Privacy is a very controversial area of the law. While you may never be directly affected by outsourcing and intellectual property laws, almost everyone sends data over the Internet. For better or worse, everything that people do on the Internet—what they look at, how long they look, what they buy (or don’t buy), when they buy, and who they associate with—can be monitored and tracked. This data can then be aggregated to compile very accurate profiles about a person’s interests, tastes, spending habits, and even personality traits. It doesn’t end there. If all of this information is then combined with databases containing health, family, legal, communication, and other types of information, the potential for abuse is enormous. Almost every week, there is a security breach in the news. Ultimately, all of us are just clusters of data and numbers. You must understand how privacy can be impacted if certain data falls into the wrong hands.
How does Privacy Affect My Company?
All businesses collect information on their customers. This can include “personally identifiable information” such as names, addresses, phone numbers, social security numbers, birth dates, race, employment history, personal interests, and past purchases. The Internet isn’t just for e-commerce; it’s also the largest, most comprehensive database ever created that collects information about everyone who uses it. The potential for abusing this much information is enormous. How companies and other entities gather this data, make use of it, and safeguard it is critical.
Companies and consumers have very different interests at stake when it comes to privacy. Consumers want to make sure that companies do not abuse personal information by disclosing or distributing it to unwelcome parties. We have all heard the alarming stories of sensitive personal information that is unintentionally transmitted over the Internet by a careless and inattentive employee. In some cases, a company learns that sensitive consumer information has been stolen because the company’s safeguards were inadequate. In other cases, dishonest employees purposely release this information to others, completely indifferent to the consequences.
Companies want to ensure that they can use customers’ information for their own purposes. A company may want to offer products or services to a targeted demographic. While many people are uncomfortable when a company consciously targets them, there may be legitimate reasons for doing so. Consumers may appreciate the opportunity to save money on needed products and services or be alerted when alternatives become available. The issue of privacy and how information should be used is a constant and delicate balance of competing considerations.
Privacy has been contentious at both the state and federal levels. Companies that do not understand their obligations when handling certain types of information are at grave risk. Consumers must know their rights when a company has mishandled their data.
How does Federal Law Affect Privacy Rights?
Federal privacy protection exists but has been inconsistent and uneven, and is a patchwork of various laws. Companies and consumers must be aware of the various statutes that exist when information is collected or disseminated. For example, here are a few of the many federal privacy statutes:
- Children’s Online Privacy Protection Act (“COPPA”). This act regulates the online collection and use of information from children under 13 years of age.
- Electronic Communications Privacy Act (“ECPA”). This act regulates the access, use, disclosure, and interception of electronic communications.
- Gramm-Leach-Bliley Act. This act requires financial institutions to provide privacy notices to their customers and regulates the disclosure of an individual’s personal information by financial institutions.
- Health Insurance Portability and Accountability Act (“HIPAA”). This act regulates the use and dissemination of an individual’s health-related information.
- Fair Credit Reporting Act. This act regulates the use of a person’s credit information and creditworthiness.
- Identity Theft and Assumption Deterrence Act. This act makes it illegal for a person to knowingly obtain and use another individual’s personal data for an unlawful purpose.
- Family Educational Rights and Privacy Act (“FERPA”). This act regulates the privacy rights of students in educational records.
Individual states, such as Massachusetts, have their own privacy laws that govern the handling of an individual’s personal information. Congress and many states had initially taken a “hands-off” approach. They hoped that self-regulation would guide industry privacy practices. This position has since changed in the face of numerous public disclosures about the mishandling of customers’ personal data. In addition, for companies transacting business overseas (such as in the European Union), a whole different set of privacy laws applies.
How does State Law Affect Privacy Rights?
A new category of legislation requires companies to notify customers when their personal information is or may have been disseminated without their authorization (so-called “Shine the Light” laws). California was the first state to pass this type of legislation in 2003 and many other states have since followed suit. Even if you are a Boston-based company and conduct most of your business in Massachusetts or the New England area, you may still be affected by these laws if you have customers in other states. Interestingly, many of these laws do not require an actual security breach. Some laws require notification even if a breach is only suspected to have occurred. Notification legislation by itself does not require a company to protect a person’s privacy. These laws force a company to notify individuals when a person’s information has been (or is suspected to have been) unintentionally released.
Laws such as these take a “back door” approach to privacy: A company decides what level of protection to offer, but if that protection is inadequate and is breached, then people must be notified. If the breach is on a large enough scale, these notifications get reported in the media and disseminated worldwide, thereby generating a torrent of negative publicity. This can potentially cost the company a great deal of business and goodwill. Even if a company is not located in California or in any other state with these laws, it will still be affected if it has customers there.
We understand the competing privacy interests of companies and consumers. Some privacy issues we can help with include:
- Drafting a privacy policy;
- Determining what information must be protected;
- Determining what legal measures or standards must be put in place;
- Analyzing the impact of new privacy or security laws on you or your business;
- Pursuing a claim against a company that released your personal information to others; and
- Defending your company against allegations of improper disclosure.
We will guide you through this complex and rapidly evolving area of technology law.