Bloomberg Law
Oct. 5, 2020, 8:01 AM

Crafting a Federal Privacy Law to Benefit Small Businesses

Paula Bruening
Paula Bruening
Casentino Strategies LLC

As policymakers renew the debate about federal privacy legislation, small businesses continue to face the effects of the Covid-19 crisis and struggle to find a way toward recovery. Confronted with reduced demand, new customer expectations, and operational changes required by health and safety restrictions, returning to a semblance of normal will take time and many small businesses will need to make significant changes to survive.

As small business adopt new business models, invest in talent and technology, and adjust staffing and labor practices, it might be understandable if they greet the prospect of additional regulation in the form of privacy law with skepticism. Proposals for privacy laws tend to be written with larger enterprises in mind—companies with the resources, operational expertise and legal teams necessary to support compliance. Small business might easily view privacy law as yet one more set of requirements that slows recovery

Size alone should not exempt small companies from legal requirements. While a company may have few employees, or may generate lower revenues, they may, and often do, collect, store, and sometimes sell vast amounts of information, much of it personal and often sensitive. Adherence of smaller companies to privacy law is important not only to protect consumers, but to foster responsible data practices across all business sectors.

Concerns about the burden of compliance are real, but small businesses could benefit from compliance with federal privacy legislation—if the law takes into account the practical realities those companies face.

Potential Benefits of Privacy Law

How can a privacy law benefit small business?

  1. A privacy law establishes a predictable legal landscape. A federal privacy law would create predictable rules across the country with respect to privacy, creating greater legal certainty and easing the burden of compliance with a potential mosaic of varying laws across 50 states. It would also help foster a marketplace in which consumers can expect that their data will enjoy an established level of protection. With greater legal certainty and consumer trust, data will move smoothly, and companies will be better positioned to take advantage of business opportunities.
  2. It positions smaller companies for business opportunities. Compliance with privacy law can help companies position themselves for business opportunities where data protection compliance and accountability are necessary. Larger companies increasingly seek service providers that are prepared to process, store, and secure data consistent with legal requirements, and include such requirements in contracts with vendors. Companies that comply with a new law can more readily enter into new business relationships.
  3. It enhances consumer trust. Compliance can enhance companies’ trust relationship with customers, allowing them to innovate and use data robustly. It also fosters trust by promoting a marketplace where data protection and consumer privacy are priorities and guide companies’ data practices.

Structuring a Privacy Law that Works for Small Companies

How might privacy law be structured to work for small businesses?

  1. Adapt requirements to the needs and resources of small business. Current proposals for privacy law are often written with large, well-resourced companies in mind. New law should include provisions that adapt requirements for smaller companies and recognize the need to accommodate compliance infrastructures and processes that may differ based on a company’s size, data activities, and resources.
  2. Structure penalties in a way that support effective enforcement but are appropriate for small companies. Appropriate penalties are fundamental to effective enforcement. When applied to small businesses they must be significant enough to have teeth, but not so onerous as to place a company in financial peril. Penalties should be scaled to the potential harm to consumers of a violation and designed to encourage companies to take steps to ensure future compliance.
  3. Create incentives for compliance. Because technology and the way companies use data evolve rapidly, compliance will be an ongoing process that requires companies to respond to changes in a company’s data collection, processing, and management practices. In establishing guidelines for sanctions, any new law should recognize companies’ good-faith efforts to adhere to requirements.
  4. Provide for certification programs. Certification programs can encourage compliance by providing guidance specifically tailored to the needs of smaller companies. Small companies that meet program requirements and represent their certification are recognized by businesses as potential trusted business partners and by consumers as businesses that respect their privacy.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Write for Us: Insight Guidelines

Author Information

Paula Bruening is a founder and principal at Casentino Strategies LLC and former global director of privacy policy at Intel. She is also currently an Innovators Network Foundation Privacy Fellow.