What do we need to know and understand to take control?

Which Privacy Laws Impact My Business?

Privacy Law in California

On June 28, 2018 Governor Brown signed off on the strictest set of data privacy laws to date in the United States – the California Consumer Privacy Act of 2018 (CCPA), effective January 1, 2020. In 2020, California voters approved the California Privacy Rights Act (CPRA), which will mark a significant expansion of California’s existing privacy laws when it takes effect on January 1, 2023. While the CPRA maintains the core framework of its predecessor California Consumer Privacy Act (CCPA), it introduces a number of substantive changes.

The California Consumer Privacy Act gives Californians unprecedented rights to know what information businesses collect about them, where that information comes from, and control how that information is shared. It applies to all companies that “do business” in California and that exceed one of the following thresholds:

  • Annual gross revenues of more than 25 million dollars
  • Processing of the personal information of 50,000 or more California residents, households or devices annually (this number will increase to 100,000 on January 1, 2023 under CPRA)
  • 50% or more of annual revenue received from selling the personal information of California residents

The European Union passed the General Data Protection Regulation (GDPR) in April 2016, effective May 25, 2018. The GDPR generally applies to all entities that process the data of EU residents, target services to EU residents, or monitor the behavior of EU residents. The GDPR provides consistent rules addressing the retention, processing, and security for all personal data. In addition, EU subjects have the right to access, rectify, transfer, and in many cases, erase any of their personal data stored by businesses and other entities. The GDPR provides for enforcement by data protection authorities within each EU member country, and private rights of action.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as updated by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), mandates basic privacy and security requirements for “covered entities” such as healthcare providers, insurers, and their business associates. HIPAA provides key privacy protections for protected health information (“PHI”) such as privacy notices, patient rights to access and amend their health records, and administrative, physical, and technical safeguards for electronic PHI. These rules also require breach notification in certain circumstances. HIPAA and HITECH are generally enforced by the Office for Civil Rights in the Department of Health and Human Services in civil cases, and by the DOJ in criminal cases.

In 2003, Congress created rules governing unsolicited commercial e-mail in the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act. The CAN-SPAM Act prohibits false, misleading, and deceptive e-mail communications, and requires senders to provide opt-out mechanisms for commercial emails, amongst other rules. The FTC primarily regulates and enforces the CAN-SPAM Act, though the FCC has also implemented rules implementing the CAN-SPAM Act with respect to mobile service commercial messages.

The Telephone Consumer Protection Act (TCPA), enacted in 1991, governs most robocalls, texts, and faxes. Generally speaking, the TCPA requires consent for most automated calls, except in some limited circumstances. The Telemarketing and Consumer Fraud and Abuse Prevention Act, and its implementing regulation, the Telemarketing Sales Rule (TSR), place restrictions on telemarketers. These include, but are not limited to, required disclosures at the outset of a sales call, time restrictions, and consent requirements. Both the TCPA and the TSR provide for private citizen actions, in addition to administrative remedies.

The Children’s Online Privacy Protection Act of 1998 (COPPA) regulates the collection and use of children’s information by commercial websites. Among other requirements, COPPA requires websites to provide privacy notices on the homepage of the website, accessible by every page, obtain verifiable parental consent before collecting children’s personal information, and maintain the confidentiality, security, and integrity of such information. The FTC enforces COPPA.

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, governs financial institutions. To comply with the GLBA, financial institutions must inform customers about how they share customers’ sensitive data (“nonpublic personal information” or NPI), inform customers of their opt-out rights, and apply specific protections to NPI.

The data protection requirements of the GLBA are outlined in its Safeguards Rule, with additional privacy and security requirements in the FTC’s Privacy of Consumer Financial Information Rule (Privacy Rule). The GLBA is enforced by the Federal Trade Commission, the federal banking agencies, and other federal regulatory authorities, as well as state insurance oversight agencies.

The Fair Credit Reporting Act (FCRA) is a federal law that regulates the collection and use of consumer credit information. FCRA requires credit reporting agencies (CRAs) to maintain accurate records and provides consumers with the ability to access and correct their information with CRAs. In addition, FCRA limits the use of consumer reports to defined permissible purposes. FCRA has been further amended by The Fair and Accurate Credit Transactions Act (FACTA), which provides additional privacy and security safeguards.

The European Union’s 2002 E-Privacy Directive governs the processing of personal data in the electronic communications sector. Most notably, the E-Privacy Directive requires prior informed consent before cookies are placed on a European user’s computer, except in limited circumstances.

The European Parliament is currently in the process of vetting proposals for the E-Privacy Regulation, the successor to the E-Privacy Directive, in order to harmonize the requirements for electronic communications with the GDPR.

The laws described above are only a small sample of the various federal and regional laws governing data privacy and cybersecurity. In addition to the laws noted above, there are specific sectoral rules for the financial sector, state-specific privacy and breach notification rules, and more. If you are interested in learning more about the privacy laws applicable to your business, please contact us.