Data Privacy Issues For Emerging Businesses

Start-ups and emerging businesses need a detailed privacy policy and data privacy plan in place from the outset.

Data Privacy Issues

Basics: Data privacy is the relationship between the collection and dissemination of data, along with the determination of what – and under what circumstances – data can be shared with third parties. The issues surrounding data privacy are ever expanding and becoming more complex as state and national governments enact laws designed to protect the privacy rights of people in the Internet age. Privacy concerns arise whenever personally identifiable information (healthcare records, financial information, criminal information, residence or geographic records, location based services, biological information, etc.) is collected, used, stored, or disclosed. Virtually every company nowadays would be well served to have a detailed privacy policy and data privacy plan in place from the outset.

U. S. Data Privacy Laws

In the United States, there is currently no universal data privacy law – rather there are a handful of laws dealing with certain specific situations and/or classes of data, including:

  • COPPA – Children’s Online Privacy Protection Act

COPPA is a law created to protect the privacy of children under the age of 13. In general, it requires a company to obtain parental consent before collecting or using any data from children, and it specifies what must be present in a privacy policy – including the requirement that the policy itself be posted anywhere data is collected.

  • HIPAA and HITECH – Health Insurance Portability and Accountability Act; Health Information Technology for Economic and Clinical Health Act

HIPAA is a wide-ranging law which governs the use and disclosure of Protected Health Information (PHI) in healthcare treatment, payment, and related operations. The HITECH Act is a law that was passed to promote health information technology and the use of electronic health records. The HITECH Act also expanded upon the privacy requirements of entities covered by HIPAA, particularly with respect to breach notification requirements.

  • Gramm-Leach-Bliley Act

The GLBA is a federal law that governs the ways that financial institutions deal with the private information of individuals. Financial institutions include any company that offers consumers financial products or services, including loans, financial or investment advice, or insurance.

  • Electronic Communications Privacy Act

The ECPA is an extension of the federal wiretap laws that prohibits (both civilly and criminally) the intentional interception, disclosure, or use of any wire, oral, or electronic communication.

  • Video Privacy Protection Act

The VPPA was originally passed to prevent a video tape service provider from knowingly disclosing an individual’s personally identifiable information to third parties. The law has since been applied to digital video materials and streaming services.

  • California Consumer Privacy Act (goes into effect January 1, 2020)

The CCPA is the first law in the United States to follow the stringent privacy laws codified in the European Union’s General Data Protection Regulation (GDPR). The Act extends protections to the citizens of California and applies to for-profit entities doing business in California. For the Act to apply to a business, it must meet one of the following criteria: (1) annual gross revenue in excess of $25 million, (2) receive or share the personal information of more than 50,000 California residents annually, or (3) derive at least 50% of annual revenue by selling the personal information of California residents. The U.S. government is currently considering a national data privacy law that will likely borrow some aspects of the CCPA and GDPR.

Every Business Needs a Privacy Policy

A privacy policy is a legal document that discloses the ways a party gathers, uses, discloses, and/or manages a customer’s data.

  • Every company needs a privacy policy which specifically outlines the scope of their use of customer and client personal information.
  • Personal information can include a person’s name, address, date of birth, marital status, contact information, social security number, driver’s license, financial information, medical history, and location services.
  • A privacy policy should inform the customer of which specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises.
  • The exact nature of a company privacy policy should take into account the nature and use of the information, the nature of the industry, and any specific privacy laws that may apply in the jurisdictions where the company operates.

Businesses Must Plan for a Potential Data Breach

A data breach is an incident in which private data is copied, transmitted, viewed, stolen, accessed, or used by an individual unauthorized to do so. Examples include:

  • Theft, loss, or unauthorized disclosure of digital media such as computer tapes, hard drives, laptop computers, or cell phones on which private data is stored unencrypted.
  • Posting private information on the Internet or on a computer otherwise accessible from the Internet without proper information security precautions.
  • Transfer of private information to a system which is not completely open, but is not appropriately or formally accredited for security at the approved level, such as unencrypted email.
  • Transfer of private information to the information systems of a possibly hostile agency, such as a competing corporation or a foreign nation, where it may be exposed to more intensive decryption techniques.

Many jurisdictions have passed data breach notification laws, requiring a company that has been subject to a data breach to inform customers (sometimes within a set time period) and take other steps to remediate possible injuries. Therefore, depending on the nature of your business, it is imperative that your company (ideally with the assistance of an attorney) has developed a plan to detect and report a data breach.

Data Privacy Action Items

  • Identify the nature and scope of your company’s collection and use of customer data.
  • Identify any specific privacy laws that may be triggered by your company’s collection and use of customer data.
  • Prepare a Privacy Policy and prominently display it (or link it) at every point where customer data is collected.
  • Review and regularly update your Privacy Policy to comply with changing business conditions and changing laws.
  • Have a plan in place to ensure – to industry standards – the security of customer data.
  • Have a plan in place to detect and report a data breach.
  • Consulting with experienced counsel is highly recommended for most of these steps.

Douglas Hall has more than two decades of experience assisting businesses with intellectual property litigation and transactional matters. Contact Doug at dhall@lynchlaw-group.com or (724) 776-8000 with questions regarding your company’s privacy policy and data privacy plan.