Data Privacy Regulations Must Not Burden Small Businesses

February 22, 2021


Governments both domestically and internationally are enacting internet privacy rules that could prove complex and burdensome for many unsuspecting small businesses.

  • Several U.S. states, most notably California, Nevada and Vermont, have recently introduced and passed legislation on consumer data privacy, similar to the EU’s General Data Protection Regulation (GDPR).
  • These state laws are intended to provide consumers with greater transparency and control over their personal data but go beyond breach notification and require companies to make significant changes in their data processing operations.
  • The 2018 California Consumer Privacy Act is enforceable in California and applies to California users, but given the nature of data processing, most companies will need to consider whether to apply the rules to all users.
  • While these state laws give consumers unprecedented control over their personal information, they create new and onerous challenges for companies of all sizes that do business in California.
  • Managing personal data and keeping it secure will continue to get more expensive for business owners, forcing businesses to look for other technological solutions to help ease their compliance burden and manage risk when they engage in the buying and selling of personal data.
  • All 50 U.S. states, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have enacted breach notification laws that require businesses to notify consumers if their personal information is compromised. These new and amended state data breach laws expand the definition of personal information and specifically mandate that certain information security requirements are implemented.
  • The U.S. lacks national data privacy legislation, leaving small businesses alone in figuring out which laws apply to them.


Small businesses need clear guidelines that fit the U.S. legal system and that target abuses, encourage innovation, and permit reasonable flexibility.

  • While Congress has not yet enacted a comprehensive national privacy law, it does have a long history of passing privacy laws to protect some of the most sensitive types of personal data, such as financial and medical information and data concerning children.
  • Any such legislation must consider the burden on small business—direct and indirect—and take steps to avoid stymieing innovation and competitiveness.