Our most recent “Founders Series” article focused on securing good space and signing a lease. Founders will next want to address privacy and data security issues – particularly if their companies collect, use, process, store, license and/or disclose personally identifiable information (“Personal Information”), whether from customers, employees, business partners or other third parties.
The regulation of privacy and data security continues to evolve rapidly. Moreover, these laws often depend on the types of Personal Information that a company processes and the industry in which the company operates. As a result, we recommend consulting with an attorney who has expertise in this field before processing Personal Information.
For a general overview, below is our summary of the federal laws and policies affecting privacy and data security, as well as some insight into privacy policies.
U.S. Federal Privacy Laws
U.S. federal privacy laws tend to be based upon a company’s industry and/or the type of Personal Information involved. Some of the key federal laws that may impact your company are highlighted below.
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
HIPAA deals with the protection of certain kinds of health information, known as protected health information (“PHI”). PHI is information that can be used to identify an individual and that relates to an individual’s physical or mental health, the provision of health care to him or her, or payment for that provision. HIPAA applies to health plans, healthcare providers, healthcare clearinghouses (each, a “Covered Entity”), and business associates performing certain services for a Covered Entity involving the use or disclosure of PHI (each, a “Business Associate”).
A Covered Entity may only disclose PHI as required, permitted or authorized by HIPAA, or as authorized by the individual. A Covered Entity is required to disclose PHI to individuals or their personal representatives in most situations, and to the Department of Health and Human Services (“HHS”) if it is undertaking a compliance investigation, review or enforcement action. HIPAA also allows discretionary disclosures in certain situations, including for treatment or payment operations, disclosures incidental to other permitted uses and when in the public interest (such as for law enforcement purposes or relating to victims of abuse or domestic violence). If a disclosure is not required or permitted under HIPAA, the individual’s authorization must be obtained in writing before the disclosure can be made. Disclosures must normally be limited to the minimum amount necessary to satisfy the purpose of the request for the information.
Covered Entities are required to create policies and procedures for routine or recurring disclosures, as well as for disclosure requests. A privacy policy must also be created, describing possible uses and disclosures of PHI as well as duties and practices for protecting that information. The Covered Entity must deliver a notice describing this policy to all individuals with whom it has a direct treatment relationship. In addition to a privacy policy, Covered Entities must designate privacy personnel, train employees and management to follow the policy, create reasonable data safeguards, and maintain documents and records. Failure to comply with HIPAA can subject the Covered Entity and individuals within it to both civil and criminal penalties. The Health Information Technology for Economic and Clinical Health Act (“HITECH”), a measure included in the American Reinvestment and Recovery Act (“ARRA”) signed into law in 2009, increases the requirements and liability of both Covered Entities and Business Associates. The HITECH Act also introduced data breach notification obligations that apply not only to HIPAA Covered Entities and their Business Associates, but also to vendors of personal health records and the service providers to those vendors. State attorneys general are given express authority to bring enforcement actions in addition to HHS, and penalties have increased.
The Gramm-Leach-Bliley Act (“GLBA”)
The GLBA applies to any business that is significantly engaged in financial activities, such as lending money or providing financial advisory services. Whether a company is “significantly engaged” in financial activities depends on whether there is a formal arrangement and how often the company engages in that activity.
Under the GLBA, financial institutions must provide their customers with a privacy notice disclosing what categories of nonpublic personal information (“NPI”) are collected, what categories of NPI are disclosed, third parties to whom it will be disclosed, any disclosures required by law and any disclosures otherwise permitted by law. This privacy notice must be delivered to the customer in writing. Electronic delivery is permitted if the customer so agrees.
Customers must also be given a reasonable opportunity (such as a toll-free number or a simple form) to opt out of any NPI-sharing arrangement. The privacy notice and the opt-out usually must be provided to the customer at the time the customer relationship is established, and at least once annually thereafter. An opt-out does not need to be given if NPI is disclosed only to certain third-party service providers or to a financial institution with which you have entered into a joint agreement to provide financial services; however, the privacy notice must still be delivered annually.
Consumers (customers who are commercial clients or individuals using your product or service for a business purpose) need only be provided with a privacy notice if the company significantly engaged in financial activities will share their NPI with nonaffiliated third parties outside of any exception (such as where necessary for a transaction authorized by the consumer or where necessary to comply with applicable laws). This privacy notice need only explain a reasonable way for the consumer to obtain the full privacy notice, and it must include an opt-out.
Children’s Online Privacy Protection Act (“COPPA”)
COPPA establishes rules for the collection, use, and distribution of information about children under 13 that could be used to identify the child. COPPA applies to operators of websites or online services that are directed in whole or in part at children under 13 or that are directed at a general audience but knowingly collect information from children under 13 (each, an “Operator”).
Every Operator must clearly and prominently display a link to a privacy notice on the home page of its website and at each area where personal data is collected from children. This notice must contain the name of all Operators collecting or maintaining personal information from children as well as the contact information of an Operator who will respond to all privacy inquiries. It must also describe the types of information collected, how the information will be used, and to whom and for what purposes it will be disclosed. Parents must be given the option to consent to collection without disclosure.
Before collecting most kinds of Personal Information, Operators must also give direct notice to parents including the information in the privacy notice, as well as a request for consent to collect information from the parent’s child. The method for consent depends on how the information will be used, with internal uses requiring less rigorous methods such as email, and external uses requiring stricter methods. Parental consent may always be revoked.
Operators who violate the requirements of COPPA are subject to enforcement actions and civil penalties by the Federal Trade Commission (“FTC”). The FTC can also punish deceptive and unfair practices such as using collected information for undisclosed purposes or disclosing it to third parties without parental consent. Individual states can also bring enforcement actions against companies for violating COPPA. Operators can meet safe harbor criteria by establishing self-regulatory programs to govern compliance with COPPA that are approved by the FTC and include independent monitoring and disciplinary provisions.
Privacy Policies
In order to comply with state and federal law, companies should have a privacy policy. The privacy policy must be responsive to the individual requirements of each law, so the specific features of each company’s privacy policy will differ depending on the industry and on the states in which it does business. However, most policies should at a minimum state which categories of information the company will collect and with whom that information may be shared.
Companies must be sure to follow their own policies carefully, as failure to do so will open the company up to potential liability from state action pursuant to that state’s law. The FTC can also punish failure to follow a privacy policy as an unfair or deceptive trade practice, whether or not one of the federal privacy laws applies. Private lawsuits are also possible. This threat of liability makes it extremely important to craft a privacy policy that satisfies all legal requirements while not unnecessarily restricting the company’s business opportunities.