8 Steps to Shoring Up Your Data Privacy Practices
January 28, 2020 | Shari Claire Lewis
January 28 is National Data Privacy Day, and with it comes a perfect opportunity to evaluate your company’s data privacy practices.
American consumers increasingly want the right to control the collection and use of their personal information. Importantly, they also want a means to exercise that right when personal information is wrongfully disclosed. A flurry of state and federal privacy legislation has been proposed in response. Regardless of the particulars of the privacy legislation that may ultimately govern a business’ data practices, there are certain steps that can be started now that will ease the business’s transition to compliance.
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, and New York’s new cybersecurity law, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, becomes effective on March 21, 2020. The New York Privacy Act, SB 5642, would impose privacy standards on all businesses in New York, including a private right of action allowing consumers to sue for its violation. Its sponsor, New York State Senator Kevin Thomas (D), has stated in support, “New York should be a leader in protecting the privacy of its residents and their personal data.” The Senate Bill and its State Assembly counterpart are presently in Committee. Most anticipate that the Act will be passed in some form.
Maine and Nevada have also passed privacy legislation, and many other states are at various stages of legislative or task force consideration of comprehensive privacy enactments. Against this patchwork of developing legislation from several states, both consumers and businesses have called for passage of federal legislation that would provide consistent privacy standards throughout the country, in addition to the rules that already regulate specific industries, such as banking and healthcare.
Businesses should be proactive in their approach to privacy. Here are the steps to do so.
- Determine Present Personal Data Practices: A business should develop a robust record of its collection, use and processing of consumer personal information. This process is referred to as “data mapping.” While definitions, handling requirements and reporting requirements may differ from state to state, it is impossible for any business to be in compliance unless it first determines the categories of data it collects; what purpose the data serves; and how it is handled, shared, stored or deleted.
- Consider Updating Collection Practices: After determining your present data practices, stop and think whether they make sense. Determine why the business has collected and maintained certain personal information, whether it serves a business purpose and whether it is worth the cost of continuing to do so in the face of evolving privacy standards.
- Consider Updating Retention Practices: Many businesses are guilty of over-preservation, that is, keeping all the data they have collected over time. But does that make sense? There may be categories of personal data that no longer have any legitimate business use but that increase operational costs for storage and security while also increasing the exposure from a potential data breach. Some data may be safely deleted if document preservation requirements for that data have expired and there is no legal requirement that the data be kept (such as a litigation hold or regulatory requirement).
- Review Contractual Obligations: The terms under which a business shares its consumers’ personal data may affect the scope of the business’s obligations to consumers, and the obligations of the other businesses involved. Businesses should understand and try to define the commercial and legal risk of sharing consumer data. Include advertising technology in this assessment, and consider whether such data sharing may be considered a “sale” of personal data.
- Update Public Notices and Disclosures: It is important to make sure that the business’s public-facing Privacy Notice is up-to-date and accurately reflects how the business is presently collecting and using consumer personal data. If and when those practices change, update the Privacy Notice as well.
- Establish Internal Privacy Policies: Businesses should establish, train and enforce privacy standards governing how employees, at every level, interact with consumer personal information. Those standards should emphasize the need to respect the privacy rights of others.
- Create Operational Processes to Deal with Privacy Requests: As with the CCPA, we expect that most privacy laws will require businesses to allow consumers to access, correct and request deletion of their personal information. Handling these requests should not happen on an ad hoc basis; it should follow an established process, with designated individuals trained on how to respond.
- Coordinate with In-house and/or Outside Legal, Technology and Compliance Consultants: Privacy compliance requires an investment of time and resources from a variety of sources. Company commitment to privacy is essential, from C-Suite approval of the changes and the expenses to be incurred, to participation in enacting those changes by IT, human resources and each employee who is exposed to personal data. Depending on in-house capabilities, businesses should consider when outside technological or legal support is needed to assist with privacy tasks.
It is shaping up to be the decade of privacy. We do not yet know the specific parameters that privacy compliance will require in each regulation or law that will follow. However, investing in privacy now will help a business to prepare for whatever is coming. It may also make good business sense, as consumers will increasingly choose to do business with companies that consider their privacy rights.
- Shari Claire Lewis