
Privacy Law Compliance comes from the Top Down




By Allison Hushek on November 15, 2023


If you’re the CEO of a startup, to avoid hefty regulatory fines and loss of consumer trust, adopting an understanding of privacy laws - and leading your team to do the same - is a top priority. Data about people’s personally identifiable information (PII), behavior, interests, spending habits, and more, can cause harm in the wrong hands. Privacy laws in the U.S. primarily originated to protect individuals from identity theft, but they have evolved into a right to be protected from an unwarranted invasion of privacy. When the CEO acknowledges privacy as a fundamental right, compliance becomes easy.


There is a patchwork of international, federal and state data privacy legislation that can plague companies with inaction. The goal is to situate your organization to be in compliance with the strictest version of these laws. Currently, those are:


- Europe’s General Data Protection Regulation (GDPR);

- California’s California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA); and

- for minors, Children’s Online Privacy Protection Rule (COPPA) for under age 13, and California’s California Age-Appropriate Design Code Act (CAADCA) for under age 18 (effective July 1, 2024; inspired by the UK Age-Appropriate Design Code).


There are additional privacy laws pertaining to specific industries. To name a few:


- in healthcare, Health Insurance Portability and Accountability Act (HIPAA);

- in financial services, Gramm-Leach-Bliley Act (GLBA); and

- in biometric data collection, Biometric Information Privacy Act (BIPA).


Rather than become weighed down by the specificities of these laws at the outset, understanding the principles behind them will go a long way. In general, those principles are:


- transparency in terms of posted policies which explicitly outline collection, use and transferability of the data;

- limited and legitimate purposes with respect to the collection and use of data, aligned with the individual’s reasonable expectations;

- data minimization to avoid collecting unnecessary personal data;

- accuracy, along with an individual’s right to correct the data;

- storage limitation, with longer periods allowed for archival purposes in the public interest, scientific or historical research, or statistical purposes;

- protection against breaches, using best cybersecurity and other security practices; and

- accountability when it comes to breaches, as evidenced with the adoption of internal policies and issuance of privacy breach notifications in a timely fashion.


Enough about understanding. Now it’s time to take action. If you’re a CEO, the immediate recommended steps to privacy compliance are as follows:


1. Appoint a data protection officer (DPO), which is sometimes a Certified Information Privacy Professional (CIPP) but can be anyone in your organization that has respect for privacy laws and an ability to research, read and adhere to laws;

2. Draft and distribute privacy policies to employees (often found in employee handbooks) and consumers (often found on an organization’s website);

3. Post an opt-in cookies collection policy on a company’s website (opt-outs can be viewed by regulatory agencies like the FTC as intentionally deceiving consumers);

4. Ensure the teams that collect and store data (e.g., marketing, IT) are doing so in an organized fashion to be able to respond to requests to identify, correct or erase such data;

5. Enact data protection impact assessments (DPIAs) to identify and minimize data protection risks on various projects; and

6. Connect the DPO with the Artificial Intelligence (AI) / Machine Learning (ML) teams to ensure transparency and compliance.


Big tech companies often make headlines about privacy violations. In 2023, to highlight a few, TikTok was fined $370 million (USD) by the Irish Data Protection Commission (DPC) for data violations with regard to child users; Amazon was fined $30.8 million by the FTC regarding lapses with the Alexa assistant and Ring security cameras and was subject to a permanent injunction to delete certain children’s profiles; Microsoft had to pay $20 million for illegally collecting PII from children without parents’ consent; and Google had a $93 million settlement in California over claims against its location privacy practices.


Don’t be lulled into believing there is a lack of enforcement outside of big tech and social media companies. Smaller companies are being charged by regulatory agencies and sued by individuals all the time over data privacy violations - it just doesn’t make the front page. Settlements like these can incapacitate a company - between fines, injunctions and damage to reputation. CEOs can lead their teams to success in terms of data privacy compliance, and ultimately consumer confidence, by implementing basic privacy protection procedures.


Playbook Law is a solo firm providing General Counsel Services for Startups and Interim In-House Counsel for Established Companies in the Technology, Gaming, Entertainment + Sports industries.


This blog is provided for information purposes only and does not constitute legal advice and is not intended to form an attorney-client relationship.


©2023 Playbook Law, PC. All rights reserved.
