While the U.S. does not have one federal law that regulates the protection of personally identifiable information (PII), PII is protected by several sector-specific laws. The major players are the Federal Trade Commission Act (FTC Act), the Telephone Consumer Protection Act (TCPA), the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), and the EU’s General Data Protection Regulation (GDPR). These are just some examples of laws that apply to customer protection, financial institutions, telemarketing, commercial emails, and European markets.
While there is much to consider, businesses in the U.S. can be data compliant by fulfilling the requirements of the GDPR, understanding state-specific regulations, creating a comprehensive and detailed privacy policy, and employing data encryption and security. Please find more detail on how to be a “smart marketer” below (including bonus tips!).
Comply with GDPR. For a U.S.-based business to comply, the organization must do so under one of the following legal grounds outlined by the GDPR. While a business usually has a legitimate interest to process personal data, obtaining the subject’s consent is the easiest way to ensure compliance in the U.S. It is helpful to know that the fundamental rights and freedoms of the person always overrides the company’s interests, especially if it’s a child’s data.
Tip: You should make it easy for individuals or visitors to revoke consent at any time.
Be Familiar with State-Specific Laws. While there is no singular federal law on data compliance, several states in the U.S. have created laws to ensure regional protection. Here is a summary of some important state-specific data compliance laws:
Image sources: Varonis
Tip: Please note that a state’s data compliance law does not just affect businesses in the state, but also affects businesses that deal with their residents.
Offer a Privacy Policy. Businesses must present a privacy policy while being transparent about the use of PII. Easily understood policies will resonate more effectively with customers in terms of branding and loyalty. Learn more about what a business’ privacy policy should include here.
Tip: Be aware that a business’ privacy policy must also identify categories of PII that the operator collects from an individual who uses or visits its website and third parties with whom the operator shares the information.
Understand “Do Not Track” (DNT). Today, site visitors are increasingly using DNT signals to let businesses know not to track them. This information is linked by a browser to a website being visited about the fact they are saying not to track them. Currently, only some states recognize DNT, but we recommend including whether a business accounts for DNT in its privacy policy.
Tip: We highly recommend that businesses serving California residents include DNT disclosure in their privacy policies.
Employ Security and Encryption Processes. Businesses need to enforce safety measures that will prevent unauthorized access or theft of PII data offered by a client right now. We recommend that staff with data access be trained on sensitive data handling, security, and protocols. A background check is also required. If a breach occurs, it is important to communicate it to the individual as soon as possible, which will leverage a business’ transparency to ultimately aid in branding efforts.
Tip: Incorporating the above best practices will more effectively protect a business if there is a data breach. Your business is less likely to face penalties as the offenders will not be able to easily decipher the encrypted text.
We understand that being a smart marketer in 2021 can be overwhelming. Our goal is to help drive your success. From data compliance to keeping privacy at the forefront of your omnichannel strategy, we are here to help.
Research provided by Ask Wonder. Additional sources include Thompson Reuters, Iubenda, Varonis, and Kaspersky.
