
Privacy laws, whether federal, state, or local, affect most US companies. In addition, foreign privacy laws that impose restrictions on the transfer of personal data outside their borders require US companies that do business with foreign entities to agree to further requirements and restrictions.

US and foreign privacy laws may provide for stiff penalties in case of infringement. Government investigations and private litigation may result in the assessment of fines, damages or prison terms. Given this complex legal, regulatory, and judicial landscape, companies should not take privacy issues lightly or use a cookie-cutter approach.

What is Personally Identifiable Information?

Companies collect home addresses, unlisted phone numbers, names of spouses, house partners, children or dependents, employment history, salary, race or national origin, hobbies, personal interests, and travels of their personnel, clients, and other third parties. This information, often designated "personally identifiable information" ("PII"), is commonly stored in paper files or in electronic databases, in electronic address books, on personal digital assistants, laptops, or servers accessible through LANs, WANs, intranets, extranets, or the Internet. PII may be crucial for many aspects of a company's operation: human resources (e.g., payroll or the company directory), interaction with clients and distributors, marketing, sales, or business development.

Compliance Requirements

The United States and many foreign countries have legal structures that affect the collection, use, transfer, or disclosure of PII. The United States uses a sectoral approach that relies on a mix of legislation, regulations, and self-regulation. These laws, regulations, industry best practices and other binding structures, which have been enacted at the federal, state and even local level, pertain to a wide variety of matters (e.g. financial information, video rentals, electronic communications, or healthcare information). As a result, it is certain that one or more privacy laws or regulations, whether local, state, or federal, affect and govern some portion of a company's activities.

Outside of the United States, numerous countries have privacy or data protection laws, as well. These laws often restrict transborder transfers of personal information to countries that do not provide comparable privacy rights and protection, such as the United States. Thus, US companies intending to send or receive personally identifiable information about individuals protected by those foreign laws must ensure compliance. The local laws that control their foreign subsidiaries or distributors regulate the use and access of data that the subsidiary or distributor wants to share with the US company. As the recipient or processor of foreign PII protected by foreign law, the US company must be aware of the restrictions placed on the foreign source PII, and be prepared to assist and cooperate with its foreign counterpart to ensure cross-border transfer within the limits permitted by the applicable foreign law.

Selected United States Privacy Laws

In the United States, many federal or state laws address privacy issues. Recently, additional laws or local ordinances were passed at the county level to remedy the state legislature's failure to enact privacy protection laws. The examples below are only a very limited sample of the privacy laws that populate the American legal landscape.

Financial Information

The privacy and confidentiality of financial information is highly regulated. The recent Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. §§ 6801-6827, increased the nature and scope of protection to address, in particular, the dissemination of financial information in connection with marketing activities. The GLBA establishes a number of privacy-related provisions that apply to all "financial institutions." The law reaches most entities that engage in an activity that could be deemed financial in nature, such as companies in the banking, securities, and insurance industries. Numerous entities that perform services other than banking are also considered financial institutions, such as travel agencies or tax preparation businesses. The privacy provisions also apply to third parties that receive nonpublic personal information from financial institutions.

The privacy provisions in GLBA protect all information whether in electronic or paper form. Companies subject to GLBA must provide a consumer with periodic notices explaining the institution's privacy policies and practices and give consumers a reasonable opportunity to "opt out" of disclosures to third parties. Financial institutions are restricted from sharing consumer personal information outside the scope described in the privacy notice. Companies that own or use databases of PII must have in place security procedures to ensure the protection of the PII and limit the dissemination of the PII.

While the privacy provisions in GLBA cover only a few pages, each federal agency that regulates the different "financial institutions" (e.g. FDIC, SEC) and the FTC have published more detailed regulations that expand on the GLBA provisions.

In addition, the GLBA allows states to enact or use laws that provide additional privacy protection to financial information. Since the enactment of GLBA, numerous states have enacted privacy laws that strengthen the protection set forth in the GLBA.

Medical Information

The HIPAA Privacy Rule, 45 CFR Subtitle A Subchapter C Parts 160 & 164, promulgated under the mandate of the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. §§ 1320 et seq., addresses the protection of health care information. The HIPAA Privacy Rule protects all information pertaining to the past, present or future provision of health services and the payment for such services, whether the information is in electronic or paper form.

The HIPAA Privacy Rule applies to specific "covered entities," which are health plans, healthcare providers, and healthcare clearinghouses. In addition, any person or entity that provides services to the covered entities and handles or has access to patients' protected information is also subject to the HIPAA Privacy Rule as a "business associate."

The HIPAA Privacy Rule came into effect on April 21, 2003 for most covered entities. Small plans have one additional year to comply.

The HIPAA Privacy Rule imposes restrictions on the use and disclosure of patient information and outlines patients' rights, namely, the right to have access to their records, the ability to amend those records, the right to receive an accounting of disclosures, the right to limit the use and disclosure of the records, and the right to receive responses to their requests pertaining to their rights.

As a result, companies that qualify as a "covered entity" must ensure the security and integrity of these records, provide notices to patients of their rights, respond to patient inquiries and requests for access to or modification of their records, and appoint a Chief Privacy Officer who will be responsible for the proper management of the protected health information. Companies that provide services to the covered entities as "business associates" must also have policies and procedures to assist the covered entity in responding to patients' inquiries, and must, as well, ensure the security and integrity of the PII to which they have access as part of their services to the covered entities.

HIPAA contains stiff penalties for violations, including fines and prison time. However, the law does not provide a private cause of action for patients who wish to sue under the act. Instead, complaints for violation of the HIPAA Privacy Rule must be brought to the Department of Health and Human Services, which will investigate the complaints and pursue the infringing "covered entity" as appropriate.

Information Regarding Children

The Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501 et seq., governs information that online businesses collect about children under the age of thirteen. COPPA defines how businesses may collect such information and the extent to which they can use it. COPPA applies not just to websites specifically directed toward children; it also regulates the activities of websites with a general audience if the companies have actual knowledge that they collect information from individuals under thirteen.

COPPA requires each site to provide a clear and conspicuous notice of its privacy practices on its website. In addition, before it may collect, use, or disclose children's personal information, a company subject to COPPA must obtain verifiable parental consent. COPPA also defines how, and to what extent, the company may use children's PII once it has been collected.

Employment

Many laws govern those aspects of the employer-employee relationship that are confidential and require the handling of personal information. For example, the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., contains rules pertaining to background checks of prospective employees. Privacy law is also implicated when employers need access to employee offices, computers, etc., or when employers electronically monitor their employees' Internet usage and email. The Electronic Communications Privacy Act (ECPA), 15 U.S.C. § 1681 et seq., governs the interception of electronic and wire communications and limits access to certain networks and communications. There are also laws about permissible interview inquiries and state laws about inquiry into arrest records for prospective employees. Use of personnel records is governed by both federal and state rules. These privacy protection laws continue to apply even after the employment relationship is terminated.

Foreign Data Protection Laws

US companies that do business internationally, have subsidiaries or distributors abroad, or sell on foreign markets must be aware of the requirements of the foreign privacy laws in place in those countries whose courts may have jurisdiction over the US company or its local subsidiaries or contractors. Many foreign laws restrict transfers of personal information outside their borders to countries that do not offer comparable protection. As a result, US corporations with operations in other countries or receiving data from foreign companies may need to conform to these laws to some extent, so that they can receive PII from their subsidiaries, distributors, and other contractors established abroad.

For example, European Union member states rely on comprehensive legislation that requires the creation of government data protection agencies, registration of databases with those agencies, and, in some instances, prior approval before personal data processing may begin. Privacy laws in all E.U. member states prohibit the transfer of PII outside the E.U. to countries that do not offer an adequate level of privacy protection. Since the E.U. Commission has declared that the United States does not offer adequate privacy protection, transfer of PII from a subsidiary, distributor, or other co-contractor in the E.U. to a US company is restricted. Special precautions must be taken, and permissions obtained. Many countries outside the E.U. have enacted privacy laws that are very similar to the model and structure used in the European Union.

Self-Regulation and Self-Certification Programs

Self-Regulation Programs

Most companies have adopted privacy policies, tailored to their own business purposes and ethics, which they frequently post on their website. Many companies, in addition, register with seal programs such as BBB Online, http://www.bbbonline.com, or TRUSTe, http://www.truste.com. To obtain a seal under these programs, companies must agree to follow specific privacy guidelines.

Self-Certification under Safe Harbor

Because the US currently has no privacy legislation of general applicability, the E.U. deems the US as a whole to lack adequate protection, thereby constraining companies that transfer data from the E.U. To help US companies (or their subsidiaries or contractors) comply with the laws of the E.U. Member States and to facilitate international business transactions, the US Department of Commerce (DoC) has implemented a Safe Harbor privacy program. A US company that adheres to the Safe Harbor Principles may complete the DoC's self-certification program and receive a presumption from all 15 E.U. Member States that it will provide the required adequate privacy protection to personally identifiable data from the E.U. However, the foreign company that would be transferring information to the US company still needs to comply with its own Data Protection Law. In addition, since the United States does not have a similar agreement with other foreign countries whose privacy laws restrict trans-border data transfers and preclude transfers to countries deemed not to offer sufficient protection, there is currently no equivalent alternative for companies that do business in the remainder of the world. Participation in the E.U. Safe Harbor program has no effect on compliance with the requirements of privacy laws outside the E.U. area.

Noncompliance Risks

Too many companies act on the wrong impression that privacy awareness equates to posting a privacy policy on their website. Privacy protection concepts, however, apply to much more than the collection of data from a website. Privacy policies are complex and must reflect actual company practices. Promising more than what one is prepared to give could be costly. Thus, cutting and pasting a privacy policy from another company is foolish and could create much harm.

Most privacy laws contain civil and/or criminal penalties. Some include a private right of action. For example, violation of the HIPAA Privacy Rule may result in civil or criminal penalties for failure to comply with the requirements and for wrongful disclosure of confidential information. Civil and criminal penalties may be assessed for violations of a patient's privacy rights. The civil penalties are up to $100 for each violation, with a cap of $25,000 for all violations of an identical requirement or within a calendar year. There may be lower penalties if the covered entity can prove that it did not know of any violation; or had reasonable cause and did not willfully neglect to comply with the requirements; or if the failure is corrected within 30 days. Criminal penalties may be assessed if the covered entity knowingly obtained and disclosed protected information. Fines may be up to $50,000 and may be combined with a prison term of up to one year. If information was obtained under false pretenses, there may be fines of up to $100,000 and/or prison of up to 5 years. If protected information was obtained with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm, then higher fines and prison terms may be assessed against the violators: fines of up to $250,000 and prison of up to 10 years.

In addition to the penalties provided for by the applicable statute, there may be additional damages assessed for deceptive or unfair practices under Section 5 of the FTC Act and the state law equivalent. In recent years, there has been increased attention to the protection of PII, domestically and abroad. Privacy-related complaints have been filed. Numerous government actions (e.g. FTC, State agencies) and private actions (individual or class action) against well-known companies targeting violations of privacy have taken place. Foreign Data Protection Agencies have investigated subsidiaries of US companies. In addition to the embarrassment of being the target of investigations, complaints or lawsuits reported in the press, these actions generally have resulted in the assessment of damages and penalties, the obligation to pay plaintiff's attorneys' fees, and the requirement to implement strict privacy and security procedures. In other instances, government action has prohibited a contemplated transaction.

For example, the FTC recently investigated Microsoft's Passport Single Sign-in (Passport), Passport Express Purchase (Passport Wallet) and Kids Passport. Under the September 2002 consent decree, Microsoft has agreed to implement and maintain a comprehensive information security program, have its security program certified as meeting or exceeding the standards in the consent order every 2 years, and pay a civil penalty of $10,000 for each future violation of the order.

DoubleClick has also been the target of several investigations and class action suits, which resulted in costly damages. To end a 30-month privacy investigation by the FTC and ten states, DoubleClick agreed to pay $1.8 million in plaintiffs' costs in a class action suit, pay $450,000 in fines, and adhere to specific practices and policies, which included the following requirements: display 300 million consumer privacy banner ads that invite consumers to learn more about how to protect their online privacy; provide an easy-to-read explanation of its ad-serving services; obtain opt-in consent before it can combine PII and clickstream data; ensure that Internet users' online data will not be used in a manner inconsistent with the privacy policy under which it was collected; develop internal policies to ensure protection and routine purging of data collected online; and limit the life of new ad-serving cookies to five years. In addition, DoubleClick must submit to two annual reviews over the next 2 years, by an independent accounting firm, to verify compliance with the settlement.

In some cases, a suit or investigation may occur because of an inadvertent error. For example, Eli Lilly was sued for privacy violation both at the federal and state levels after an error by one of its employees caused the individual email addresses of Prozac patients to be published in an email sent to the entire listserv. The email, which was meant to be sent in a confidential manner, instead prominently displayed the email addresses of more than 600 addressees in the "recipient" box. After a lengthy investigation, the company settled with the FTC in January 2002, and agreed to take steps to ensure the security of data, follow a specific four-stage information security program, and submit to an annual review "by qualified persons" of its information security program. Although the FTC settlement did not provide for any fine, the July 2002 settlement with eight states for the same event included a $160,000 payment to these states and required the company to strengthen its internal standards relating to privacy protection, training, and monitoring.

Even if no specific privacy law is applicable, once a company has published its privacy policy, it is bound by the public statements made. Publishing a privacy policy exposes the company to prosecution if it fails to perform according to the representations made in that policy. For example, Toysmart and Microsoft were subject to investigations by the FTC and state attorneys general because of their alleged failure to perform according to the representations made in the privacy policies published on their websites. Similarly, a company that self-certifies with the DoC about its privacy protection policies and procedures in connection with the E.U. Privacy Safe Harbor Program must carry out these practices in the United States. Making inaccurate statements about its actual data collection practices, or making promises that it does not or cannot keep, would otherwise expose the company to prosecution by the FTC or state attorneys general based on misrepresentation or deceptive practices under Section 5 of the FTC Act or the state equivalent unfair and deceptive practices acts.

Problems could occur, as well, when a company tries to transfer certain databases in connection with the sale of the company's assets in a manner inconsistent with its published privacy policy. For example, one of the early cases in this area related to the bankruptcy of the Toysmart company: In re Toysmart.com, LLC, No. 00-13995-CJK (U.S. Bankr. Ct. Mass.), filed in May 2000, and FTC v. Toysmart.com, LLC, No. 00-11341-RGS (U.S.D.C., D. Mass.), filed July 10, 2000. Toysmart's online privacy policy stated that the company would "never share" its information with a third party. Toysmart ultimately sought bankruptcy protection and offered to sell its database of customer information. The FTC objected, and in a first settlement, Toysmart agreed that any buyer would have to be in the same business as Toysmart and agree to follow all of the requirements of Toysmart's privacy policy. Ultimately, after many months of additional transactions with the FTC and the bankruptcy court, a shareholder of the company purchased the customer list and agreed to destroy it promptly thereafter. Altogether, something that could have been a "simple" sale of assets delayed the database owner by more than one year.

Conclusion

Privacy laws affect most US companies. Ensuring compliance is crucial to avoid exposure to penalties and public relations disasters. After conducting an evaluation of its operations, activities, and processes, a company must implement and observe comprehensive privacy policies and procedures that comply with the applicable laws, regulations and professional or business ethics codes.


© 2008 IT Law Group – All Rights Reserved

Primer: Privacy Laws -- An Overview

Francoise Gilbert

© 2003 IT Law Group – All Rights Reserved
