Co-authored by Annie Cho, a student at Northeastern University School of Law.
Published in the Boston Business Journal (March 2020)
From across the country and the Atlantic Ocean, the future of information regulation has been announced to Massachusetts: privacy. This trend first gained widespread recognition in 2018, when the General Data Protection Regulation, or GDPR, became effective in the European Union and imposed requirements on organizations that collect and use the personal information of EU residents.
More recently, the California Consumer Privacy Act, or CCPA, imposed obligations on how businesses collect and use the personal information of California consumers. Although many Massachusetts companies looked at the GDPR and CCPA and concluded they do not apply, others took a longer view, deciding to incorporate privacy in their business operations because privacy laws are coming to Massachusetts, in one form or another.
Before understanding what addressing privacy means operationally, it is important to understand two things: the difference between security and privacy, and the difference between personally identifiable information, or PII, and personal information, or PI.
1. Data security is concerned with the measures organizations take to keep their information from unauthorized access and use. Data privacy is concerned with how an organization may use an individual’s information and how that organization discloses those uses to individuals. A firewall is a data security issue; an individual instructing a company to stop sending him or her emails is a data privacy issue.
2. Personally identifiable information is traditionally a person’s name combined with other sensitive information, like a Social Security number, bank account number, driver’s license number, etc. Personal information is much broader and includes all information about an identified or identifiable individual, such as name, address, email, browsing activity, etc.
Massachusetts has data security regulations, 201 CMR 17.00, which require a business to conduct a comprehensive risk assessment, remediate risks, and adopt a written information security program containing appropriate administrative, technical, and physical safeguards. While these security regulations are themselves broad, privacy laws create even broader, new operational requirements that do not exist under security regulations.
For example, the GDPR requires organizations to make disclosures and, in some cases, obtain consent with respect to the personal information they collect, what they do with that personal information, and to whom they disclose or transfer personal information, among other things. The GDPR also gives certain rights to individuals, like instructing organizations to correct or erase their personal information and to restrict an organization’s use of their personal information.
The CCPA similarly requires businesses to tell consumers about the personal information they collect and the uses of it. Consumers have the right under the CCPA to instruct businesses not to sell and to delete their personal information.
These privacy laws afford remedies for governments and individuals that can be very costly. The GDPR permits governments to fine violators the greater of 4% of their annual worldwide revenue or 20 million euro. The CCPA permits an individual to pursue statutory damages whenever a business permits unauthorized access or use of that individual’s personal information due to the business’s failure to implement and maintain reasonable security procedures.
As mentioned above, some might look at these laws and conclude they do not apply. But the privacy operations required by the GDPR and the CCPA are coming everywhere, including Massachusetts. Senate Bill 120, currently in committee on Beacon Hill, includes many of the same terms as the CCPA, including granting individuals the right to tell businesses to delete their personal information and the right to opt out of disclosures of personal information to third parties. Even if SB 120 does not become law, a bill like it will, requiring that organizations in Massachusetts disclose their personal information practices and, more significantly, incorporate individuals’ privacy rights into their business and information maintenance operations.
Additionally, because of the notoriety of burgeoning privacy laws, consumers are increasingly concerned about their rights to control their personal information. It is also easier and less expensive to incorporate privacy principles into technology and information management earlier rather than later. The sooner your organization begins to understand and adopt the concepts that have consistently been in privacy laws, the better off you will be.