Understanding Data Privacy Laws
What are data privacy laws?
Data privacy laws protect the personal information of consumers. Some data privacy regulations require a business to disclose how information will be collected or used, and others require businesses to implement certain safeguards and security measures.
What are the current data privacy laws in place?
- General Data Protection Regulation (GDPR) – European Union
- California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA) – California
- Health Insurance Portability and Accountability Act (HIPAA)
- Children’s Online Privacy Protection Act (COPPA)
- Fair Credit Reporting Act (FCRA)
- Federal Trade Commission Act
- Other State Statutes
What are the requirements for businesses?
The GDPR and CCPA require businesses to provide privacy notices on their websites, disclosing what personal information is collected and how it is used. Approximately 9 other states have implemented or proposed similar regulations, which suggests that nearly all businesses will eventually be required to post privacy policies online.
Most states with consumer protection laws impose an obligation on businesses to notify consumers who may be affected by a data breach. Additionally, the GDPR and over 10 states now require businesses to take certain security measures to protect private data. These requirements are often phrased as taking “reasonable measures” to protect personal data, but some include specific requirements, such as data encryption.
What is the liability for failure to protect personal data?
Violating a data protection act is generally an issue handled by government entities. The administrative department enforcing the statute may issue fines and bar a business from operating until it implements better security measures.
Civil claims are usually not raised for individual incidents. Statutory damages and fines are a few hundred dollars under state law and up to $7,500 under the CCPA. Individuals may pursue civil claims when actual damages arise, such as identity theft.
If a data breach occurs and affects hundreds or thousands of individuals, the business may face a class action lawsuit. Each affected individual can join the class, adding their statutory damages to the claims.
In serious cases, a company may face FTC action. The FTC can impose penalties for data protection issues by pursuing them as unfair trade practices. These penalties can be upwards of $50,000 per violation.
Key Takeaways
Not all jurisdictions require businesses to post privacy policies or implement data security measures. However, states are trending towards requiring reasonable security measures and data disclosures. If you want to operate your business freely across the US or in the EU, you need to have basic system security and a privacy policy. Data protection issues are simpler to prevent than to resolve once the government gets involved.
About
Attorney Collier started his own law firm straight out of law school and has been practicing law in Ohio for 5+ years. During that time, Joe focused on business law and litigation, gaining some exposure to intellectual property law. While running his firm in 2021, Joe decided to go back to school and get his patent license. Since then, Attorney Collier has been focusing on protecting innovators and entrepreneurs through his expertise in intellectual property and business law.