Structure of U.S. Data Privacy Laws and Regulations
Privacy law in the US is a patchwork of ad hoc legislation at both the federal and state levels targeting certain industries (e.g. financial institutions); types of data (e.g. medical records, data in electronic format); certain groups (e.g. children, movie renters); and certain entities (e.g. publicly traded companies, communication service providers). The bottom line is that there is no general privacy law; rather, the laws tend to be subject-matter specific. In addition, there can be subject-matter legislation at both the federal and state levels, with each state having its own set of laws.

So what are you looking out for? Let's get down to the practical. First and foremost, you will need to identify which existing federal and state statutes may apply to your business. To do that, you will need to understand where and how you collect and use PII. Once you've determined that a statute applies to your business, you'll need to find any guidelines or administrative regulations that have been issued under it. Finally, you'll need to pay attention to the guidance offered by the enforcement efforts of the various administrative agencies (e.g. the Federal Trade Commission and state consumer protection authorities).

Done? Not quite. Privacy concerns fall into two main buckets: how you use PII and how you protect PII. The questions you are going to need to address are:

- Do I need to have a privacy policy?
- If yes, how will you define your use of PII?
- How will you protect the PII?
- What are your responsibilities if PII is breached?

Remember, the only thing worse than not having a privacy policy when one is required is having a privacy policy your company does not comply with. A picture is worth a thousand words, so here is a summary.

Next installment: Privacy – Structure of Foreign Data Privacy Laws and Regulations. And remember, ALWAYS CONSULT AN ATTORNEY FIRST.

