Privacy Law & Data Protection: Avoiding Trouble & Costly Violations

After a deep dive into current privacy law and data protection, I’m excited to announce I’m officially a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals. Joining this community will not only help me stay on the leading edge of changes to privacy law, but also ensure my clients are complying with the constantly changing privacy and data protection rules and regulations.

Today, all business communications are subject to some degree of privacy law. In other words, my days at the office are busy with clients who want to:

/ be assessed for the level of compliance they need

/ structure privacy and data protection throughout their systems

/ correct & remedy violations

/ continuously review policies and systems

The Importance of A Compliance Assessment

Privacy laws internationally, nationally, and locally have been changing significantly over the past couple of years. Even when companies are trying their best, the goal posts keep moving.

Here in California, we had the 2018 California Consumer Privacy Act (“CCPA”) passed. It was then revised a year later. These Acts contain specific requirements that businesses need to adhere to in order to protect consumer privacy or face large fines. In addition, California was the first state to allow a private right of action so that businesses can face civil litigation and not just Attorney General penalties for non-compliance.

Many small businesses and popular influencers may not realize these laws could apply to them. These are my favorite clients to work with, and typically need the most assistance in navigating privacy and data protection laws. Contrary to popular belief, the CCPA does not just apply to businesses that make millions of dollars, but also to businesses that receive information from more than 50,000 people. These days, having 50,000 people sign up for a newsletter or purchase a product does not seem like a significant amount, but it is enough to require a business to comply with the CCPA’s privacy and data protection requirements.

What we look at to assess your exposure:

/ your sales revenue tied to the data you're collecting

/ # of people from whom you are collecting data

/ how compliant your systems are, including 3rd parties

We've moved from the days of having a little storefront on eBay or Etsy, to these same people having their own full-fledged websites and businesses. And what comes with this successful entrepreneurship is having to comply with the relevant business laws. You can’t continue to have an “I'm just running this out of my garage” mentality. You’ve grown up. You’re a business. You're a full-fledged entity. And that’s a good thing. Embrace it and both the benefits and responsibility that come with it.

The Importance of Structuring Privacy and Data Protection Procedures to Your Specific Business

Your business is unique, and its privacy and protection procedures should be unique too. There is no one-size-fits-all formula because privacy and protection requirements change based on the type of consumers you interact with and how you interact with them.

Factors to consider when creating a privacy and data protection plan:

/ who your audience is

/ who you are actually reaching

/ how you currently communicate with your audience

/ how you want to communicate with your audience

/ what data you collect from your audience

/ how you use the data collected

/ how you want to use the data collected

For instance, the requirements for data collection and use vary based on the age of the consumer. Similarly, express written consent is required before texting a consumer with promotional material, whereas promotional emails do not require such express consent.

When we work with clients to structure their data and privacy systems, we create a schematic of interactions and the protections that keep them compliant in each interaction using checklists, forms, and even working with our clients to connect them with the third parties that offer reliable consumer communication services. This way it's not the client who's sending out the text messages, but the third-party who's then controlling the database, and whose singular expertise is dedicated to ensuring that the protocols are followed correctly.

The Importance of Immediately Correcting and Remedying Privacy and Data Protection Violations

Clients frequently come to us for the first time because there's been a security breach or a complaint made regarding their privacy practices. Our response to these clients is threefold. First, we investigate, determine if a problem actually exists, and, if so, stop the problem from continuing. Second, we work with the client to modify their procedures to eliminate future problems. Third, we help the client resolve any complaints, typically by settling with the complaining party. Unfortunately, many privacy-related laws are strict liability, so you are liable even if the violation was unintentional. The atmosphere is very litigious right now, with consumer class actions being filed over these purely unintentional violations. Oftentimes, the best business strategy is settling these complaints quickly and fixing the problem so it doesn’t happen again.

One of the most common violations is with text messages. The Telephone Consumer Protection Act (TCPA) regulates marketing that's sent to your phone rather than your email. Sending unsolicited promotional text messages violates the TCPA, with penalties ranging from $500-$1,500 per text sent. Given that most businesses send three or more promotional text messages a week, over the course of a month or two months, you're looking at hundreds of thousands of dollars in liability. Often these cases will settle for around $25,000, but it's something you have to take seriously. Because if you get one, unless you spend the time and resources to fix the problem, you're going to get another complaint and another and another.

That said, not all complaints are valid. We are currently handling a TCPA lawsuit where our client had the proper procedures in place and is still being sued. Unfortunately, there are many next-gen ambulance chasers that pursue these supposed TCPA violations. In these cases, where a client wants to litigate and wants to fight back, we're happy to do so.

The Importance of Continuously Reviewing Privacy Policies and Systems

Setting up privacy and data protection policies is not a one-and-done situation. You cannot just set up your storefront and never look at the privacy policies again. As your company evolves, you need to ensure your privacy policies and systems also evolve with the changing laws and best practices.

I like to think of these periodic reviews as a prevention against very expensive violations. And I encourage my clients to think of having to change their policies as an indicator that their business is growing and succeeding.

Integrity is an Emerging Market

Implementing privacy and data protection procedures should not be thought of as a hassle, but as a way to build your relationship with consumers. In this day and age, the more honest and transparent connections businesses have with their consumers, the more consumers trust and respect the company. Having robust privacy and data protection procedures is one way that your business can enhance its connection with its consumers.
