Companies that collect personal and other information from consumers should think about their privacy practices from the beginning of product development and through each stage of the product lifecycle. Such analysis often includes: (a) assessing whether there are legitimate business reasons for collecting each type of information; (b) understanding all the ways the information will be used; (c) ensuring limits on the collection and retention of such data; (d) implementing procedures to promote data accuracy and integrity; and (e) employing reasonable security and access restrictions.
Here are a few tips to get a good sense of your company’s data collection and use practices:
- Understand what types of personal information are being collected. Personal information may include, for example, name, address, telephone number, email, financial information, health or medical information, birth date, or Social Security number.
- Understand what types of non-personal information are being collected. Non-personal information may include, for example, geolocation, IP address, device serial number, and cookies.
- Understand where this information is collected (whether offline, online, via a mobile app, or other mechanism), and whether it is collected automatically or requires the consumer to manually enter the information.
- Have a good sense of where this information is stored (whether on the company’s network or in a central database), and whether the information can be transferred off the secure network to, for example, individual employee laptops or smartphones.
- Know what controls are in place to prevent unauthorized access to the information, both by unauthorized third parties (e.g., hackers) and by company employees.
- Understand how the company shares or discloses the personal or other information with third-party vendors, service providers, or others that help to operate the product, service, website, or app, and how the information is secured upon transfer to these third parties.
- Consider developing a records retention or other similar policy to identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely when the company no longer needs it.
- When collecting personal information online from children under the age of 13 (including on websites, mobile apps, or other online services), companies must comply with the Children’s Online Privacy Protection Act (COPPA).
- Consider privacy at the outset of product development.
- Know what data is being collected from consumers.
- Understand who will have access to this information and their purpose for accessing the data.
The key considerations provided below are offered as a general overview. However, this should not take the place of seeking assistance from skilled professionals who will have a better understanding of your company’s specific privacy practices and needs.
- What types of data (both personal and non-personal) are being collected, is the collected data submitted by the user or collected automatically, and is the collected data merged or stored together with other data types;
- Whether the company uses any third-party vendors or service providers to operate the website, app, or service, and how information is shared between, or disclosed to, these parties;
- Whether the website, app, or service allows or causes communications to be sent to users outside the website, app, or service (e.g., email messages, text messages), or includes advertising or causes advertising to be sent to users;
- Whether and how the website, app, or service utilizes any user tracking technology or conducts online behavioral advertising;
- The only way to ensure that privacy practices are described accurately is to know what personal and non-personal information the company actually collects, and how it is used, shared, and protected.
- Companies should make sure to periodically review and update their privacy policies as needed and make sure that all of their additional representations and consumer-facing materials remain consistent with statements made relating to their privacy practices.
- Privacy policies should include the effective date.
- Know what personal and other information is collected, stored, transferred, or otherwise used.
- Privacy policies should be reviewed and updated regularly to ensure that the privacy practices are current.
Implementing and maintaining data security is a never-ending challenge. As cybercriminals evolve, so must the companies that collect personal and other identifying information. Staying one step ahead of these attackers will help to prevent, or at least minimize the risk of, a data breach. Threats to data may change over time, but the fundamentals of sound security remain constant. This is why companies should consider data security from product development and throughout a product’s lifecycle. Assessing data security options and making reasonable choices based on the nature of the business and the sensitivity of the information involved will help to ensure that the data remains protected and secure.
When looking at data security throughout a product’s lifecycle, here are a few tips to help ensure that your company’s data, and any data it collects and stores, remains secure:
- Some states have enacted laws requiring businesses to maintain data security standards to protect state residents’ personal information from being compromised. These laws typically require businesses to implement and maintain reasonable security measures.
- Understand what security measures are in place at each point of collection, storage, access, and transfer to ensure that the data is secure throughout its lifecycle. Consider conducting a formal risk assessment to identify threats to, and vulnerabilities in, the information system; the potential impact or magnitude of harm that a loss of confidentiality, integrity, or availability would have; and the security controls that are needed.
- Maintain extensive computer system security requirements (e.g., secure user authentication protocols or passwords, secure access control measures, monitoring of systems, up-to-date firewalls, and virus or malware protection), and require meaningful password protections.
- Implement intrusion detection and prevention tools to monitor the network for malicious activity, and have an effective process or policy in place to receive and address security vulnerability reports.
- Secure all data that is carried over an unsecured or wireless network (e.g., by using HTTPS).
- Encrypt all data containing personal, sensitive, or other identifying information. Also ensure that all sensitive information (e.g., Social Security numbers, payment card information) is masked or truncated.
- Require third-party service providers receiving personal information, by contract, to maintain reasonable security measures.
- Train employees on compliance with data security policies.
- Develop and maintain a comprehensive written policy outlining the company’s physical, administrative, and technical information security measures.
- Regularly monitor and review security measures, at least annually, to ensure they are preventing unauthorized access to personal and other information.
- Consider data security from product inception and throughout the product lifecycle.
- Implement reasonable data security measures for data both in transit and at rest.
- Require third-party service providers receiving personal information to maintain reasonable security measures.
Data Breach Notification
The world of information technology has vastly expanded over the past few decades. Consumers entrust personal information to many different types of businesses on a daily basis and expect companies to safeguard their information during collection, use, retention, and disposal. Despite growing awareness of the need for strong data security, however, data breaches continue to occur at an alarming rate.
Fifty states and the District of Columbia have enacted legislation requiring private entities to notify individuals of any breach involving personally identifiable information for individuals in their state. Only Alabama, New Mexico, and South Dakota have not enacted state data breach notification laws. While adoption of a preemptive, federal standard has been a goal of many key businesses, and a variety of bills have been introduced, at present the matter is left to state law. This creates significant complexities in terms of breach notification due to differences in the applicable legal requirements.
When a data breach occurs, a company must notify every individual whose personal information was breached. In some states, notification may also be required to state regulators. Notification of a breach is governed by the laws in the state where the individual whose data was breached resides. This means that multiple state laws could apply to the same breach.
Below are some tips to follow to assist the company in responding to a potential data breach.
- Create a written data breach incident response policy. Companies should review their breach notification policies and response mechanisms, and consider purchasing cyber liability insurance.
- If the company believes a data breach has occurred, investigate as soon as possible. If a breach is confirmed, the company should take appropriate steps to send consumer notice within a reasonable time period, in accordance with state law.
- The type of personal information breached is key to determining the specific notification requirements, and which state laws will apply. In all states with data breach notification laws (except D.C.), personal information includes first name/initial and last name plus another personal identifying element (e.g., SSN, driver’s license number). Some states have expanded the definition to include additional personal information, such as medical and health insurance information, or biometric data.
- A smart, organized vendor due diligence and security program can help to mitigate the occurrence and scope of data breaches caused by third parties or service providers that collect or use the data collected by the company.
- Have agreements in place with service providers requiring them to notify the company in the event a data breach occurs that affects the consumer information collected from the company’s website or service.
- If a data breach has occurred, be sure to review and address the existing vulnerabilities to prevent future occurrences.
- Have a written data breach response policy in place, before a breach occurs.
- Investigate a data breach as soon as there is any indication that a breach has occurred.
In 2003, Congress enacted the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) to regulate unsolicited commercial e-mail. The Act does not prohibit unsolicited commercial e-mail messages, but it does provide specific requirements for the content of those messages, including a requirement that the messages include an opt-out mechanism.
The Act applies to all commercial e-mail messages, whether they are sent to individual consumers or businesses. A commercial e-mail message is generally a message which has a “primary purpose of . . . commercial advertisement or promotion of a commercial product or service.”
Specifically, the CAN-SPAM Act imposes the following requirements for commercial messages:
- Header Information: The transmission information of commercial e-mail messages and transactional or relationship messages cannot be false or misleading.
- Subject Heading: The subject heading of a commercial e-mail message cannot be deceptive.
- Opt-Out Mechanism: All commercial e-mail messages must contain clear notice of the recipient’s right to opt out of future messages from the sender, and a compliant opt-out mechanism.
- Honoring an Opt-Out: The opt-out must become effective within ten business days and remain valid until the recipient affirmatively opts back into receiving commercial e-mail messages from the sender.
- Identification as Advertisement: The sender must clearly identify that the commercial e-mail message is an advertisement or solicitation.
- Address: The commercial e-mail message must contain the sender’s valid physical postal address.
Most of the Act’s requirements do not apply to transactional e-mail messages, such as messages that confirm the receipt of an order. If a message includes both commercial and transactional content, the “primary purpose” of the e-mail will dictate what requirements a company must follow.
Consider the following tips when planning an e-mail campaign:
- Scrub the mailing list against your “do not e-mail” list at the last possible, commercially reasonable moment.
- Don’t require recipients to do anything more than reply to the e-mail or visit a single web page in order to opt out. If you provide a menu of opt-out options, include an option to opt out of all commercial e-mail messages from the business.
- Don’t sell, share, or use your opt-out list for any reason other than to comply with the law.
- Monitor your company’s (or vendor’s) compliance with the Act.
- Have written contracts with third-party service providers, including affiliate marketers, that clearly set out each party’s responsibilities for compliance and appropriate and adequate remedies for non-compliance.
- Make sure commercial e-mail messages contain a compliant opt-out mechanism, and that you honor that opt-out and monitor its effectiveness.
- Contractually obligate vendors to comply with the CAN-SPAM Act, and actively monitor their compliance.
At the federal level, the U.S. Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) share jurisdiction over telemarketing regulation. State attorneys general have the authority to investigate and enforce violations of federal telemarketing law, as well as applicable state-specific telemarketing laws.
The federal Telephone Consumer Protection Act of 1991 (TCPA) and the Telemarketing Sales Rule (TSR) prohibit:
- Autodialed calls and text messages to cell phones without the appropriate, written consent.
- Prerecorded message calls to cell phones and landlines without the appropriate, written consent and disclosures.
- Fax advertisements without the required consent and/or opt-out language.
- Telemarketing calls to numbers on the National Do Not Call Registry.
- Telemarketing calls to company-specific do-not-call lists.
As a result, when crafting a campaign, it is important to consider:
- Message Type: Is the message commercial or informational?
- Technology Used: Are you contacting the consumer via phone and/or text, or using an autodialer or prerecorded message?
- Target Audience: Is the consumer a current, former, or prospective customer?
- Consent: Is consent required? If so, is it valid and in writing?
- Vendors: Have you conducted due diligence/monitoring of your third-party service providers?
- Consider whether consent is required and, if so, if it is valid and in writing.
- Monitor your third-party service providers.