyalty and grow your business into an entity that is ready to promote and collect data, ethically.
