As privacy lawyers, we are frequently asked, “Does my company really need a privacy notice?” We always give the same answer: It absolutely does! A customer-facing privacy notice clarifies how you will use your customers’ data and, as long as you comply with your policy, can reduce your legal risk, making it easier for you to focus on running your business and building your brand’s value.
The U.S. legal landscape is a patchwork of state and federal privacy laws, which vary by jurisdiction and industry. More and more states are also passing laws with complex privacy and data security requirements, and it has become more challenging for companies to keep track of these requirements. In the data security law space alone, the number of states with privacy laws on the books doubled from 2016 to 2018 and continues to multiply.
Federal Laws and Enforcement
In addition, the HIPAA Privacy Rule, a regulation under the federal healthcare privacy law, the Health Insurance Portability and Accountability Act (“HIPAA”), similarly sets out the requirements for notices of privacy practices by covered entities. Businesses that fall into either of these industries should be certain to comply with the requirements of these privacy laws regarding the content, placement and disclosures in their customer-facing privacy notices.
Those companies that are conducting business outside of the United States must also be aware of other countries’ laws, such as the General Data Protection Regulation (“GDPR”) in Europe or the Brazilian General Law for the Protection of Personal Data (or in Portuguese the Lei Geral de Proteção de Dados Pessoais) (“LGPD”), before collecting and using any kind of consumer or business data from individuals in those countries. Each of these laws has privacy and data security requirements which may or may not be consistent with the laws in the United States.
One important note to remember is that there are often different laws governing the disclosures needed for data collected through a website from casual visitors as opposed to the disclosures needed for data collected from the business’s customers. Again, a carefully drafted policy will set forth exactly what data is being collected from whom and what the company collecting this data intends to do with it, and, in many jurisdictions, will allow the consumer to control whether or not the company can collect and use this data.
What It All Means
About the Authors
Practus Attorney Andrea Shaw specializes in bank and regulatory compliance. She has extensive knowledge in consumer finance, bank regulation, and privacy law with more than 15 years advising both state and federally chartered banks.
Andrea has a deep understanding of the unique challenges clients face, and guides them through the process with clear communication and focus. As a regulator and counsel, Andrea has a passion for helping clients solve their most complex problems.
Janet V. Hallahan is certified as a CIPP/US information privacy professional by the International Association of Privacy Professionals. Janet focuses on supporting corporate, technology, privacy/data security and intellectual property legal matters.
Janet helps companies navigate complex corporate, technology, privacy/data security, and intellectual property legal matters, including the structuring of corporate and technology transactions as well as the licensing, protection, and sale of intellectual property and related commercial agreements.
Andrea Shaw: (207) 512-2683, Andrea.Shaw@Practus.com
Janet Hallahan: (609) 236-3458, Janet.Hallahan@practus.com
Practus, LLP provides this information as a service to clients and others for educational purposes only. It should not be construed or relied on as legal advice or to create an attorney-client relationship. Readers should not act upon this information without seeking advice from professional advisers.