As privacy lawyers, we are frequently asked, “Does my company really need a privacy notice?” We always give the same answer: It absolutely does! A customer-facing privacy notice clarifies how you will use your customers’ data and, as long as you comply with your policy, can reduce your legal risk. . . making it easier for you to focus on running your business and build your brand’s value.
The U.S. legal landscape is a patchwork of state and federal privacy laws, which vary by jurisdiction and industry. More and more states are also passing laws with complex privacy and data security requirements, and it has become more challenging for companies to keep track of these requirements. In the data security law space alone, the number of states with privacy laws on the books doubled from 2016 to 2018 and continues to multiply.
Federal Laws and Enforcement
Although there is no one federal privacy law on the books at this time that provides clarify in what must be included in a privacy policy, there are two key federal statutes that govern sector-specific privacy requirements. Gramm Leach Bliley Act (“GLBA”), which is the federal financial law, states specific requirements that must be included in any financial institutions’ privacy policy.
In addition, the HIPAA Privacy Rule, a regulation under the federal healthcare privacy law Health Insurance Portability and Accountability Act (“HIPAA”) similarly sets out the requirements for notices of privacy practices by covered entities. Businesses that fall into either of these industries should be certain to comply with the requirements of these privacy laws regarding the content, placement and disclosures in their customer facing privacy notices.
In addition, the Federal Trade Commission has jurisdiction over most companies and individuals conducting business in the U.S., such as those that are not subject to the more robust GLBA and HIPAA (although these entities may additionally be subject to the FTC Act for violations of their privacy policies). The FTC may use its “unfair or deceptive acts and practices” authority to bring actions against companies who have violated their privacy policies or deceived consumers in some way regarding the protection or use of consumer data, underscoring that a company must carefully draft its privacy policy to ensure that it can comply with the terms of that policy.
In addition, there are numerous state privacy laws either on the books or under consideration, which may not have the same requirements regarding disclosures and standards. Additionally, some states have separate laws that require commercial websites or apps that collect personally identifying information to conspicuously post a privacy policy, even though the state may not have a comprehensive law regarding privacy itself. A carefully drafted privacy policy should include the specific requirements for the states in which the business is subject.
Those companies that are conducting business outside of the United States must also be aware of other countries’ laws, such as the General Data Protection Regulation (“GDPR”) in Europe or the Brazilian General Law for the Protection of Personal Data (or in Portuguese the Lei Geral de Proteção de Dados Pessoais) (“LGPD”), before collecting and using any kind of consumer or business data from individuals in those countries. Each of these laws has privacy and data security requirements which may or may not be consistent with the laws in the United States.
One important note to remember is that there are often different laws governing the disclosures needed for data collected through a website from casual visitors as opposed to the disclosures needed for data collected from the businesses’ customers. Again, a carefully drafted policy will set forth exactly what data is being collected from whom, and what the company collecting this data intends to do with it, and in many jurisdictions, allowing the consumer to control whether or not the company can collect and use this this data.
What It All Means
Creating and maintaining a privacy policy instills discipline for your business regarding privacy risks and helps ensure that you are addressing and taking steps to comply with the law. It tells everyone at the company that privacy matters to the company and helps to create a culture of privacy and data protection. It also helps you keep your customers informed about what data you collect and how you use it, which, in turn can enhance your brand value. These things all go a long way to helping you manage and reduce your privacy risk. By having your privacy requirements buttoned up you can focus on what is really important — running your business.
