Privacy myths that small business owners still believe

Remember the forbidden light on the ceiling of your parents’ car? Growing up, the three worst things I could do were:

1. Drugs 
2. Drugs
3. Turn that light on at night or even during the day if the weather was somewhat overcast

Time after time, my parents would tell me that turning that little light on at night was illegal and I’d go to prison for a very long time if a police officer saw me do it.

22 years.

That’s how long I believed that. It took a late-night Wendy’s fries and frosties run with my college roommates to finally find out it was all made up. It was a myth.

Despite looking it up for myself and even asking a police officer about it one time, part of me has always remained convinced this is what would happen if anyone were to turn that light on any later than 7:35 p.m.:

Point of the story… myths can stick.

And when it comes to website privacy, a lot of small business owners are still navigating around with myths hanging over their heads. Unfortunately, unlike our little car light, believing in these myths could actually result in some serious legal trouble.

So, let’s shine some light on some of the most common ones. Please note, this is not legal nor parenting advice.

Myth #1: “My business is too small to worry about privacy laws”

Many small business owners assume privacy laws are aimed at giant corporations with entire legal departments. That’s because these businesses ARE too small for the headlines, but not the privacy laws.

The news is riddled with the Metas, TikToks, and Googles of the world getting fined for privacy violations, but you never see Larry’s Light Fixtures getting sued. That’s because $100,000 isn’t as click-worthy as $100 million. However, for Larry, that $100,000 is likely more detrimental than Meta scrounging around its pockets for $100 million. 

The truth is numerous privacy laws that require a small business to have a Privacy Policy. These laws focus on what a business is doing rather than how big a business is. Over the last few years that have also been a massive surge in CIPA demand letters that specifically target small business websites.

Speaking of what a business is doing…

Myth #2: “I only collect names and emails, that doesn’t really count”

Privacy laws see data collection as an on/off light switch. Data is either being collected or it is not. No dimming switch here.

The issue is that small businesses often mistake “personal information” as Social Security numbers or medical information

The reality is, privacy laws also consider the following to be personal information that’s to be protected:

• Emails
• Phone Numbers
• Names
• Addresses
• IP Addresses
• Payment information

Small businesses are regularly requesting this type of information through forms, newsletters, eCommerce tools, analytics, and digital advertising to run their businesses effectively. And, before you say it, let’s get to Myth #3. 

Myth #3: “Well, I’m not sharing this data with anyone”

Remember the first two things I mentioned earlier in the blog wasn’t allowed to do as a child: Drugs and drugs? Well, many small businesses have been led to believe that sharing personal information is like selling drugs. It’s a shady practice where you meet with a data broker on the dark web and exchange ‘the goods’ for money

Yes, selling personal information does happen, and yes privacy laws care about that behavior. However, sharing data is far more common and there’s nothing shady about it. In fact, small businesses almost need to share data to operate, but they also need to disclose this information via proper policies.

Here are just a few examples of sharing personal information with third parties:

Example 1: Someone signs up for your newsletter. You are now sharing that person’s email address and name with your email service provider (e.g. Mailchimp or HubSpot).

Example 2: You are using Google Analytics to see how users are behaving on your website. You are now sharing the IP address of these users with Google. 

Example 3: You have a Google Maps embed on your website that shows users where your business is located. People using this map will have their IP address also shared with Google. 

Sharing data is normal, but privacy laws demand that a small business let users know about this behavior via the proper policies. 

Myth #4: “People are submitting their information to my website voluntarily so that means I don’t need policies.”

While some websites use illegal dark patterns to trick people into giving up their data, it’s true that most websites either don’t do this on purpose or not at all. Which means people are willingly allowing websites to use their data. They key word is “use” and not “have.”

Even if users knowingly offer a website their data, the data remains their personal property – not the property of the business. Therefore, certain polices and consent measures need to be in place to give users the tools they need to understand and control how a website uses their property (in this case, data).

Myth #5: “There are no privacy laws in my state, so this doesn’t apply to me”

It is true that a handful of U.S. states currently don’t have a privacy law. However, the privacy laws of other states/countries don’t care about where a business is located. They just care about their residents and if a website is recognizing their privacy rights.

So, if a website doesn’t actively prevent users from areas with privacy laws from accessing it, that business may need to comply with those laws. For example, a website visitor from California could access your site and submit their personal information on a form or be tracked through tools like GA if you are not blocking them from accessing your site. This means California’s laws like CPRA and CIPA might apply to you. 

Myth #6: “I haven’t been sued yet, so my Privacy Policy must be good”

As with literally every other law out there, you only get punished if you get caught breaking it. A small business should never assume that their Privacy Policy is correct just because they haven’t been fined or sued yet.

This happens all the time with small businesses that:

• Have had the same Privacy Policy for years (with no updates)
• Copied a Privacy Policy from a template or a competitor
• Have had Lorem Ipsum text on their page this whole time and never really noticed

Much like pet insurance, proper policies are worth having in case your website takes a dump on a rattlesnake and you discover just how expensive website vet bills and antivenom are… Yes, my dog pooped on a rattlesnake. 

Myth #7: “Fine, at least any Privacy Policy will suffice”

Many policies out there are nothing more than placebos for your website. They might make you feel nice, but they aren’t actually doing anything. In fact, improper policies could harm your business as it could look like you’re actually trying to hide sketchy privacy practices.

With the rise of privacy-savvy website users, more and more people know what needs to be included in a Privacy Policy.

And guess who extra knows what needs to be in a Privacy Policy? Those enforcing privacy laws. Privacy laws are very specific on what disclosures must be included to comply. It’s extremely easy for an attorney or enforcement office to identify if these are missing from a generic template or a copy & paste job.

Myth #8: “Good thing there’s AI to crank me out some policies”

AI may be great at spelling words like Strawberry… oh, wait. No it’s not.

But even AI knows that a website shouldn’t approach it for legal documents. Simply asking AI if it can will have it like:

Our president, Donata, worked on seeing if she could use her attorney know-how to get Chat GPT to eventually draft a legally-sound Privacy Policy. If she told it what laws to address and listed the specific disclosures required, it could get very close to drafting one. Unfortunately, most small business owners aren’t reading through every single privacy law and its requirements for kicks and giggles on the weekend. 

Myth #9: “Privacy compliance is too complex for a small business owner to handle”

Once upon a time, this was probably true. It was an expensive attorney or nothing.

While an attorney is still the best option for business owners seeking legal advice, there are now more affordable tools like Termageddon that are specifically designed to help small-biz websites keep up with this stuff. That being said, Termageddon isn’t the only Privacy Policy Generator out there. It’s just important for a business owner to pick a generator that:

• Asks specific questions about the business before determining which laws apply;
• Has a legal expert on staff;
• Regularly monitors privacy laws and updates policies as they change;

Final thought: Don’t fall for the light thing

Turns out, turning on that little car light was never illegal. It just felt like it was because we kept hearing it over and over again.

Privacy myths work the same way. They sound right. They spread easily. And they stick around long after they stop being accurate.

The difference is, believing the car light myth didn’t actually do anything except make reading comic books in the backseat extremely frustrating. Believing privacy myths? That can.

P.S. Now that I’m a parent of a child who can reach that super annoying middle light… Well, let’s just say I’ve decided to keep the tradition alive.