According to Professor Ari Ezra Waldman, “Privacy policies have been around since the 1990s. It was then that widespread internet use created popular concerns about privacy and led to several privacy-related litigations … Privacy policies have since become ubiquitous, developing first as industry’s way to stave off regulation.”
First, what do you do? Are your customers children? Are you in or affiliated with the health care business? Are you in any form of finance? If you deal with any types of “sensitive” information or special categories of personal data, certain specific laws may require you to outline details of processing related to this sensitive data.
Second, where do you do business? Certain states have enhanced their privacy laws to require that businesses operating under their jurisdiction meet specific privacy and cybersecurity standards. If you do business in, or target citizens of, California, Connecticut, Delaware, Michigan, or Nevada, you may be subject to certain laws that require you to outline details of data processing.
However, publishing a policy can subject you to increased scrutiny. Many organizations that create privacy policies don’t want to fulfill their promises, can’t fulfill their promises, or are unaware of what they promised.
For the past decade, the FTC (Federal Trade Commission) has used its power to prevent unfair or deceptive trade to fine organizations such as LifeLock, Twitter, Facebook, Google, Wyndham Hotels, Fandango, Credit Karma, and Uber, usually for not doing what their published privacy policies promised.
U.S. firms may not need to worry about EU regulators, but they should be concerned about the FTC. All 50 states have UDAP (Unfair and Deceptive Acts and Practices) statutes, which are enforced by state attorney generals, and some have serious teeth (many have mandatory treble damages). In the past 15 years, a core group of states – California, Connecticut, Illinois, Indiana, Maryland, Massachusetts, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Texas, Vermont, and Washington – have taken the lead on UDAP enforcement. Recently, all 50 states prosecuted Uber under UDAP statutes, and collectively obtained a $148 million settlement against the organization.
- COPPA 15 U.S.C. §§ 6501-6506 (2012) (protecting information websites gather from children)
- Requires operators of websites and online services to provide notice of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information
- Family Educational Rights and Privacy Act of 1974, 20 U.S.C. §§ 1221, 1232g (2012) (school records)
- GLBA 15 U.S.C. §§ 6803(2012) 12 CFR 332.9 (delivering privacy and opt-out notices)
- HIPAA 42 U.S.C. § 300gg (2012), 29 U.S.C. § 1181 (2012), and 42 U.S.C. § 1320 d (2012) 45 CFR 164.520 (notice of privacy practices for protected health information)
- Privacy Act of 1974, 5 U.S.C. § 552a (2012) (covers only personal information maintained by federal government)
- Right to Financial Privacy Act of 1978, U.S.C. §§ 3401-3422 (2012) (bank records)
- Cable Communications Policy Act of 1984, 47 U.S.C. § 551 (2012)
- A cable operator shall provide notice in the form of a separate, written statement to subscribers that informs the subscriber of the nature of personally identifiable information collected (e.g. television viewing habits)
- The Electronic Communications Privacy Act of 1986, 18 U.S.C. §§ 2510-2522, 2701- 2709 (2012) (protection against federal surveillance and electronic searches)
- The Americans With Disability Act, 42 U.S. Code § 12115
- Requires an employer to post written notices in an accessible format to employees
- E-Government Act,880. E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899 (regulating federal agencies that gather and store personal data)
- Florida Statutes §501.171 (covers breaches)
- Its protection clause requires businesses to take “reasonable measures to protect and secure data”
- BUS. & PROF. CODE (CalOPPA) §§ 22575-22579
- California Ed. Code § 99122
- Connecticut CONN. GEN. STAT. ANN. § 42-471(b)
- Requires any person or entity that collects Social Security numbers in the course of business to have a “publicly displayed” policy on a web page that must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers
- Delaware’s Online Privacy and Protection Act. DEL. CODE ANN. § 1201 (2000)
- Requires operators of commercial websites and other providers to make their privacy policies conspicuously available on their website
- Michigan MICH. COMP. LAWS § 445.84(1) (2005)
- Nevada S.B. 538
- Requires certain operators of websites or online services that collect certain information from state residents to provide notice of certain provisions relating to the privacy of the information
- Unfair & Deceptive Acts & Practices (UDAP)
- All states have a consumer protection law that prohibits deceptive practices. Some have rights of private action and some allow for treble damages. These statutes can and have been used to punish organizations for failing to fulfill promises on their website privacy policies. However, almost all of them have exemptions and some have been seriously weakened by courts
- State governments in 17 states require state government websites or state government portals to establish privacy policies and procedures, or to incorporate machine-readable privacy policies into their websites
Register for our upcoming webinar
Join us on Tuesday, March 19, 2019, 1:00 p.m. – 2:00 p.m. (EDT) for our free webinar, “How will my organization be penalized if it fails to adhere to the CCPA?”
Affecting organizations both in and out of California, the California Consumer Privacy Act (CCPA) could potentially incur millions in legal costs to your organization if you collect and process the personal data of California residents.
This webinar will cover:
- Penalties for breach of the CCPA
- Penalties for loss of records in a breach
- Breach notifications
- The use of ISO 27001, ISO 27002, ISO 22301, and ISO 27035
- The benefits of an ISO 27001 framework vs. SOC 2 concepts