Personal data is used by a broader range of entities for a broader range of purposes daily. Privacy and data security issues are constantly evolving, with developments due to technology, public policy, and breaking news. These issues now impact virtually every company in every industry in the United States and worldwide. Due to the Internet of Things, smartphones, and the ability to collect data from almost anywhere, more and more companies are gathering and using personal data. Increasingly, privacy and data security laws can tell you how your company can, in fact, use and protect this valuable asset.
These issues affect a broad range of critical topics for all companies, from business partnerships to overall business plan issues, broad compliance challenges, contracting issues, market opportunities, and realistic acquisition opportunities. Therefore, owners in an increasingly wide variety of fields must understand the fundamental principles surrounding using and disclosing personal data in regulated and unregulated industries. This means that business owners need a basic understanding of privacy and data security law, at least at the level of understanding of what issues are relevant for a company and why these issues matter. For some companies, particularly start-ups, if they are not thinking about these issues from the beginning, they may find that the company is missing opportunities and reducing its chances for future success.
Privacy used to have limited implications for businesses. It dealt primarily with abortion, birth control, search and seizure, and whether you had to disclose your membership in the Communist party (along with some common law torts). Privacy was not a significant issue for corporate America.
Privacy law started to become an issue for companies involving personal data and individuals and their relationship with companies in the mid-1990s. Privacy law is now an enormous compliance and regulatory issue for companies in virtually all industries across the country and the world. It is relevant if you have data about employees, customers, consumers, or anyone else. It is front-page news today regularly, leading to highly publicized concerns about artificial intelligence, big data, discrimination, security breaches, and a wide variety of privacy concerns. It is a top-of-mind issue for consumer advocates, regulators, and legislators around the country.
The overall approach to privacy in the US consists of many laws and regulations at state, federal, and international levels. These laws have been (1) specific by industry segment, (2) specific by practice, or (3) specific to particular data categories.
Today, there is no generally applicable US privacy law at the federal level covering all industries and all data, but there is increasing complexity in the regulatory environment.
There are no state-level laws that apply across industries. A new set of specialty privacy laws deal with emerging technologies such as facial recognition and location data.
US law at both the state and federal levels also includes data security obligations for any company that collects personal information. These requirements generally create compliance obligations for reasonable and appropriate security, with varying levels of additional detail depending on the specific law.
There are separate privacy and security rules related to data used in and coming from foreign countries. Where these laws exist, the rules are usually stricter in other countries beyond the US, meaning those countries are more protective of individual privacy.
Many of these laws apply to US companies, either because those companies have a presence in these countries or because of the extra-territorial reach of those laws. Moreover, there are increasing pressures related to the transfer of personal data from these countries, particularly the transfer of data from the European Union to the US.
These issues affect many company operations, including core corporate strategy issues. For example, determining where your company fits into these sectors is crucial because US privacy law is currently sectoral. In healthcare, if your business model is direct to the consumer, you typically have modest explicit legal obligations today. Suppose you partner with health insurers or hospitals in many cases. In that case, you may become subject to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules as a service provider to these entities.
Thinking about where your business operates also matters. These principles now matter for overall compliance, product design, customer and vendor relationships, marketing opportunities, and, critically, mergers and acquisition activity, as purchasers are now drilling down into data assets, data rights, and privacy and security compliance. For the foreseeable future, these issues will become increasingly important and complicated across virtually all segments of corporate America.