In response to advances in technology and the expansion of privacy abuses and data breaches, there has been a proliferation of state legislation on consumer data privacy to grant consumers rights with respect to information about them.

Convenience store retailers need to monitor state and federal laws to understand how these measures will affect their businesses and how they collect, use and store consumer data. California has already passed strict privacy measures that could cost companies hundreds of dollars per incident of misuse.

Due to all of this state activity and checker-board of state regulations on privacy, Congress has been trying to pass a federal privacy law. With the latest high-profile cyber-attacks and ransomware attacks, noted Paige Anderson, director of government relations for NACS, lawmakers around state capitols and Washington have again turned their attention to how protect consumer and business information, along with giving consumers certain rights around their personal information.

Data privacy regulation and legislation are bound to evolve in both volume and complexity as the world becomes more and more digital and consumers become increasingly sophisticated, said Ryan Mathews, principal of Black Monk Consulting in Royal Oak, Mich.

These regulations are likely to follow two paths:
* The first will be generally focused on how consumer data is obtained.
* The second will center around data ownership and issues surrounding how data is monetized — who can sell, buy and resell it, and how consumers can be directly paid for data — and of course how far the government can go in terms of accessing it.

One of the biggest areas coming up for many convenience stores is not only data privacy but also the release of PCI DSS v4.0, which issues requirements on how credit card information should be managed. “This is definitely on your readers’ radar to prepare for, as compliance takes quite a while to transition to new requirements,” said Cindy Kaplan, director of marketing for Halock Security Labs in Glenview, Ill. “A key takeaway from PCI is that organizations would definitely need to review their operations and assess their risk posture.”

NACS has been working with lawmakers in Congress and stakeholders from all industries to pass federal privacy legislation that applies to all industry sectors rather than shifting the requirements onto the retail sector of the economy and that any federal law not pick regulatory winners and losers among different business sectors, nor exempt any industry or business, such as telecommunications or financial service industries.

The association believes any federal data privacy framework should preserve the relationship between businesses and their customers and ensure that customers are able to receive all of the products and services they expect from retailers – including discounts or enhanced services they earn from being loyal customers.