It seems like every year brings a data breach that affects more people than the last. In 2017 and 2018, we saw some of the largest data breaches in history. Equifax lost information belonging to 148 million people, the data of more than 87 million Facebook users was improperly shared with Cambridge Analytica, and Marriott Starwood Hotels disclosed a breach affecting as many as 500 million guests.
In response, governments across the globe have proposed or passed broad privacy regulations limiting what companies can do with the data gathered from individuals. In 2018, the European Union started enforcing the General Data Protection Regulation (GDPR). US Senators Marco Rubio and Ron Wyden have proposed broad privacy legislation as well.
Finally, in the absence of action from Congress, state legislatures have enacted their own privacy laws. In 2018, California passed the California Consumer Privacy Act (CCPA) and Ohio passed the Data Protection Act (DPA). In 2019, Utah’s and Washington’s state legislatures proposed privacy legislation.
The labyrinth of privacy regulations can make it difficult to figure out how to comply. This article discusses some of the main themes in privacy regulation and what companies should do to address their privacy obligations.
Most privacy laws start with the premise that companies must tell consumers how and why they gather personal information. To achieve that goal, privacy laws require companies to post a public notice explaining the following:
1. Why the company is gathering personal information.
2. What the company does with that information.
3. Whether the company shares that information with third parties.
4. Whether personal information is used only for the company's own purposes or is sold to third parties.
5. What the company does to protect personal information.
6. What rights, if any, a consumer has when it comes to processing personal information.
7. How to contact the company in case consumers have questions about how the company handles personal information.
Privacy regulations vary when it comes to consumer rights, but the three recurring rights are:
1. The right to access personal information.
2. The right to delete information.
3. The right to restrict how a company processes information.
Regarding access, companies not only need to provide information in the privacy notice, but they also need to provide the personal information itself to consumers when a consumer requests it. Companies must provide the requested information in a commonly used electronic format and within a reasonable time after the consumer's request. The deadlines are specific: the GDPR requires a response within one month of the request (extendable by two further months for complex or numerous requests), and the CCPA requires a response within 45 days (extendable once by another 45 days).
Many companies worry about the right to delete or restrict personal information because it triggers an obligation to delete or restrict that personal information not only on the company's own systems but also at the partners and service providers who received it from the company. There are, however, exceptions to those rights. For example, consumers cannot require a company to delete personal information, or to stop processing it, when the information is needed to perform a contract between the company and the consumer.
Most privacy laws require some level of administrative privacy within a company. Administrative privacy includes privacy policies and procedures, a privacy charter approved by the company's board of directors, data protection impact assessments, and a process for responding to consumer requests and data breach events. A designated person who is responsible for the company's privacy objectives should routinely report to the highest level of management on data protection impact assessments, consumer requests, breach events, and progress toward privacy goals.
To make companies pay attention to privacy regulation, most privacy laws provide for substantial fines for failures to comply. For example, under the GDPR, regulators can levy fines of up to €20,000,000 or four percent of worldwide annual revenue, whichever is greater. In the United States, the CCPA gives California consumers a private right of action, including class actions, when a company's failure to implement reasonable security practices results in a data breach, with statutory damages of $100 to $750 per consumer per incident. Those class action lawsuits can quickly add up to millions of dollars in claims and millions of dollars in litigation defense costs.
Given these privacy obligations, what can a company do to address these laws? At a minimum, companies need to draft policies and procedures explaining how the company governs personal information, preserves privacy, allows consumers to exercise their rights, and monitors its privacy objectives.
Regarding governance, a designated executive should provide regular reports to the board about security assessment results, progress on addressing security matters, audits of the security program, privacy and security awareness campaigns, and data breach incidents.
Executives and board members should have an opportunity to review these items, recommend solutions, and communicate regular privacy directives to employees. In line with the duty of care, executives and board members must reasonably address privacy and security issues raised during these meetings. If executives and board members fail to hold these meetings, they may breach their fiduciary obligations to the company.
Companies should also post clearly written privacy notices explaining how the organization gathers information, why it gathers that information, which business partners receive that information, what rights consumers have, and how consumers can contact someone responsible for privacy at the company.
Tsutomu Johnson is a privacy attorney at Parsons Behle & Latimer and is the CEO of Parsons Behle Lab, a software company that provides automated legal documentation for complying with privacy laws such as the GDPR and the CCPA. His email is tjohnson@parsonsbehle.com and his phone number is 801-536-6903.