Privacy is the newest frontier in cybersecurity. The European Union sparked the movement in 2018 with the adoption of the General Data Protection Regulation. Other countries followed suit, some of the more prominent being the United Kingdom, Canada, Australia, and China.
Although federal privacy bills in this country have all stalled, states rapidly filled the void. California led in 2020 with the California Consumer Privacy Act. That initiative then spread across the country. Twelve other states now have privacy laws: Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Oregon, Tennessee, Montana, Texas, Utah, and Virginia.
Privacy laws apply across borders, so a business can be subject to laws adopted in other states and countries. For example, if the business has a facility or employees in those places, it will likely be subject to their privacy laws. Similarly, if a business provides meaningful products or services to residents of such states or countries, it may be subject to privacy laws adopted there.
Given the expansive geographic reach of privacy laws and the growing number of states and countries with them, many of our clients already need to comply. Moreover, privacy bills are currently pending in numerous state legislatures, including New Hampshire, Massachusetts, and Maine. Thus, many purely local New Hampshire businesses will become subject to such regulations if and when our State adopts a privacy law.
Complying with privacy laws entails the following four-step process.
- Conduct a privacy assessment.
- Create a privacy rights request webpage, and a management structure and internal procedure to fulfill privacy rights requests made by individuals.
- Empower a privacy officer, train employees about privacy and cybersecurity law compliance, and (if the business handles sensitive personal information) prepare a data privacy impact assessment (DPIA) report.
Privacy laws also require businesses to obtain consent in some situations, including to make certain disclosures of personal information, use information in ways that are not permitted by privacy laws, and collect and use sensitive personal information, such as health information, information about children, and information about sensitive characteristics like race, national origin, religion, political affiliation, and sexual orientation or identity. Consent can be secured only by expressly informing individuals about the organization’s privacy practices, and then obtaining an affirmative act of consent and recording and retaining records of such consent.
Honoring Privacy Rights Requests. Fulfilling privacy rights requests can be the most daunting step in complying with privacy laws. It is daunting because businesses are unaccustomed to altering their activities or their information use and management practices based on the preferences of individuals, and because they often lack centralized mechanisms to do so. To effectively fulfill privacy rights requests, an organization should empower a privacy officer with authority and responsibility for the process, create a webpage, email address, and phone number for individuals to use to exercise their privacy rights, and design and implement a methodical procedure outlining the steps the organization will take to address privacy rights requests.
Management, Training and DPIAs. The last steps in complying with privacy laws are to create a management structure for cybersecurity and privacy, and to train employees about it. Also, if the business handles sensitive personal information, it must prepare a DPIA report. The primary purposes of such a report are as follows.
- Identify the standard(s) used for the privacy assessment.
- Summarize the scope of and process for that assessment.
- Identify all personal information and sensitive personal information handled by the business, all uses of it, and the legal bases for such activity.
- Map the flow of the organization’s collection and use of such information, including all internal and third party systems used to do so.
- Identify the employees, vendors, service providers and other third parties responsible for handling the information.
- Identify risks to the privacy and security of the information, the safeguards implemented to mitigate those risks, and any additional steps that would further reduce them.
- Classify the levels of mitigated risks.
Privacy and security of personal information is a critical societal and business issue. Individuals are rightfully interested in managing their personal information. Businesses are also rightfully interested in using the information they have to serve customers and generate revenue. Privacy laws balance those interests. Given the expansive scope and increasingly widespread adoption of these laws, businesses should act now to comply with them.