Date: 2024-02-29

The first-of-its-kind order levies new restrictions on how personal American data can be sold. That means more work for small businesses.

President Joe Biden signed an executive order on Wednesday that sets up novel restrictions on how companies sell the sensitive personal data of Americans, and it could result in more upkeep for small businesses.

Wednesday’s order, which asks federal agencies to establish more guardrails to protect sensitive health, financial, and location data, is meant to strengthen the country’s data security by limiting the collection and subsequent sale of personal data by companies and data brokers. The White House’s concern is that data brokers may sell Americans’ sensitive data to foreign entities, like Russia or China, which could escalate risks the U.S. faces.


In the order, Biden is asking the Department of Justice to draft a framework to protect personal data. That would include information like biometrics, personal health and financial data, as well as geolocation and genomic data. The order also directs certain government agencies to verify that federal grants, contracts, or other awards cannot be used to give so-called countries of concern access to American data. Beyond Russia and China, other countries of concern include Iran, North Korea, and Venezuela.

The case of TikTok jumps to the fore here. The U.S. may not have been able to pull off a nationwide ban of the app, but locking down its data usage could get complicated. China’s cybersecurity laws dictate that Chinese-owned apps must turn over user data to the Chinese Communist Party if requested to do so.

“From my standpoint, this [could] be maybe even the beginning of the American version of the [General Data Protection Regulation], but grounded in national security principles versus privacy principles,” says Matthew Radolec, a vice president at Varonis, a New York City-based data protection company. (GDPR is the landmark European data protection law that laid out a slew of requirements for how data can be collected, stored, and more.) For smaller U.S.-based businesses, the shift may be less foundational but still transformative. The order effectively pushes more responsibility onto small businesses and larger companies to manage customer data as they await new security standards that will prevent countries like Russia and China from buying American data.

Firms should be prepared to review data collection and storage practices, especially if they’re processing or selling any specific personal data of customers. While the exact regulatory framework isn’t yet set, small businesses will need to account for their own data practices to make sure that they’re not inadvertently selling data to a company located in a country of concern.

“They’re going to have to protect this data if they weren’t protecting it already,” says Radolec. “[I]f they were potentially exchanging or selling it, they’re going to have to evaluate whom they’re doing that with and whether or not it’s even permissible. It raises the standards for what these security controls need to be.” While the practice of selling sensitive information off to a data broker may still go on, businesses will need to be more careful about where those parties take that data. (Data brokers gather large amounts of sensitive data, analyze and clean the information, and then sell it to other businesses or entities, typically advertisers.)

Even firms that don’t work with so-called adversarial governments may need to adjust their operations. At the very least, companies could be expected to better shield their data, requiring them to sanitize or anonymize it, Radolec adds. Again, the DOJ has yet to write the rules here, so the full extent of the law that companies may face is not clear.