By Jennifer L. Sheridan, Esq.
Last month, Facebook’s founder and CEO Mark Zuckerberg testified before the U.S. Senate and House about his company’s data privacy practices.
A whistleblower had revealed that over 80 millions users’ personal information had been sold to Cambridge Analytica, a political consulting firm, and other third parties without the users’ knowledge or consent, in violation of Facebook’s policies.
Zuckerberg was forced to admit that his company had become aware of this data breach in 2015. After receiving the assurances that the user data had been deleted, they went on with business as usual.
At the hearing, Senator Kamala Harris asked Zuckerberg if he had notified Facebook users or the authorities. He said no because he thought the matter was closed.
California is one of 49 U.S. states which require Internet companies to notify users if there is a data breach of their users’ personal information.
Do you know your responsibilities regarding your users’ data?
First, you need to understand what privacy laws apply to your business.
To give some context, let’s imagine a hypothetical startup tech company named BizConnect.
BizConnect Business Model
BizConnect’s product is a software as a service (SAAS) platform for collaboration and project management.
BizConnect is headquartered in California, but its platform is available to users around the world. It hosts its software platform on Amazon Web Services (AWS).
What laws apply to BizConnect in the privacy arena?
Many companies have found themselves in the middle of an FTC investigation, leading to consent decrees, triggering greater FTC oversight and, in some cases, fines. In fact, Facebook is currently under an FTC consent decree from 2011.
Although there is no omnibus federal privacy law, several federal laws affect certain types of personal information. For health law, there is HIPAA; for financial data, there is Gramm-Leach-Bliley; for children under 13, there is COPPA; and for educational data, there is FERPA–to name a few.
At the state level, there are a myriad of national laws affecting information privacy. Many are targeted at information like genetic data or biometric data. Again I’ll assume BizConnect is not collecting any data in these categories.
However, as Senator Harris hinted in the recent Zuckerberg hearings, there are state laws, including in California, which require timely notification to users of unauthorized access of their personal information. Forty-nine states have notification laws for data breaches.
BizConnect needs to look at all of these laws and find out whether they apply to its services.
My next several posts at Tech Contracts.com will address privacy law compliance, still in the context of our hypothetical startup, BizConnect. We will discuss the following 10 best practices in detail:
- Self-certify compliance with the U.S. Privacy Shield;
- Use GDPR-compliant model clauses for data exporter-data importer transactions;
- Carry out an internal Data Privacy Impact Assessment (DPIA);
- Consider adopting a Code of Conduct for the relevant industry;
- Draft an internal written data security plan and train employees/contractors, especially those who have direct contact with personal data;
- Adopt commercial templates with customers to mitigate GDPR risk;
- Determine whether to appoint a Data Protection Office (DPO) under the GDPR; and
- Consider implementing an SSAE-16 audit and a Business Continuity Plan.
- Determine whether you need a EU data protection representative.
Jennifer Sheridan is an attorney. She serves as Of Counsel with Sycamore Legal, P.C., a San Francisco IT and IP boutique law firm founded by David Tollen, who also founded Tech Contracts Academy. Jenny specializes in technology contracts and privacy.
© 2018 by Tech Contracts Academy, LLC. All rights reserved.