The need to keep data privacy in mind when acquiring customers
Masha Komnenic CIPP/E, CIPM, CIPT, FIP - Guest Author Jun 28 2022
If you run a SaaS business, you need to know how data privacy may affect your company. Around the world, data privacy regulations are being enacted to protect people from unfair and illegal data practices.
If you aren't aware of these laws, your company could unintentionally be non-compliant and face the risk of severe fines and lawsuits. Keep reading to learn how data privacy laws affect your business.
What is data privacy?
Privacy became a substantial global legal issue decades ago. In 1948, the United Nations adopted the Universal Declaration of Human Rights, Article 12 of which protects the right to privacy.
Online data privacy as we know it today arguably traces back to the Children's Online Privacy Protection Act (COPPA), enacted as US federal law in 1998 and in force since 2000. Since then, there has been a proliferation of laws, acts, and directives regulating the gathering of consumer data online.
Data privacy and information security are related but distinct. Privacy law starts from the idea that businesses that collect or store people's personal information have a legal duty to those people: to keep that information private and secure, and to offer certain rights to the people the data belongs to. Information security is the set of technical and organizational controls that make the "secure" part real.
This is a simplified definition of data privacy; it gets more complicated as you delve deeper into it.
Many data privacy laws share characteristics, including rules on:
- Collecting sensitive personally identifiable information (PII)
- Collecting non-sensitive PII
- Collecting customer data from different states, countries, or regions
Of course, there are other aspects of data privacy laws that may affect your business, but the above facets are pervasive and affect many SaaS companies.
Let's dig a bit deeper into these three areas.
Collecting sensitive PII
Various regulations define PII differently, but it generally refers to information that can be used to identify an individual, alone or in combination with other data.
All PII warrants some care, but some types are considered more sensitive than others. PII is therefore commonly split into sensitive and non-sensitive PII.
Sensitive PII is sometimes called linked PII because it is tied to a person's identity, like their name or Social Security number.
Sensitive PII can directly or nearly directly reveal a person's identity and can be used to harm a person. For example, if the information falls into the wrong hands, the person may fall victim to identity theft or public embarrassment for associating with certain websites or products.
Examples of sensitive PII include:
- First and last name
- Email address
- Phone number
- Driver's license
- Social Security number
- Credit card number
- Biometric data
- Financial information
- Medical records
Collecting non-sensitive PII
Non-sensitive PII is sometimes called linkable PII. It’s data that could be linked to a person's identity, but more information is necessary to make that link.
Some examples of non-sensitive PII include:
- First name
- Common last name
- Age range, like 30 to 39
- Account password (note that a password is a credential rather than an identifier; it needs protection, hashed at rest and never disclosed, regardless of how a privacy law classifies it)
- Date of birth
- Geographic indicator
If your customers make a purchase on your website, the information they enter will consist of both sensitive and non-sensitive PII, and so may data collected in the background: under laws such as the GDPR, cookie identifiers and IP addresses count as personal data.
But not everything associated with your customers is considered PII. Likewise, not all PII is classified the same, and some information is considered non-PII entirely.
Collecting customer data from different states, countries, and regions
This is where customer data privacy laws begin to get confusing for many.
Depending on your website's reach, you may find your company falling under the jurisdiction of more than one data privacy law. For example, if you collect data from customers in different states, countries, or regions, you may be subject to the data privacy laws of each of those places — if they have any.
US state regulations
Aside from COPPA, which protects the data privacy of children under the age of 13, and sector-specific laws such as HIPAA (health) and GLBA (financial services), there is no single federal regulation covering US online data privacy. States have filled the gap with their own laws.
As of this writing (mid-2022), five US states have enacted comprehensive consumer data privacy laws:
- California: the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act (CPRA), effective January 1, 2023
- Colorado: the Colorado Privacy Act
- Connecticut: the Connecticut Data Privacy Act, signed in May 2022
- Utah: the Utah Consumer Privacy Act
- Virginia: the Consumer Data Protection Act
California, Nevada, and Vermont have also enacted narrower consumer data privacy laws:
- California Online Privacy Protection Act of 2003 (CalOPPA), which requires commercial websites that collect PII from California residents to post a privacy policy
- California's Data Broker Registration law
- Nevada NRS § 603A.300 and following, which require website operators to let Nevada consumers opt out of the sale of their covered information
- Nevada 2021 S.B. 260 (Chap. 292), which extends those opt-out requirements to data brokers
- Vermont's Protection of Personal Information: Data Brokers law, which requires data brokers to register with the state
Some federal countries legislate at the provincial level as well as nationally. Canada, discussed below, has a federal law plus provincial laws that apply in its place in some provinces.
Most countries around the world have enacted some form of data privacy legislation to protect the rights of their residents.
According to the United Nations Conference on Trade and Development, 137 of 194 countries have enacted legislation to protect data and privacy. The remaining 57 countries have draft legislation only, no legislation, or no data available on their legislation.
The European Union's General Data Protection Regulation (GDPR) is the most prominent law whose scope spans multiple countries. It applies to any organization, wherever it is established, that offers goods or services to people in the European Economic Area (EEA) or monitors their behaviour. Switzerland is not covered by the GDPR; it has its own Federal Act on Data Protection.
Currently, the EEA includes 30 countries: the 27 EU member states, plus Iceland, Liechtenstein, and Norway.
Because of this extraterritorial reach, the GDPR is the data privacy law with the broadest geographic scope of people protected.
Which data privacy laws impact SaaS customer acquisition?
SaaS applications are used by businesses worldwide to share and collaborate on various types of data, including data from customers, employees, and other companies. Protecting SaaS data has become a top concern for many companies. As SaaS companies acquire customers, some of the customers' data is inevitably also acquired.
Depending on your customers' geographic locations and your products, many data privacy laws could impact your SaaS company's customer acquisition.
Here are some of the laws you are most likely to be affected by:
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- The EU's GDPR
- The UK GDPR
- The EU's ePrivacy Directive
Of course, this list is not exhaustive. Other data privacy laws may impact your business for unique reasons. For example, laws like COPPA or Guyana's Electronic Communications and Transactions Bill (2018) may affect some companies.
Under CalOPPA, PII includes data such as your customers':
- Social Security numbers
- Phone numbers
- Email addresses
- Street addresses
- First and last names
The CCPA is widely regarded as the strictest data protection law in the US. It was signed into law in 2018 and took effect on January 1, 2020, and was designed to give Californian consumers more control over how their personal information is used.
While CalOPPA applies to anyone operating a commercial website that collects PII from California residents, the CCPA applies to for-profit businesses doing business in California that meet any one of three thresholds: more than $25 million in annual gross revenue; buying, selling, or sharing the personal information of 50,000 or more California consumers, households, or devices (raised to 100,000 consumers or households by the CPRA from 2023); or deriving 50% or more of annual revenue from selling personal information.
The CCPA gives Californians the right to:
- Know about the personal information businesses collect
- Know how businesses use their personal information
- Delete personal data businesses collect
- Refuse the sale of their personal information
- Expect nondiscrimination when exercising their CCPA rights
From 2023, the CPRA adds the rights to correct inaccurate personal information and to limit the use of sensitive personal information, and it creates the California Privacy Protection Agency to enforce the law.
Canada's PIPEDA received Royal Assent in 2000 and has been in force since 2001 as a federal law covering private-sector organizations that collect, use, or disclose personal information in the course of commercial activity. PIPEDA defines personal information as information about an identifiable individual.
Any SaaS company that handles Canadians' personal information in the course of doing business in Canada should assume PIPEDA applies.
Although PIPEDA is federal law, Quebec, British Columbia, and Alberta have private-sector privacy laws deemed substantially similar to it, which apply in place of PIPEDA to activity within those provinces; PIPEDA still governs interprovincial and international transfers.
The EU's GDPR applies to any organization offering goods or services to, or monitoring the behaviour of, people in the EEA. It requires several things from SaaS companies, including:
- Data-processing agreements between controllers and processors (Article 28), so a SaaS vendor processing customer data on a customer's behalf needs a written contract with each such customer
- Third-party vendor (sub-processor) compliance, including the customer's authorization before a sub-processor is engaged
- Security of processing appropriate to the risk (Article 32), such as encryption, access control, and the ability to restore availability after an incident
Since Brexit, the GDPR has been retained in UK domestic law as the UK GDPR, read alongside the Data Protection Act 2018. It keeps the same rights, obligations, and fundamental principles as the EU GDPR, but a company serving both the EU and the UK now answers to two regulators.
ePrivacy Directive (or EU Cookie Law)
The ePrivacy Directive (2002/58/EC) regulates privacy in electronic communications. Its best-known provision requires informed consent before storing information on, or reading it from, a user's device, whether or not that information is personal data, with an exception for cookies strictly necessary to provide a service the user has requested. It's responsible for many of the cookie-consent pop-ups that you see on websites today.
It was adopted in 2002 and amended in 2009 (Directive 2009/136/EC). As a directive rather than a regulation, it takes effect through each member state's national law, for example the UK's Privacy and Electronic Communications Regulations (PECR), so the exact rules vary by country.
Again, it's worth pointing out that these data privacy regulations affect companies with customers in the applicable regions. So, if you run a company in the US but also have customers in the EU and Canada, then you will be beholden to the GDPR, the ePrivacy Directive, and PIPEDA, in addition to various US laws, depending on the locations of your customers within the US.
How to adhere to data privacy laws when acquiring SaaS customers
Without a doubt, compliance with data privacy laws should be considered an investment by any SaaS company. The fines are steep, the rulings harsh, and the gamble of tiptoeing around compliance isn't worth it.
So how can SaaS companies adhere to data privacy laws when acquiring customers?
Depending on how much time and money you have on your hands, you can decide which of these three viable options is right for your business:
Take the project on yourself (not recommended)
You'll have to spend countless hours poring over your data and figuring out which laws apply to your business. Then you'll have to analyze the laws for their specific requirements and combine those requirements.
Finally, you'll need to draw up documents that meet all compliance requirements.
Be ready to repeat this process when your company moves into a new region or when countries pass new regulations or update old laws.
Delegate to your in-house legal team
Delegate the issue to your in-house legal team or hire a legal team if you don't have one in-house.
Your legal team will be sure to get everything done right, but it may not be fast, especially if this isn't your team's standard field of expertise. Although this may be an expensive route to go, it may be an acceptable option if it's already built into the company's budget.
Work with a professionally managed data privacy solution
This option is affordable and within most companies' budgets while being a comprehensive, fast, and safe solution to data privacy concerns.
While the first two options are suitable for a few businesses, most companies today turn to privacy-oriented service providers that give them peace of mind and help avoid legal headaches.
Consequences of disregarding data privacy laws
It's tempting to think that ignoring the issue of data privacy can make it vanish, but that would be an unwise decision. Pleading ignorance of data privacy laws isn't an acceptable excuse for failing to comply, and the consequences can be harsh.
For example, the CCPA sets civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation. Pleading ignorance does not make a violation disappear: a company that put no privacy protections in place still faces at least the $2,500 penalty for each one.
Each consumer whose personal information was mishandled can count as a separate violation, so if you deal with thousands of customers, you could face thousands of penalties.
A further problem with US privacy violations, beyond regulatory penalties, is private litigation. The CCPA gives consumers a private right of action, with statutory damages of $100 to $750 per consumer per incident, when their personal information is exposed in a breach caused by a failure to maintain reasonable security, and affected consumers can pursue such claims together as a class action.
For example, in 2021, TikTok agreed to pay $92 million to settle a consolidated consumer privacy class action.
GDPR fines are even more aggressive. The lower tier is up to 10 million euros or 2% of worldwide annual turnover, whichever is higher; the upper tier, for violations of the core principles and of data subjects' rights, is up to 20 million euros or 4%.
Notable examples of GDPR fines include:
- Marriott International was fined £18.4 million by the UK Information Commissioner's Office in 2020 over a breach disclosed in 2018.
- H&M was fined 35.3 million euros by the Hamburg data protection authority in 2020.
- Amazon was fined 746 million euros by Luxembourg's data protection authority in 2021.
In summary, if you're a SaaS company, it's essential to understand how various data privacy laws can impact your company and the penalties for failing to comply. Having a knowledgeable, high-quality, and efficient data privacy team can help you focus on the other critical aspects of your business while knowing your company is safely complying with all relevant data privacy laws.
By Masha Komnenic CIPP/E, CIPM, CIPT, FIP - Guest Author
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer who studied Law at Belgrade University. After passing the Bar examination in 2016, she specialized in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD).