Overview of U.S. Private-Sector Privacy: A Global Legal Perspective

Posted by Penelope B. Perez-Kelly on Feb 16, 2022 5:26:54 PM

In the United States, there is no comprehensive federal privacy law. Instead, there are industry-specific laws that regulate privacy for those sectors. There are also states that have enacted privacy regulations applicable to companies conducting businesses in those states and providing goods or services to residents of those states, most notably the California Consumer Privacy Act (CCPA or the Act).1 The CCPA provides consumer protection and strict privacy rights covering a broad range of businesses. While there are strict privacy laws regulating certain sectors, such as the health care and financial sectors, the CCPA applies to any business meeting the criteria specified in the Act. This article will provide a general legal perspective for companies trying to navigate the myriad U.S. laws and regulations when creating and implementing their privacy policies, with an emphasis on the CCPA and the European Union’s General Data Protection Regulation (GDPR).2

A company’s privacy policy covers the collection, use, and sharing of personal information (also referred to as personally identifiable information or PII).3 In the United States, PII is generally defined as information that makes it possible to identify an individual.4 The name, address, social security number, and driver's license are examples of PII.5 Privacy policies set standards for how PII must be handled internally, and privacy notices disclose to customers the way PII is being handled by the company.6 As cross-border transactions and e-commerce increase, companies have to decide whether to implement one global policy or multiple policies for different jurisdictions.7 While the idea of implementing one uniform privacy policy may seem attractive, companies with only one global privacy policy may create contractual obligations that are not a legal requirement when doing business in countries with less stringent privacy laws.8

Privacy policies, at a minimum, should incorporate fair information practices (FIPs), also referred to as fair information privacy practices or principles (FIPPs).9 “FIPs are guidelines for handling, storing and managing data with privacy, security, and fairness in an information society that is rapidly evolving.”10 The main principles of FIPs are notice, choice, access, and data security.11

Notice. Privacy notices should identify the type of PII the company is collecting, how the information is used, and generally to whom it is disclosed.12 If necessary to comply with applicable laws, privacy notices should detail the rights of individuals to access, modify, or in certain cases delete their PII (this right is also known as the “right to be forgotten” under the GDPR).13 The notice should also identify the privacy officer and his/her contact information. The notice should succinctly describe the company’s retention procedures (how the company stores and disposes of PII and for how long the company retains the information) and the security procedures used to protect the PII. Care should be taken to disclose what is required while protecting the company’s sensitive information (e.g., the identity of critical systems or information security processes).

Choice. Consent is a key issue in privacy practices. Companies should get consent (implicit or explicit) when processing data containing PII.14 The term processing includes the collection, recording, organization, access, storage, updating or modification, retrieval, consultation, or use of PII.15 Consent can be given affirmatively or expressly (opt-in) or can be given implicitly by simply using or accepting the services or products provided by the company (no option).16 The U.S. Federal Trade Commission has issued a report stating that “companies do not need to provide choice before collecting and using data for practices that are consistent with the context of the transaction, consistent with the company’s relationship with the consumer, or as required or specifically authorized by law” (no option).17 It should be the best practice for companies to give consumers a choice to opt-out if consumers do not wish for their PII to be disclosed to third parties (opt-out).18

Access. U.S. consumers generally have the right, with certain exceptions, to access their PII held by companies and also have the right to update and correct their PII if necessary.19

Data security. Privacy notices usually state that the company has implemented generally accepted and appropriate procedures of technical and operational security in order to protect PII from loss, destruction, or unauthorized use or disclosure. Companies must comply with these standards and implement the stated security procedures. Companies should put in place reasonable security safeguards to protect the information and mechanisms to provide notice in the event of a data breach if legally necessary. Companies should have training and should conduct audits to assess potential risks in the event of a data breach to help improve their technical and operational security measures.

CCPA

But what if the company is conducting business in California? Enacted on 28 June 2018, the CCPA is the most comprehensive privacy law in the United States. The CCPA applies to for-profit businesses doing business in California that have the authority to determine the purposes and means of processing consumers’ personal information and meet one of the following criteria:

  • “Has annual gross revenue exceeding $25 million;
  • Alone or in combination, annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
  • Receives 50% or more of annual revenue results from sales of consumers’ personal information.”20

The CCPA only applies to California residents. The CCPA defines personal information more broadly than other statutes. The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”21 Name, address, email address, social security number, and driver's license number are examples of personal information along with IP addresses, biometric information, geolocation information, and even information derived from the above-mentioned information.22

Many companies that may be subject to the CCPA have added additional language to their privacy notices that apply only to California residents. One of the requirements of the CCPA is the “Right to Opt-Out” notice.23 Companies must include a link generally titled “DO NOT SELL MY PERSONAL PROPERTY” giving individuals the choice to opt-out from selling their personal information to others.24 Sale includes any disclosure of personal information to another business or third party for value of any kind, monetary or otherwise. California residents must be given notice of their individual rights, including the right to request disclosure of data collection practices, the right to request specific personal information that has been collected, the right to have certain information deleted absent an applicable exception, the right to opt-out of the sale of their personal information to third parties, and the right not to be discriminated against for exercising those rights.25

“The CCPA provides consumers with a private right of action and is the first U.S. statute to expressly allow consumers to recover statutory damages as a result of data security incidents.”26 The statutory damages range from $100 to $750 per incident along with actual damages and other remedies.27 “These remedies do not apply to personal information that has been encrypted or redacted.”28 These remedies do not apply to all personal information collected but only to sensitive personal information.29 Individuals are required to provide a thirty-day written notice and an opportunity to cure prior to bringing an action for damages under the CCPA.30 These additional requirements and potential penalties had many companies (and their legal counsel) scrambling to update and revise their privacy policies before 1 January 2020. Companies continue to assess the impact of the CCPA on their privacy practices and whether the CCPA will become a model law for other states or for a comprehensive federal privacy law.

Other Applicable U.S. Privacy Laws

What other laws should a U.S. company be concerned about? The Health Insurance Portability and Accountability Act (HIPAA)? The Health Information Technology for Economic and Clinical Health Act (HITECH)? The Gramm-Leach-Bliley Act (GLBA)? The Children’s Online Privacy Protection Act (COPPA)? The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)? The answer is that it depends on whether these laws apply to the company’s industry. A discussion of the reach of these particular laws is beyond the scope of this article.

GDPR

Should companies also be concerned with the GDPR? The GDPR came into effect in 2018. The GDPR is a set of comprehensive EU privacy regulations. The GDPR applies to companies with assets and employees in the EU; companies that sell to individuals in the EU; and companies that store data in the EU.31 “Companies doing business in the EU have the legal obligation to comply with these comprehensive privacy requirements, subject to potentially large fines.”32 The GDPR defines personal data (as opposed to personal information) as any data that relates to an identified or identifiable natural person.33 Examples of personal data that may not be considered PII are IP addresses (the CCPA does include IP addresses as personal information) and cookie IDs.34

Key participants are regulated or protected by the GDPR. The data subject is the person whose data is being processed.35 The controller is the entity or person that determines the purposes and the means of the processing of personal data, and the processor is the person or entity that processes data on behalf of the controller.36 “Under the GDPR, a data subject may express their consent by statement or by clear affirmative action” (opt-in).37 Privacy notices under the GDPR should include the controller’s identity, purposes of processing for which consent is sought, types of data that will be collected, information about the right to withdraw consent, information about automated processing, and risks of transfers outside Europe. Companies should identify the data protection officer (DPO).38 The DPO of a company is the primary point of contact on data protection for a company that is based in the EU.39 For companies that do not have a physical presence in the EU, the company must appoint an EU representative.40

A key issue under the GDPR is “providing individuals with control over their personal data.” EU residents have the following rights:41

  • Right to be informed of transparent communication and information;
  • Right to access their personal data (subject access request);
  • Right to rectification (this principle allows data subjects to require controllers to confirm the accuracy of their personal data);
  • Right to erasure (“Right to be Forgotten”);
  • Right to restriction of processing;
  • Right to data portability (this right allows data subjects to port data to themselves or to another controller);
  • Right to object; and
  • Right not to be subject to automated decision making (this right prohibits the controller from carrying out automated decision making unless the decision is necessary for the performance of a contract between the data subject and the controller or is authorized by law or is based on the data subject’s explicit consent).42

In the event of a breach, the GDPR requires controllers to report data breaches to the relevant data protection authority (DPA).43 DPAs are responsible for enforcing data protection laws at a national level.44 There is a DPA in each EU member state.45 Fines can be as large as 4% of worldwide revenues.46 Either the data subject or the DPA can file a complaint against the company.47 A U.S. company needs to be concerned with data transfers between the United States and an EU member state.48 Under the GDPR, transfers of data to the United States are only permitted under certain circumstances.49 U.S. companies must comply with various requirements including incorporating standard data protection clauses adopted by the European Commission or adopted by a DPA and approved by the European Commission, as well as other appropriate safeguards.50 The GDPR also provides derogations (exceptions) or conditions under which transfers may occur.51 “The derogations allow for a transfer if the data subject has provided explicit consent to the transfer or if the transfer is necessary for:

  • The performance of a contract between the data subject and controller (including pre-contractual measures) and the transfer is occasional;
  • Important reasons of public interest;
  • The establishment, exercise, or defense of legal claims and the transfer is occasional; or
  • The protection of the vital interests of an individual incapable of giving consent.”52

Even though the adequacy of privacy in the United States keeps being challenged in Europe (Schrems I and II),53 companies continue to rely on one of the following compliance mechanisms to transfer data between the United States and Europe:

  • Standard contractual clauses (SCCs). SCCs contractually bind the companies to comply with EU laws and to submit to the jurisdiction of one of the DPAs. (Schrems II challenged the validity of data transfers to the United States. Schrems II held that SCCs are still valid but additional safeguards should also be in place.)54
  • Binding corporate rules (BCRs). BCRs provide that a multinational company can transfer data between countries after certification of its practices by a DPA.55

U.S. companies transferring personal data of EU residents from the EU to the United States need to make sure they are in compliance with the GDPR to avoid being liable for substantial penalties.

Vendors

It is not only critical for companies to comply with the particular legal regime in each country where they do business, but companies are also responsible for the actions of their vendors and subcontractors that have access to or process the PII of their customers. Therefore, companies should ensure that written contracts with their vendors and subcontractors are in place that include confidentiality provisions, nondisclosure agreements, provisions requiring subcontractors to have privacy policies consistent with the privacy policies of the company, prompt notification in the event of a breach or potential breach, representations regarding the implementation of information security controls, and indemnification provisions.56 Companies should be able to monitor each vendor’s activities to ensure it is complying with its contractual obligations.57

Conclusion

Companies will continue to face challenges in today’s fast-paced business environment and must adapt and update their privacy practices in order to keep up with the constant development of new technology, the increased amount of personal data being collected and processed, and the evolving legal landscape of privacy laws around the world. Legal, information technology, marketing, and other departments must work together to achieve fair and effective privacy standards that are in compliance with applicable privacy laws that limit access, purpose, and storage while achieving the company’s objectives.

Authored by: Penelope B. Perez-Kelly

This article, which is reprinted by permission, originally appeared in the International Law Quarterly.

Endnotes

1 Cal. Civ. Code § 1798.100 et seq.
2 EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
3 U.S. PRIVATE-SECTOR PRIVACY Law and Practice for Information Privacy Professionals 17 (Peter Swire, CIPP/US, DeBrae Kennedy-Mayo, CIPP/US, eds., 3d ed. 2020).
4 PRIVACY at 13-14.
5 Id. at 14.
6 Id. at 82.
7 Id.
8 Id.
9 Id. at 4.
10 Id.
11 Id.
12 Id.
13 Id. at 33.
14 Id. at 34.
15 Id. at 17.
16 Id. at 34.
17 Id. at 86. citing Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policymakers, Preliminary Staff Report, Federal Trade Commission, 2012, iv.
18 Id. at 86.
19 Id. at 34.
20 Id. at 148.
21 Id. at 149.
22 Id. at 149-150.
23 Id. at 151.
24 Id.
25 Id. at 150.
26 Id. at 153.
27 Id.
28 Id.
29 Id.
30 Id.
31 Id. at 391.
32 Id. at 392.
33 Id.
34 Id.
35 Id. at 393.
36 Id. at 393-394.
37 Id. at 395.
38 Id. at 395.
39 Id.
40 Id. at 396.
41 Id. at 398.
42 Id. at 398-402.
43 Id. at 402.
44 Id. at 395.
45 Id.
46 Id. at 391.
47 Id. at 403.
48 Id. at 405.
49 Id.
50 Id. at 407.
51 Id. at 406.
52 Id.
53 Id. at 407 (“Until 2015, many U.S. companies that did business in the EU participated in the U.S.-EU Safe Harbor program to provide a lawful basis for EU data to be transferred to the United States. In the case of Schrems v. Data Protection Commission (Schrems I), the European Court of Justice struck down the Safe Harbor program. This decision was made in significant part based on concerns about U.S. government surveillance, as made public by the 2013 Snowden disclosures.” Maximilian Schrems, an Austrian citizen, had been a Facebook user since 2008. Some of the data belonging to Mr. Schrems had been transferred by Facebook Ireland to servers belonging to Facebook Inc. located in the United States. Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems (Schrems II): The EU-U.S. Privacy Shield is no longer a valid mechanism to transfer data from the EU to the United States. The Schrems II decision held that the validity of the SCCs depends on whether there were effective mechanisms in place to ensure the same level of protection required under EU law.)
54 Id. at 407.
55 Id.
56 Id. at 89.
57 Id. at 91.

Topics: Privacy, International Law