Start-ups and emerging businesses need a detailed privacy policy and data privacy plan in place from the outset.
Data Privacy Issues
Data privacy is the relationship between the collection and dissemination of data, along with the determination of what – and under what circumstances – data can be shared with third parties. The issues surrounding data privacy are ever-expanding and becoming more complex as state and national governments enact laws designed to protect the privacy rights of people in the Internet age. Privacy concerns arise whenever personally identifiable information (healthcare records, financial information, criminal information, residence or geographic records, location-based services, biological information, etc.) is collected, used, stored, or disclosed. Virtually every company nowadays would be well served to have a detailed privacy policy and data privacy plan in place from the outset.
U.S. Data Privacy Laws
In the United States, there is currently no universal data privacy law – rather there are a handful of laws dealing with certain specific situations and/or classes of data, including:
COPPA – Children’s Online Privacy Protection Act
COPPA is a law created to protect the privacy of children under the age of 13. In general, it requires a company to obtain parental consent before collecting or using any data from children, and it specifies what a privacy policy must contain – including the requirement that the policy itself be posted anywhere data is collected.
HIPAA and HITECH – Health Insurance Portability and Accountability Act
HIPAA is a wide-ranging law that governs the use and disclosure of Protected Health Information (PHI) in healthcare treatment, payment, and related operations. The HITECH Act is a law that was passed to promote health information technology and the use of electronic health records. The HITECH Act also expanded upon the privacy requirements of entities covered by HIPAA, particularly with respect to breach notification requirements.
Gramm-Leach-Bliley Act
The GLBA is a federal law that governs the ways that financial institutions deal with the private information of individuals. Financial institutions include any company that offers consumers financial products or services, including loans, financial or investment advice, or insurance.
Electronic Communications Privacy Act
The ECPA is an extension of the Federal Wiretap laws that prohibits (both civilly and criminally) the intentional interception, disclosure, or use of any wire, oral, or electronic communication.
Video Privacy Protection Act
The VPPA was originally passed to prevent a videotape service provider from knowingly disclosing an individual’s personally identifiable information to third parties. The law has since been applied to digital video materials and streaming services.
California Consumer Privacy Act (goes into effect January 1, 2020)
The CCPA is the first law in the United States to follow the stringent privacy laws codified in the European Union’s General Data Protection Regulation (GDPR). The Act extends protections to the citizens of California and applies to for-profit entities doing business in California. For the Act to apply to a business, it must meet one of the following criteria: (1) annual gross revenue in excess of $25 million, (2) receive or share the personal information of more than 50,000 California residents annually, or (3) derive at least 50% of annual revenue by selling the personal information of California residents. The U.S. government is currently considering a national data privacy law that will likely borrow some aspects of the CCPA and GDPR.
Every Business Needs a Privacy Policy
A privacy policy is a legal document that discloses the ways a party gathers, uses, discloses, and/or manages a customer’s data.
- Every company needs a privacy policy that specifically outlines the scope of their use of customer and client personal information.
- Personal information can include a person’s name, address, date of birth, marital status, contact information, social security number, driver’s license, financial information, medical history, and location services.
- A privacy policy should inform the customer of which specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises.
- The exact nature of a company’s privacy policy should take into account the nature and use of the information, the nature of the industry, and any specific privacy laws that may apply in the jurisdictions where the company operates.
Businesses Must Plan for a Potential Data Breach
A data breach is an incident in which private data is copied, transmitted, viewed, stolen, accessed, or used by an individual unauthorized to do so. Examples include:
- Theft, loss, or unauthorized disclosure of digital media such as computer tapes, hard drives, laptop computers, or cell phones upon which private data is stored unencrypted.
- Posting private information on the Internet or on a computer otherwise accessible from the Internet without proper information security precautions.
- Transfer of private information to a system that is not completely open, but is not appropriately or formally accredited for security at the approved level, such as unencrypted email.
- Transfer of private information to the information systems of a possibly hostile agency, such as a competing corporation or a foreign nation, where it may be exposed to more intensive decryption techniques.
Many jurisdictions have passed data breach notification laws, requiring a company that has been subject to a data breach to inform customers (sometimes within a set time period) and take other steps to remediate possible injuries. Therefore, depending on the nature of your business, it is imperative that your company (ideally with the assistance of an attorney) has developed a plan to detect and report a data breach.
Data Privacy Action Items
- Identify the nature and scope of your company’s collection and use of customer data.
- Identify any specific privacy laws that may be triggered by your company’s collection and use of customer data.
- Prepare a Privacy Policy and prominently display it (or link it) at every point where customer data is collected.
- Review and regularly update your Privacy Policy to comply with changing business conditions and changing laws.
- Have a plan in place to ensure – to industry standards – the security of customer data.
- Have a plan in place to detect and report a data breach.
- Consulting with experienced counsel is highly recommended for most of these steps.
Pittsburgh Intellectual Property Attorneys
The attorneys at The Lynch Law Group have experience assisting businesses in a wide range of industries with intellectual property litigation and transactional matters. Contact Dan Lynch at dlynch@lynchlaw-group.com or (724) 776-8000 for more information about trademarks or other intellectual property matters.