Small business and ‘The right to be forgotten’

Mar 20, 2020

Over the last few years, data privacy has increasingly become a cost of doing business, not only in the United States but worldwide. With high-profile data breaches becoming more common, companies are tightening their data privacy policies and governments are introducing new requirements on data protection through broad statutes and legislation. This not only affects large corporations, but also places significant data privacy requirements on small businesses.

Small businesses in Washington are often subject to the same regulations as larger corporations but have far fewer resources to handle the additional work needed to protect private data.

Traditionally, data privacy was considered in the context of Personally Identifiable Information (PII), Payment Card Information (PCI), Health Insurance Portability and Accountability Act of 1996 (HIPAA) and various other data protection standards such as NIST-800 and ISO/IEC 27001.

However, while these statutes are critical to data protection, they focus on the protection of the data and not the consumer rights for data that has been collected. This gave rise to several new laws focused on individual privacy rights.

The first of these privacy protection statutes is the European Union (EU) General Data Protection Regulation (GDPR), which places data privacy and data handling requirements on companies doing business in the EU. Since many US companies do business in the EU, several have adopted GDPR and operate under GDPR requirements inside the US as well.

In response to GDPR, several US states began drafting legislation that broadly followed the GDPR requirements.

The first US state to pass data privacy legislation was California. The California Consumer Privacy Act (CCPA) went into effect in 2020. CCPA is broadly based on the GDPR statute but has some differences that are specific to California.

Washington State has been working on its own version of data privacy, the Washington Privacy Act (WPA). The Washington legislation, while still a work in progress, came close to passing during the 2020 legislative short session and will undoubtedly be re-introduced in 2021.

Many of these statutes introduce a concept called the ‘Right to be Forgotten’. This requires companies that collect personal data to give the data owner or customer the policy they use to manage the data and the ability to have the data removed from their data store. There are severe penalties for non-compliance that can bankrupt a business.

The Washington proposal includes the right to be forgotten, the right to have errors corrected and the right to receive a copy of the data being collected by a business.

The average financial cost for a data breach in the US can be as high as $150 per row of personal data. The majority of the $150 is spent on notification costs, staff time and offering credit monitoring services to the affected party. There often is an additional, significant cost associated with the damage to the business brand and reputation.

The collection and storage of private data carry requirements which, if ignored, can bring a large financial cost and a loss of reputation to a small business. A data breach or violation of the new privacy laws can literally put a small business out of business and cause financial distress or identity theft issues to the owner of the data.

Businesses now need to handle private data differently than they did just a few years ago or run the risk of significant fines and penalties.

The new data privacy laws have a profound effect on the way both small and large businesses operate.

Small businesses should not ignore these requirements even when dealing with small amounts of data.