{"id":6585,"date":"2018-06-19T00:12:45","date_gmt":"2018-06-19T00:12:45","guid":{"rendered":"https:\/\/www.ftcguardian.com\/articles\/?p=6585"},"modified":"2019-08-12T13:19:57","modified_gmt":"2019-08-12T13:19:58","slug":"ftc-gdpr-compliance","status":"publish","type":"post","link":"https:\/\/www.ftcguardian.com\/articles\/ftc-gdpr-compliance\/","title":{"rendered":"Why Your Ohio Small Business Must Comply with New FTC and GDPR Data Protection Regulations\u2026 Before It\u2019s Too Late!"},"content":{"rendered":"<p><strong>Ohio Business Brief<\/strong><br \/>\nBy Chip Cooper, Esq | April 16, 2026 09:13 PM\n<p>Let's say, you\u2019re the owner of a small online business in Columbus, OH, and you\u2019re vaguely familiar with FTC regulations affecting ad claims, testimonials, and substantiation. But, are you up to date with the latest regulations that went into effect just in the <strong>last few months<\/strong>, that <u>every Ohio small business that has a website must comply with?<\/u><\/p>\n<p>Probably not, unless you visited an internet compliance attorney recently.<\/p>\n<p>And, do you understand that the FTC is now focusing on data protection, even for small online businesses? Also, do you really understand how the European Union\u2019s General Data Protection Regulation (GDPR) may regulate your online business, and subject you to massive fines?<\/p>\n<p><strong>Why You and Other Ohio Businesses Can\u2019t Fly Under the Radar Any More<\/strong><\/p>\n<p>Just a few years ago, the FTC focused primarily on big businesses. Many small online businesses believed they could \u201cfly under the radar\u201d, so to speak. 
They believed they could operate without the level of scrutiny reserved for the big players.<\/p>\n<p>In 2014, this changed.<\/p>\n<p>In 2014, the FTC brought several enforcement actions that illustrate the shift to enforcement actions against small businesses. One target was Apply Knowledge, a small online business which the FTC alleged was involved in deceptive testimonials. The enforcement action also named Apply Knowledge\u2019s officers as defendants.<\/p>\n<p><strong>The result:<\/strong> a $500,000 settlement. <u>Both the business and its officers were jointly and severally liable<\/u>. It was a big hit against the officers\u2019 personal assets.<\/p>\n<p>In 2017 with its Operation Tech Trap, the FTC demonstrated the power of one of its most effective, new enforcement tools. Begun in 1997, the FTC\u2019s Consumer Sentinel database was reaching critical mass due to the massive number of consumer complaints in <u>Ohio<\/u>, many of which involved complaints against small online businesses.<\/p>\n<p>Using Consumer Sentinel, the FTC coordinated over 40 law enforcement agencies at the federal and state levels, including the U.S. Department of Justice, with enforcement actions against small tech support companies that were allegedly involved in deceptive marketing practices.<\/p>\n<p><strong>The FTC Has Continued the Trend Regarding Small Online Businesses with Data Protection Regulation<\/strong><\/p>\n<p>Over the last few years, the FTC has brought over 500 enforcement actions involving privacy claims and over 50 enforcement actions involving data security claims. 
However, most of these claims were against relatively big companies in Ohio.<\/p>\n<p>It didn\u2019t take long for the FTC to shift its focus to small business, including several businesses regarding data protection.<\/p>\n<p>In 2017, the FTC hosted small business owners in a series of public roundtable discussions across the United States for purposes of discussing the most pressing challenges small businesses face in protecting the security of their computers and networks.<\/p>\n<p>\u201cThe FTC has been a leader in guiding businesses of all sizes on how to protect the data in their care,\u201d Acting Chairman Ohlhausen said. \u201cCompanies with only a few employees face unique challenges when it comes to cybersecurity. We\u2019ll use what we learn in the roundtables to tailor our practical resource materials for small businesses.\u201d<\/p>\n<p>Not only did the FTC learn how to tailor resources for small business owners, it also clearly communicated via the FTC website precisely what the FTC requires small businesses to do. According to the FTC website:<\/p>\n<p>\u201cMany companies keep sensitive personal information about customers or employees in their files or on their network. Having a <u>sound security plan<\/u> in place to collect only what you need, keep it safe, and dispose of it securely, can help you meet your <u>legal obligations<\/u> to protect that sensitive data\u201d. (emphasis supplied).<\/p>\n<p>Have you kept up to date with the latest fines the FTC has issued Facebook? <b>Facebook<\/b> was hit with a $5-billion federal <b>fine<\/b> for privacy violations&#8230;<\/p>\n<p>This is going to have a huge trickle-down effect for ALL small businesses.<\/p>\n<p>So, the FTC has now spoken directly to small business owners that data protection regulations apply to them as well as to the big players. 
And a fundamental element in a sound security plan is a Data Security Policy for your business.<\/p>\n<p><strong>The Europeans Enter the Fray Regarding Data Protection with GDPR, and Now California Has Just Passed a Similar Regulation<\/strong><\/p>\n<p>Effective on May 25, 2018, GDPR ushered in new legislation designed to give European Union (EU) residents (data subjects) significantly more control over their personal data. GDPR regulations bring tough, new requirements affecting personal data, consent, privacy, and security.<\/p>\n<p>The catch is that GDPR affects U.S.-based companies of all sizes, even if the U.S. companies don\u2019t have a presence in the EU. \u00a0All that\u2019s required for GDPR to regulate your business is that your business processes personal data of EU data subjects.<\/p>\n<p>Depending on circumstances, you could be regulated by GDPR as a data \u201ccontroller\u201d if you collect personal data directly from EU data subjects. GDPR may also apply to you as a data \u201cprocessor\u201d if you receive and process personal data indirectly from a controller, such as, for example, from your customers.<\/p>\n<p>And you could also be regulated as both a controller and a processor depending on how you collect and process personal data of EU data subjects.<\/p>\n<p>The big concern regarding GDPR regulation for businesses in Ohio, of all sizes, is the consequences for non-compliance. 
Controllers and processors that are not GDPR compliant could be liable for administrative fines up to (i) 20 million Euros (approximately $25 million), or (ii) 4 percent of annual gross revenues, whichever is\u00a0<em>higher.\u00a0<\/em><\/p>\n<p>Processors are subject to liability to controllers for failure to comply with their contractual obligations to their controllers under the relevant controller-processor agreement, including liability to the controller for the actions or inactions of any sub-processor appointed by the processor.<\/p>\n<p>In addition, individual EU data subjects will be able to take action and claim damages where they have suffered \u201cmaterial or immaterial damage&#8221; (i) by controller non-compliance, or (ii) by a processor\u2019s failure to perform its obligations under a controller-processor agreement. In addition, data subjects may file legal claims for damages directly against processors that have breached any lawful instructions by the controller.<\/p>\n<p>And there\u2019s another little-known consequence of non-compliance at this time: the negative public relations effect on your business. Many small businesses are reporting that their customers and prospects are asking if they\u2019re GDPR compliant.<\/p>\n<p>Due to the overwhelming amount of press coverage regarding GDPR and the massive amount of emails from businesses reporting GDPR-compliant privacy policies, your customers know that GDPR compliance is a sign that you\u2019re taking data protection seriously, even if you\u2019re not regulated by GDPR. 
Failure to embrace GDPR could lead to a critical decrease in trust and confidence in your business.<\/p>\n<p><strong>Bottom line&#8230;<\/strong><\/p>\n<p>Small businesses are at significant risk \u2013 both for enforcement actions with significant fines and with the negative public relations image associated with non-compliance &#8211; if they don\u2019t understand and take action in response to the critical shift by the FTC and the EU regulators regarding enforcement of data protection regulations.<\/p>\n<p>For small businesses that don\u2019t have the budget for law firms to assist with data protection compliance, the best solution is access to a combination of relevant compliance training and the required compliance documents.<\/p>\n<p>&#8212;<\/p>\n<p>Chip Cooper, Esq. is a practicing e-commerce and compliance attorney with the Atlanta law firm of Jones & Haley, P.C. Mr. Cooper is also CEO of FTC Guardian, Inc. (<a href=\"http:\/\/www.ftcguardian.com\">www.ftcguardian.com<\/a>), #1 in online training for FTC and GDPR compliance.<\/p>\n<h2>Here\u2019s How To Make Sure You,\u00a0Your Ohio Business and Website Are FTC & GDPR Compliant<\/h2>\n<p>By now it should be clear how important it is for you to be FTC compliant. 
But how can you do that without spending $7,500-$8,000 or more on Internet Attorneys?<\/p>\n<p>Smart business owners around the world are doing it with the help of FTC Guardian.<\/p>\n<p>FTC Guardian is a service that is 100% focused on helping you get and stay FTC & GDPR compliant and fully protected.\u00a0<a href=\"https:\/\/go.ftcguardian.com\/bw4uoy\" target=\"_blank\" rel=\"noopener noreferrer\">And right now, we are offering a free training to give you the knowledge, information, and guidance that you need to stay out of trouble with the Federal Trade Commission and the new GDPR guidelines.<\/a><\/p>\n<p>Free Compliance Workshop:\u00a0<a href=\"https:\/\/go.ftcguardian.com\/bw4uoy\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>Join Chip Cooper, Esq., the #1 FTC Compliance & GDPR trainer in the World, for a one-of-a-kind, completely free online compliance workshop.<\/strong><\/a><\/p>\n<p><a href=\"https:\/\/go.ftcguardian.com\/bw4uoy\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>Workshops fill up quickly, so register now.<\/strong><\/a><\/p>\n<p>Here are some of the things you\u2019ll discover on the training:<\/p>\n<ul>\n<li>Real-Life Examples of People Who Didn\u2019t Think They Were At Risk, But Who Got Nailed By The FTC, And Why It Could Happen To You, Too<\/li>\n<\/ul>\n<ul>\n<li>The 3 Enormous Powers The FTC Has That Can Change Your Life \u2013 And Your Family\u2019s Life \u2013 Forever!<\/li>\n<\/ul>\n<ul>\n<li>How to Avoid FTC Claims When Collecting Leads With Optin Forms<\/li>\n<\/ul>\n<ul>\n<li>3 Privacy Policy Mistakes Every Digital Marketer Is Making, And Why You\u2019re In The FTC\u00a0Crosshairs.<\/li>\n<\/ul>\n<ul>\n<li>And Much More\u2026<\/li>\n<\/ul>\n<p><b>Remember: legal protection is a massively important part of your business, and it\u2019s one you cannot afford to ignore any longer.<\/b><\/p>\n<p><a href=\"https:\/\/go.ftcguardian.com\/bw4uoy\" target=\"_blank\" rel=\"noopener noreferrer\">Go here to register 
for our next FREE training and make sure your business is FTC compliant today!<\/a><\/p>\n<p><b>Disclaimer: \u00a0This article is provided for informational purposes only. It\u2019s not legal advice, and no attorney-client relationship is created. Neither the author nor FTC Guardian, Inc. is endorsed by the Federal Trade Commission.<\/b><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Business Brief By Chip Cooper, Esq | Let&#8217;s say, you\u2019re the owner of a small online business in , , and you\u2019re vaguely familiar with FTC regulations affecting ad claims, testimonials, and substantiation. But, are you up to date with &hellip;  <\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_analytify_skip_tracking":false,"footnotes":""},"categories":[12,8,343],"tags":[62,28,36,15,16,52,79,55,45],"class_list":["post-6585","post","type-post","status-publish","format-standard","hentry","category-ftc-compliance","category-ftc-disclosure","category-gdpr","tag-data-privacy","tag-federal-trade-commission","tag-ftc-claims","tag-ftc-compliance","tag-ftc-online-advertising","tag-ftc-federal-trade-commission","tag-gdpr","tag-online-complicance","tag-privacy-policy"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/posts\/6585","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/comments?post=6585"}],"version-history":[{"count":39,"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/posts\/6585\/revisions"}],"predecessor-version":[{"id
":7685,"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/posts\/6585\/revisions\/7685"}],"wp:attachment":[{"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/media?parent=6585"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/categories?post=6585"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/tags?post=6585"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}