By: Elizabeth C. Rogers, Greenberg Traurig, LLP.
It is therefore crucial to not only have a well-crafted policy that addresses any legal or regulatory requirements, but to also ensure that the organization adheres to the policy in practice.
While there is no universal definition of PII, it is generally considered “any information that can be used to distinguish or trace an individual’s identity” or “any other information that is linked or linkable to an individual.” See National Institute of Standards and Technology, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST Special Publication 800-122 (2010).
For instance, the following types of PII may be obtained in a commercial transaction:
Derivative data may also be collected or generated from commercial transactions, such as purchase history, customer preferences, and geo-locational data.
Companies in the health care or life sciences industries (e.g., health care providers, pharmacies, medical device manufacturers) and their downstream contractors and service providers may capture medical information related to age, health, prescription medication, or insurance or medical claim-related data. Such information is commonly referred to as personal health information (PHI) and is a type of PII.
Other types of PII may include educational or employment information, personal identification numbers (e.g., Social Security numbers or driver’s license numbers), date and place of birth, and biometric records (e.g., photographs, fingerprints, x-rays).
Notable Federal Privacy Laws
Notable federal privacy laws (by industry sector) include the following:
In addition, regardless of the industry, websites and online services that target children must comply with the Children’s Online Privacy Protection Act (COPPA). COPPA applies to “an operator of a website or online service directed to children” and to “any operator that has actual knowledge that it is collecting personal information from a child.”1 A child is any person under the age of 13.
Privacy policies for websites or online services covered by COPPA must be posted online and must include the following:
Notable State Privacy Laws
You should also be familiar with the privacy laws of the states in which your client does business and where relevant consumers reside, both for privacy notice and for data-breach remediation purposes. For a more detailed discussion on data breaches, see Planning for & Managing a Data Breach, Preparing a Breach Notification Letter, and State Statutory Laws Regarding Data Breaches.
California, for instance, has been at the forefront of state privacy legislation. The California Online Privacy Protection Act (CalOPPA) applies to any business that collects PII about California residents through websites, mobile applications, or online services. As such, CalOPPA has a broad reach and extends to most companies that conduct business online or engage in other online activities.
CalOPPA requires an operator of a commercial website or online service (which includes mobile apps) to do the following:3
Other notable California data privacy laws include:
Other states may have similar laws to those in California (see, e.g., the Delaware Online Privacy and Protection Act (DOPPA), 6 Del. Code Ann. §§1201C–1206C) or laws that address other aspects of privacy, such as biometric data (see, e.g., Illinois’s Biometric Information Privacy Act, 740 ILCS 14/1–740 ILCS 14/99).
The policy should contain at least the following information:
Other information may be required depending on the states or countries where your client does business, the laws and regulations governing your client’s industry sector, and whether your client’s website targets children under the age of 13.
Disclosing the Policy
In some situations, annual privacy notices must be mailed or hand-delivered to consumers to comply with relevant laws such as the Gramm-Leach-Bliley Act (GLBA). See, e.g., Regulation P (12 C.F.R. § 1016.9), adopted by the Consumer Financial Protection Bureau (CFPB) pursuant to the GLBA.
Note, however, that a recent amendment to the GLBA8 provides an exception to the annual privacy notice requirement if a financial institution:
Reviewing and Updating the Policy
The FTC has brought numerous enforcement actions relating to privacy policies (or other consumer-facing statements) that resulted in consent decrees, including the imposition of fines and audit obligations (which in some cases may last for 20 years). Common reasons for enforcement actions include:
Notable enforcement actions in these areas are discussed in further detail below.
The FTC alleged that the privacy disclosures in respondent’s policy were deceptive and violated Section 5 of the FTC Act because respondent did not, in fact, provide in-store opt-out mechanisms or notify consumers of the tracking. The FTC noted that retailers that contracted with respondent were not obligated to post notices of the tracking program in their stores and that respondent’s website did not list all of the retailers using its technology. Thus, the fact that consumers could opt out via respondent’s website did not overcome the failure to provide in-store opt-out mechanisms.
Deceptive Data Collection or Use
In In re PaymentsMD, LLC,11 the FTC alleged that a medical billing provider and its former CEO used the sign-up process for an online billing portal—where consumers could view their billing history—to deceptively obtain consumers’ consent to collect highly detailed medical information from pharmacies, medical laboratories, and insurance companies. As part of the settlement, the FTC banned respondents from deceiving consumers about how they collect and use information, including how the information may be shared with or collected from a third party.
Inadequate Data Security
In In re Oracle Corp.,12 respondent Oracle Corp. had acquired Java Standard Edition (Java SE) software from Sun Microsystems in 2010. Oracle was aware that older versions of Java SE were insecure and offered updates to consumers. Oracle warranted, as part of the update process, that both the updates and the consumer’s system would be “safe and secure” with the “latest . . . security updates.” However, the update only removed the most recent version of Java SE and not any of the earlier insecure versions. The FTC alleged that Oracle’s failure to disclose the limitations of the update process was deceptive in light of its statements regarding security.
Inadequate Disclosure of the Amount of Data Gathering
In In re Compete, Inc.,13 respondent, a web analytics company, collected data about consumers through two products: a Toolbar and a Consumer Input Panel. Respondent represented that its products would collect and transmit information about the websites consumers visited but failed to disclose the extent of personal information that was collected and transmitted. Such information included consumers’ Social Security numbers, credit card and bank account numbers, and security codes and expiration dates. The FTC alleged that respondent’s failure to disclose the extent of data gathering violated Section 5 of the FTC Act.
Elizabeth C. Rogers is a shareholder in Greenberg Traurig’s Cybersecurity, Privacy and Crisis Management practice group.
For a comprehensive discussion on preparing for and responding to a data breach, see Planning for & Managing a Data Breach.
For assistance in preparing a data breach notification letter, see Preparing a Breach Notification Letter.
For a list of the individual data breach security statutes by state, see Chart – Key Requirements of State Data Breach Laws.
For more information on the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), see Complying with the CAN-SPAM Act.
For a detailed discussion on the Gramm-Leach-Bliley Act (GLBA), see Complying with the Privacy Requirements of the Gramm-Leach-Bliley Act (GLBA).
For an explanation of the requirements of the Children’s Online Privacy Protection Act and Rule (COPPA), see Complying with the Children’s Online Privacy Protection Act (COPPA).
Notes
1. Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. § 6502(a)(1).
2. Children’s Online Privacy Protection Rule, 16 C.F.R. § 312.4(d).
3. California Online Privacy Protection Act, Cal. Bus. & Prof. Code § 22575.
4. Cal. Bus. & Prof. Code §§ 22575(a), 22576.
5. Cal. Bus. & Prof. Code § 17206(a).
6. Cal. Bus. & Prof. Code §§ 22580–22582.
7. Cal. Bus. & Prof. Code §§ 22584–2285.
8. Section 75001 of the Fixing America’s Surface Transportation Act (the FAST Act), 114 P.L. 94 (effective Dec. 4, 2015).
9. In re Nomi Techs., Inc., 2015 FTC LEXIS 101 (F.T.C. Apr. 23, 2015).
10. In re Gateway Learning Corp., 138 F.T.C. 443 (F.T.C. 2004).
11. In re PaymentsMD, LLC, 2015 FTC LEXIS 24 (F.T.C. Jan. 27, 2015).
12. In re Oracle Corp., 2015 FTC LEXIS 292 (F.T.C. Dec. 21, 2015).
13. In re Compete, Inc., 2013 FTC LEXIS 14 (F.T.C. Feb. 20, 2013).