By: Jake Younts
In the modern age, it can be daunting for a new business to understand data privacy requirements. Beyond clients' own concerns about their privacy, the government regulates client information through many complex laws. These laws do not apply to all information that a business has on its clients. Instead, they apply to personally identifiable information (“PII”) (or an analogous term). These laws vary not just by industry (like HIPAA for medical care) but also in what personal information triggers them. Like it or not, each law has its own definition of what personal information is. As such, an important first step is understanding what data qualifies as PII that needs to be protected.
To start, it is necessary to understand what laws are relevant to your business. There are a number of federal laws that apply to specific businesses. However, many information privacy laws are state law. It will be necessary to know the specific definitions in the laws of your state, but general trends can help you understand your state’s specific laws. Given the complexity of some of this, it is best to discuss these laws with your lawyer to better understand what is required of you.
Federal Privacy
Some important federal laws that can affect some businesses are HIPAA, COPPA, and the Gramm-Leach-Bliley Act. You may have heard of HIPAA from signing forms at the hospital. HIPAA mostly applies to hospitals and places that take or use health insurance. HIPAA also extends to some businesses that contract with those entities and handle patient information. If your business is involved in health care, then you need to look into whether HIPAA will apply to you. HIPAA’s definitions cover any information a covered entity has related to someone’s physical or mental health, treatment, or payment for treatment. However, to be covered by HIPAA, the information must identify, or reasonably allow someone to identify, the person.
COPPA is a law that protects children’s privacy online. It will apply to you if your business operates online, receives data on clients, and targets or could include children. COPPA requires that you know children’s data is being collected. As such, it will only apply if your business has a reason to know that it has children’s data. COPPA defines PII based on a list of items that, combined with a name, count as PII and are thus subject to COPPA regulation. A name alone is not PII under COPPA, but almost any other identifying information received along with it, including addresses or phone numbers, will trigger COPPA. As such, if there is any chance children could be involved and contribute their information online, then you need to be aware of COPPA’s requirements. There is more on how COPPA works at this link.
The Gramm-Leach-Bliley Act only applies to financial information held by financial institutions such as banks and insurers. Additionally, it applies only to information that is not in the public domain. You will only need to be concerned with this act if you are operating a financial institution of some kind.
State Privacy
At the state level, many states have their own consumer data protection laws. Some of these laws, such as California’s, specifically cover data taken in combination with credit card information. If you will be accepting credit card payments, you should be aware of these laws in your state. There are also other state privacy laws that could apply to your business. Many laws will not apply unless your business is of a certain size. You will want to check on these requirements to see if your local laws affect your business.
Additionally, these state laws typically define PII in different ways, but there are some common approaches. Some laws define PII broadly, as simply information that can be used to identify a person. With broad definitions like this that don’t offer much guidance, you would want to look in depth into how the law has been enforced, or hedge your bets and assume almost anything identifying could trigger the law. This can include almost anything from obvious items like name, address, social security number, or birthday, to more inconspicuous things like a client’s gender, nationality, or age.
Other laws define PII in terms of non-public information or in terms of a defined list of items. These approaches give more guidance but can still surprise the unaware. For example, there can be, and has been, litigation over whether an individual part of an address, like a zip code, counts as an “address.” Some laws also require more than a single piece of information in order to qualify as PII. As such, it is important to err on the side of caution and to be aware of the specifics of your area’s laws.
International Privacy
An important note is the international side of information privacy. If your business is looking to work with international clients, it can be important to know the international laws for handling client data. For example, the EU’s privacy law, the GDPR, regulates data much more tightly than is typical in the US. You can get further information about the GDPR here.
Conclusion
It is important to know what privacy laws your business might deal with. You will want to look into the specific laws of your area and of any places you expand into. Understanding PII is only one step toward covering both yourself and your clients. Once you understand whether you are triggering regulations, you will then need to look into what those regulations require and take further steps. Simply taking personally identifiable information from a client isn’t necessarily a problem by itself. Your business just needs to be cognizant of the accompanying legal requirements and risks that go along with that information.
This post has been reproduced with the author’s permission. It was originally authored on February 12, 2021, and can be found here.
Sources:
Solove, Daniel J. & Schwartz, Paul M., Information Privacy Law (6th Ed. 2018).
Andy Green, Complete Guide to Privacy Laws in the United States, Varonis.com, https://www.varonis.com/blog/us-privacy-laws/ (updated March 29, 2020).
Logan Kline, Protecting Personally Identifiable Information in the United States, U. Cinc. L. Rev., https://uclawreview.org/2020/09/09/protecting-personally-identifiable-information-in-the-united-states/ (Sept. 9, 2020).
Pineda v. Williams-Sonoma Stores, 246 P.3d 162 (Cal. 2011).
15 U.S.C. §§ 6501–02 (1998).
15 U.S.C. § 6809 (1999).
42 U.S.C. § 1320(d) (1996).
Cal. Civil Code § 1747.08 (West 2011).