It has long been the case that technology has outpaced legislation by a long margin. Though technology is still winning that race, data privacy laws have sprung into action, and it may be a good time to revisit your company’s Data Privacy Practices to prevent potential regulatory exposure and liability.
Although there are many facets to consider in evaluating Data Privacy Compliance, the Privacy Notice or Policy that a company displays on its website is usually a good ‘canary in the coal mine’ for determining where Data Privacy needs some TLC at your organization.
There are two ways in which your Privacy Notice gets stale. First, data privacy laws are changing very frequently these days, and certain personal data collection practices that were acceptable in the past may not be today. In fact, on the heels of California’s CCPA, Virginia and Colorado have enacted their own data privacy laws, further expanding general data privacy legislation in the United States.
Second, even absent any new legislation, your business’s data collection practices may have changed since you last updated your Privacy Notice. If you collect different personal data, for example with a new registration form on your website, your Privacy Notice may need to reflect that change. Another example of a change that potentially implicates your Privacy Notice is a change to your data retention policies or cybersecurity certifications. If your business advertises in its Privacy Notice that it undertakes yearly penetration testing and has not conducted a test in over a year, the FTC could initiate an enforcement action based solely on that failed promise in your Privacy Notice.
A Privacy Notice should, at a minimum, account for the following:
- Notify the consumer/visitor that their personal data is being collected and what types and categories of data are being collected.
- Notify the consumer of the legally acceptable business purpose for which it is being collected.
- Explain how it is shared, with whom it is shared, and whether that entity will protect the consumer’s data.
- Present the ability to opt out of the sale or marketing of a customer’s data.
- Describe any specific rights of correction/deletion, if applicable under particular data privacy laws.
- Display contact information for the individual responsible for data privacy at your organization.
Leech Tishman Fuscaldo & Lampl is a full-service law firm dedicated to assisting individuals, businesses, and institutions. Leech Tishman offers legal services in business restructuring & insolvency, corporate matters, employment & labor, estates & trusts, intellectual property, litigation & alternative dispute resolution, and real estate. In addition, the firm offers a wide range of legal services to clients in the aviation & aerospace, cannabis, construction, energy & natural resources, healthcare, and hospitality industries. Headquartered in Pittsburgh, PA, Leech Tishman also has offices in Chicago, Los Angeles, New York, Philadelphia, Sarasota, Washington, D.C. and Wilmington, DE.