Data privacy has become a necessary ingredient in the business fabric for retailers, especially those in the convenience/petroleum industry. Whether you look purely at your customer’s personal information, or broaden your perspective to include employee and business data as well as payment data, the amount of data flowing through your business requires increasing attention to its security — and ensuring its privacy.
Data privacy relates to how a piece of information—or data—should be handled based on its relative importance. In the digital age, we typically apply the concept of data privacy to critical personal information, also known as personally identifiable information (PII) and personal health information (PHI). This can include Social Security numbers, health and medical records, financial data, including bank account and credit card numbers, and even basic, but still sensitive, information, such as full names, addresses and birthdates. The list of personal information can be pretty extensive, especially as it relates to convenience retailing.
Why is Data Privacy Important?
For a business, data privacy goes beyond the PII of its employees and customers. It also includes the information that helps the company operate, whether it’s proprietary research and development data or financial information that shows how it’s spending and investing its money. When data that should be kept private gets in the wrong hands, bad things can happen. A data breach at a government agency can, for example, put top secret information in the hands of an enemy state. A breach at a retail business can put proprietary data in the hands of a competitor or in the hands of hackers in the dark web where it can be sold and exploited.
As of Jan. 1, 2020, the most comprehensive state law in the U.S. became effective — the California Consumer Privacy Act (CCPA). Enforcement of the CCPA is technically underway, but other states are poised to follow the lead of California. At least Massachusetts, Washington state, Florida, Texas, Nevada, Virginia, Minnesota and Maine have been trying to pass privacy legislation — many of them building on the California model. Regardless of which states c-stores do business in, you are likely to have customer data from around the nation, so you will need to figure out how to comply with the growing number of state laws.
In July 2019, New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. This law amends New York’s existing data breach notification law and creates more data security requirements for companies that collect information on New York residents. As of March 2020, the law is fully enforceable. This law broadens the scope of consumer privacy and provides better protection for New York residents from data breaches of their personal information.
What Businesses Need to Know
There is no one comprehensive federal law that governs data privacy in the United States. There’s a complex patchwork of sector-specific and medium-specific laws, including laws and regulations that address telecommunications, health information, credit information, financial institutions, and marketing.
The Federal Trade Commission Act has broad jurisdiction over commercial entities under its authority to prevent unfair or “deceptive trade practices.” While the FTC does not explicitly regulate what information should be included in website privacy policies, it uses its authority to issue regulations, enforces privacy laws, and take enforcement actions to protect consumers. For example, the FTC might take action against organizations that…
* Failing to implement and maintain reasonable data security measures.
* Failing to abide by any applicable self-regulatory principles of the organization’s industry.
* Failing to follow a published privacy policy.
* Transferring personal information in a manner not disclosed on the privacy policy.
* Making inaccurate privacy and security representations (lying) to consumers and in privacy policies.
* Failing to provide sufficient security for personal data.
* Violating consumer data privacy rights by collecting, processing, or sharing consumer information is a violation of the FTC’s consumer privacy framework or national privacy laws and regulations.
* Engaging in misleading advertising practices.
Even if your company is based in a jurisdiction that has not implemented comprehensive data privacy legislation, it is essential to consider where your potential users might reside and what regulations apply. If you intend to do any business in California, New York, or the European Union, you should be familiar with the requirements of the CCPA or the SHIELD Act. In most cases, it’s simpler and less expensive for your organization to adhere to these standards for all of your customers rather than applying different rules based on location.
Data protection is becoming more important and will affect users’ decisions about where they do their online browsing and shopping. Increasingly, a company’s reputation for the responsible handling of personal data will be an asset that can lead to more website traffic, conversions, and a positive impact on profits.