Privacy is important for individuals, customers, and businesses alike. Privacy threats include data breaches and companies who overshare, violating their privacy promises regarding customer information. Privacy is the subject of rapidly growing laws and regulations and is worth attention from every organization. Sound privacy practices can be good for business and avoid a legal problem.
How is your business doing with your privacy program? Select any of the below that apply.
- Huh, what's privacy?
- Privacy is dead, why worry about it?
- I've heard about privacy but we haven't really done anything about it.
- We have a privacy policy on our website but I am not sure we really follow it.
- We have a policy and program which we follow and update periodically.
Business owners and managers should imagine being their own customer. Would they be satisfied that personal information is being handled appropriately through the privacy program? Also consider if their program and practices came under scrutiny from government or a plaintiff, and documentation and evidence needed to be produced. Sound programs are less likely to come under investigation in the first place, and then will withstand inspection.
Personal privacy is a concept that has existed for hundreds, even thousands of years. In 1890 Louis Brandeis, who would go on to be a Supreme Court Justice, co-authored a law review article on the subject and suggested an individual right to privacy which included a right to be left alone.
We can think of four main areas of privacy:
- Information privacy
- Bodily privacy
- Territorial privacy
- Communications privacy.
Our focus here is information privacy: data about consumers that is collected, stored, used, and shared. Recent events have renewed debate about bodily privacy, but that is beyond the scope of this article.
Today, consumers have privacy statutory legal rights which vary by jurisdiction. The European Union's General Data Protection Regulation (GDPR) went into effect in 2018 and required many U.S. businesses to adapt their privacy practices. In the U.S., the Federal Trade Commission Act carries some privacy protections for consumers with requirements for business. Individual sectors such as finance and health have their own privacy requirements.
In the absence of an overarching federal privacy law, states have started to enact their own privacy statutes, starting with California, followed by others and now Connecticut. The reach of these state laws extends beyond the enacting state's borders.
Connecticut's new privacy legislation was signed into law on May 10, 2022 and becomes effective July 1, 2023. It is called "An Act Concerning Personal Data Privacy and Online Monitoring" and some may call it the Connecticut Data Privacy Act (CTDPA).
Connecticut consumers will have the right to access their data, correct it, have it deleted, transfer it, and opt out of certain actions. Businesses will need to ensure these rights are provided.
New York has not passed a privacy law yet and the NY Privacy Act remains pending in the legislature. New York does have laws requiring reasonable cybersecurity and data breach notification.
Privacy laws generally create rights for consumers regarding information about them held by a business. These consumer rights mean legal obligations for the business. Privacy rights include:
- Notice about privacy practices; how the company collects, stores, uses, and shares information about the consumer.
- Ability to access data about the consumer, correct it, ask it be deleted or limit processing, or transfer data to another service provider.
A business privacy program should generally follow these principles:
- Be lawful, fair, and transparent
- Limit collection, use, and processing of personal data
- Keep personal data only as long as needed (then purge)
- Keep personal data accurate
- Keep personal data secure with good cybersecurity
- Be accountable for the above.
Organizations should think of cybersecurity, privacy, and business needs holistically and under the umbrella of information governance. This means managing the information technology, systems and data of a company, something well-run companies strive to do. This starts with having written policies for privacy, cybersecurity, and incident response.
This management can start with Bandler's Three Platforms to Connect concept to align legal requirements with internal policy and company action. These should also be aligned with the Fourth Platform of business mission.
Cybersecurity is a component of privacy, and a solid cybersecurity program protects organizations from cybercrimes such as data breaches, ransomware, and email-based thefts, as covered in earlier articles. Protection can start with Bandler's Four Pillars of Cybersecurity, which anyone can understand.
Good privacy and cybersecurity practices are good business. The time to improve privacy to serve customers and comply with Connecticut law is now. It takes time to plan, build, improve, and implement programs.
Businesses should continually improve their privacy and cybersecurity plans and practices. This protects consumer privacy, prevents serious cybercrime, ensures legal compliance, and improves business efficiency.