opinion

Will Your Business Need a Data Protection Officer?

Will Your Business Need a Data Protection Officer?

Any online business is either managing the data it collects or needs to learn how quickly, and every business that collects any kind of data needs to become compliant and maintain compliance with data protection laws.

Whether you are selling barbecue sauce or big beautiful women, your business will never reach its potential without big data, and big data imposes big responsibilities

If you collect data from your customers, you need to take steps to comply with various and overlapping data protection laws.

Who your customers are, where they live, how often they visit your site, what they buy, and how often they buy are critical data that can help tailor your offerings and increase sales.

In an increasingly competitive environment, not using big data to improve your bottom line is a mistake that cuts into profits. Collecting information from your customers is a necessary part of doing business online, and proper data management is necessary to make the most of that data.

However, if you collect data from your customers, you need to take steps to comply with various and overlapping data protection laws.

Next May, the E.U.’s General Data Protection Regulation (GDPR) will take effect, and if you collect information, like login name, IP and email addresses from E.U. residents, or if E.U. residents buy your stuff, your business is subject to this law.

The GDPR requires, at minimum, that you post a privacy policy with understandable terms and actually stick to those terms. Additionally, it requires businesses to maintain systems where customers can correct erroneous information or have all their data erased, and under the GDPR, erased really does mean erased.

After a customer requests deletion, deactivating that customer but retaining the customer data in an inactive file is a violation incurring potentially large financial penalties. The penalties are intended to be “effective, proportionate, and dissuasive.” That means they’re intended to make it more financially sensible to comply than not, but if you don’t comply, the penalties will cause pain, no matter how big or small your operation. It does not matter where your business is located – if you have E.U. customers, the GDPR applies to you.

While the GDPR will create relatively uniform requirements across the E.U., the U.S. has a growing number of data security and privacy laws, with different requirements, and no federal unifying code.

As of this writing, 48 states, the District of Columbia and Puerto Rico have some sort of data protection law on the books and it can be a confusing mess, with varying requirements for privacy policy notices, how to define data breaches, and what to do after a data breach is discovered, who must be notified and how, and how much time you have to do it. As a business owner, you need to know what laws apply to you and what you need to do to stay compliant.

Some states require a privacy policy to be published on your website, others don’t. Some jurisdictions define a data breach as someone copying information from your servers, others define a data breach as unauthorized access, even if no copying or altering took place.

Some states require notifying the attorney general if you experience a data breach, most require notification of the persons whose data has been compromised, and most have exceptions to the notice rules if the data that was compromised was encrypted so long as the encryption key was not compromised.

California has comprehensive data protection requirements if you collect information from California residents, and Nevada just passed a law that requires a privacy policy to be published on any website that collects any type of identifying information from Nevada residents, even if all you collect is an email. Nevada is quite nice in that it gives you 30 days to post or correct a Privacy Policy after you have been informed of failure to comply.

Both states make it a violation to not post a privacy policy and also make it a violation if you knowingly violate your own privacy policy, so copying and pasting someone else’s privacy policy can cause you more problems than not posting a privacy policy at all.

With so many different jurisdictions and laws in the online space, attempts at compliance can be intimidating. At minimum, every business should be complying with the laws of the jurisdictions where your company headquarters is located, where it is incorporated, where it is hosted, and where its billing solutions are located.

You will need to post accurate Data Privacy Policies, respond to customer requests to delete or correct data, and have a plan in place to respond to a data breach. Does an affiliate manager selling a USB with 1,000 email addresses trigger notification requirements?

It depends on where you are located. Does your state or country require notifying a data protection authority after a discovered breach? Many do, and the time to notify varies, some within 72 hours. Does an employee losing a laptop with customer information count as a data breach? Most likely, and if you don’t have a response plan, you will waste valuable hours figuring out what your law requires.

Getting off the phone with your webmaster who tells you his laptop was stolen from his car is not the time to figure out if you need to notify an attorney general or what constitutes a reportable data breach. Put an emergency response plan in place before you need it, and run some desk top drills.

The good thing about data privacy laws are that they apply equally to all businesses and don’t single out adult enterprises, but the bad things are that an online business needs to comply with laws from many jurisdictions and the number of professionals that understand data privacy compliance is woefully inadequate, and the number of certified professionals even smaller.

Some online businesses will need a full-time data protection officer, others will only need review and updating of current data policies with regular checkups, but everyone will need to include data privacy issues in business planning. If you haven’t started planning for data protection rule compliance, you are already behind.

Chad Anderson is an Arizona attorney working in the area of cybersecurity and data privacy. He can be reached at chad@chadknowslaw.com.

Related:  

Copyright © 2025 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

WIA Profile: Lainie Speiser

With her fiery red hair, thick-framed glasses and a laugh that practically hugs you, Lainie Speiser is impossible to miss. Having repped some of adult’s biggest stars during her 30-plus years in the business, the veteran publicist is also a treasure trove of tales dating back to the days when print was king and social media not even a glimmer in the industry’s eye.

Women in Adult ·
opinion

Fighting Back Against AI-Fueled Fake Takedown Notices

The digital landscape is increasingly being shaped by artificial intelligence, and while AI offers immense potential, it’s also being weaponized. One disturbing trend that directly impacts adult businesses is AI-powered “DMCA takedown services” generating a flood of fraudulent Digital Millennium Copyright Act (DMCA) notices.

Corey D. Silverstein ·
opinion

Building Seamless Checkout Flows for High-Risk Merchants

For high-risk merchants such as adult businesses, crypto payments are no longer just a backup plan — they’re fast becoming a first choice. More and more businesses are embracing Bitcoin and other digital currencies for consumer transactions.

Jonathan Corona ·
opinion

What the New SCOTUS Ruling Means for AV Laws and Free Speech

On June 27, 2025, the United States Supreme Court handed down its landmark decision in Free Speech Coalition v. Paxton, upholding Texas’ age verification law in the face of a constitutional challenge and setting a new precedent that bolsters similar laws around the country.

Lawrence G. Walters ·
opinion

What You Need to Know Before Relocating Your Adult Business Abroad

Over the last several months, a noticeable trend has emerged: several of our U.S.-based merchants have decided to “pick up shop” and relocate to European countries. On the surface, this sounds idyllic. I imagine some of my favorite clients sipping coffee or wine at sidewalk cafés, embracing a slower pace of life.

Cathy Beardsley ·
profile

WIA Profile: Salima

When Salima first entered the adult space in her mid-20s, becoming a power player wasn’t even on her radar. She was simply looking to learn. Over the years, however, her instinct for strategy, trust in her teams and commitment to creator-first innovation led her from the trade show floor to the executive suite.

Women in Adult ·
opinion

How the Interstate Obscenity Definition Act Could Impact Adult Businesses

Congress is considering a bill that would change the well-settled definition of obscenity and create extensive new risks for the adult industry. The Interstate Obscenity Definition Act, introduced by Sen. Mike Lee, makes a mockery of the First Amendment and should be roundly rejected.

Lawrence G. Walters ·
opinion

What US Sites Need to Know About UK's Online Safety Act

In a high-risk space like the adult industry, overlooking or ignoring ever-changing rules and regulations can cost you dearly. In the United Kingdom, significant change has now arrived in the form of the Online Safety Act — and failure to comply with its requirements could cost merchants millions of dollars in fines.

Cathy Beardsley ·
opinion

Understanding the MATCH List and How to Avoid Getting Blacklisted

Business is booming, sales are steady and your customer base is growing. Everything seems to be running smoothly — until suddenly, Stripe pulls the plug. With one cold, automated email, your payment processing is shut down. No warning, no explanation.

Jonathan Corona ·
profile

WIA Profile: Leah Koons

If you’ve been to an industry event lately, odds are you’ve heard Leah Koons even before you’ve seen her. As Fansly’s director of marketing, Koons helps steer one of the fastest-growing creator platforms on the web.

Women in Adult ·
Show More