Maintaining customer privacy is one beast every company has to learn to tame—and small businesses are no exception. However, building a privacy culture with limited budgets and resources is an entirely different animal.
“A lot of times smaller businesses don’t have the time or the resources to dedicate to having somebody on staff to keep abreast of all the new rules and regulations, and they’re just unaware of them,” says Sal Tripi, Online Trust Alliance (OTA) chairman and assistant VP of digital operations and compliance at multichannel direct marketing organization Publishers Clearing House. “I think the education of the small business owner or the small site operator is probably one of the biggest obstacles facing the industry.”
When it comes to forming a privacy policy, Tripi says one of the biggest misconceptions small businesses have is that privacy policies are a one-time deal that can be drawn up by an attorney and then locked away. However, OTA executive director Craig Spiezle says privacy policies should be updated “at least once a year if not more” to align with a business’s technological and strategic growth.
“If you think of how quickly technology and companies are evolving, and things are getting more and more complex, it’s not a stretch to think that the world that you’re operating in today is going to be very different 365 days from now,” Tripi says. “If you’re leveraging the new technologies and the things that are out there, your privacy policy has to evolve with your site.”
However, Spiezle views this lack of awareness as an opportunity rather than an obstacle.
“I think small businesses, if anything, need to differentiate themselves,” Spiezle says. “This becomes an opportunity because I think they can out-innovate larger companies in data privacy.”
Spiezle recommends that small businesses revalidate what data they’re collecting, why they’re collecting it, and how the organization intends to protect it. He adds that there are three rings of accountability when collecting and sharing data: business, consumer, and government.
When it comes to corporate responsibility, data collection and sharing should be an industry-wide matter, Spiezle says. In addition, consumers need not only to be aware of what data they’re giving out and why, but also to be conscious of the value they’re receiving from distributing their data. “All too often, consumers take it for granted,” Spiezle says. “Finding that balance of increasing awareness, using it as a differentiator, and also promoting the value that consumers are getting back from these services is really important.”
Finally, he advises businesses to view the government as a friend rather than a foe, particularly after a data breach. “They’re not there to disclose to the press. They’re not there to disclose to regulatory authorities. They’re there to investigate,” Spiezle says. “Businesses need to have that collaboration with government agencies and government in turn has to make sure that this is understood how they can help.”
Both Spiezle and Publishers Clearing House’s Tripi acknowledge that data breaches do occur and stress the importance of having an emergency plan in place.
“Before a data breach occurs, it’s important that [businesses] understand what data they have, where they have it, and classify that data into the various types: whether it be sensitive data, personal data, or general data,” Tripi says. “That’s actually one of the biggest fundamental issues that we see with small business. They’re not even aware of what is sensitive data.”
“As someone said to me, you don’t rewrite the fire code when your house is on fire,” Spiezle says.
The two also acknowledge that abiding by state data collection guidelines can be daunting. And while they agree federal legislation would provide a more uniform playing field, they encourage companies to rise above the law.
“When it comes to self-regulation or privacy law, I think we would certainly endorse the right laws…as at least not the standard that we should follow, but at least we understand what the legal implications are,” Tripi says. “My thought would be there would be self-regulation and best practices that rise above that, and then certain businesses will choose what level they want to do business on.”
“The right thing to do is for businesses not to wait to be legislated, but help shape that legislation by adhering to best practices,” says Spiezle. “Look at these [practices] as the floor, not the ceiling, of what you should be doing.”