Privacy Laws and Your Business Activities Online
What is personal information?
Personal information is typically defined as information that can identify an individual or a household. The exact definition varies from law to law, but it usually includes name, address, zip code, and email address, as well as more sensitive categories such as healthcare data, financial records, banking and credit card numbers, and credit information. Because each law defines personal information slightly differently, check the definition in every law that applies to you rather than relying on a single one.
What privacy laws may impact my business?
There are a variety of federal, state, and international laws around privacy and protection of personal information. Since the passage of the California Consumer Privacy Act in 2018, state legislatures have been introducing privacy bills on a regular basis each session. At any time, there may be 10 to 20 privacy bills being considered in states across the U.S. Here are a few of the privacy laws that may impact your business.
Gramm–Leach–Bliley Act (GLBA) — Protects financial information
Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health Act (HITECH) — Protects personal health information
Children’s Online Privacy Protection Act (COPPA) — Protects children’s privacy
Family Educational Rights and Privacy Act (FERPA) — Protects students’ personal information
Fair Credit Reporting Act (FCRA) — Governs the collection and use of consumer information
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) — Protect privacy rights for residents of California
Colorado Privacy Act (expected to be signed into law soon) — Protects privacy rights for residents of Colorado
The New York SHIELD Act — Protects personal and private information of residents of the state of New York
Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts - Establishes minimum standards to be met in connection with the safeguarding of personal information of residents of the state of Massachusetts contained in both paper and electronic records
Nevada Consumer Privacy Act — Protects personal and private information of residents of the state of Nevada collected online
Virginia Consumer Data Protection Act — Protects personal and private information of residents of the state of Virginia collected online
General Data Protection Regulation (GDPR) — A European Union (EU) law that outlines data protection and privacy requirements for the personal data of people in the EU and the European Economic Area (EEA). It also restricts the transfer of personal data outside the EU and EEA.
Each law is slightly different and has different expectations for handling personal information. Additionally, some laws apply only to particular industries or to businesses above a size or revenue threshold (for example, GLBA covers financial institutions and HIPAA covers healthcare covered entities and their business associates), while others apply to any business that handles the covered personal information.
What kind of penalties could I face for not adhering to these laws?
Violations of these laws may result in fines or statutory damages for your business, and sometimes these amounts are assessed per consumer impacted by the violation (e.g., up to $750 per consumer per incident under the CCPA's private right of action for data breaches). Exposure is only going to increase over time as more states pass privacy laws modeled after the CCPA.
Why else should I care?
Privacy policies are more than just a legal hoop. With the fallout from privacy breaches like those experienced by Facebook, Target, and Equifax, privacy is at the forefront of consumers' minds. Just this year, companies big and small (Kroger, US Cellular, T-Mobile, Hobby Lobby) have also experienced data breaches, and customers increasingly expect to know how their information is handled before they do business with you.
How do I protect myself and my business?
Start with a privacy policy that clearly answers the following questions, and make sure your actual data handling matches what the policy says:
Who is collecting the personal information?
What personal information is being collected?
Why is the personal information being collected?
When and how will the personal information be collected?
With whom is the personal information shared, or with whom may it be shared?
Who can a consumer contact with questions or concerns about their personal information?