Overview of Samantha Peaslee’s Webinar, Dealing with Data
Chances are that as a business owner, you are collecting some kind of information about your customers. Maybe it is their payment information when they make purchases on your website, maybe it is their address to deliver your product to, or maybe it is just their email address to add to your newsletter. Whatever it may be, as a business owner you need to be aware of the laws surrounding data collection and how they impact your business. What are the best practices to keep your business safe? Keep reading for information from Samantha Peaslee’s recent webinar session, Dealing with Data.
Who does the law apply to?
First, let’s start with who the laws apply to. Each state has a different set of rules governing commerce within its borders. This post is primarily concerned with Colorado’s laws, but the California Consumer Privacy Act is the strictest set of rules in the country, so if you conduct business outside of Colorado and want to be safe, you can use California’s standards. Currently in effect are the Colorado Consumer Data Security Laws, which impact any business that maintains, collects, or owns Personally Identifiable Information of Colorado residents in the course of its business.
Personally Identifiable Information (PII) has many definitions depending on the particular law, but according to Samantha, PII is generally information that, if someone else had it, would let them steal your identity, take money from your bank account, conduct fraud, get into your email, etc.
Another category of customer data that is important to be cognizant of, but is not as strictly protected, is Personal Information. Most small businesses are collecting Personal Information more often than PII and it is important to know what you are responsible for depending on the type of information you are collecting. Some examples of PII and Personal Information are in the table below.
| PII | Personal Information |
| --- | --- |
| Social Security Numbers / Personal Identification Numbers | First Name + Last Name with a piece of PII |
| Passwords / Passcodes | Username or email address with password security question and answer |
| Driver’s License Numbers / Passport Numbers | Account number or credit/debit card number with a security code/password |
| Financial Account Numbers | |
Note: Information that is lawfully available to the general public is not protected under PII or Personal Information.
What are Consumer Rights?
- Opt-Out Right: Consumers have the right to say how their personal data will be used and your business must offer a clear way for customers to opt-out of giving their personal data for certain uses. This must be written in your privacy notice as well as in a readily accessible location outside of your privacy notice.
- Unsubscribe: Consumers must be able to easily unsubscribe from your communications.
- Access: Consumers have the right to confirm whether your business is processing any of their personal data and can ask to be told what data your business has on file for them.
- Correction: Consumers have the right to correct inaccuracies in their personal data.
- Deletion: Consumers have the right to ask your business to delete the personal data you have on file for them.
- Data Portability: Consumers can ask you for a copy of the data your business has on file for them up to two times per calendar year, according to the Colorado Privacy Act effective July 2023.
What are your Obligations?
- Internal Privacy Policy: Your business is required to have a written policy ensuring PII is properly disposed of when it is no longer needed and you must have security measures in place to protect PII based on the nature and size of your business as well as the type of PII collected.
- External Privacy Policy: Your privacy policy cannot be buried within your terms and conditions if customers only interact with the policy through your website. The policy must be written so that it is clear, meaningful, and reasonably accessible. It must include the categories of personal data collected or processed, the purposes for processing personal data, how and where consumers can exercise their rights, how to appeal the company’s actions, the personal data shared with third parties (and who those third parties are), and a disclosure of any sale or processing of personal data.
What are your Duties and Best Practices?
- Be transparent: Specify why you are collecting the data and how you will use it.
- Minimize collection: Only collect data that your business needs and has a purpose for.
- Avoid secondary use of information: Don’t bait and switch your customers (e.g. using an email for a newsletter if you haven’t disclosed using their information in that way).
- Obtain consent: Process sensitive data only with consumer consent.
- Maintain your policies: Follow your internal and external privacy policies.
- Third party vendors: Know what third party vendors you are using.
- Give customers options: Provide the ability for customers to easily opt-out, unsubscribe, change, or limit their information.
Where To Go From Here
Have more questions about your privacy policies, how you handle customer data, or what you need to do to be ready to comply with the new Colorado Privacy Act? Reach out to schedule an appointment with an SBDC Legal Consultant here! You can also check out Samantha’s full presentation for more details on our YouTube channel here.