As privacy lawyers, we are frequently asked, “Does my company really need a privacy notice?” We always give the same answer: It absolutely does! A customer-facing privacy notice clarifies how you will use your customers’ data and, as long as you comply with your own policy, can reduce your legal risk, making it easier for you to focus on running your business and building your brand’s value.
The U.S. legal landscape is a patchwork of state and federal privacy laws that vary by jurisdiction and industry. More and more states are passing laws with complex privacy and data security requirements, and it has become harder for companies to keep track of them. In the data security law space alone, the number of states with such laws on the books doubled from 2016 to 2018 and continues to grow.
Federal Laws and Enforcement
In addition, the HIPAA Privacy Rule, a regulation issued under the Health Insurance Portability and Accountability Act (“HIPAA”), the federal healthcare privacy law, similarly sets out the requirements for notices of privacy practices by covered entities. Businesses that fall into either of these industries should be certain to comply with the requirements of these laws regarding the content, placement and disclosures in their customer-facing privacy notices.
Companies conducting business outside of the United States must also be aware of other countries’ laws, such as the General Data Protection Regulation (“GDPR”) in Europe or the Brazilian General Law for the Protection of Personal Data (in Portuguese, the Lei Geral de Proteção de Dados Pessoais) (“LGPD”), before collecting and using any kind of consumer or business data from individuals in those countries. Each of these laws has privacy and data security requirements that may or may not be consistent with the laws in the United States.
One important note to remember is that the disclosures required for data collected through a website from casual visitors are often governed by different laws than the disclosures required for data collected from the business’s customers. Again, a carefully drafted policy will set forth exactly what data is being collected, from whom, and what the company collecting it intends to do with it; in many jurisdictions it must also allow the consumer to control whether or not the company can collect and use that data.
What It All Means