
Why Do Privacy Policies Matter?

Posted by Patrick Ivy | Jun 28, 2021 | 0 Comments


Privacy laws have been in effect for decades, but developments in technology have necessitated that the laws adapt to address the increasing volume of data and information collected about consumers by Big Tech companies, online businesses, and businesses with an online presence. Therefore, it is crucial to understand the importance of privacy laws and why they matter.

To Whom do Privacy Laws Apply?

Privacy laws can apply to essentially anyone, and any jurisdiction can have its own laws to protect its citizens' privacy rights. The most well-known jurisdiction-specific privacy laws currently in effect are in California, Illinois, and Europe. In addition, the federal government has promulgated industry-specific privacy laws. The most significant of these laws applicable to businesses are discussed below.

General Data Protection Regulation

The General Data Protection Regulation (the “GDPR”) is the EU's omnibus privacy law. It can apply to US companies depending on who they target as customers. The GDPR applies to controllers or processors of personal data located in the EU and controllers or processors located outside the EU that offer goods or services to data subjects in the EU or monitor their behavior.

Less stringent regulations apply to companies with 250 or fewer employees. The requirements applicable to a business depend on whether it is a processor or a controller. A controller is an entity that determines the means and purposes of the processing of personal data, and a processor is an entity that processes personal data on behalf of a controller.

The GDPR offers the same rights provided under the CCPA, plus the right to data portability and the right to rectify any inaccurate or incomplete information. Also, the GDPR requires certain companies to conduct data protection impact assessments and appoint a data protection officer. Like the CCPA, the GDPR does not offer a private right of action. Instead, non-compliant businesses can potentially be fined up to €20 million, or 4% of the firm's worldwide annual revenue from the preceding financial year, whichever amount is higher, depending on the severity of the violations.

California Consumer Privacy Act

California's state-specific act is named the California Consumer Privacy Act (the “CCPA”). Only California residents have rights under the CCPA, but these rights apply even if the person is temporarily out of state. Furthermore, the CCPA only applies to for-profit businesses that conduct business in California that either: (1) have a gross annual revenue over $25 million; (2) buy, receive, or sell the personal information of 50,000 or more California residents; or (3) derive 50% or more of their annual revenue from selling California residents' personal information.

The CCPA grants several rights to California residents, including:

  • the right to know what personal information a business plans on collecting from the individual before the point of collection;
  • the right to access personal information that a business holds about them;
  • the right to compel a business to delete their personal information; and
  • the right to opt out of the sale of their personal information.

The CCPA does not allow for a private right of action, except for certain data breaches, so an individual will have to rely on the California Attorney General to enforce the law against businesses that break it. However, any company that deals with consumers in California must abide by the CCPA.

Illinois Biometric Information Privacy Act

The Biometric Information Privacy Act (the “BIPA”) is an Illinois privacy law known for causing frequent and high-profile litigation. The BIPA requires that businesses get informed consent from a person before collecting “biometric identifiers.” Biometric identifiers include retina or iris scans, fingerprints, voiceprints, and facial geometry. What makes the BIPA unique compared to other privacy laws is that it allows harmed individuals to bring a private right of action. The BIPA provides statutory damages of up to $1,000 for each negligent violation and up to $5,000 for each intentional violation. As an example of potential liability under the BIPA, Facebook recently agreed to pay $650 million to settle a class action based on BIPA.

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (“HIPAA”) applies only to hospitals, hospital workers, health insurance companies, and business associates of healthcare entities. The law protects against the unauthorized and inadvertent disclosure of a person's healthcare information. The Department of Health and Human Services is tasked with enforcing HIPAA.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (the “GLBA”) requires financial institutions to explain their information-sharing practices to their customers and safeguard nonpublic personal information. The FTC, federal banking agencies, and state insurance oversight agencies enforce the GLBA.

Children's Online Privacy Act

The Children's Online Privacy Act (the “COPA”) prohibits companies from asking for or collecting the personal information of children who are 12 years or younger unless there is verifiable parental consent.

If any of these privacy laws affects your business, you must make the required disclosures mandated by law and craft a privacy policy detailing individual rights on your website to be compliant. You must also implement security measures on your website to safeguard personal information collected and set up collection protocols to prevent your website from wrongfully collecting personal information from a protected party.

Do Third-Party Services Require Privacy Policies?

Many commonly used third-party services require that websites have a privacy policy. For example, a website using Google Analytics must update its privacy policy to meet the Google Analytics Terms of Service because Google Analytics tracks user behavior with cookies, and those cookies collect personal information. Google's AdSense service requires that a website's privacy policy provide information on how Google's DoubleClick cookies work, and also provide instructions on how users can opt out of the use of DoubleClick cookies through Google's Ad settings. Apple and Facebook require all of their app developers to have a privacy policy, and Twitter requires one when a business uses their lead generation services.

These service providers require that a company's website have a privacy policy and disclose certain information because privacy laws require that companies disclose what personal information third parties gather or are given. For example, the EU Cookies Directive and some state laws, like CalOPPA, require the disclosure of cookie usage. If businesses fail to publish this information in their privacy policies, these third-party service providers can be found liable for violating various privacy laws.

Why is privacy important?

There are several reasons why privacy rights are necessary and why state and federal governments strive to enact strict privacy laws:

  • Unwanted Government Intrusions. First, privacy laws prevent unwanted government intrusions. Implicit in the 4th Amendment right against unwarranted searches and seizures is the concept that every individual has a reasonable expectation of privacy when in private places. This prevents the government from searching our homes without warrants. The Supreme Court has extended this protection by holding that the government cannot seize cell-site location data (the location data produced when our cell phone pings a nearby cell tower) without a warrant.
  • Prevent Private Companies from Using Our Data Without Our Permission. Privacy laws also stop private companies from recklessly using data for personal ambitions: Facebook's Cambridge Analytica scandal best exemplifies what can go wrong when a business mishandles our information for financial gain. Despite several warnings about the safety of British consulting firm Cambridge Analytica, Facebook allowed the app to harvest the data of 87 million Facebook profiles. Cambridge Analytica then used the data to interfere in the 2016 US presidential election. The FTC ultimately assessed Facebook a $5 billion fine for its privacy violations related to the scandal.
  • Building Trust with Consumers. Having robust privacy policies can help build trust with consumers. Apple has recently launched an ad campaign that has highlighted the privacy protections the company offers, and it provides privacy statistics for each app installed on an iPhone. The extra transparency and assurances that consumer data will not be mishandled allow consumers to feel safer when using a company's products. Also, having established privacy rights gives consumers confidence that when businesses break the trust they elicit from the general public, these businesses will be held accountable.
  • Have Control Over Our Personal Information. Establishing a strong regime of privacy laws enables citizens to regain control of their personal information. New and innovative privacy laws have recently emerged, granting individuals various rights and helping consumers regain control over their personal data. For instance, California consumers can prevent certain businesses from selling and collecting their information, revoking the free pass businesses had to transfer personal information without limits.
  • Maintain Self-Autonomy. Consumers can lose a sense of self-autonomy when sensitive aspects of their lives, like information pertaining to mental health and their biometric data, are sold and transferred to countless businesses. Recognizing privacy rights restores this self-autonomy by allowing consumers to choose who can receive this information and who cannot. Last, some individuals might seek to be forgotten altogether. The right to deletion that some privacy laws grant allows individuals to live their lives in anonymity, away from the prying eyes of enterprising businesses.
  • Protect Finances and Reputation. Finally, privacy laws protect a person's finances and reputation. States that have implemented robust data breach laws have given extra protection to those who may be financially vulnerable in the event of a data breach. Furthermore, specific financial privacy laws and the Fair Credit Reporting Act allow individuals to hold credit reporting agencies accountable when significant errors are made on consumers' credit reports that prevent them from receiving financing for a car, home, or other things they might need. Likewise, privacy laws that allow a right of rectification enable individuals to fix any errors in their personal information that might hurt their reputation online.

High-Profile Privacy Violations

Several high-profile data breaches have resulted in hefty violations for the businesses that allowed them to happen.

Facebook

As mentioned above, Facebook allowed an unsecured political analytics company, Cambridge Analytica, to steal the personal information of 87 million users. This resulted in a $5 billion fine from the FTC, the largest penalty the agency has ever levied.

Adobe

In 2013, it was reported that hackers had stolen the IDs and encrypted passwords for 38 million active Adobe users. The hack also exposed customer names and debit/credit card information. Adobe got off relatively easy, only having to pay $1.1 million to settle the claims against it.

Equifax

Between May and July 2017, hackers gained access to the private records of 149 million Americans via the credit reporting agency Equifax. Under the settlement for this breach, Equifax had to pay out $650 million in damages to those affected, along with free credit monitoring and identity theft services.

Yahoo!

Yahoo! announced in 2016 that it had been subject to two major data breaches of user account data years before. The company stated that one data breach that occurred in late 2014 affected over 500 million Yahoo! user accounts, while a separate breach occurring around August 2013 affected over 1 billion user accounts. The announcement of these hacks caused Verizon's purchase price for an impending acquisition of Yahoo! to decrease by $350 million. In addition, Yahoo! eventually agreed to settle various lawsuits against it for $117.5 million in August 2019.

What should a business include in its privacy policy?

A well-crafted privacy policy should include several topics. First, it should detail the business' commitments to its customers. It should make general statements as to how customer information is protected and what the business will do to protect customer information if a breach occurs.

A privacy policy should disclose how information is collected and used. The CCPA and third-party service contracts require that this information be included. A business should detail how it collects personal information (e.g., via cookies, third-party services) and how that information is used (e.g., if geo-location data is used to adapt the user's experience).

Third-party uses of personal information and sale should be disclosed. As with the disclosure of how information is collected and used, the CCPA and third-party service contracts require that this information be included. The policy should provide a list of third parties with which information is shared, how those third parties use that information, and for what purposes the information is shared. The policy should disclose whether the business will sell personal information, and if so, to what third parties the information will be sold and for what purposes.

A privacy policy should detail and identify consumer privacy rights. It must list the rights a consumer has under state and federal law and detail how a consumer can exercise those rights. For instance, if the CCPA applies to the business, the policy must detail the rights the CCPA protects and how consumers can exercise those rights in relation to the business. The policy should explicitly include information on consumers' opt-out choices and how they can exercise that option. For example, some websites simply have a hyperlinked button that says “Do Not Sell My Information” which is linked to a page that allows consumers to opt out of the sale of their information.

Data retention procedures should be addressed. The privacy policy should state how the company stores personal information, how long the company retains personal information, and how personal information is destroyed once the retention period ends.

Finally, company contact information should be provided for employees that handle privacy oversight at the business in case customers have any questions.

Contact an experienced law firm

If your business has an online presence, you should contact the experienced lawyers at Newburn Law now to learn about how we can help you create a privacy policy to protect your consumers and your business.

About the Author

Patrick Ivy

Patrick is a native of the Texas Hill Country. He attended The University of Texas at Austin, earning his undergraduate degree in finance in 2003 and his law degree in 2007. In the winter of 2010, he relocated to Denver, Colorado. He enjoys spending time with his family and alpine skiing.
