Privacy is the newest frontier in cybersecurity. The European Union sparked the movement in 2018 with the adoption of the General Data Protection Regulation. Other countries followed suit, some of the more prominent being the United Kingdom, Canada, Australia, and China.
Although federal privacy bills in this country have all stalled, states rapidly filled the void. California led in 2020 with the California Consumer Privacy Act. That initiative then spread across the country. Twelve other states now have privacy laws: Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Oregon, Tennessee, Montana, Texas, Utah, and Virginia.
Privacy laws apply across borders, so a business can be subject to laws adopted in other states and countries. For example, if the business has a facility or employees in those places, it will likely be subject to their privacy laws. Similarly, if a business provides meaningful products or services to residents of such states or countries, it may be subject to privacy laws adopted there.
Given the expansive geographic reach of privacy laws and the growing number of states and countries with them, many of our clients already need to comply. Moreover, privacy bills are currently pending in numerous state legislatures, including New Hampshire, Massachusetts, and Maine. Thus, many purely local New Hampshire businesses will become subject to such regulations if and when our State adopts a privacy law.
Complying with privacy laws entails the following four-step process.
- Conduct a privacy assessment.
- Create a privacy policy, and implement appropriate notice of and consent to it.
- Create a privacy rights request webpage, and a management structure and internal procedure to fulfill privacy rights requests made by individuals.
- Empower a privacy officer, train employees about privacy and cybersecurity law compliance, and (if the business handles sensitive personal information) prepare a data privacy impact assessment (DPIA) report.
Privacy Assessment. The primary purposes of a privacy assessment are to identify all personal information and sensitive personal information that the business handles, all points at which it collects such information, and the functionality that it will use to deliver notice of its privacy policy and to obtain and record consents from individuals. This process involves gathering information not only from the personnel who manage the organization’s information technology infrastructure, but also from management and other key sales, marketing, customer service, finance, and operational personnel.
Privacy Policy, and Notice and Consent. A privacy policy accurately describes how the business handles personal information and sensitive personal information, including whether such information is disclosed to unaffiliated third parties for use in marketing to individuals, and informs individuals about their privacy rights and the mechanisms to exercise them. Privacy laws require businesses to provide certain notice to individuals, which is typically accomplished by delivering the privacy policy or a link to it at the initial acquisition of personal information, and when the business collects additional or meaningfully different types of personal information.
Privacy laws also require businesses to obtain consent in some situations, including to make certain disclosures of personal information, use information in ways that are not permitted by privacy laws, and collect and use sensitive personal information, such as health information, information about children, and information about sensitive characteristics like race, national origin, religion, political affiliation, and sexual orientation or identity. Consent can be secured only by expressly informing individuals about the organization’s privacy practices, and then obtaining an affirmative act of consent and recording and retaining records of such consent.
Honoring Privacy Rights Requests. Fulfilling privacy rights requests can be the most daunting step in complying with privacy laws. It is daunting because businesses are unaccustomed to altering their activities or their information use and management practices based on the preferences of individuals, and because they often lack centralized mechanisms to do so. To effectively fulfill privacy rights requests, an organization should empower a privacy officer with authority and responsibility for the process, create a webpage, email address and phone number for individuals to use to exercise their privacy rights, and design and implement a methodical procedure outlining the steps the organization will take to address privacy rights requests.
Management, Training and DPIAs. The last steps in complying with privacy laws are to create a management structure for cybersecurity and privacy, and to train employees about it. Also, if the business handles sensitive personal information, it must prepare a DPIA report. The primary purposes of such a report are as follows.
- Identify the standard(s) used for the privacy assessment.
- Summarize the scope of and process for that assessment.
- Identify all personal information and sensitive personal information handled by the business, all uses of it, and the legal bases for such activity.
- Map the flow of the organization’s collection and use of such information, including all internal and third-party systems used to do so.
- Identify the employees, vendors, service providers and other third parties responsible for handling the information.
- Identify risks to the privacy and security of the information, the safeguards implemented to mitigate those risks, and any additional steps to further do so.
- Classify the levels of mitigated risks.
Privacy and security of personal information is a critical societal and business issue. Individuals are rightfully interested in managing their personal information. Businesses are also rightfully interested in using the information they have to serve customers and generate revenue. Privacy laws balance those interests. Given the expansive scope and increasingly widespread adoption of these laws, businesses should act now to comply with them.