Data Privacy Laws: 6 Best Practices Every Business Should Know

April 4, 2024 | Tara Swaminatha | Data Security, Cyber Law, Privacy Law

Data privacy laws are complex and ever-evolving, and there is no one-size-fits-all solution. However, there are some best practices that every business (or organization) should consider regarding data privacy. By following these, organizations can create a strong foundation for protecting their customers’, employees’, partners’ or other individuals’ data handled by the organization.

This article provides an overview of current data privacy laws in the United States, outlines six privacy law best practices that will set up your business for success, and explains why implementing a solid privacy policy is critical for your company's future.

What Is Data Privacy?

Data privacy concerns how individuals and organizations control the collection and use of personal information. Data privacy is often confused with data security; the two terms are related but not interchangeable.

Data security for businesses refers to the measures taken to protect all data—not just personal information—from malicious threats, while data privacy deals with rules that must be followed for handling personal information. 

In this post we focus on data privacy and protecting personal information; our other recent blog post discusses types of data and their required protections in more detail.

There are various ways to protect data privacy, including encrypting data, restricting access to authorized individuals, only sharing with third parties when authorized, and securely destroying data that is no longer needed. Organizations must take data privacy seriously and develop a holistic data privacy program in order to protect the sensitive personal information of their employees, customers, and partners from the moment the organization receives the information (usually referred to as “collecting” the information).

Data Privacy Laws In The US

No matter the industry or the size of the organization, most companies must follow reasonable data privacy practices under U.S. state laws. Indeed, small businesses are generally subject to the same laws that apply to larger organizations. Certain laws only apply to companies with a certain amount of gross revenue or that handle data of a certain number of state residents. However, in the United States, no single law covers the privacy of personal information for all types of organizations. Instead, the US has a medley of federal and state laws protecting the privacy of personal information based on a company’s sector (e.g., insurance, financial institutions, government agencies), the types of personal data held, or the quantity of personal data held. As a result, businesses operating in the US need to be aware of a complex legal landscape surrounding data privacy that changes rapidly.

At the federal level, the most comprehensive law applies only to government agencies. The Privacy Act of 1974 established rules around collecting, storing, and using personal information. However, this law does not apply to private companies.  

In addition, some laws govern specific types of personal data. For example, the Health Insurance Portability and Accountability Act (HIPAA) generally requires certain providers and insurers (and their third-party vendors and partners) to safeguard the confidentiality of medical and insurance records, while the Gramm-Leach-Bliley Act requires financial institutions to protect the privacy of consumers’ financial information entrusted to the institutions. Meanwhile, the Children’s Online Privacy Protection Rule (COPPA) prohibits online service providers from collecting certain types of personal information from children under the age of 13 without parental consent.

At the state level, as of the end of 2022, five states have passed comprehensive privacy laws protecting consumer personal information held by entities subject to the laws and establishing specific rights individuals may exercise regarding their personal information, such as the right to delete information or to prevent a company from selling their personal information. For example, the first comprehensive privacy law was the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) ballot initiative, which together set out rules around how companies can collect and use consumers’ personal data. At present, the CCPA has a limited exemption for employee personal information. The exemption may be extended or may lapse. Since then, four other states have followed suit.

By taking steps to comply with data privacy laws, companies can help ensure that they are protecting the personal information of their customers and employees.

Even though you may not be subject to a specific privacy law or regulation, it’s still important to prioritize devising a solid privacy program and policy. The laws mentioned above can provide a strong starting point.

6 Data Privacy Law Best Practices

Businesses of all sizes increasingly collect, store and use customer personal data. At the same time, consumers are becoming more aware of their rights when it comes to data privacy. Data privacy laws are evolving to keep up with these changes and should be viewed as a guide when devising your organization’s privacy policy. In addition, keep in mind these data privacy best practices:

1) Know Your Obligations

Know your obligations, or consult a lawyer who is well-versed in both cybersecurity and privacy law. Depending on your state and industry, there may be different laws and regulations that you need to consider. Every few months one or more states pass new laws or regulations imposing privacy obligations on entities subject to the laws. This trend will continue and may increase in pace. The best way to stay up-to-date is to consult with a cybersecurity and privacy lawyer who follows the latest developments and can help you navigate the ever-changing landscape. In addition to staying informed about the law, it’s vital to prioritize data privacy and security in your organization. Taking a proactive approach can help protect your customers’ data and avoid costly fines or penalties and reputational harm.

2) Be Transparent

Transparency goes a long way in proving the organization complies with data privacy laws and respects consumer rights. Businesses should always be clear and upfront about how they intend to use customer data. 

This means customers must be provided with a clear and understandable explanation of why their data is being collected and how it will be used. Multiple privacy laws and regulations include requirements for consumer notices. Contact ZeroDay Law directly for more information on this. 

In general, in the U.S., organizations should obtain consent from customers before collecting or using their data and provide customers with the opportunity to opt in or out of having their data collected and used in different ways. Businesses should develop, follow and publish a privacy policy that outlines their commitment to protecting customer data and meets privacy policy obligations under U.S. statutes, common law (e.g., FTC guidance) and other applicable global laws.

3) Only Collect What’s Important

There is no need to collect data for the sake of collecting it (for example, in case of some future but unknown use case), and companies should only collect data they need. Collecting excess information increases the potential fallout of a breach. While many businesses assume more data is better, be thoughtful about what you collect and retain, and for how long you retain it.

Determine what personal information you need to collect, have a clear understanding of why you’re collecting it, and remember to relay this to the customer.

4) Protect Your Data

Data collection brings with it a risk of data breaches and cyber attacks, whether caused inadvertently or intentionally. Fortunately, there are several steps you can take to protect data from these threats. One of the most important is to set strong cybersecurity controls in your organization. This might include enabling and enforcing multi-factor authentication for logging into accounts, keeping sensitive or confidential information in specific, secure locations (folders, cloud applications), encrypting sensitive information at rest and in transit, and implementing strict access controls to prevent unauthorized access. We often refer to the holistic set of policies and controls as your cybersecurity program or privacy program.

5) Train Your Employees

It's not enough to simply have a data privacy policy and program in place—you also need to ensure that your employees are aware of it and trained on best practices. Otherwise, your program won't be effective and you can be exposed to liability for having stated in your privacy policy that you follow certain practices when, in reality, you do not. Federal and state regulators often view that as an unfair or deceptive practice towards consumers worthy of investigations and/or enforcement actions. To create a privacy-first culture, start by providing training for your employees. Cover topics such as the definition of personal data, specific to the personal data handled in your organization, how to handle it responsibly, and the consequences for violating policies. You should also make sure that your employees understand the importance of data privacy and why it's essential to protect the personal information handled in your organization.

6) Look At The Big Picture

Having a solid privacy policy in place is a great start, but you need to ensure the policy is easy to adapt as the business grows and new laws and regulations come into play. Organizations should regularly review their privacy policies and practices to ensure they are up to date with the latest changes in the law.

Diving Deeper: Common Privacy Law Questions

What are the potential penalties or legal implications associated with non-compliance to data privacy laws?

Non-compliance with data privacy laws can lead to serious legal implications and penalties. The specifics can vary based on the jurisdiction and the particular law in question, for example:

  • Under the General Data Protection Regulation (GDPR) in the European Union, non-compliance can result in fines of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
  • In the United States, violating the California Consumer Privacy Act (CCPA) can result in civil penalties of up to $7,500 per intentional violation.

Aside from financial penalties, non-compliance can also lead to reputational damage, loss of customer trust and potential lawsuits. As such, it is critical for organizations to understand their data privacy obligations and ensure they are compliant.

How frequently should an organization review and update its data privacy policies to stay current with evolving laws and regulations?

The frequency of reviewing and updating data privacy policies can greatly depend on various factors, such as changes in legislation, technological advancements or shifts in business operations. However, a good rule of thumb is to review these policies at least once a year.

Are there any industry-specific data privacy considerations that need to be taken into account?

While there are some universal data privacy considerations that all businesses must adhere to, industry-specific considerations depend on the type of data handled and the jurisdiction in which a company operates. 

It's crucial for businesses to understand the specific data privacy laws and regulations that apply to their industry. Connect with your privacy law attorney who can help you understand the data privacy needs of your specific organization based on all relevant criteria. 

Importance of Implementing a Strong Data Privacy Program

The importance of implementing a strong data privacy program cannot be overstated. In today's digital age, companies are amassing vast amounts of data on their customers. This raises serious concerns about how that data will be used and protected.

A well-crafted data privacy program can help mitigate these concerns by specifying how customer data will be used and limiting how it can be shared.

A strong data privacy program can also help protect a company from legal risks. In the event of a data breach, an organization with a robust data privacy program will be better positioned to defend against any resulting lawsuits. In addition, a solid data privacy program can help to restore public trust. By being transparent in your privacy policy about how data is used and taking steps to ensure its protection, companies can demonstrate their commitment to safeguarding customer information.

Do you need help devising your company’s data privacy policy, program and controls? Contact us today to speak with an expert.