Data, Privacy & Cybersecurity

Data, privacy and cybersecurity issues are critical for companies that collect, use, process, store, license and/or disclose personally identifiable information (“Personal Information”), whether from customers or prospects, employees, business partners or other third parties. The regulation of privacy and data security continues to rapidly evolve. Many of these laws may be sector specific or intended to address specific uses, for example the collection and use of biometric data, personal data in the advertising sector or financial services sector, or products and services that are child directed or can prompt young children to provide their personal information.

If you are doing business in the European Union (“EU”), you should consider the whether your company is subject to EU privacy and data protection requirements, including the General Data Protection Regulation or GDPR other EU rules governing marketing communications or other specific data driven activities.

If you collect personal information from California consumers you may be subject to the recently enacted California Consumer Privacy Act is intended to give individuals control significantly enhanced control over their data and restrict certain downstream uses of personal data.

Amid a growing number of high-profile data breaches (Equifax, Marriott, Facebook, etc.), which can be incredibly costly and damaging to corporate reputation, you need to be aware of regulatory regimes affecting your processing of Personal Information and vigilant as to ongoing compliance.

As a result, we recommend consulting with a lawyer that has expertise in this field prior to processing Personal Information.

U.S. Federal Privacy Laws

There is no single U.S. federal privacy regime. Instead, U.S. federal privacy laws tend to be based upon a company’s industry. Some of the key federal laws that may impact your company are highlighted below.

Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) 
HIPAA deals with the protection of certain kinds of health information, known as protected health information (“PHI”). PHI is information that can be used to identify an individual and that relates to an individual’s physical or mental health, the provision of health care to him or her, or payment for that provision. HIPAA applies to health plans, healthcare providers, healthcare clearinghouses (each, a “Covered Entity”), and third parties that perform services for Covered Entities involving PHI (“Business Associates”).

A Covered Entity may only disclose PHI as required or permitted by HIPAA. A Covered Entity is required to disclose PHI to individuals or their personal representatives in most situations, and to the Department of Health and Human Services (“HHS”) if it is undertaking a compliance investigation, review, or enforcement action. HIPAA also allows discretionary disclosures in certain situations, including for treatment or payment operations, disclosures incidental to other permitted uses and when in the public interest (such as for law enforcement purposes or relating to victims of abuse or domestic violence). If a disclosure is not required or permitted under HIPAA, the individual’s authorization must be obtained in writing before the disclosure can be made. Disclosures must normally be limited to the minimum amount necessary to satisfy the purpose of the request for the information.

Covered Entities are required to create policies and procedures for routine or recurring disclosures, as well as for disclosure requests. A privacy policy must also be created, describing possible uses and disclosures of PHI as well as duties and practices for protecting that information. The Covered Entity must deliver a notice describing this policy to all individuals with whom it has a direct treatment relationship. Covered Entities must designate privacy personnel, train employees and management to follow the policy, create reasonable data safeguards, and maintain documents and records.

Failure to comply with HIPAA can subject the Covered Entity and individuals within it to both civil and criminal penalties. The Health Information Technology for Economic and Clinical Health Act (“HITECH”) a measure included in the American Reinvestment and Recovery Act (“ARRA”) signed into law in 2009, increases the requirements and liability of both Covered Entities and Business Associates.

The Gramm-Leach-Bliley Act (“GLBA”) 
The GLBA applies to any business that is significantly engaged in financial activities, such as lending money or providing financial advisory services, including potentially fin tech companies. Whether a company is “significantly engaged” in financial activities depends on whether there is a formal arrangement and how often the company engages in that activity.

Under the GLBA, financial institutions must provide their customers with a privacy notice disclosing what categories of nonpublic personal information (“NPI”) are collected, what categories of NPI are disclosed, third parties to whom it will be disclosed, any disclosures required by law and any disclosures otherwise permitted by law.

Customers must also be given a reasonable opportunity (such as a toll-free number or a simple form) to opt out of any NPI-sharing agreement. The privacy notice and the opt-out usually must be provided to the customer at the time the customer relationship is established, and at least once annually thereafter. An opt-out does not need to be given if NPI is disclosed only to certain third-party service providers or to a financial institution that you have entered into a joint agreement to provide financial services with.

Consumers (customers who are commercial clients or individuals using your product or service for a business purpose) must only be provided with a privacy notice if the company significantly engaged in financial activities will share their NPI with nonaffiliated third parties outside of any exception (such as where necessary for a transaction authorized by a consumer or where necessary to comply with applicable laws). This privacy notice must only explain a reasonable way for the consumer to get the full privacy notice and must include an opt-out.

Children’s Online Privacy Protection Act (“COPPA”) 
COPPA establishes rules for the collection, use, and distribution of information about children under 13 that could be used to identify the child. COPPA applies to operators of websites or online services that are directed in whole or in part at children under 13 or that are directed at a general audience but knowingly collect information from children under 13 (each, an “Operator”).

Every Operator must clearly and prominently display a link to a privacy notice on the home page of its website and at each area where personal data is collected from children. This notice must contain the name of all Operators collecting or maintaining personal information from children as well as the contact information of an Operator who will respond to all privacy inquiries. It must also describe the types of information collected, how the information will be used, and to whom and for what purposes it will be disclosed. Parents must be given the option to consent to collection without disclosure.

Before collecting most kinds of Personal Information, Operators must also give direct notice to parents including the information in the privacy notice, as well as a request for consent to collect information from the parent’s child. The method for consent depends on how the information will be used, with internal uses requiring less rigorous methods such as email, and external uses requiring stricter methods. Parental consent may always be revoked.

Operators who violate the policies of COPPA are subject to enforcement actions and civil penalties by the Federal Trade Commission (“FTC”). Individual states can also bring enforcement actions against companies for violating COPPA. Operators can meet safe harbor criteria by establishing self-regulatory programs to govern compliance with COPPA that are approved by the FTC and include independent monitoring and disciplinary provisions.

U.S. State Privacy Laws

Many states have begun to enact their own laws to protect Personal Information. This is an area that is changing rapidly, so it will be important to work with legal counsel to obtain the most up-to-date information about the requirements of the states in which you will do business and/or collect Personal Information. Notably, even if you do business in only one state, you may be subject to the laws of any states of residence of the individuals from whom you collect Personal Information. By way of illustration only, consider the following:

• California requires all operators of commercial websites or online services that collect personally identifiable information to conspicuously post a privacy policy. This policy must identify the categories of personally identifiable information collected and the categories of third parties to whom it may be shared. The policy must also describe the process by which the Operator will notify consumers of changes to the privacy policy.

• California also is rolling out a comprehensive privacy law, the California Consumer Privacy Act (“CaCPA”), effective January 1, 2020. The CaCPA regulates how organizations can use the personal information of California consumers by granting California consumers new rights and control over their information, including: (i) the right to access their personal information and know how it is used; (ii) the right to request deletion of their personal information, and (iii) the right to opt out of the sale/disclosure of their personal information. The law also will require organizations to provide transparency through privacy policies with prescribed content and contain restrictions on the sale and disclosure of personal information. We anticipate revisions to the law and regulations to clarify and detail its requirements in advance of it going to effect on January 1, 2020.

• Connecticut regulates the use of Social Security numbers collected from consumers. Under its policy, an individual’s Social Security number may not be publicly displayed or printed on a card required to access services. It further may not require individuals to transmit unencrypted Social Security numbers or use a Social Security number to access a website unless another authentication device is also required. The law also mandates the creation and public display of a privacy protection policy that protects the confidentiality of Social Security numbers and prohibits their unlawful disclosure.
• Massachusetts requires businesses that handle personal information belonging to Massachusetts residents to institute a comprehensive written information security program (“WISP”) containing administrative, technical, and physical safeguards designed to protect personal information. The policies must be tailored and appropriate to the nature and type of data collected and the organization’s size and resources. Failure to institute such a program can result in regulatory penalities and enforcement by the Massachusetts Attorney General.
• Nebraska and Pennsylvania have dealt with privacy through their deceptive trade practices laws, with identical statutes imposing penalties for knowingly making false or misleading statements in privacy policies regarding the use of personal information. Minnesota and Nevada have passed laws governing when Internet service providers can disclose private information. Utah requires all businesses, whether online or otherwise, to disclose to customers what personal information it will share to third parties. Review with legal counsel applicable laws of states in which your company will do business and/or in which you will collect Personal Information.

U.S. Data Breach Notification Laws

While there is no federal data breach notification law, all 50 states have now enacted their own laws requiring notification to individuals whose personal information has been accessed or acquired without authorization due to a security breach. Importantly, the which law or laws apply depend not on the location of the company but on the state of residence of the impacted individuals. As a result, dozens of different laws can apply to any given situation. While the laws are broadly similar in nature, there are differences that require careful evaluation in the event of a security incident to determine whether and to what extent they apply, and what notices are required to both individuals and government entities.

Europe’s Data Privacy Laws

The GDPR
Companies doing business in the EU must be aware of the General Data Protection Regulation 2016/679 (“GDPR”), which came into effect across the member states of the EU on May 25, 2018. The GDPR provides enhanced obligations on companies dealing with personal data, whilst giving individuals (“data subjects”) greater control over their data.

The GDPR protects “personal data”, defined broadly as any information relating to an identified or identifiable person. IP addresses, device IDs, location data and information gathered by means of cookies can be considered personal data.

The GDPR applies to businesses based in the EU and to those based outside the EU that (i) provide goods or services to data subjects in the EU, or (ii) monitor their behavior (for example, through online tracking), wherever the processing (e.g. storage) takes place.

GDPR compliance obligations flow from the status of your company as a “data controller” (i.e., an entity making decisions about personal data that is processed for its own purposes, for example marketing) or as a “data processor” (i.e., an entity processing personal data solely on behalf of and at the direction of a controller, generally SaaS/cloud providers). Most of the GDPR’s obligations fall on controllers, including the requirement to provide data subjects with detailed privacy policies and to notify data breaches to EU authorities and data subjects. Processors are subject to (i) contractual obligations that the controller imposes through a data processing agreement; and (ii) certain direct, independent legal obligations, including notifying controllers of data breaches and cooperating with EU authorities.

The GDPR grants data subjects rights and control over their data, including (i) the right to access their data, (ii) the right to erasure (“right to be forgotten”), (iii) the right to object to the processing under certain circumstances, and (iii) the right to “data portability” (the right to easily move one’s data to another service provider). Businesses are required to respond to data subjects within tight timeframes.

The GDPR also restricts the transfer of personal data to certain countries outside the EU which are not considered to be “adequate” for data protection (such as the U.S.), by requiring companies to implement an approved transfer mechanism (e.g., executing EU Standard Contractual Clauses; self-certifying to the EU-U.S./Swiss-U.S. Privacy Shield frameworks).

Member states of the EU might provide specific requirements for certain types of data, such as employee data, health data and children data.

The GDPR provides potential fines for violation of core data protection requirements (including processing without valid consent, breach of individuals’ rights, or unlawful data transfers) of up to the higher of 20 million euros or 4% of global annual revenues, or up to the higher of 10 million euros or 2% of global annual revenues for violations regarding notification of data breaches, data processor terms, and other requirements. Data subjects have also a private right of action. Moreover, non-profit organizations can bring claims on behalf of data subjects, which might give rise to US-style class actions.

Other EU Laws
Companies doing business in the EU should also consider other EU regulations governing specific aspects, for example:

(i) the use of cookies/other tracking technologies and marketing activities (regulated by the EU “e-Privacy” Directive 2002/58/EC), and

(ii) security and data breach requirements under the EU Directive on security of network and information systems (NIS Directive) applicable to operators of “essential services” in specific sectors (e.g., transport, energy, health, banking, financial markets infrastructure) and “digital service providers” (i.e. online marketplaces, search engines and cloud computing providers).

Companies targeting consumers should also consider the application of EU consumer protection legislation to their business.

Other Foreign Data Privacy Laws

Data protection requirements in other countries vary greatly in the level of protection required, with some countries opting for national protection schemes and others allowing industries to regulate themselves. Be sure to perform a review of applicable laws before doing business in any foreign country.