In today’s day and age, there is an inherent tension between privacy concerns and your business’s marketing needs. The collection and use of personal data is both a potential goldmine and an existential threat. From a marketing perspective, even if certain data is not useful in the near term, it could become useful and valuable in the future. The more personal data available to your business, the better you’ll be able to market personalized experiences, make more targeted and compelling offers, and capitalize on opportunities for cross-marketing and up-selling your customers. From a privacy perspective, the collection and maintenance of unnecessary data exponentially increases your potential liability and is a burden on the people and systems charged with protecting it. This creates a natural dichotomy between the desire, from a privacy perspective, to minimize the amount of customer data collected and the desire, from a marketing perspective, to maximize the amount of customer data collected, maintained, and mined for information. Moreover, as a result of massive data breaches and abusive data collection and use practices, data privacy rights and protection (and the consequences for failing to provide them) have become a consistent theme in the national discourse.
It is important to be aware that the more personal data your organization collects, the more important and complicated the protection of personal data and compliance with privacy laws becomes for your organization. For example, as of mid-2018, every state had enacted its own varying legislation requiring notification of breaches involving personal data (with many differing requirements for the content of such notices), and proposals for new state and federal data privacy laws are legion. Moreover, in the European Union, the most sweeping and stringent data privacy legislation ever enacted, the General Data Privacy Regulation (“GDPR”), went into effect in May of 2018. While the GDPR only applies to businesses that control the personal data of residents of EU member states, many of the concepts embodied therein are recognized as best practices that are being adopted in new legislation, such as the rights of individuals to know about and control the use of their personal data, the right to erasure of personal data, and the obligations of businesses to adopt reasonable, risk-based security measures to protect personal data. For example, the California Consumer Privacy Act of 2018, which goes into effect in less than one year, mirrors the rights and obligations created by the GDPR in many respects, and applies to certain organizations that collect and control the personal data of California residents. These newly-enacted laws, and others in the pipeline, are a minefield that well-meaning business owners must be aware of and navigate.
It’s the things that you don’t know that will get you into trouble. Because of the web of overlapping (and often contradictory) data privacy laws that have come into existence and supplemented previously existing state and federal deceptive and unfair trade practices laws, you should regularly consider at least each of the following questions and reevaluate your data collection and storage practices based on the needs of your evolving business: What types of personal data are you collecting, and how are you protecting it, both physically and digitally? Is the data encrypted or anonymized after collection? Does your website use analytical cookies and/or functional cookies (and do you even know the difference)? Do you know everything that your business does with the personal data it collects? Do you have a valid business reason for collecting, storing, and using each piece of that personal data? Do you know how long you keep the personal data you’ve collected, and do you have a reason for keeping it that long? Do you have an established data privacy policy and a data breach/incident response plan, and are those plans up to snuff?
Data privacy legislation is in a near constant state of flux as legislators scramble to protect individuals’ rights with respect to the vast amounts of personal data collected by businesses every day. As a business owner, you regularly collect and maintain the personal data of employees, website visitors, potential customers, individual customers, points of contact at business customers, and others. Your business’s personal data collection and storage practices could represent significant risks to the individuals who trust you with their personal information. As a result, the collection, protection, and storage of that data implicates various state, federal, and foreign laws, and could give rise to civil liability to the individuals from whom you’ve collected data and to state or national supervisory authorities. What’s more, beyond the potential exposure to fines and civil damages, your lack of familiarity, understanding, and compliance with the various applicable regulations could cause significant and irreversible damage to your brand name and your hard-earned goodwill with your customers and peers.
Is your organization doing what is necessary to stay abreast of this constantly-changing regulatory landscape?
About the Author: Peter J. Klock, II practices in the area of complex commercial litigation. Before joining Bast Amron, Peter served as a judicial law clerk to the Honorable James Lawrence King in the Southern District of Florida for nearly four years. In that role, he drafted numerous published opinions and enjoyed primary responsibility for all aspects of the odd-numbered civil and criminal cases on Judge King’s docket, as well as a multi-district litigation matter involving over thirty national banks, In re: Checking Account Overdraft Litigation, MDL No. 2036. Peter’s extensive experience working with the Court has given him a unique insight into federal courtroom procedure, effective legal argumentation, and efficient use of motions and pleadings.