By Jennifer L. Sheridan, Esq.
Last month, Facebook’s founder and CEO Mark Zuckerberg testified before the U.S. Senate and House about his company’s data privacy practices.
A whistleblower had revealed that over 80 million users’ personal information had been sold to Cambridge Analytica, a political consulting firm, and other third parties without the users’ knowledge or consent, in violation of Facebook’s policies.
Zuckerberg was forced to admit that his company had become aware of this data breach in 2015. After receiving assurances that the user data had been deleted, the company went on with business as usual.
At the hearing, Senator Kamala Harris asked Zuckerberg if he had notified Facebook users or the authorities. He said no because he thought the matter was closed.
California is one of 49 U.S. states that require Internet companies to notify users if there is a data breach involving their users’ personal information.
Do you know your responsibilities regarding your users’ data?
First, you need to understand what privacy laws apply to your business.
To give some context, let’s imagine a hypothetical startup tech company named BizConnect.
BizConnect Business Model
BizConnect’s product is a software as a service (SAAS) platform for collaboration and project management.
BizConnect is headquartered in California, but its platform is available to users around the world. It hosts its software platform on Amazon Web Services (AWS).
What laws apply to BizConnect in the privacy arena?
In the U.S., there is no overarching national or federal law on privacy. The Federal Trade Commission (FTC) has jurisdiction if a company’s privacy practices are deceptive and misleading, though it does not mandate a privacy policy.
Many companies have found themselves in the middle of an FTC investigation, leading to consent decrees, triggering greater FTC oversight and, in some cases, fines. In fact, Facebook is currently under an FTC consent decree from 2011.
Although there is no omnibus federal privacy law, several federal laws affect certain types of personal information. For health data, there is HIPAA; for financial data, there is Gramm-Leach-Bliley; for children under 13, there is COPPA; and for educational data, there is FERPA, to name a few.
At the state level, there are a myriad of state laws affecting information privacy. Many are targeted at specific categories of information, such as genetic data or biometric data. Again, I’ll assume BizConnect is not collecting any data in these categories.
However, as Senator Harris hinted in the recent Zuckerberg hearings, there are state laws, including in California, which require timely notification to users of unauthorized access of their personal information. Forty-nine states have notification laws for data breaches.
Another California law requires that websites collecting personal information post a privacy policy that meets defined criteria. This law reaches any company, no matter where it is located, if it collects personal information from California residents. For this reason, all U.S. companies collecting personal information on their website, even for a free demo or a mailing list, should post a privacy policy compliant with California requirements.
BizConnect needs to look at all of these laws and find out whether they apply to its services.
My next several posts at TechContracts.com will address privacy law compliance, still in the context of our hypothetical startup, BizConnect. We will discuss the following 10 best practices in detail:
- Adopt a privacy policy compliant with US law and EU law (namely the General Data Protection Regulation, or GDPR);
- Self-certify compliance with the U.S. Privacy Shield;
- Use GDPR-compliant model clauses for data exporter-data importer transactions;
- Carry out an internal Data Privacy Impact Assessment (DPIA);
- Consider adopting a Code of Conduct for the relevant industry;
- Draft an internal written data security plan and train employees/contractors, especially those who have direct contact with personal data;
- Adopt commercial templates with customers to mitigate GDPR risk;
- Determine whether to appoint a Data Protection Officer (DPO) under the GDPR;
- Consider implementing an SSAE-16 audit and a Business Continuity Plan; and
- Determine whether you need an EU data protection representative.
In my next post on TechContracts.com, I’ll discuss data privacy best practice number one: Adopt a privacy policy compliant with US law and EU law.
Jennifer Sheridan is an attorney. She serves as Of Counsel with Sycamore Legal, P.C., a San Francisco IT and IP boutique law firm founded by David Tollen, who also founded Tech Contracts Academy. Jenny specializes in technology contracts and privacy.
© 2018 by Tech Contracts Academy, LLC. All rights reserved.