opinion

Will Your Business Need a Data Protection Officer?

Will Your Business Need a Data Protection Officer?

Any online business is either managing the data it collects or needs to learn how quickly, and every business that collects any kind of data needs to become compliant and maintain compliance with data protection laws.

Whether you are selling barbecue sauce or big beautiful women, your business will never reach its potential without big data, and big data imposes big responsibilities

If you collect data from your customers, you need to take steps to comply with various and overlapping data protection laws.

Who your customers are, where they live, how often they visit your site, what they buy, and how often they buy are critical data that can help tailor your offerings and increase sales.

In an increasingly competitive environment, not using big data to improve your bottom line is a mistake that cuts into profits. Collecting information from your customers is a necessary part of doing business online, and proper data management is necessary to make the most of that data.

However, if you collect data from your customers, you need to take steps to comply with various and overlapping data protection laws.

Next May, the E.U.’s General Data Protection Regulation (GDPR) will take effect, and if you collect information, like login name, IP and email addresses from E.U. residents, or if E.U. residents buy your stuff, your business is subject to this law.

The GDPR requires, at minimum, that you post a privacy policy with understandable terms and actually stick to those terms. Additionally, it requires businesses to maintain systems where customers can correct erroneous information or have all their data erased, and under the GDPR, erased really does mean erased.

After a customer requests deletion, deactivating that customer but retaining the customer data in an inactive file is a violation incurring potentially large financial penalties. The penalties are intended to be “effective, proportionate, and dissuasive.” That means they’re intended to make it more financially sensible to comply than not, but if you don’t comply, the penalties will cause pain, no matter how big or small your operation. It does not matter where your business is located – if you have E.U. customers, the GDPR applies to you.

While the GDPR will create relatively uniform requirements across the E.U., the U.S. has a growing number of data security and privacy laws, with different requirements, and no federal unifying code.

As of this writing, 48 states, the District of Columbia and Puerto Rico have some sort of data protection law on the books and it can be a confusing mess, with varying requirements for privacy policy notices, how to define data breaches, and what to do after a data breach is discovered, who must be notified and how, and how much time you have to do it. As a business owner, you need to know what laws apply to you and what you need to do to stay compliant.

Some states require a privacy policy to be published on your website, others don’t. Some jurisdictions define a data breach as someone copying information from your servers, others define a data breach as unauthorized access, even if no copying or altering took place.

Some states require notifying the attorney general if you experience a data breach, most require notification of the persons whose data has been compromised, and most have exceptions to the notice rules if the data that was compromised was encrypted so long as the encryption key was not compromised.

California has comprehensive data protection requirements if you collect information from California residents, and Nevada just passed a law that requires a privacy policy to be published on any website that collects any type of identifying information from Nevada residents, even if all you collect is an email. Nevada is quite nice in that it gives you 30 days to post or correct a Privacy Policy after you have been informed of failure to comply.

Both states make it a violation to not post a privacy policy and also make it a violation if you knowingly violate your own privacy policy, so copying and pasting someone else’s privacy policy can cause you more problems than not posting a privacy policy at all.

With so many different jurisdictions and laws in the online space, attempts at compliance can be intimidating. At minimum, every business should be complying with the laws of the jurisdictions where your company headquarters is located, where it is incorporated, where it is hosted, and where its billing solutions are located.

You will need to post accurate Data Privacy Policies, respond to customer requests to delete or correct data, and have a plan in place to respond to a data breach. Does an affiliate manager selling a USB with 1,000 email addresses trigger notification requirements?

It depends on where you are located. Does your state or country require notifying a data protection authority after a discovered breach? Many do, and the time to notify varies, some within 72 hours. Does an employee losing a laptop with customer information count as a data breach? Most likely, and if you don’t have a response plan, you will waste valuable hours figuring out what your law requires.

Getting off the phone with your webmaster who tells you his laptop was stolen from his car is not the time to figure out if you need to notify an attorney general or what constitutes a reportable data breach. Put an emergency response plan in place before you need it, and run some desk top drills.

The good thing about data privacy laws are that they apply equally to all businesses and don’t single out adult enterprises, but the bad things are that an online business needs to comply with laws from many jurisdictions and the number of professionals that understand data privacy compliance is woefully inadequate, and the number of certified professionals even smaller.

Some online businesses will need a full-time data protection officer, others will only need review and updating of current data policies with regular checkups, but everyone will need to include data privacy issues in business planning. If you haven’t started planning for data protection rule compliance, you are already behind.

Chad Anderson is an Arizona attorney working in the area of cybersecurity and data privacy. He can be reached at chad@chadknowslaw.com.

Related:  

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

Navigating Age-Related Regulations in Europe

Age verification measures are rapidly gaining momentum across Europe, with regulators stepping up efforts to protect children online. Recently, the U.K.’s communications regulator, Ofcom, updated its timeline for implementing the Online Safety Act, while France’s ARCOM has released technical guidance detailing age verification standards.

Gavin Worrall ·
opinion

Why Cyber Insurance Is Crucial for Adult Businesses

From streaming services and interactive platforms to ecommerce and virtual reality experiences, the adult industry has long stood at the forefront of online innovation. However, the same technology-forward approach that has enabled adult businesses to deliver unique and personalized content to consumers worldwide also exposes them to myriad risks.

Corey D. Silverstein ·
opinion

Best Practices for Payment Gateway Security

Securing digital payment transactions is critical for all businesses, but especially those in high-risk industries. Payment gateways are a core component of the digital payment ecosystem, and therefore must follow best practices to keep customer data safe.

Jonathan Corona ·
opinion

Ready for New Visa Acquirer Changes?

Next spring, Visa will roll out the U.S. version of its new Visa Acquirer Monitoring Program (VAMP), which goes into effect April 1, 2025. This follows Visa Europe, which rolled out VAMP back in June. VAMP charts a new path for acquirers to manage fraud and chargeback ratios.

Cathy Beardsley ·
opinion

How to Halt Hackers as Fraud Attacks Rise

For hackers, it’s often a game of trial and error. Bad actors will perform enumeration and account testing, repeating the same test on a system to look for vulnerabilities — and if you are not equipped with the proper tools, your merchant account could be the next target.

Cathy Beardsley ·
profile

VerifyMy Seeks to Provide Frictionless Online Safety, Compliance Solutions

Before founding VerifyMy, Ryan Shaw was simply looking for an age verification solution for his previous business. The ones he found, however, were too expensive, too difficult to integrate with, or failed to take into account the needs of either the businesses implementing them or the end users who would be required to interact with them.

Alejandro Freixes ·
opinion

How Adult Website Operators Can Cash in on the 'Interchange' Class Action

The Payment Card Interchange Fee Settlement resulted from a landmark antitrust lawsuit involving Visa, Mastercard and several major banks. The case centered around the interchange fees charged to merchants for processing credit and debit card transactions. These fees are set by card networks and are paid by merchants to the banks that issue the cards.

Jonathan Corona ·
opinion

It's Time to Rock the Vote and Make Your Voice Heard

When I worked to defeat California’s Proposition 60 in 2016, our opposition campaign was outspent nearly 10 to 1. Nevertheless, our community came together and garnered enough support and awareness to defeat that harmful, misguided piece of proposed legislation — by more than a million votes.

Siouxsie Q ·
opinion

Staying Compliant to Avoid the Takedown Shakedown

Dealing with complaints is an everyday part of doing business — and a crucial one, since not dealing with them properly can haunt your business in multiple ways. Card brand regulations require every merchant doing business online to have in place a complaint process for reporting content that may be illegal or that violates the card brand rules.

Cathy Beardsley ·
profile

WIA Profile: Patricia Ucros

Born in Bogota, Colombia, Ucros graduated from college with a degree in education. She spent three years teaching third grade, which she enjoyed a lot, before heeding her father’s advice and moving to South Florida.

Women In Adult ·
Show More