Is Your Massachusetts Business Addressing Impending Privacy Laws?

Written by: John Weaver

Co-authored by Annie Cho, a student at Northeastern University School of Law.

Published in the Boston Business Journal (March 2020)

From across the country and the Atlantic Ocean, the future of information regulation has been announced to Massachusetts: privacy. This trend first gained widespread recognition in 2018, when the General Data Protection Regulation, or GDPR, became effective in the European Union and imposed requirements on organizations that collect and use the personal information of EU residents.

More recently, the California Consumer Privacy Act, or CCPA, imposed obligations on how businesses collect and use the personal information of California consumers. Although many Massachusetts companies looked at the GDPR and CCPA and concluded they do not apply, others took a longer view, deciding to incorporate privacy in their business operations because privacy laws are coming to Massachusetts, in one form or another.

Before understanding what addressing privacy means operationally, it is important to understand two things: the difference between security and privacy, and the difference between personally identifiable information, or PII, and personal information, or PI.

1. Data security is concerned with the measures organizations take to keep their information from unauthorized access and use. Data privacy is concerned with how an organization may use an individual’s information and how that organization discloses those uses to individuals. A firewall is a data security issue; an individual instructing a company to stop sending him or her emails is a data privacy issue.

2. Personally identifiable information is traditionally a person’s name combined with other sensitive information, like a Social Security number, bank account number, driver’s license number, etc. Personal information is much broader and includes all information about an identified or identifiable individual, such as name, address, email, browsing activity, etc.

Massachusetts has data security regulations, 201 CMR 17.00, which require a business to conduct a comprehensive risk assessment, remediate risks, and adopt a written information security program containing appropriate administrative, technical, and physical safeguards. While these security regulations are themselves broad, privacy laws create even broader, new operational requirements that do not exist under security regulations.

For example, the GDPR requires organizations to make disclosures and, in some cases, obtain consent with respect to the personal information they collect, what they do with that personal information, and who they disclose or transfer personal information to, among other things. The GDPR also gives certain rights to individuals, like instructing organizations to correct or erase their personal information and to restrict an organization’s use of their personal information.

The CCPA similarly requires businesses to tell consumers about the personal information they collect and how they use it. Under the CCPA, consumers have the right to instruct businesses not to sell their personal information and to delete it.

These privacy laws afford remedies for governments and individuals that can be very costly. The GDPR permits governments to fine violators the greater of 4% of their annual worldwide revenue or 20 million euro. The CCPA permits an individual to pursue statutory damages whenever a business permits unauthorized access or use of that individual’s personal information due to the business’s failure to implement and maintain reasonable security procedures.

As mentioned above, some might look at these laws and conclude they do not apply. But the privacy operations required by the GDPR and the CCPA are coming everywhere, including Massachusetts. Senate Bill 120, currently in committee on Beacon Hill, includes many of the same terms as the CCPA, including granting individuals the right to tell businesses to delete their personal information and the right to opt out of disclosures of personal information to third parties. Even if SB 120 does not become law, a bill like it will, requiring that organizations in Massachusetts disclose their personal information practices and, more significantly, incorporate individuals’ privacy rights into their business and information maintenance operations.

Additionally, because of the notoriety of burgeoning privacy laws, consumers are increasingly concerned about their rights to control their personal information. It is also easier and less expensive to incorporate privacy principles into technology and information management earlier rather than later. The sooner your organization begins to understand and adopt the concepts that have consistently been in privacy laws, the better off you will be.
