In April 2018, Facebook’s founder, CEO, and Chairman, Mark Zuckerberg, testified before the U.S. Senate and House about the data privacy practices of his company.
A whistleblower associated with Cambridge Analytica, a political consulting firm, revealed that over 80 millions users’ personal information had been sold to Cambridge Analytica and other third parties without the users’ knowledge or consent, and in violation of Facebook’s policies.
Zuckerberg was forced to admit on public television that his company had become aware of this data breach in 2015. After receiving the assurances that the user data had been deleted, they went on with business as usual.
At the hearing, Senator Kamala Harris asked Zuckerberg directly if he had notified Facebook users or other authorities of the data breach. He said no because he had thought the matter was closed.
California is one of 49 states in the US which require Internet companies to notify users if there is a data breach of their users’ personal information.
Do you know what your responsibilities are to your users’ data?
First, you need to understand what privacy laws apply to your business.
To give some context to this discussion, let’s assume that you are a hypothetical startup tech company named BizConnect.
BizConnect Business Model:
Your product is a software as a service (SAAS) platform for collaboration and project management.
I’ll assume that BizConnect is headquartered in California but is available to users across the United States and around the world. It hosts its software platform on Amazon Web Services (AWS).
What laws apply to BizConnect in the privacy arena?
In the U.S. there is no overarching national or federal law on privacy. The Federal Trade Commission (FTC) has jurisdiction if a company’s privacy practices are deceptive and misleading. The FTC does not mandate a privacy policy; however, if a company publishes a privacy policy and is found to not be living up to its promises, it can find itself ensnared in an FTC investigation.
Many companies have found themselves in the middle of such an investigation that has led to a consent decree meaning greater FTC oversight and possible fines. In fact, Facebook is currently under a FTC consent decree from 2011.
Although there is not a omnibus federal privacy law regulation, there are several federal laws affecting certain types of personal information. For health law, there is HIPAA; for financial related data, there is Gramm-Leach-Bliley; for children under 13, there is COPPA; and for education related data, there is FERPA, to name a few. Let’s assume that BizConnect is not collecting personal information triggered by any of these federal laws.
At the state level, there are a myriad of national laws increasingly affecting information privacy. Many of these are targeted at types of information such as genetic related data or biometric related data. Again I’ll assume the BizConnect is not collecting any data, which would fall in these categories.
However, as Senator Harris alluded to in the recent US hearings with Mark Zuckerberg, there are state laws, including California, which require timely notification to users if there is a data breach including any unauthorized access of their personal information. 49 states have data notification laws for data breaches including unauthorized disclosure of user data.
Another California requirement is that websites collecting personal information must post a privacy policy that meets defined criteria. This law reaches any company no matter where it is located if it collects any personal information from California residents. For this reason, all U.S. companies collecting personal information on their website, for a free demo or a mailing list, should be posting a privacy policy compliant with California requirements.
The next several series of blog posts will address data privacy law compliance in the context of the hypothetical startup, BizConnect. For background, BizConnect is in discussion with several prospective EU customers. The following 10 best practices will be discussed in detail:
1. Adopt a privacy policy compliant with US law and EU law (namely the General Data Protection Regulation or GDPR coming into effect May 25, 2018);
2. Self-certify compliance with the U.S. Privacy Shield;
3. Use model clauses for data exporter-data importer transactions, which have been amended to be GDPR compliant;
4. Carry out an internal Data Privacy Impact Assessment (DPIA);
5. Consider adopting a Code of Conduct for the relevant industry;
6. Draft an internal written data security plan and consider implementing SSAE-18 audit and a Business Continuity Plan;
7. Consider whether you need to appoint an EU data protection representative; 8. Determine whether to appoint a Data Protection Officer (DPO) under the GDPR; 9. Adopt commercial templates with customers to mitigate risk of GDPR liability; and 10. Evaluate your internal policies including training and record keeping.
In the next post, I’ll discuss data privacy best practice number one: Adopt a privacy policy compliant with US law and EU law.