Personal data is being used by a broader range of entities for a broader range of purposes every day. Privacy and data security issues are constantly evolving, with developments due to technology, public policy, and breaking news. These issues now impact virtually every company in every industry, both in the United States and around the world. As a consequence of the Internet of Things, smart phones, and the ability to collect data from almost anywhere, more and more companies are gathering and using personal data. Increasingly, privacy and data security law can tell you how your company can in fact use and protect this valuable asset.
These issues affect a broad range of critical topics for all companies, including start-ups and fully established companies, ranging from business partnerships to overall business plan issues, broad compliance challenges, contracting issues, market opportunities and, of course, realistic acquisition opportunities. Lawyers in an increasingly broad variety of fields therefore must understand the key principles surrounding the use and disclosure of personal data when providing virtually all aspects of legal advice to companies, in both regulated and unregulated industries, including compliance, mergers and acquisitions, litigation, and the full range of specific privacy and data security laws and regulations. This means that business lawyers need a basic understanding of privacy and data security law, at least at the level of understanding what issues are relevant for a company and why these issues matter. For some companies, particularly start-ups, if you are not thinking about these issues from the beginning, you may find that your start-up or more established company is missing opportunities and reducing its chances for future success.
A Brief History
Privacy used to be only a constitutional law issue in law and in law schools, with limited implications for businesses and law firms. It dealt primarily with abortion, birth control, search and seizure, and whether you had to disclose your membership in the Communist party (along with some common law torts). Privacy was not really a significant issue for corporate America.
Privacy law started to become an issue for companies involving personal data and consumers/individuals and their relationship to companies in the mid-1990s. From tentative and narrow beginnings, privacy law is now an enormous compliance and regulatory issue across the country and the world, for companies in virtually all industries. It is relevant if you have data about employees, customers, consumers, or anyone else. It is front-page news today on a regular basis, leading to highly publicized concerns about artificial intelligence, big data, discrimination, security breaches, and a broad variety of privacy concerns. It is a top of mind issue for consumer advocates, regulators, and legislators around the country.
Overall US Privacy Approach
The overall approach to privacy in the US consists of a large (and growing) number of laws and regulations, at state, federal, and international levels. These laws have (to date) been (1) specific by industry segment (e.g., health care, banking); (2) specific by practice (e.g., telemarketing); or (3) specific to particular data categories (biometrics, genetic information, facial recognition).
Today, there is no generally applicable US privacy law at the federal level covering all industries and all data (although that may be changing), but there is increasing complexity in the regulatory environment.
We are starting to see state-level laws (such as the California Consumer Privacy Act) that apply across industries. We also are seeing a new set of “specialty” privacy laws that deal with emerging technologies such as facial recognition and location data.
US law at both the state and federal level also includes data security obligations for any company that collects personal information. These requirements generally create compliance obligations for “reasonable and appropriate” security, with varying levels of additional detail depending on the specific law.
Outside the US
There are separate privacy and security rules related to data used in and coming from foreign countries. Where these laws exist (and they exist in a growing number of countries), the rules usually are tougher than in the US, meaning that those countries are more protective of individual privacy.
Many of these laws apply to US companies, either because those companies have a presence in these countries or because of the “extra-territorial reach” of those laws (such as the European Union’s General Data Protection Regulation (GDPR)). Moreover, there are increasing pressures related to the transfer of personal data from these countries, particularly the transfer of data from the European Union to the US.
These issues are affecting a broad range of company operations, including core corporate strategy issues. For example, because US privacy law currently is primarily sectoral, determining where your company fits into these sectors is crucial. In the health care space, if your business model is direct to consumer, you typically have modest explicit legal obligations today (although regulators are watching you in any event). If you partner with health insurers or hospitals, in many cases you may become subject to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules as a service provider to these entities.
Thinking about where your business operates also matters (especially in evaluating if you are subject to laws in other countries or state-specific laws). These principles now matter for overall compliance, product design, customer and vendor relationships, marketing opportunities and, critically, mergers and acquisition activity, as purchasers now are drilling down into data assets, data rights and privacy and security compliance. For the foreseeable future, these issues will become increasingly important and complicated, across virtually all segments of corporate America.