What Communications Professionals Need to Know About Data Privacy

Stephen Payne, VP, Public Affairs & Privacy, Feld Ent.

What exactly is privacy? Is it Facebook’s record fine from the Federal Trade Commission? Or is it Apple’s claims that the iPhone is the best mobile device in terms of user privacy? For consumers, privacy may mean having control of personal data, information about their families, income, medical conditions, etc. In short, privacy means a lot of things.

It was going to be an easy assignment, or so I thought, when my company asked me, a veteran communicator, to dig into privacy to help with compliance. It’s privacy. Everyone wants it and knows what it means, right?

Leave Me Alone

A basic definition of privacy is the right to be left alone. It’s also the right to decide what and when a company can share details about your life or family.

Only one problem with that definition: the word “right.” The U.S. Constitution never explicitly guarantees a right to privacy. Courts have recognized one in particular circumstances, but overall the concept of privacy in the U.S. continues to evolve. In Europe and in California, it’s a different story.

At this point, my guess is you’re thinking, ‘I’m in communications. Why does all this concern me?’ Communicators need to be aware of and care about privacy for a lot of reasons.

For example, do you have employees in California, Paris or Brussels? Congratulations, the California Consumer Privacy Act (CCPA) or the General Data Protection Regulation (GDPR) covers those employees.

Does your firm provide health insurance in the U.S.? If so, be aware of what the Health Insurance Portability and Accountability Act, or HIPAA, says you can communicate about plan members and the words you can and cannot use.

Similarly, do you have clients in the financial sector? Then the Gramm-Leach-Bliley Act (GLBA), like HIPAA, can influence your communications. Does your company have a privacy policy on its webpage? Are you living up to the promises that policy makes to your site’s visitors? Are all these questions and acronyms giving you a headache?

In short, privacy laws are everywhere. PR pros can benefit from at least a basic understanding of how they work.

Let’s start with the United States. The U.S. lacks an omnibus federal privacy law. True, many sectors have privacy regulations, but they vary widely. Students have privacy over their education records under FERPA. Patients have a level of privacy over their medical records via HIPAA.

We all have protection against discrimination based on our genes, under the Genetic Information Nondiscrimination Act. The Federal Trade Commission (FTC) enforces privacy as it relates to the policies and promises businesses make to consumers. It does so under Section 5 of the FTC Act, which prohibits unfair and deceptive practices in commerce. (And yes, I know that is a generalization of the FTC. I have a limited word count.)

That patchwork of privacy regulations makes compliance difficult, and lawyers rich. Yet privacy in the U.S. is evolving, whether we like it or not. One way it’s evolving is via the California Consumer Privacy Act (CCPA), which takes effect Jan. 1, 2020, with enforcement by the state attorney general beginning no later than July 1, 2020.

Unlike many states, in California (CA) the right to privacy is actually part of the state constitution. The CCPA builds on that with a slew of consumer rights and business obligations. It started as a ballot measure and morphed into a hastily passed and, some would argue, unclearly written law.

CCPA and PR Pros

What does CCPA mean for communications professionals? If you collect or share data on CA residents, you might have obligations under the CCPA. CA consumers have the right to ask what data you hold about them, where you got it and what you plan to do with it, and to opt out of having it sold to anyone else. In the most demanding case, you must delete their data when asked, unless one of the law’s exceptions applies. This has implications if you have employees in CA. Today, they can’t ask you to delete data, but you must tell them what data you collect and why.

For example, if your company has data on CA consumers and uses it to decide the best methods for developing communications strategies, you may have to disclose what you are doing with that data. Similarly, you might have to show that you are handling the data correctly. In addition, CCPA bars you from discriminating against consumers who exercise their rights, for instance by charging them more or offering a lesser level of service because they opted out of a sale or asked for deletion.

The California Case

And if you or your firm has a website that collects data on CA consumers, you need a CCPA-compliant privacy policy on your website. You also must offer at least two ways for CA residents to submit requests about their data, which must include a toll-free number and, if you have a website, a web address. By the way, the law’s definition of personal information is wide and almost all-encompassing: it covers anything reasonably capable of being associated with a particular consumer or household, including identifiers such as IP addresses and browsing history.

The good news, at least for now, is that there is no private right of action for violations of the privacy requirements of CCPA. In other words, consumers who feel you violated their privacy, or did not respond to a request exercising their rights in a timely manner, cannot sue you for that. The exception is data breaches: if a failure to maintain reasonable security procedures exposes certain categories of personal information, affected consumers can sue for statutory damages per consumer per incident, which is where the class actions will come from.

CCPA has teeth, though. The CA attorney general has the power to levy fines of up to $2,500 per violation of the law, and up to $7,500 per intentional violation. So, should you stick your head in the sand and ignore CCPA, it can bite you. Hard.

If you have not started planning to comply with CCPA, or even figured out if it applies to you, time is short. Should you treat all data as if it comes from CA just to be safe? Do you treat all consumers as if they are CA residents? These are questions businesses across the U.S. are asking. So far, there are few clear-cut answers.

Now that you’re terrified to do business in California, let’s move to the really complicated discussion: the EU’s General Data Protection Regulation (GDPR).

GDPR and its Complications

GDPR took effect in May 2018 and has been a near-constant focus for privacy pros and companies operating in Europe. The GDPR requires organizations that collect and process personal data to comply with strict requirements.

It applies to organizations established in the EU, regardless of where the processing itself happens. In addition, the definition of personal data is broad. It also applies to organizations outside the EU that offer goods or services to people in the EU, or that monitor their behaviour there. Under this requirement, if your company or one you represent sells products in the EU or offers, for example, professional services that include collection of personal data, you must comply with GDPR.

Under GDPR, companies must be transparent about how they handle personal data and must have a lawful basis for every processing activity. Consent is only one such basis, and where you rely on it, it must be freely given, specific, informed and unambiguous; a consent buried in terms of service does not count. Companies also have to limit how data is used and may not repurpose it beyond the purpose for which it was collected without a compatible purpose or a fresh lawful basis. Companies can only retain data for as long as that purpose requires and must keep it confidential and secure.

Forget Me, Forget Me Not

Communicators should be familiar with GDPR’s “right to be forgotten,” formally the right to erasure. This means that individuals can require you to erase their personal data. For example, if your company holds data on someone and that person wants it deleted, you must do so, unless an exception applies, such as a legal obligation to retain it. In addition, you must inform everyone you shared that data with so that they too can erase it. A 2019 Court of Justice of the EU ruling limited the reach of this right, however: a search engine that delists results must do so on its EU versions, not worldwide.

Here is an example of a GDPR issue that’s become common. Let’s assume you offer communications services in the EU and your webpage collects data using cookies. You must get clear, affirmative consent before you place any cookie that is not strictly necessary for the service the user asked for (analytics and advertising cookies, for instance). The words, “By using this website you agree to our cookie policy,” that you see on a lot of U.S.-based sites are not GDPR-compliant, and neither are pre-ticked consent boxes. These “cookie walls,” where just by using the website you get cookies, do not meet GDPR’s standard of consent.

You’re So Fine

Earlier, we reviewed the penalties that the California attorney general can levy under CCPA. The potential fines under GDPR make those look affordable. Each EU member has what’s called a Supervisory Authority, the government agency charged with enforcing the GDPR. The law gives them the ability to levy a wide range of fines. For the most severe violations, fines can reach 20 million euros or four percent of worldwide annual turnover, whichever is higher. Let me repeat. The fines can be four percent of every cent your company takes in worldwide, not just in the EU.

Singapore and Brazil Join the Fun

And it’s not just the U.S. and EU that can complicate your business with privacy matters. Singapore has been looking closely at privacy and the movement of data. China recently issued a draft regulation that would greatly restrict the ability of companies to move consumer data out of the PRC. Brazil approved legislation, the LGPD, setting up a GDPR-like structure. The list gets longer each day.

Please note, a brief article like this giving a broad overview of privacy regulations is not a substitute for an in-depth analysis of how these laws might impact you or your business. When in doubt, consult a privacy professional before you undertake a project that could have profound privacy and financial implications. A good place to start is the International Association of Privacy Professionals (IAPP). This group has a wealth of information on U.S., EU and other nations’ privacy regulations.

And remember, and with due credit to the IAPP, there is no privacy without security. But data security and the dreaded “we’ve had a breach” are for another column.

CONTACT: [email protected]