Why Do Privacy Policies Matter?
Privacy laws have been in effect for decades, but developments in technology have necessitated that the laws adapt to address the increasing volume of data and information collected about consumers by Big Tech companies, online businesses, and businesses with an online presence. Therefore, it is crucial to understand the importance of privacy laws and why they matter.
To Whom Do Privacy Laws Apply?
Privacy laws can apply to essentially anyone, and any jurisdiction can have its own laws to protect its citizens' privacy rights. The most well-known jurisdiction-specific privacy laws currently in effect are in California, Illinois, and Europe. In addition, the federal government has promulgated industry-specific privacy laws. The most significant of these laws applicable to businesses are discussed below.
General Data Protection Regulation
The General Data Protection Regulation (the “GDPR”) is the EU's omnibus privacy law. It can apply to US companies depending on who they target as customers. The GDPR applies to controllers or processors of personal data located in the EU, and to controllers or processors located outside the EU that offer goods or services to data subjects in the EU or monitor their behavior.
Less stringent regulations apply to companies with 250 or fewer employees. The requirements applicable to a business depend on whether it is a processor or a controller. A controller is an entity that determines the means and purposes of the processing of personal data, and a processor is an entity that processes personal data on behalf of a controller.
The GDPR offers the same rights provided under the CCPA, plus the right to data portability and the right to rectify any inaccurate or incomplete information. Also, the GDPR requires certain companies to conduct data protection impact assessments and appoint a data protection officer. Like the CCPA, the GDPR does not offer a private right of action. Instead, non-compliant businesses can potentially be fined up to €20 million, or 4% of the firm's worldwide annual revenue from the preceding financial year, whichever amount is higher, depending on the severity of the violations.
California Consumer Privacy Act
California's state-specific act is named the California Consumer Privacy Act (the “CCPA”). Only California residents have rights under the CCPA, but these rights apply even if the person is temporarily out of state. Furthermore, the CCPA only applies to for-profit businesses that do business in California and that either: (1) have a gross annual revenue over $25 million; (2) buy, receive, or sell the personal information of 50,000 or more California residents; or (3) derive 50% or more of their annual revenue from selling California residents' personal information.
The CCPA grants several rights to California residents, including:
- the right to know what personal information a business plans on collecting from the individual before the point of collection;
- the right to access personal information that a business holds about them;
- the right to compel a business to delete their personal information; and
- the right to opt out of the sale of their personal information.
The CCPA does not allow for a private right of action, except for certain data breaches, so an individual will have to rely on the California Attorney General to enforce the law against businesses that break it. However, any company that deals with consumers in California must abide by the CCPA.
Illinois Biometric Information Privacy Act
The Biometric Information Privacy Act (the “BIPA”) is an Illinois privacy law known for causing frequent and high-profile litigation. The BIPA requires that businesses obtain informed consent from a person before collecting “biometric identifiers.” Biometric identifiers include retina or iris scans, fingerprints, voiceprints, and facial geometry. What makes the BIPA unique compared to other privacy laws is that it allows harmed individuals to bring a private right of action. The BIPA provides statutory damages of up to $1,000 for each negligent violation and up to $5,000 for each intentional violation. As an example of potential liability under the BIPA, Facebook recently agreed to pay $650 million to settle a class action based on BIPA.
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (“HIPAA”) applies only to hospitals, hospital workers, health insurance companies, and business associates of healthcare entities. The law protects against the unauthorized and inadvertent disclosure of a person's healthcare information. The Department of Health and Human Services is tasked with enforcing HIPAA.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (the “GLBA”) requires financial institutions to explain their information-sharing practices to their customers and to safeguard nonpublic personal information. The FTC, federal banking agencies, and state insurance oversight agencies enforce the GLBA.
Children's Online Privacy Act
The Children's Online Privacy Act (the “COPA”) prohibits companies from asking for or collecting the personal information of children who are 12 years old or younger unless there is verifiable parental consent.
Do Third-Party Services Require Privacy Policies?
Why is privacy important?
There are several reasons why privacy rights are necessary and why state and federal governments strive to enact strict privacy laws:
- Unwanted Government Intrusions. First, privacy laws prevent unwanted government intrusions. Implicit in the 4th Amendment right against unwarranted searches and seizures is the concept that every individual has a reasonable expectation of privacy when in private places. This prevents the government from searching our homes without warrants. The Supreme Court has extended this protection by holding that the government cannot seize cell-site location data (the location data produced when our cell phone pings a nearby cell tower) without a warrant.
- Prevent Private Companies from Using Our Data Without Our Permission. Privacy laws also stop private companies from recklessly using data for personal ambitions: Facebook's Cambridge Analytica scandal best exemplifies what can go wrong when a business mishandles our information for financial gain. Despite several warnings about the safety of British consulting firm Cambridge Analytica, Facebook allowed the app to harvest the data of 87 million Facebook profiles. Cambridge Analytica then used the data to interfere in the 2016 US presidential election. The FTC ultimately assessed Facebook a $5 billion fine for its privacy violations related to the scandal.
- Building Trust with Consumers. Having robust privacy policies can help build trust with consumers. Apple has recently launched an ad campaign that highlights the privacy protections the company offers, and it provides privacy statistics for each app installed on an iPhone. The extra transparency and assurances that consumer data will not be mishandled allow consumers to feel safer when using a company's products. Also, having established privacy rights gives consumers confidence that when businesses break the trust they elicit from the general public, these businesses will be held accountable.
- Have Control Over Our Personal Information. Establishing a strong regime of privacy laws enables citizens to regain control of their personal information. New and innovative privacy laws that have recently emerged grant individuals various rights and have helped consumers regain control over their personal data. For instance, California consumers can prevent certain businesses from selling and collecting their information, revoking the free pass businesses had to transfer personal information without limits.
- Maintain Self-Autonomy. Consumers can lose a sense of self-autonomy when sensitive aspects of their lives, like information pertaining to mental health and their biometric data, are sold and transferred to countless businesses. Recognizing privacy rights restores this self-autonomy by allowing consumers to choose who can receive this information and who cannot. Last, some individuals might seek to be forgotten altogether. The right to deletion that some privacy laws grant allows individuals to live their lives in anonymity, away from the prying eyes of enterprising businesses.
- Protect Finances and Reputation. Finally, privacy laws protect a person's finances and reputation. States that have implemented robust data breach laws have given extra protection to those who may be financially vulnerable in the event of a data breach. Furthermore, specific financial privacy laws and the Fair Credit Reporting Act allow individuals to hold credit reporting agencies accountable when significant errors are made on consumers' credit reports that prevent them from receiving financing for a car, home, or other things they might need. Likewise, privacy laws that grant a right of rectification enable individuals to fix any errors in their personal information that might hurt their reputation online.
High-Profile Privacy Violations
Several high-profile data breaches have resulted in hefty penalties for the businesses that allowed them to happen.
As mentioned above, Facebook allowed an unsecured political analytics company, Cambridge Analytica, to steal the personal information of 87 million users. This resulted in a $5 billion fine from the FTC, the largest penalty the agency has ever levied.
In 2013, it was reported that hackers had stolen the IDs and encrypted passwords for 38 million active Adobe users. The hack also exposed customer names and debit/credit card information. Adobe got off relatively easy, only having to pay $1.1 million to settle the claims against it.
Between May and July 2017, hackers gained access to the private records of 149 million Americans via the credit reporting agency Equifax. Under the settlement for this breach, Equifax had to pay out $650 million in damages to those affected, along with free credit monitoring and identity theft services.
Yahoo! announced in 2016 that it had been subject to two major data breaches of user account data years before. The company stated that one data breach that occurred in late 2014 affected over 500 million Yahoo! user accounts, while a separate breach occurring around August 2013 affected over 1 billion user accounts. The announcement of these hacks caused Verizon's purchase price for an impending acquisition of Yahoo! to decrease by $350 million. In addition, Yahoo! eventually agreed to settle various lawsuits against it for $117.5 million in August 2019.
Third-party uses and sales of personal information should be disclosed. As with the disclosure of how information is collected and used, the CCPA and third-party service contracts require that this information be included. The policy should provide a list of the third parties with which information is shared, how those third parties use that information, and for what purposes the information is shared. The policy should also disclose whether the business will sell personal information and, if so, to which third parties the information will be sold and for what purposes.
Finally, contact information should be provided for the employees who handle privacy oversight at the business, in case customers have any questions.
Contact an experienced law firm