Surprise! Privacy Compliance Does Affect You. What to Expect in 2023.
To read this Alert in PDF format, click here.
Have you recently received notices from vendors, social media platforms, or other service providers about updates to their privacy policies? You might be wondering what all this privacy buzz is about or, better yet, secretly hoping it does not apply to you or your business. If you are the curious type, you may have taken a cursory glance and noticed that the updates apply to California businesses or residents, or involve some other state or jurisdiction outside of Kansas. If you thought to yourself, “phew, I am in Kansas, so privacy compliance does not affect me,” you had better think again.
California, Colorado, Connecticut, Utah, and Virginia have all enacted comprehensive consumer data protection laws that go into effect at various points in 2023—with California and Virginia as early as January 1, 2023. Although Kansas has not yet jumped on the comprehensive-privacy-act bandwagon, there are hundreds of federal and state privacy laws and regulations on the books today. There are even industry standards that serve as requirements on businesses operating in a specific industry—banking, tax preparation, healthcare, manufacturing, and education, just to name a few. Chances are at least one of these privacy laws or regulations impacts your business as well as your employees and/or clients, even if you are only in Kansas.
For example, Kansas merchants who accept card payments from customers are almost certainly subject to the Payment Card Industry Data Security Standard (“PCI DSS”), maintained by the PCI Security Standards Council. The PCI DSS applies to merchants, banks, and service providers or processors that store, process, or transmit cardholder data or sensitive authentication data during a payment card transaction. If your business allows customers to pay with a credit card or debit card, compliance with the PCI DSS is essential. Outsourcing payment processing to an outside service provider can shrink the portion of your environment that is in scope, but it does not remove the obligation, and you remain responsible for confirming that the provider is itself compliant.
Are you an employer who offers a retirement plan to your employees? If you find yourself nodding your head up and down, then you need to be performing risk assessments and beefing up your cybersecurity practices. The Department of Labor (“DOL”) published its twelve-point list of cybersecurity program best practices for retirement plan sponsors and fiduciaries in April 2021. The DOL has since started auditing plan sponsors and bringing enforcement actions against businesses that have not paid heed to its recommended cybersecurity practices. No business wants the DOL sniffing around, so it is important to get those cybersecurity policies in place.
Do you like to send your customers notices about in-store promotions or discounts on products? Kansas businesses that email marketing materials or advertisements to clients are required to comply with the CAN-SPAM Act, which governs commercial and promotional emails to consumers. And don’t think you get a free pass with text messaging, either. The Telephone Consumer Protection Act (“TCPA”) provides protections for consumers receiving calls and text messages from businesses and organizations. The two laws work differently: CAN-SPAM requires that marketing emails use accurate header and subject-line information, identify themselves as advertisements, include your physical address, give recipients a clear way to opt out, and honor those opt-outs promptly, while the TCPA generally requires the customer’s prior express consent before you send marketing text messages. If you cannot show that your customer consented, or if a customer has asked you to stop, you had better think twice before pushing the send button.
What now, you might be asking. How do I know which laws apply to me and my business? Where do I even start? The United States’ patchwork approach to privacy makes it difficult for business owners to know and understand the privacy laws that govern them. Yet businesses must find a way to navigate these disharmonious privacy laws and standards in hopes of avoiding enforcement actions by regulators such as the Federal Trade Commission, the Department of Labor, or a state attorney general. Fortunately, once you start focusing on privacy within your business and identifying what security controls you have in place (or possibly the lack thereof), good cybersecurity practices will soon become routine.
Hinkle Law Firm is here to help you reach privacy compliance and will guide you through this process each step of the way. Our privacy attorneys are knowledgeable about different privacy laws, cybersecurity best practices, and what regulators are gunning for. We will consult with you or your HR and IT departments to evaluate existing cybersecurity measures, provide recommendations on mitigating cybersecurity risks, and assist with implementation of better cybersecurity programs and practices. Watch for more privacy practice tips regarding risk assessments, data minimization and governance programs, and cybersecurity checklists coming soon in 2023. If you are ready to get started with developing or advancing your business’s privacy practices, or want to get added to our list for privacy and cybersecurity compliance assessments or training, please reach out to Krystle Dalke, CIPM and CIPP/US, at 316-631-3181 or firstname.lastname@example.org today.