Data Privacy Law for Businesses: What You Need to Know

by John DiGiacomo

Partner

Privacy Lawyer

In the modern world, one of a business’s most important and valuable assets is the data that it collects from its customers or users. Customers and users often implicitly or explicitly trust a business with their data and expect that the business will securely store, use, and maintain that data as a component of their commercial relationship. Businesses also obtain valuable data sets from other sources, including by licensing those sets from other businesses. Unfortunately, data breaches have become increasingly common, whether through hacking or through negligence, and it has become incredibly important for businesses to understand data privacy law.

Businesses should typically be concerned with five different areas of data privacy law:

1. Protection of data privacy in consumer transactions. The protection of data in consumer transactions can be separated into two categories: (1) data privacy, or keeping consumer data confidential; and (2) data security, or keeping consumer data secure through the implementation of industry-standard protections.

2. Protection of employee data privacy. Businesses must also be concerned with protecting the data privacy of their employees. In the United States, both federal and state laws affect employee rights in the area of electronic communications, such as email, voicemail, and text and instant messaging records.

3. Protection of common law rights of privacy and publicity. Businesses that use consumer or celebrity testimonials, names, or likenesses in advertising, whether on the Internet or otherwise, must also be concerned with the protection of the common law rights of privacy and publicity. These laws, which are typically defined by each state, can create causes of action for the commercial use of a name or likeness or a violation of one of the traditional common law rights of privacy, such as false light, intrusion upon seclusion, or public disclosure of private facts.

4. Protection of intellectual property rights in data. Businesses that collect, compile, or license data must also understand the intellectual property rights that attach to data and data compilations. Copyright law protects original works of authorship — including, in some cases, data compilations that demonstrate sufficient originality in selection and arrangement. Trade secret law may protect valuable data sets that meet the secrecy and reasonable protection requirements. Contract law governs the rights of parties who license data from others.

5. Protection of specialized data under specific statutes. Federal and state law impose specific requirements on the collection, use, and protection of certain categories of data, including health information (HIPAA), financial information (GLBA), children’s data (COPPA), and genetic information. These sector-specific statutes operate alongside general data privacy law and often impose more stringent requirements for covered data categories.

The Evolving Landscape of State Privacy Laws

The data privacy legal landscape has changed dramatically in recent years with the enactment of comprehensive state privacy statutes. California led the way with the California Consumer Privacy Act (CCPA) in 2018, subsequently amended and strengthened by the California Privacy Rights Act (CPRA), which established the California Privacy Protection Agency as a dedicated enforcement authority.

More than a dozen states have now enacted similar comprehensive privacy statutes, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and others. While these statutes vary in their specific requirements, most share a common core: rights for consumers to access, correct, delete, and opt out of the sale of their personal information; obligations for businesses to disclose their data practices; and requirements for data protection assessments before engaging in processing activities that present heightened risks.

Businesses that operate nationally must assess their compliance obligations under each applicable state statute — a task that requires mapping data flows, understanding which state laws apply based on resident locations and business activity, and implementing technical and operational mechanisms to respond to consumer rights requests from multiple jurisdictions.

Federal Sector-Specific Privacy Laws

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) governs the use and disclosure of protected health information (PHI) by covered entities — health care providers, health plans, and health care clearinghouses — and their business associates. HIPAA requires covered entities to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI. HIPAA violations can result in civil penalties ranging from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category, as well as potential criminal prosecution.

GLBA

The Gramm-Leach-Bliley Act (GLBA) imposes privacy and security requirements on financial institutions — a category that includes not just banks and insurance companies but also many non-traditional businesses that provide financial products or services. GLBA requires financial institutions to implement a comprehensive information security program, provide annual privacy notices to customers, and offer customers the opportunity to opt out of certain information-sharing arrangements. The FTC’s Safeguards Rule, recently updated with substantially enhanced requirements, specifies the technical and operational components of GLBA-compliant security programs.

COPPA

The Children’s Online Privacy Protection Act (COPPA) imposes specific requirements on operators of websites and online services that collect personal information from children under 13. COPPA requires verifiable parental consent before collecting personal information from children, detailed privacy policy disclosures, and specific data retention and deletion practices. The FTC actively enforces COPPA, and violations can result in penalties of more than $50,000 per violation.

Building a Data Privacy Compliance Program

Effective data privacy compliance requires a systematic, ongoing program rather than a one-time exercise. The core components of a compliance program include:

  • Data mapping: Understanding what personal data you collect, where it comes from, where it is stored, how it flows within and outside your organization, and who has access to it
  • Privacy policy drafting and maintenance: Ensuring your privacy policy accurately reflects your data practices and satisfies disclosure requirements under applicable statutes
  • Consent management: Implementing mechanisms to obtain and record consent where required, and to honor opt-out requests
  • Data subject rights processes: Building workflows to receive and respond to consumer rights requests within legally required timeframes
  • Vendor management: Assessing the privacy and security practices of third parties who process personal data on your behalf and implementing appropriate contractual protections
  • Breach response planning: Maintaining an incident response plan that enables rapid containment and notification in the event of a breach

Contact Revision Legal for Data Privacy Compliance

Revision Legal’s data privacy attorneys advise businesses across industries on building and maintaining effective data privacy compliance programs, navigating sector-specific statutory requirements, and responding to regulatory inquiries and enforcement actions. Contact us today to assess your business’s data privacy compliance needs.

Data Privacy Due Diligence in Business Transactions

Data privacy compliance has become a critical component of due diligence in business acquisitions and investments. A target company’s data practices — what data it holds, how it was collected, whether consent obligations have been met, and whether the company has experienced breaches — can materially affect the value of the transaction and the buyer’s post-closing liability exposure.

Sophisticated buyers now include data privacy representations and warranties in acquisition agreements, require the seller to disclose all known data breaches and regulatory inquiries, and may require the seller to remediate identified compliance gaps before closing. Buyers who fail to conduct thorough data privacy due diligence may inherit significant liabilities — including potential FTC enforcement actions for pre-acquisition data practices, state regulatory penalties, and litigation from individuals whose data was mishandled.

For sellers, demonstrating a mature, documented data privacy compliance program enhances deal value and facilitates the due diligence process. Companies that have invested in data mapping, privacy policy maintenance, and breach response planning are in a far stronger position in the transaction process than companies that are scrambling to document their data practices for the first time under deal pressure. Revision Legal assists clients on both the buy-side and sell-side of transactions with data privacy due diligence, representation drafting, and post-closing compliance integration.
