Data privacy compliance in the 21st century
For a business, an ounce of prevention is definitely worth a pound of cure
Like it or not, we live in a digital world. And even if one were inclined to go off the grid, so to speak, there really is no escaping the fact that our personal information is still accessible.
Banks, credit card companies, even the merchants we deal with, are holding our information and are “on the grid” — and have a responsibility to keep that information confidential and to protect it from unauthorized disclosure. In many cases, they have that obligation pursuant to their own privacy policies. However, they can also be obligated by law to maintain confidentiality of, and to protect, our personal information.
Interestingly, unlike Europe or Canada, the United States does not have a national data privacy law of a general nature, but it does have privacy laws that are specific to particular industries.
For instance, the Health Insurance Portability and Accountability Act of 1996 (HIPPA) applies to the use and disclosure of individuals’ health information by such organizations as healthcare providers, health plans and healthcare clearinghouses.
The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. The Family Educational Rights and Privacy Act (FERPA) affords parents the right to have access to and some control over their children’s education records. When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student.
Unlike the U.S., some countries or regions have their own privacy laws. The European Union recently enacted the General Data Protection Regulation (GDPR). Our neighbor, Canada, has the Personal Information Protection and Electronic Documents Act.
In the United States, protection of personal information, apart from the specific situations identified above, is left to each individual state. One of the most comprehensive state data privacy and security laws is the recently enacted California Consumer Privacy Act of 2018 (CCPA). In some respects it is similar to the GDPR. It applies to the collection of personal information about natural persons who are California residents.
What kind of personal information is covered by these laws? Virtually any that can directly or indirectly identify a natural person. Obviously, personal information includes name, address, telephone number, email address, Social Security number and bank account and credit card numbers, but that is not all. For instance, laws such as the GDPR say that personal information also includes IP addresses (even though IP addresses in reality identify a device rather than a particular person).
Even if particular personal information alone could not be used to identify an individual, if different pieces of information could be combined to identify a person, then each piece of information is considered personal information under the applicable law.
It is important to remember the GDPR applies processing or monitoring of any individuals’ data while they are in the European Economic Area and is not limited to citizens of the EEA. In comparison, the CCPA applies to any for-profit “business” that meets certain financial and legal thresholds and collects consumers’ personal information, and does business in California.
Some questions a business might be pondering are:
1. Why do I even need to worry about these laws?
Businesses that fall within the scope of coverage of the various data privacy and security laws must comply with their requirements or risk substantial liability from both governmental enforcement authorities and individuals. For example, financial penalties under the GDPR for failure to comply can be as high as the greater of 4% of the business’s annual revenues for the prior year or 20 million euros. In California, each violation of the law can cost the business up to $2,500, and if intentional, up to $7,500. Additionally, the business could potentially be subject to injunctive relief or other types of sanctions. Furthermore, compliance likely will instill confidence in the minds of individuals doing business with the company as to security of their personal information.
2. What are the chances that a government authority or individual would come after us if we don’t comply?
The answer is unknown. As to the GDPR , for example, while conceivably a small- or medium-sized business in the United States might not be high on the priority list for the GDPR enforcement authorities (at least at present), noncompliance is a gamble with extremely high stakes. There is some indication that fines might be the preferred method for gaining compliance. If there is a good faith effort at compliance but literal noncompliance, perhaps a warning would be given before a fine or other more serious action is taken. Obviously, it would be significantly easier for an action to be taken by a California governmental authority or individual, as the existence of lawsuits against out-of-state companies in other contexts indicates.
3. How would the liability even be enforced against us in our home state?
With regard to the GDPR, conceivably various international treaties could be invoked to enforce an order or judgment obtained in the EEA against a business located in the United States. It is also conceivable that the EEA authorities could prohibit a business from transacting business in the EEA or impose other sanctions.
With regard to California, risk of enforcement is substantially higher. There are procedures in place for enforcement of judgments in states other than the state where the judgment has been obtained. Risk of enforcement of the CCPA is probably not negligible.
The saying “an ounce of prevention is worth a pound of cure” is very pertinent in the case of complying with various data privacy and security laws. Not only will compliance afford a business protection against potential financial (and other) exposure, it will instill confidence in the minds of individuals dealing with the business. Compliance should not be ignored, but rather something to be embraced.
Attorney Douglas Verge, a former chair of Sheehan Phinney’s Intellectual Property Practice Group, now chairs the firm’s Franchise and Distribution Law Practice Group. He can be reached at 603-627-8119 or firstname.lastname@example.org.