Data Privacy and Security Blog Post

Nothing in this blog post should be construed as legal advice. You should seek legal advice from a licensed attorney before using or relying on the information presented in this blog post.

Introduction

Ventures that collect information from consumers should be aware of laws and regulations related to data privacy and security. Currently, data privacy and security laws can be thought of as a patchwork of numerous federal and state laws because there is no comprehensive federal data privacy and security law. In general, whether a specific law will apply to a business depends on the characteristics of the business, the characteristics of the consumers from whom data are collected, and the types of data that are collected. This blog post is intended to give ventures a brief overview of the data privacy and security laws that may be applicable.

Federal Laws

The main federal agency that oversees data privacy and security is the Federal Trade Commission (FTC). The FTC Act grants the agency the authority to prevent unfair or deceptive trade practices. Deficiencies in data privacy or security measures have been found to constitute either unfair or deceptive practices. For example, failure to implement reasonable security measures, failure to follow the privacy policy, and failure to inform consumers of how data are used have been found to violate the law. In addition to the FTC Act, there are other federal laws that are related to data privacy and/or security. For example, the Children’s Online Privacy Protection Act (COPPA) may apply to a business that collects data from children under age 13, the Gramm-Leach-Bliley Act (GLBA) may apply to financial institutions (defined broadly) that collect information from consumers, and the Health Insurance Portability and Accountability Act (HIPAA) may apply if a business collects health information. The FTC has published many guidance documents related to data privacy and security that ventures can find on the agency’s website.

State Laws

Regarding state laws related to data privacy and/or security, in general, states have data breach notification laws. These laws may apply if a business acquires, owns, or licenses “personal information” from residents of a specific state. States may define “personal information” differently. For example, in MA, personal information is defined as “a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.”[1] These data breach notification laws may require businesses to implement reasonable procedures and practices that protect “personal information.” Also, these laws require businesses to notify consumers and/or other parties in the event of a data breach within a specified time frame.

While states have data breach notification laws, currently, only some states have comprehensive laws related to data privacy and/or security. Some states, such as California, have comprehensive data privacy and/or security laws that give consumers broad rights and impose substantial duties on businesses. For example, the California Consumer Privacy Act (CCPA) grants California consumers certain rights related to their personal information that is collected by businesses, such as the right to opt out of the sale of personal information. In general, these comprehensive data privacy and/or security laws do not apply to all businesses. For example, the CCPA only applies to for-profit businesses that do business in California that meet certain requirements, such as if the business derives 50% or more of its yearly revenue from selling personal information of California residents. In general, states also have laws that protect consumers against unfair and deceptive acts and practices (UDAP). Similar to the FTC Act, unfair and deceptive acts may include deficiencies in data privacy and security.

International Laws

Internationally, many countries have their own data privacy and security laws that might be of relevance to US-based businesses if they collect data from international consumers. Of note to ventures is most likely the General Data Protection Regulation (GDPR). The GDPR protects the privacy of consumers from the European Union (EU) by requiring regulated entities to adhere to strict rules regarding the collection and use of consumer data. The GDPR may apply to a business not located in the EU if the business offers goods or services to consumers in the EU, or if the business is involved in the monitoring of the online behavior of EU consumers. Note that smaller businesses (in general, a business with fewer than 250 employees) may be exempt from certain requirements of the GDPR.

Conclusion

To conclude, laws and regulations related to data privacy and security can be highly complex because there is no single comprehensive federal law. Ventures that collect information from consumers should be aware that they may be subject to the laws of the federal government, multiple US states, and/or multiple countries. Ventures can find guidance documents related to data privacy and security on FTC’s website and state government websites. Ultimately, ventures should be prepared to contact an attorney to find out how the law might apply to the ventures’ specific facts and circumstances.

[1] https://www.mass.gov/regulations/201-CMR-1700-standards-for-the-protection-of-personal-information-of-ma-residents

Additional Resources

1. https://www.ftc.gov/business-guidance/privacy-security
2. https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart.html
3. https://iapp.org/resources/article/us-state-privacy-legislation-tracker/

IDEA ventures can also contact the IDEA Legal Officer at idealegalofficer@gmail.com for more information or to receive assistance regarding data privacy and security.

Robin Chu
Legal Officer