Without a doubt, data privacy is one of the biggest up-and-coming fields of law. As the world moves more and more online, and as data breaches continue to hit the news on a semi-regular basis, it’s important to have a handle on just what data privacy means. This isn’t meant to be an exhaustive discussion on the subject, but even knowing the basics can be very important.
Data privacy laws are really a patchwork of different protections on personal data. The two most well-known laws of this type are the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) of the European Union. Other, more specific laws also exist, such as the federal COPPA – the Children’s Online Privacy Protection Act, aimed at personal data of those under 13 – and the Illinois Biometric Information Privacy Act, which deals specifically with biometric identifiers like fingerprints and retinal scans. And, just because you aren’t located in the European Union or California doesn’t mean that it’s safe to ignore those laws. If you are interacting with residents of those jurisdictions, then you need to be careful.
These laws, in one way or another, deal with personally identifiable information (“PPI”), that is, information that can be used to identify a particular individual. PPI includes obviously sensitive data like Social Security numbers or credit card numbers, but also more general personal information like telephone numbers, home addresses, and e-mail addresses. Unique identifiers, such as IP addresses and account names (e.g. gamer tags for online gameplay), also fall under PPI, and geolocation data can, as well. Contrary to what some may believe, there are few, if any restrictions, on what data someone is allowed to collect. The emphasis is on openness and transparency about what is happening with the data.
First, anyone who collects data must be truthful about what data is being collected and why. Do you plan to take e-mail and home addresses to sell them to a third-party marketing firm? Well, okay. But you need to make people aware of that. Relatedly, and of paramount importance, permission to collect the data must be secured. And, that permission needs to come before the data is collected. This cannot be stressed enough, so let us repeat – do not collect personal data without getting permission first.
Another important aspect of data privacy, which has already been touched on, is data sharing. With whom do you plan to share the PPI that you’ve collected? And, again, for what purpose? An additional aspect is, how long will the data be retained? Is PPI needed for a one-time transaction, or will it be held for a longer period of time? Keep in mind that people also have the right to have their data deleted upon request. And it should go without saying that reasonable safety precautions must be in place to prevent data breaches and other unintended disclosures.
Data privacy matters are becoming a bigger part of business life. Businesses need to think thought these issues, ideally before operations begin. Privacy principles should be one of the basic building blocks of any business model.