Key Findings

1. Data privacy law is complex and is applied to large corporations and small business equally requiring small business owners to consider the impacts to their customer data and business.

2. There are different laws governing data protection and data privacy depending on the country and geographical locality of both the customer and business.

3. There are significant fines and penalties for data breaches and noncompliance with the new data privacy laws.

4. Privacy law should include graduated compliance when crafting personal data laws to differentiate large and small companies’ capabilities appropriately.

5. Small businesses (in Washington) are subject to the same regulations as larger corporations but have far fewer resources to handle the additional work needed to protect private data and to comply with data privacy laws.

6. Washington State should include language in the Washington Privacy Act for more flexibility for small business compliance, rather than taking the broad, one-size fits all approach that the General Data Protection Regulation and California Consumer Privacy Act have taken.

7. Washington Privacy Act compliance thresholds should be combined with a secondary trigger or measure to avoid penalizing small business.

8. The rules to reach compliance for small business should be more flexible than the rules applied to large business who often are able to scale to handle privacy regulations more cost effectively.

9. Provide more explanatory exception clarification for the type of data that is exempt from the privacy law.

10. Allow documentation and process compliance and not automated systems as the only solution for compliance to privacy law.

Introduction

Over the last few years data privacy has been added to the cost of doing business not only in the United States, but worldwide. With high-profile data breaches becoming more common, companies are increasing their data privacy efforts and governments are introducing new data protection requirements through farreaching statues and legislation.This not only effects large corporations, but also imposes significant data privacy requirements on small business.

Small businesses in Washington are subject to the same regulations as larger corporations but have far fewer resources to handle the additional work needed to protect private data and to comply with data privacy laws.

Existing and proposed privacy law does not appropriately address the financial impact to small business of getting to compliance often forcing a business to spend tens of thousands of dollars in a short amount of time.

Small business owners need to be mindful of these statutes as they do business in Washington, in the U.S. and internationally and to adjust their business policy and practices accordingly. Even if the business is based in Washington and the customer is in a different locale or jurisdiction, there may be additional data privacy requirements with which a business will need to comply.

Read the full Policy Brief here.