3 Things Business Owners Need to Know to Protect Customer’s Information

by Robert Goodman

New privacy rules mean business owners’ responsibility to safeguard consumers’ personal privacy and information rights is growing

Editor’s note: This is the third in a series of three articles on privacy policies.

In Part 1 we covered “The Corporate Transparency Act for Small Business Owners – 4 Tips.” In our last article, “The Protection of Consumers’ Online Privacy: A Revolution of Rights,” we discussed what rights a consumer has to manage their Personal Identifying Information (“PII”) and what terms should be included in a privacy policy.

In this article, I would like to explore three items, two of which involve mandates that can require additional notifications under the California Consumer Privacy Act (“CCPA”):

1. When PII is procured from minors and, in particular, from consumers under the age of 13 years.

2. When a company provides incentives, such as discounts, rewards, or other benefits, to its customers in exchange for their PII.

3. The need for businesses to create a privacy rights infrastructure to address customer privacy rights concerns.

1. Minor Children and Children under the Age of 13 years:

In the e-commerce context, minors, generally persons under the age of 18 years (although this can vary depending on state law), normally do not have the legal capacity to enter into contracts. It is therefore recommended that businesses clarify in their websites’ Terms of Use that minors purchasing goods and services are required to obtain the permission of their parents or legal guardians to engage in such transactions, and that the vendor shall not be responsible for minors who misrepresent their age and identity.

  • Businesses should reserve to themselves the right to inquire whether a minor is authorized to make online purchases, and should provide that parents and guardians shall guaranty and be responsible for paying for the goods and services purchased by the minor child. Businesses should also make it explicit in their Terms of Use that an unauthorized purchase by a minor child may serve as the basis for terminating the online account in question.
  • In addition to addressing transactions with minors in the Terms of Use, the business should make sure that its privacy policy provides that, should a parent or guardian discover that a minor has disclosed their PII to the business in the course of a purchase and sale transaction, the parent or guardian may have such PII deleted and expunged.
  • Where minor children under the age of 13 (“young minors”) are involved, specific laws at the state and federal levels may also come into play. The most significant law in this regard is the national Children’s Online Privacy Protection Rule (“COPPR”). The COPPR is a federal law that can require, among other things, that “vendors” marketing to young minors post online notices advising parents and guardians that the business is targeting this demographic, together with an explanation of the information being collected and how it is being used. The law also requires such vendors to set up a mechanism allowing parents and guardians to consent to the disclosure of PII by a young minor, and to afford parents and guardians a reasonable opportunity to review the PII collected and to preclude or restrict its use.

As for businesses that do not target minors or young minors, their privacy policies should specifically include a provision clarifying that they do not direct their products, services, or marketing efforts to children.

2. Financial Incentive Notices:

In addition to a privacy policy delineating the rights of customers to manage their PII, businesses that offer their customers incentives, such as discounts, rewards, or benefits, in consideration for a customer’s parting with their personal information have an added duty to notify customers of the existence of a financial incentives program and the terms governing it.

  • Among the representations a Financial Incentive Notice is required to provide is an estimate of the monetary value of the incentive being offered. For example, if the financial incentive provided to customers is a 20% discount on the first $1,000.00 of product purchased, the monetary value being offered for the PII would be $200.00. Not only is it necessary to represent the estimated value of the financial incentive being offered, but the methodology by which that value is determined also needs to be explained.
  • Additionally, the terms and conditions governing the offer of a financial incentive need to be set out, i.e., how customers qualify for the incentive, when their incentives expire, and how they can opt out of the program.
  • Finally, a Financial Incentives Notice needs to include a non-discrimination statement explaining that customers who decide not to participate in an incentives program will not be discriminated against for not providing their PII, such as by having their rights limited vis-à-vis other customers.

According to one source, the regulatory body charged with enforcing California’s privacy protection laws has recently issued citations to businesses operating in California that failed to include an adequate Financial Incentives Notice in their online materials.

3. Developing a Privacy Rights Infrastructure

It is important that businesses have privacy policies that clearly explain to customers what their privacy rights are, but it is equally important to be able to process requests from customers concerning their privacy-related concerns. The best privacy policy is worthless if no one is monitoring the airwaves to see whether customers are registering a concern. Developing an infrastructure for handling privacy policy inquiries is therefore critical. The email contact address published in the policy needs to reach an actual person, and a protocol then needs to be in place to guide personnel on how to manage the inquiry. While there is no legal requirement to do so, privacy policy inquiries should be funneled to a designated person (an “Administrator”), who would be responsible initially for vetting the inquiry and then sending it on to legal counsel to assess whether it triggers an obligation on the part of the business.

At the same time, it is important that a business knows where its customer PII is being held within its information network. Customer PII should be segregated from other information and encrypted or otherwise password protected so that hacking risks are minimized.

At bottom, the objective in creating a PII infrastructure is to give a business the capacity to readily locate a customer’s PII and to address customers’ privacy concerns in a timely fashion, which could include expunging the PII, limiting its use, or even transferring it to another location.
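To make the “locate, expunge, restrict, or transfer” capability described above concrete, here is an added example in Python; it is not code from the article or its author. It assumes a small data map recording which stores hold which PII fields, a set of constructed sample stores (“orders”, “marketing”, “support”), a constructed customer id `c-100`, and an Administrator who has verified the requester’s identity before the request is acted on. Encryption at rest of the segregated store is assumed to be provided by the storage layer and is not shown.

```python
"""Minimal PII data map and privacy-request handler (added example, not the article's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Data map: which PII fields each store holds. Store names and fields are constructed.
DATA_MAP = {
    "orders":    {"email", "shipping_address"},
    "marketing": {"email", "phone"},
    "support":   {"email", "phone", "notes"},
}


def sample_stores():
    """Constructed sample data. In a real business these are databases or SaaS tools."""
    return {
        "orders":    {"c-100": {"email": "ann@example.com", "shipping_address": "1 Main St", "total": 120.0}},
        "marketing": {"c-100": {"email": "ann@example.com", "phone": "555-0100", "opt_in": True}},
        "support":   {"c-100": {"email": "ann@example.com", "phone": "555-0100", "notes": "asked about a refund"}},
    }


@dataclass
class PrivacyRequest:
    customer_id: str
    kind: str                # "access", "delete" or "restrict"
    verified: bool = False   # the Administrator confirmed the requester's identity


@dataclass
class Outcome:
    kind: str
    stores_touched: list = field(default_factory=list)
    data: dict = field(default_factory=dict)   # filled for "access" (disclosure / transfer)
    logged_at: str = ""


def locate(customer_id, stores):
    """Return {store: {field: value}} for every PII field currently held about the customer."""
    found = {}
    for store, pii_fields in DATA_MAP.items():
        record = stores.get(store, {}).get(customer_id)
        if record:
            present = {f: record[f] for f in pii_fields if f in record}
            if present:
                found[store] = present
    return found


def handle(req, stores, audit_log):
    """Fulfil a verified request against every store named in the data map and log it."""
    if not req.verified:
        raise PermissionError("verify the requester's identity before acting on PII")
    found = locate(req.customer_id, stores)
    outcome = Outcome(kind=req.kind, stores_touched=sorted(found))
    if req.kind == "access":
        outcome.data = found                      # package for disclosure or transfer
    elif req.kind == "delete":
        for store in found:
            record = stores[store][req.customer_id]
            for f in DATA_MAP[store]:
                record.pop(f, None)               # expunge PII; non-PII (e.g. order total) stays
    elif req.kind == "restrict":
        for store in found:
            stores[store][req.customer_id]["restricted"] = True   # flag checked before any use
    else:
        raise ValueError(f"unknown request kind: {req.kind}")
    outcome.logged_at = datetime.now(timezone.utc).isoformat()
    audit_log.append((outcome.logged_at, req.customer_id, req.kind, outcome.stores_touched))
    return outcome


if __name__ == "__main__":
    stores, log = sample_stores(), []
    print(handle(PrivacyRequest("c-100", "access", verified=True), stores, log).data)
    handle(PrivacyRequest("c-100", "delete", verified=True), stores, log)
    print("remaining PII:", locate("c-100", stores))
    print("audit entries:", len(log))
```

The data map is the piece that does the work: a deletion or access request is only as complete as the inventory of places PII is held, so adding a new store or field to the business means adding it to the map first. The unverified-request check and the audit log give the Administrator a record of what was done, for whom, and when.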

The takeaway:

The protection of consumer privacy rights is expected to be a major growth industry, one that is sure to place more responsibility on businesses to protect and manage their customers’ personal identifying information. Such responsibility does not end with posting a comprehensive privacy policy. Other types of notices may also need to be posted. Finally, the development of a privacy rights infrastructure is recommended, not only to safeguard customer PII but also to allow a business to address the privacy rights concerns of its customers expeditiously and effectively.

Related content:

Part 1: The Corporate Transparency Act for Small Business Owners- 4 Tips

Part 2:  The Protection of Consumers’ Online Privacy: A Revolution in Rights

Data Privacy Rights: An Evolving Area That Cannot Be Ignored

Does your Data Asset have an Ownership Certificate?

Who Owns Your Emails?