Privacy and Data Security
The rules governing privacy and data security are rapidly changing — from looming comprehensive federal legislation; to a patchwork of federal and state laws, regulations and guidance; to expanding industry association requirements and guidelines.
Federal and state authorities remain laser-focused on protecting consumers’ privacy and security online, offline, and in the mobile environment. While nearly any company that financially benefits from the collection or use of consumer personal data is a potential target, understanding which particular practices may be considered unlawful, misleading, or deceptive can be challenging.
To help navigate that task, we provide a brief overview of key considerations when implementing privacy and data security practices in your company.
Companies that collect personal information from consumers should think about their privacy practices from the beginning of product development and through each stage of the product lifecycle. Such analysis often includes: (a) assessing whether there are legitimate business reasons for collecting each type of information; (b) understanding all the ways the information will be used; (c) ensuring limits on the collection and retention of such data; (d) implementing procedures to promote data accuracy and integrity; and (e) employing reasonable security and access restrictions.
If your company is collecting personal information from consumers, it is also important to have a good sense of exactly what data is being collected, the purpose of the data collection, and how this information is being collected, processed, stored, transferred, or otherwise used. Having a good sense of the company’s data collection and use practices will allow the company to accurately describe this information in its privacy policy and provide adequate protection for securing the data.
Here are a few tips to get a good sense of your company’s data collection and use practices:
- Understand what types of information are being collected. For example, privacy laws encompass a wide range of data elements such as name, address, telephone number, email, financial information, health or medical information, birth date, Social Security number, biometric data, identifiers associated with a device (such as IP address, cookie identifiers, and device identifiers), and inferences drawn from these data elements. State privacy laws refer to these data elements as “personal information” or “personal data.”
- Understand where this information is collected (whether offline, online, via a mobile app, or other mechanism), and whether it is collected automatically or requires the consumer to manually enter the information.
- Have a good sense of where this information is stored (whether on the company’s network or in a central database), and whether the information can be transferred off the secure network to, for example, individual employee laptops or smartphones.
- Know what controls are in place to prevent unauthorized access to the information, both from unauthorized third parties (i.e., hackers) and company employees.
- Determine if the disclosure of the personal information to third parties constitutes a “sale” of personal information as defined in state privacy laws like the California Consumer Privacy Act (CCPA), and similar laws in Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, and Tennessee. A sale means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.”
- Understand whether the company discloses personal information to service providers for business purposes, how service providers may use the personal information, and how the service providers are required to safeguard personal information consistent with statutory and contractual requirements.
- Consider developing a records retention policy to identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely when the company no longer needs it.
- When collecting personal information online from children under the age of 13 (including on websites, mobile apps, or other online services), companies must comply with COPPA.
- Recognize that privacy laws may apply to information about employees and commercial customers, not just consumer data.
Practice Pointers
- Consider privacy at the outset of product development.
- Know what data is being collected from consumers.
- Understand who will have access to this information and their purpose for accessing the data.
For companies that are not regulated as health providers/health insurers under HIPAA, it is clear that the use of consumer information related to health for advertising purposes is not only on the agenda for the FTC and legislators, but also on the radar of the plaintiffs’ bar.
In particular, the FTC has recently rekindled enforcement interest in protections for consumer health information with respect to its Health Breach Notification Rule.
Companies should ensure there is a process in place to identify and obtain consent for all consumer health information that may be shared with third parties via a website for advertising or analytics related purposes (i.e., via pixels) to avoid running afoul of the Rule.
In addition, Washington State recently passed the My Health, My Data Act (MHMD), with enforcement slated to largely begin in 2024. The law applies to regulated entities, which are defined as a legal entity that (1) does business in Washington and (2) determines the “purpose and means of collecting, processing, sharing, or selling consumer health data.” Although limited to “consumer health data,” MHMD’s actual scope is much broader than many might anticipate based on the title of the law. It imposes stringent notice and consent obligations on the collection, sharing, and sale of “consumer health data,” a term that captures a potentially vast array of data, as it is defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” Like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), MHMD provides broad privacy rights. As such, MHMD provides consumers with rights to confirm processing, delete, and withdraw consent for the collection and sharing of consumer health data.
MHMD broadly prohibits regulated entities from using a geofence to identify consumers, collect consumer health data, or send ads or notifications based on a consumer’s proximity to in-person health care services facilities for certain purposes. MHMD also creates a private right of action, allowing consumers to bring claims under Washington’s Consumer Protection Act, in addition to authorizing enforcement by the state attorney general.
Practice Pointers
Washington is the first state in the nation to codify into law broad protections for consumer health data. MHMD is part of a broader, accelerating trend toward treating health data as a particularly sensitive category of personal data. These trends suggest short-term and long-term priorities.
In the short term, regulated entities should ask:
- Have you identified all instances in which you collect, share, or sell consumer health data?
- How can you build on existing processes for honoring consumer requests?
- Do your current notice and consent practices meet MHMD’s detailed, prescriptive disclosure requirements?
Additionally, MHMD illuminates the long-term trend toward stricter health data privacy regulation. Building on MHMD, companies may take steps to develop longer-term compliance around health data identification and management. Lawmakers in other states — such as Illinois, Massachusetts, New York and Nevada — are working on their own versions of legislation that would enforce similar data protections.
Implementing and maintaining data security is a never-ending challenge. As cybercriminals evolve, so must the companies that collect personal and other identifying information. Staying one step ahead of these hackers will help to prevent or at least minimize the risk of experiencing a data breach. Threats to data may transform over time, but the fundamentals of sound security remain constant. This is why companies should consider data security from product development and throughout a product’s life cycle. Assessing data security options and making reasonable choices based on the nature of the business and the sensitivity of the information involved will help to ensure that the data remains protected and secure.
When looking at data security throughout a product’s lifecycle, here are a few tips to help ensure that your company’s data, and any data it collects and stores, remains secure:
- Some states have enacted laws requiring businesses to maintain data security standards to protect state residents’ personal information from being compromised. These laws typically require businesses to implement and maintain reasonable security measures.
- Understand what security measures are in place at each point of collection, storage, access, and transfer to ensure that the data is secure throughout its lifecycle. Consider conducting a formal risk assessment to identify threats to, and vulnerabilities in, the information system; the potential impact or magnitude of harm that a loss of confidentiality, integrity, or availability would have; and the security controls that are needed.
- Maintain extensive computer system security requirements (e.g., secure user authentication protocols or passwords, secure access control measures, monitoring of systems, up-to-date firewalls, and virus or malware protection), and require meaningful password protections.
- Implement intrusion detection and prevention tools to monitor the network for malicious activity, and have an effective process or policy in place to receive and address security vulnerability reports.
- Secure all data that is carried over an unsecured or wireless network (e.g., by serving it over HTTPS rather than plain HTTP).
- Encrypt all data containing personal, sensitive, or other identifying information. Also ensure that all sensitive information (e.g., Social Security numbers, payment card information) is masked or truncated.
- Require third-party service providers receiving personal information, by contract, to maintain reasonable security measures.
- Train employees on compliance with data security policies.
- Develop and maintain a comprehensive written policy outlining the company’s physical, administrative, and technical information security measures.
- Regularly monitor and review security measures, at least annually, to ensure they are preventing unauthorized access to personal and other information.
Practice Pointers
- Consider data security from product inception and throughout the product life cycle.
- Implement reasonable data security measures for data both in transit and at rest.
- Require third-party service providers receiving personal information to maintain reasonable security measures.
In 2003, Congress enacted the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) to regulate unsolicited commercial e-mail. The Act does not prohibit unsolicited commercial e-mail messages, but it does provide specific requirements for the content of those messages, including a requirement that the messages include an opt-out mechanism.
The Act applies to all commercial e-mail messages, whether they are sent to individual consumers or to businesses. A commercial e-mail message is generally a message that has a “primary purpose of . . . commercial advertisement or promotion of a commercial product or service.”
Specifically, the CAN-SPAM Act imposes the following requirements for commercial messages:
- Header Information: The transmission information of commercial e-mail messages and transactional or relationship messages cannot be false or misleading.
- Subject Heading: The subject heading of a commercial e-mail message cannot be deceptive.
- Opt-Out Mechanism: All commercial e-mail messages must contain clear notice of the recipient’s right to opt out of future messages from the sender, and a compliant opt-out mechanism.
- Honoring an Opt-Out: The opt-out must become effective within ten business days and remain valid until the recipient affirmatively opts back into receiving commercial e-mail messages from the sender.
- Identification as Advertisement: The sender must clearly identify that the commercial e-mail message is an advertisement or solicitation.
- Address: The commercial e-mail message must contain the sender’s valid physical postal address.
Most of the Act’s requirements do not apply to transactional e-mail messages, such as messages that confirm the receipt of an order. If a message includes both commercial and transactional content, the “primary purpose” of the e-mail will dictate what requirements a company must follow.
Consider the following tips when planning an e-mail campaign:
- Scrub the mailing list against your “do not e-mail” list at the last possible, commercially reasonable moment.
- Don’t require recipients to do anything more than reply to the e-mail or visit a single web page in order to opt out. If you provide a menu of opt-out options, include an option to opt out of all commercial e-mail messages from the business.
- Don’t sell, share, or use your opt-out list for any reason other than to comply with the law.
- Monitor your company’s (or vendor’s) compliance with the Act.
- Have written contracts with third-party service providers, including affiliate marketers, that clearly set out each party’s responsibilities for compliance and appropriate and adequate remedies for non-compliance.
Practice Pointers
- Make sure commercial e-mail messages contain a compliant opt-out mechanism, and that you honor opt-out requests and monitor the effectiveness of that mechanism.
- Contractually obligate vendors to comply with the CAN-SPAM Act, and actively monitor their compliance.
Every company that collects information from consumers, or otherwise uses consumers’ personal or other identifying information, should have a privacy policy in place that explains its privacy practices. Not posting a privacy policy on a website, mobile app, or other online service that collects personal information is not only contrary to FTC guidance, but may also be a violation of state law. With states that have comprehensive privacy laws (such as California) implementing specific requirements for privacy disclosures, it is important to continually review, evaluate, and update your company’s privacy policy and privacy practices. Privacy policies will vary depending upon a company’s specific business model or the products and services it offers.
The key considerations provided below are offered as a general overview. However, this should not take the place of seeking assistance from skilled professionals who will have a better understanding of your company’s specific privacy practices and needs.
- Companies should clearly and plainly describe their data collection, use, disclosure, and protection practices in a privacy policy that is available to consumers before they purchase, download, or use the company’s products or services. Key points to consider when developing a privacy policy include, but may not be limited to:
  - What types of personal information are being collected, whether the collected information is submitted by the user or collected automatically, and whether the collected information is merged or stored together with other data types;
  - How information is used or shared with third parties or service providers;
  - Whether a company’s website, app, or service allows or causes communications to be sent to users outside the website, app, or service (e.g., email messages, text messages), or includes advertising or causes advertising to be sent to users;
  - Whether and how the website, app, or service utilizes any user tracking technology or conducts online behavioral advertising.
- State privacy laws may require additional disclosures about privacy rights available to consumers. These rights include the right to access personal information, delete personal information, or correct inaccurate information. The state privacy laws may also offer privacy rights to opt-out of the sale or sharing of personal information to third parties, or to opt-out of targeted advertising. Companies should include details about applicable rights in their privacy policies.
- Companies should make sure to periodically review and update their privacy policies as needed and make sure that all of their representations and consumer-facing materials remain consistent with statements made relating to their privacy practices.
- Any “material” change to a privacy policy must be accompanied by appropriate notice and choice to consumers. Colorado privacy regulations now treat almost all changes to a privacy policy as “material,” triggering a consumer notice.
- Privacy policies should include the effective date and contact details for the business.
Practice Pointers
- Know what personal and other information is collected, stored, transferred, or otherwise used.
- Privacy policies should be reviewed and updated regularly to ensure that the privacy practices are current.
- Consumers must be notified of any material change to a privacy policy.
California passed the Age-Appropriate Design Code Act in 2022 (effective July 1, 2024), which mirrors the UK Code and serves as the first piece of legislation in the country that imposes affirmative requirements and restrictions on organizations that provide services to users under the age of 18. For reference, in the UK, the national privacy authority rolled out the Age Appropriate Design Code in September 2021, which requires online services to provide better privacy protections for children under the age of 18 by having privacy settings default to the highest level of protection and conducting impact assessments prior to releasing new features, among other things. Together, these laws represent a significant shift in the regulatory landscape of children’s digital services.
An array of states, including Minnesota and Nevada, are proposing legislation modeled after the Act. States such as Maryland, New Mexico and Oregon proposed similar models; however, momentum behind such models has stalled this year. Moreover, other states are focusing on parental supervision of children’s online access. For instance, Utah is the first state to enact laws that limit children’s use of social media, as Utah requires parental consent before kids (under 18) can sign up for sites like Instagram and TikTok. The law also prohibits children under 18 from using social media between the hours of 10:30 p.m. and 6:30 a.m., and requires age verification for anyone who wants to use social media in Utah. Arkansas similarly passed legislation banning minors under 18 from social media platforms without parental consent.
Practice Pointers
The overarching policy of California’s Age-Appropriate Design Code Act (the “Act”) is to require businesses to prioritize the best interests of children when developing and implementing their services. Organizations that process personal data of children and target children for advertisements must ensure they comply with the Act by:
- Conducting a data protection impact assessment (DPIA) of how they use children’s data, before that use can cause harm;
- Limiting data to what is required for the purpose, addressing risks around data storage, and complying with data retention policies;
- Informing children, through effective privacy policies and notices, when they are being monitored or tracked and what rights they have;
- Ensuring data security by taking appropriate security measures;
- Setting all default settings to the most private;
- Making it easier for children to report privacy concerns;
- Living up to their policies and terms & conditions; and
- Providing all privacy notices in clear language that children can understand.
The world of information technology has vastly expanded over the past few decades. Consumers entrust personal information to many different types of businesses on a daily basis and expect companies to safeguard their information during collection, use, retention, and disposal. Despite growing awareness of the need for strong data security, however, data breaches continue to occur at an alarming rate.
To date, all 50 states and the District of Columbia have enacted legislation requiring private entities to notify individuals (and, in some instances, regulators) of certain breaches of personally identifiable information belonging to individuals in their state. While adoption of a preemptive federal standard has been a goal of many key businesses, and a variety of bills have been introduced, at present the matter is left to state law. This creates significant complexity in breach notification due to differences in the applicable legal requirements.
When a data breach occurs, a company must notify every individual whose personal information was breached. In some states, notification may also be required to state regulators. Notification of a breach is governed by the laws in the state where the individual whose data was breached resides. This means that multiple state laws could apply to the same breach.
Below are some tips to follow to assist the company in responding to a potential data breach.
- Create a written data breach incident response policy. Companies should review their breach notification policies and response mechanisms, and consider purchasing cyber liability insurance.
- If the company believes a data breach has occurred, investigate as soon as possible. If a breach is confirmed, the company should take appropriate steps to send consumer notice within a reasonable time period, in accordance with state law.
- The type of personal information breached is key to determining the specific notification requirements, and which state laws will apply. In all states with data breach notification laws (except D.C.), personal information includes first name/initial and last name plus another personal identifying element (e.g., SSN, driver’s license number). Some states have expanded the definition to include additional personal information, such as medical and health insurance information, or biometric data.
- A smart, organized vendor due diligence and security program can help to mitigate the occurrence and scope of data breaches caused by third parties or service providers that collect or use the data collected by the company.
- Have agreements in place with service providers requiring them to notify the company in the event a data breach occurs that affects the consumer information collected from the company’s website or service.
- If a data breach has occurred, be sure to review and address the existing vulnerabilities to prevent future occurrences.
Practice Pointers
- Have a written data breach response policy in place, before a breach occurs.
- Investigate a data breach as soon as there is any indication that a breach has occurred.