What laws require small businesses to have a Privacy Policy? 


Donata Stroink-Skillrud

Co-founder and President of Termageddon

Perhaps you run your business by yourself as a solopreneur, have only a few clients, a dozen people on your email list and just a few hundred dollars in revenue. It would be natural to assume that you are not subject to the same privacy law requirements as giants such as Facebook or Google. However, while some privacy laws do exempt small businesses from compliance requirements, many privacy laws can apply to businesses regardless of their revenue, the number of employees that they have or the amount of personal information that they collect. It is also important to note that privacy laws can apply to small businesses even if they are not located in the state or country that passed the privacy law. In this article, we will discuss the privacy laws that can apply to small businesses, requiring them to have a comprehensive and up-to-date Privacy Policy, so that you can learn how to protect your business from privacy-related fines and lawsuits.

California Online Privacy and Protection Act (CalOPPA)

The first privacy law that can require small businesses to have a Privacy Policy is CalOPPA, which protects the privacy of residents of California by requiring certain businesses to have a Privacy Policy that makes the specific disclosures required by this law. CalOPPA applies to any operator of a website that collects the personal information of residents of California, regardless of whether the operator is located in California. Thus, if your website is collecting, or could be collecting, personal information such as names, emails or phone numbers of residents of California, you may be subject to CalOPPA, even if you are a small business.

Nevada Revised Statutes Chapter 603A

The second privacy law that can apply to small business owners is Nevada Revised Statutes Chapter 603A, which applies to you if you: 

  • Own and operate a website for commercial purposes;
  • Collect and maintain the personal information of consumers who reside in Nevada and use or visit your website; and 
  • Do business in Nevada. 

Thus, if you have customers located in Nevada and have a website where visitors from Nevada could submit their personal information, then you may be required to have a Privacy Policy that contains the disclosures required by this privacy law. 

Delaware Online Privacy and Protection Act (DOPPA)

Another privacy law that can apply to small businesses is DOPPA, which requires certain business websites to have a Privacy Policy that complies with the disclosure requirements of this law. DOPPA applies to any person that owns a website that collects the personal information of residents of Delaware. Since virtually anyone can fill out a contact form with their personal information on a website or be tracked through analytics when using a website, this privacy law also has a very broad reach and can apply to small businesses. 

General Data Protection Regulation (GDPR)

While GDPR aims to protect the privacy of residents of the European Union, it is also a very broad-reaching privacy law in the sense that it can apply to businesses outside of the European Union, regardless of their revenue size, employee size or the amount of personal information that they collect. GDPR will apply to your business if you: 

  • Are located in the European Union; 
  • Offer goods or services to European Union residents, regardless of your location; 
  • Monitor the behavior of European Union residents through your website (e.g. through features such as cookies, tracking pixels or analytics), regardless of your location. 

GDPR is one of the most highly enforced privacy laws in the world, with fines being issued not just to large companies but small businesses as well. 

United Kingdom Data Protection Act (UK DPA)

The UK DPA is a privacy law that aims to protect the privacy of residents of the United Kingdom by providing them with privacy rights and by requiring businesses of any size to have a compliant Privacy Policy. The UK DPA applies to you if you: 

  • Are located in the United Kingdom; 
  • Offer goods or services to residents of the United Kingdom, regardless of your location; 
  • Monitor the behavior of residents of the United Kingdom through features such as cookies, analytics or tracking pixels, regardless of your location. 

Personal Information Protection and Electronic Documents Act (PIPEDA)

The sixth privacy law that can require small businesses to have a Privacy Policy is PIPEDA, which protects the privacy rights of residents of Canada. PIPEDA applies to any organization (regardless of location) that collects, uses, or discloses the personal information of residents of Canada in the course of a commercial activity. As “commercial activity” is defined as any conduct that is of a commercial character, this privacy law does exempt nonprofits but does not exempt small businesses from its requirements.

Quebec Law 25

The seventh privacy law that can apply to small businesses is Quebec Law 25, which went into effect on September 1st, 2023. This law applies to persons who collect, hold, use or share the personal information of residents of Quebec, Canada. This privacy law differs from PIPEDA in the sense that it can apply to nonprofits, as well as for-profit businesses. Quebec Law 25 will require small businesses that need to comply with this law to have a comprehensive Privacy Policy that includes all of the disclosures required by this law. 

Australia Privacy Act 1988

The final privacy law that can apply to small businesses is the Australia Privacy Act 1988. This law can apply to Australian businesses, regardless of their revenue, if they are:

  • Private sector healthcare providers; 
  • Businesses that sell or purchase personal information; 
  • Credit reporting bodies; 
  • Contracted service providers for Australian government contracts; 
  • Employee associations registered or recognized under the Fair Work (Registered Organisations) Act of 2009; 
  • Businesses that have opted in to comply with the law; 
  • Businesses that are related to a business covered by the law; and 
  • Businesses prescribed by the Privacy Regulation 2013. 

This privacy law can also apply to businesses outside of Australia, regardless of their size, if they have an Australian link. Your business has an Australian link if you do business in Australia and collect and hold the personal information of residents of Australia. 

Small business Privacy Policy requirements

As demonstrated above, there are numerous privacy laws that can apply to small businesses, regardless of their revenue, number of employees or the amount of personal information that they collect. These privacy laws require small businesses to have a comprehensive and up-to-date Privacy Policy that contains the disclosures required by each privacy law. That is why it is so important to first determine which privacy laws apply to your business, as your Privacy Policy must include the disclosures required by those laws to avoid fines and potential lawsuits. In addition, multiple privacy bills have been proposed that can apply to small businesses, some of which would even allow consumers to sue businesses directly for violations. Thus, you must not only have a Privacy Policy that complies with today’s privacy laws; you must also have a strategy to keep it up to date with future legislation. If you do not currently have a Privacy Policy or do not have a strategy to keep it up to date, make sure to check out the auto-updating Termageddon Privacy Policy generator.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
