
Small Business Data Compliance Guide: GDPR, CCPA, and More for 2025
January 23, 2025 | Joseph Marella
Data is the 21st century key, unlocking the potential for businesses to make highly informed decisions to better connect with their customers and serve their needs. By leveraging data, businesses can provide products and services that tailor to individuals, rather than the masses, while still serving their customers at scale.
But with such an opportunity, data is a prime target for bad actors looking to take advantage of insecure systems for personal gain. Government agencies across the world have sought to introduce regulations that help businesses to be more aware of the risks of collecting, storing, and using consumer data.
This post will introduce you to many of these regulations, focusing on bringing awareness to the regulations your business may need to adhere to. In our next post, we’ll follow up with some actionable considerations for how to effectively secure your customers’ data.
Note: While Boxhouse Consulting is not a specialized provider of cybersecurity services, these concepts are crucial to the work that we do to develop top-quality web-based software solutions.
Regulations
GDPR
Maybe you’ve heard of the term GDPR before, or not—that’s okay too. GDPR is the General Data Protection Regulation, and one of the most important regulations to be aware of if you operate a business online. Although this policy is enacted and enforced within the European Union, it applies to any business collecting data on EU residents, so given the global nature of operating online it’s often best to adhere to its standards regardless of where your business is based.
Here are some key points to keep in mind with GDPR:
- Collect only necessary customer data and process it lawfully, fairly, and transparently
- Obtain explicit, informed consent for data collection, and make it just as easy for users to withdraw that consent
- Users control their data, with a right to access, rectify, erase, and retrieve their data, as well as the right to object to certain practices performed on that data
- Implement sufficient security standards (more on these in our next post) and report data breaches within 72 hours
Failure to comply with these standards can cost businesses up to 20 million euros (20.8M USD as of the time of publishing this post) or 4% of global annual revenue, whichever is higher, according to European company Intersoft Consulting.
CCPA
CCPA is the California Consumer Privacy Act. This standard applies to all businesses providing goods or services in California on a repeated and ongoing basis, or those that operate a website or app that allows California residents to provide personal information. Additionally, these businesses must meet at least one of the following criteria:
- Annual gross revenues in excess of $25MM
- Buys, sells, or shares the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of its annual revenue from selling customers’ personal information (PI)
Failure to comply with these standards can result in fines ranging from $2,500 to $7,500 per violation, depending on whether the violation is deemed unintentional or intentional, respectively. Because fines are assessed per violation, an incident compromising the data of only 1,000 customers can result in fines ranging from $2.5 million to $7.5 million. You can read more about CCPA at the official filing here.
Additional Regulations
Although GDPR and CCPA are the big two to pay attention to, we’ll briefly list some other regulations that you may want to be aware of, in addition to the circumstances in which they apply.
- CPRA (California Privacy Rights Act) - Expansion of CCPA, relevant if doing business in California
- HIPAA (Health Insurance Portability and Accountability Act) - Relevant in healthcare or if doing business with health-related data
- PIPEDA (Personal Information Protection and Electronic Documents Act) - Relevant if doing business in Canada
- PCI DSS (Payment Card Industry Data Security Standard) - A global standard, relevant if your business processes payments online
- LGPD (Lei Geral de Proteção de Dados) - Relevant for businesses operating or doing business in Brazil
- ePrivacy Directive (Cookie Law) - European Union regulations around cookie usage, often discussed alongside GDPR. Often globally relevant if your business uses cookies, trackers, or personalized online advertising.
- FERPA (Family Education Rights and Privacy Act) - Relevant to businesses working with educational institutions or handling student data.
This is not a comprehensive list of all regulations that exist, but this overview should lay the foundation for next steps you may take when it comes to questions you need to ask. Now, let’s talk a little bit about some less regulation-specific consequences your business could face if data protection isn’t taken seriously.
Business Impact
Beyond the regulatory implications of handling user data, there are also many consumer-first impacts that businesses will want to be aware of. In general, customers have the ability to seek recourse when they are harmed by negligent practices. In the courtroom, these may include private or class-action lawsuits.
Outside of the courtroom, reputational damage could have massive negative consequences for businesses. A survey by Ping Identity, surveying over 3,000 customers across the US, UK, France, and Germany, found that just a single data breach can cause a business to lose customer engagement from as many as 78% of their customers.
Customers depend on businesses like yours to take care of the information they provide to your company. And when it comes to their private and personal data, trust is everything.
Conclusion
Hopefully you’re now feeling a little more confident in your business’s position when it comes to data collection, storage, and management. By making your customers’ data a priority, you can build trust with them, empowering them with the true value that your business strives to offer.
In our next post, we’ll discuss how your business can confront this confusion head on, providing you with actionable insights that you can use to secure your customers’ data and ensure your compliance with local and global regulations.
Does your business have a website or use web-based software? Let Boxhouse ease the stress of regulatory compliance by scheduling a free consultation today. We will work closely with you and your business to ensure that your current and future offerings bring safety and security to your valued customer data.