Part 2: Reviewing and Retooling Your Privacy Practices


In Part I, we discussed best practices for your business’s privacy policy. Now let’s put the cart back behind the horse—before crafting a new privacy policy or updating an existing one, your starting point should be taking stock of your business’s current privacy practices.

One approach to promoting privacy best practices is to bake in privacy protection at every stage of your business process. Adopting this approach, known as “privacy by design,” can help build consumer trust. Even if your business practices are well established, you can rethink how you handle data throughout your operation to make privacy a priority. Start with these steps:

Take inventory 

What types of data does your business collect? If you collect data that can be reasonably linked to a specific customer, computer or device (e.g., cookie data), consider it personal data. Classify information according to privacy risk, paying particular attention to sensitive categories such as social security numbers, credit card or other financial information, and location data. Track the flow of personal data throughout your business to get a complete picture of:

  • How data is collected (e.g., via email, regular mail, online collection).
  • Where it’s stored (e.g., PCs, networks, mobile devices, USB sticks, cloud service providers, file cabinets).
  • Who has access to it (e.g., all employees or only employees who need it, vendors, contractors).
  • Who it’s shared with (e.g., advertisers and marketers, business partners).

Scale down

Collect and store only the data you need to run your business and to meet legal requirements. You may be able to eliminate data elements you don’t need by changing default settings in your online forms or database software. Remember, you have a responsibility to protect all personal data you collect, so limit your burden and your risk.

Stop and think before making a change

Using or sharing personal data in a new way requires forethought. Is it consistent with your privacy policy? Consider a procedure to flag new data uses or sharing for privacy review. Remember, you must obtain customer consent if a new use affects data collected prior to the change and is inconsistent with the privacy policy in place at the time of collection.

Lock it up

Review your data security practices to ensure you’re protecting customer data from identity theft and cyber threats. Address each of the following security must-dos:

  • Use SSL encryption to transmit financial or other sensitive data.
  • Avoid using Social Security Numbers for identification—if you must handle this data, store and transfer it securely.
  • If you process credit cards, ensure that you are PCI compliant, or outsource this process to a reputable PCI service provider. 
  • Never send sensitive personal data by email unless it’s encrypted.
  • Implement strong password policies and do not permit shared passwords.
  • Don’t forget physical security—implement a clean desk policy, and lock file drawers and doors.

You can find more data security tips from the BBB at “Data Security – Made Simpler.”

Pay attention to special data categories

Certain kinds of data collection and use are subject to specific legal requirements. While we can’t cover all of these here, be aware that you will have additional compliance obligations if your business engages in certain common practices:

  • Collects personal data from children under age 13 (see the Children’s Online Privacy Protection Act)
  • Extends credit to its customers, participates in credit decisions, or operates as a financial institution (see the Red Flags Rule and the Gramm-Leach-Bliley Act)
  • Uses customer data for email marketing (see the CAN-SPAM Act)
  • Uses consumer reports (e.g., credit reports) for background checks and credit decisions or furnishes information to consumer reporting agencies (see the Fair Credit Reporting Act)

The FTC provides useful guidance on these and other privacy topics. You may wish to consult an attorney with any specific questions.

Dispose of data responsibly

Keep data only as long as you need it. A written retention policy will remind you when to discard various categories of data, and help you plan for its secure disposal. Use a commercial shredder for paper records and destroy or wipe PC and server hard drives. Don’t forget copier hard drives, which can store personal data among thousands of digitized images.

Create a privacy culture

Promote privacy as a core value in your business by ensuring privacy policies and procedures are clear and consistently enforced. Identify employees who must have access to customer data to do their jobs and make sure they’re trained and accountable. In your business, this could include receptionists, sales representatives, repair technicians or delivery staff, as well as account managers and bookkeepers. Employees who don’t need access to personal data should never see it. Train your employees using examples related directly to the tasks they perform. Post simple written guidelines and reminders. Require new employees to sign an agreement to follow your company’s privacy and security standards. Finally, designate a privacy contact your employees can go to with questions and concerns.

Do what you say, and say what you do

Having looked under the hood and tinkered a bit, it’s time to take another look at your privacy promises. Make sure your internal practices and procedures align with and tie back to your public privacy policy—if they don’t, you may risk federal or state liability. Review one against the other at least annually, or whenever you make a change in your use of personal data, and update as needed.

Now that we’ve covered the basics, Part 3 will address special privacy topics for small businesses on the move. Whether you’re going global, hosting ads on your website, or launching your first mobile app, we’ll guide you through the privacy challenges and potential pitfalls as you take your business to the next level.