As a business owner, you’re likely already aware of the PCI compliance rules governing payment data security.
However, payment information isn’t the only thing worth protecting from fraud and abuse. In fact, there exists a host of data protection laws around the globe designed to safeguard sensitive personally identifiable information (PII). These privacy acts are becoming increasingly important given the speed and ease with which we send, receive, and store data in the digital world.
Moreover, new data protection rules are introduced regularly to help plug holes and vulnerabilities left unaddressed by previous legislation. The California Consumer Privacy Act (CCPA) is a prime example. When it goes into effect in 2020, it will be one of the largest “overhauls” of data privacy the United States has ever seen.
In this article, we’ll look at three of the biggest privacy acts to date — and how they can potentially impact your business. First, let’s explore why data protection laws exist.
Why We Need Privacy Acts More Than Ever
There was a time when people stored their most valuable possessions in physical safes or vaults. Today’s data lives in the cloud, making it accessible to anyone with enough computer savvy.
Worse still, much of this information is shared freely with others (with or without your permission). Not only does this create even more potential vulnerabilities for your data, but it also raises a host of ethical concerns. Should companies, such as Facebook or Google, be allowed to monetize your relationships, browsing history, or medical information?
For a growing number of consumers and regulators around the globe, the answer is “no.” The privacy acts below are designed to limit access to and prevent abuse of your personal information.
Signed into law in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is the oldest data protection law on our list. It was created to:
- Make it easier for patients to transfer and continue their healthcare coverage even if they changed jobs or moved to a new location
- Prevent sensitive billing information and payment data from falling into the wrong hands (even before PCI compliance ever existed)
- Standardize electronic billing, medical pricing, and other administrative tasks throughout the larger healthcare industry
- Ensure that confidential patient information is accessible only to those healthcare stakeholders who need to use this data
HIPAA compliance not only applies to hospitals and support staff, but it also includes insurance companies, HMOs, governmental organizations, marketing companies, lawyers, accountants, and anyone else who might come into contact with sensitive patient information.
Approved in April 2016, the European Union’s General Data Protection Regulation (GDPR) is a sweeping privacy act that grants EU citizens unprecedented control over how their personal information is collected, stored, and used by organizations. This protection law became enforceable on May 25, 2018.
In addition to payment information, GDPR also protects names, addresses, pictures, DNA, and even IP addresses.
There are more than 99 separate articles under GDPR. As a business owner, here are four of the most important:
- You must ask for permission before collecting each user’s data. This request must use clear and simple language (i.e., no more hidden clauses or complex legalese).
- You must notify users within 72 hours of a data breach.
- At each user’s request, you must explain what information is being collected, how it is being used, and with whom it is being shared.
- At each user’s request, you must erase any information that you may have collected in the past.
What sets GDPR apart from previous privacy acts, however, is the sheer reach of this legislation. These data protection laws follow EU citizens — no matter where they travel or with whom they do business. This means U.S. e-commerce merchants that sell to European customers are also subject to GDPR rules.
Legislation this broad could hurt many business models, but that’s precisely the point. The architects of GDPR believe that secretly collecting, sharing, and monetizing personal data shouldn’t be a business model. This message is spreading, with countless other nations — from Canada to Argentina to Australia — introducing their versions of GDPR.
And as you’ll soon see, countries aren’t the only ones who are taking note.
The California Consumer Privacy Act is very similar to the EU’s GDPR. But rather than prevent all businesses from collecting personal information, CCPA focuses on the biggest offenders (i.e., Facebook, Amazon, and Google).
That’s why this privacy act applies to your business only if it meets one of the following criteria:
- You generate more than $25 million annually
- You earn at least half of your revenue from selling personal information
- You collect personal data from 50,000+ customers, devices, or households
Just like with GDPR, California’s new privacy act will enjoy global reach — applying to all businesses that have a physical presence, employees, or customers in the state.
Although CCPA doesn’t go into effect until January 1, 2020, it has already prompted copycat legislation from several other states, including New York, Nevada, and Maryland.
What All of These Data Protection Rules Mean for Your Business
You went into business to sell products and services to customers, not to navigate the complex world of privacy laws. But noncompliance carries significant costs. Under the current GDPR framework, for example, penalties can go as high as 4% of the offending company’s global revenue for that calendar year.
As such, compliance is both the cheaper and safer option.
But how do you remain in good standing, especially given the growing number of overlapping privacy acts that continue to emerge? It isn’t easy. One effective strategy involves minimizing the amount of information you collect and keep.
For example, imagine you’re a merchant that wants to capture a new sale. You also want the ability to process future sales if that customer signs up for recurring billing.
You can accomplish both of these goals if you enable:
- Tokenization, which eliminates the need to “store” credit card details within your payment environment. Instead, you can use randomly generated token IDs to replace each user’s 16-digit credit card number.
- Hosted payment pages, which remove the need to “capture” credit card info in the first place. Instead, your customers upload their payment details using a secure form hosted on your payment processor’s server.
Neither of these data security tools will automatically make you compliant with any of the aforementioned privacy acts. But you can’t be in violation of data security guidelines if you don’t capture or store data.
To explore how our suite of payment processing solutions can help minimize your PCI, HIPAA, CCPA, and GDPR scope, schedule a free consultation with our merchant services team today.