Why Organizations Should Care About Personal Information Privacy Beyond Comprehensive Privacy Laws: Reason 3

5-week Privacy Law Series

Reason 3 – Specific laws

Even though the United States currently does not have a comprehensive general privacy law in place, it does have a number of industry-specific laws, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Family Educational Rights and Privacy Act (FERPA) and the Gramm-Leach-Bliley Act (applicable to financial institutions), that require businesses to implement appropriate privacy notices/practices. There is also a federal law addressing the collection/use of personal information of minors, the Children’s Online Privacy Protection Act (COPPA). In addition to the few states that have enacted comprehensive privacy laws (i.e., California, Colorado, Connecticut, Utah, Virginia, and to a lesser extent Nevada), there are a number of subject matter-specific state laws being enacted, such as laws addressing biometric or genetic data and children’s privacy. The requirements of such laws would need to be addressed in an appropriate privacy notice and privacy practices, which could include obtaining consent.

For example, individuals have brought a number of lawsuits against companies under the Illinois Biometric Information Privacy Act. Under that law, “biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. “Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Businesses need to be aware of which of their practices might bring them within the scope of certain laws, and of what those laws are.

Check back next week for Reason 4 – Consumer protection and common law liabilities