Why Your Virginia Small Business Must Comply with New FTC and GDPR Data Protection Regulations… Before It’s Too Late!
Virginia Business Brief
By Chip Cooper, Esq | September 07, 2018 12:00 PM
Let's say you’re the owner of a small online business in Ashburn, VA, and you’re vaguely familiar with FTC regulations affecting ad claims, testimonials, and substantiation. But are you up to date with the latest regulations that went into effect just last month, and that every Virginia small business with a website must comply with?
Probably not, unless you visited an internet compliance attorney last month.
And, do you understand that the FTC is now focusing on data protection, even for small online businesses? Also, do you really understand how the European Union’s General Data Protection Regulation (GDPR) may regulate your online business, and subject you to massive fines?
Why You and Other Virginia Businesses Can’t Fly Under the Radar Any More
Just a few years ago, the FTC focused primarily on big businesses. Many small online businesses believed they could “fly under the radar”, so to speak. They believed they could operate without the level of scrutiny reserved for the big players.
In 2014, this changed.
In 2014, the FTC brought several enforcement actions that illustrate the shift to enforcement actions against small businesses. One target was Apply Knowledge, a small online business which the FTC alleged was involved in deceptive testimonials. The enforcement action also named Apply Knowledge’s officers as defendants.
The result: a $500,000 settlement. Both the business and its officers were jointly and severally liable. It was a big hit against the officers’ personal assets.
In 2017, with its Operation Tech Trap, the FTC demonstrated the power of one of its most effective new enforcement tools. Begun in 1997, the FTC’s Consumer Sentinel database was reaching critical mass due to the massive number of consumer complaints in Virginia, many of which involved complaints against small online businesses.
Using Consumer Sentinel, the FTC coordinated over 40 law enforcement agencies at the federal and state levels, including the U.S. Department of Justice, with enforcement actions against small tech support companies that were allegedly involved in deceptive marketing practices.
The FTC Has Continued the Trend Regarding Small Online Businesses with Data Protection Regulation
Over the last few years, the FTC has brought over 500 enforcement actions involving privacy claims and over 50 enforcement actions involving data security claims. Most of these actions, though, were against relatively big companies in Virginia.
It didn’t take long for the FTC to shift its focus to small businesses, including several matters involving small businesses and data protection.
In 2017, the FTC hosted small business owners in a series of public roundtable discussions across the United States to discuss the most pressing challenges small businesses face in protecting the security of their computers and networks.
“The FTC has been a leader in guiding businesses of all sizes on how to protect the data in their care,” Acting Chairman Ohlhausen said. “Companies with only a few employees face unique challenges when it comes to cybersecurity. We’ll use what we learn in the roundtables to tailor our practical resource materials for small businesses.”
Not only did the FTC learn how to tailor resources for small business owners, it also clearly communicated via the FTC website precisely what the FTC requires small businesses to do. According to the FTC website:
“Many companies keep sensitive personal information about customers or employees in their files or on their network. Having a sound security plan in place to collect only what you need, keep it safe, and dispose of it securely can help you meet your legal obligations to protect that sensitive data.” (emphasis supplied)
So, the FTC has now spoken directly to small business owners that data protection regulations apply to them as well as to the big players. And a fundamental element in a sound security plan is a Data Security Policy for your business.
The Europeans Enter the Fray Regarding Data Protection with GDPR, and Now California Has Just Passed a Similar Regulation
Effective on May 25, 2018, GDPR ushered in new legislation designed to give European Union (EU) residents (data subjects) significantly more control over their personal data. GDPR regulations bring tough, new requirements affecting personal data, consent, privacy, and security.
The catch is that GDPR affects U.S.-based companies of all sizes, even if the U.S. companies don’t have a presence in the EU. All that’s required for GDPR to regulate your business is that your business processes personal data of EU data subjects.
Depending on circumstances, you could be regulated by GDPR as a data “controller” if you collect personal data directly from EU data subjects. GDPR may also apply to you as a data “processor” if you receive and process personal data indirectly from a controller, such as from your customers.
And you could also be regulated as both a controller and a processor, depending on how you collect and process personal data of EU data subjects.
The big concern regarding GDPR regulation for businesses in Virginia, of all sizes, is the consequences for non-compliance. Controllers and processors that are not GDPR compliant could be liable for administrative fines up to (i) 20 million euros (approximately $25 million), or (ii) 4 percent of annual gross revenues, whichever is higher.
Processors are subject to liability to controllers for failure to comply with their contractual obligations to their controllers under the relevant controller-processor agreement, including liability to the controller for the actions or inactions of any sub-processor appointed by the processor.
In addition, individual EU data subjects will be able to take action and claim damages where they have suffered “material or immaterial damage” (i) by controller non-compliance, or (ii) by a processor’s failure to perform its obligations under a controller-processor agreement. In addition, data subjects may file legal claims for damages directly against processors that have breached any lawful instructions by the controller.
And there’s another little-known consequence of non-compliance at this time: the negative public relations effect on your business. Many small businesses are reporting that their customers and prospects are asking if they’re GDPR compliant.
Due to the overwhelming amount of press coverage regarding GDPR and the massive amount of emails from businesses reporting GDPR-compliant privacy policies, your customers know that GDPR compliance is a sign that you’re taking data protection seriously, even if you’re not regulated by GDPR. Failure to embrace GDPR could lead to a critical decrease in trust and confidence in your business.
Small businesses are at significant risk – both from enforcement actions with significant fines and from the negative public relations image associated with non-compliance – if they don’t understand and take action in response to the critical shift by the FTC and the EU regulators regarding enforcement of data protection regulations.
For small businesses that don’t have the budget for law firms to assist with data protection compliance, the best solution is access to a combination of relevant compliance training and the required compliance documents.
Chip Cooper, Esq. is a practicing e-commerce and compliance attorney with the Atlanta law firm of Jones & Haley, P.C. Mr. Cooper is also CEO of FTC Guardian, Inc. (www.ftcguardian.com), #1 in online training for FTC and GDPR compliance.
Here’s How To Make Sure You, Your Virginia Business and Website Are FTC & GDPR Compliant
By now it should be clear how important it is for you to be FTC compliant. But how can you do that without spending $7,500-$8,000 or more on Internet Attorneys?
Smart business owners around the world are doing it with the help of FTC Guardian.
FTC Guardian is a service that is 100% focused on helping you get and stay FTC & GDPR compliant and fully protected. And right now, we are offering a free training to give you the knowledge, information, and guidance that you need to stay out of trouble with the Federal Trade Commission and the new GDPR guidelines.
Here are some of the things you’ll discover on the training:
- Real-Life Examples of People Who Didn’t Think They Were At Risk, But Who Got Nailed By The FTC, And Why It Could Happen To You, Too
- The 3 Enormous Powers The FTC Has That Can Change Your Life – And Your Family’s Life – Forever!
- How to Avoid FTC Claims When Collecting Leads With Optin Forms
- And Much More…
Remember: legal protection is a massively important part of your business, and it’s one you cannot afford to ignore any longer.
Disclaimer: This article is provided for informational purposes only. It’s not legal advice, and no attorney-client relationship is created. Neither the author nor FTC Guardian, Inc. is endorsed by the Federal Trade Commission.