Why Organizations Should Care About Personal Information Privacy Beyond Comprehensive Privacy Laws: Reason 5

5-week Privacy Law Series

Reason 5 – Things change

While there is not a general federal privacy law – yet – there was substantial momentum in the federal legislature last year to enact such a law, and it is conceivable that a comprehensive federal privacy law will be enacted this year. If it is, it could be quite sweeping, picking up even smaller businesses. Also, several states have comprehensive and/or subject-matter-specific privacy laws, other states have their own versions of privacy laws in the works, and it is possible that some of the new laws will have much lower thresholds for which businesses they apply to. Better to start preparing now than to scramble later.

But you say you don’t process the personal information of anyone outside the US, and your business is too small to fall under the scope of any state comprehensive privacy law (not enough revenue and/or not enough personal information processed about residents of those states). The short answer is – things change. For example, you might adopt or tweak functionalities or online applications that change the way you collect personal information and where you collect it. Or perhaps you previously did not use an analytics company or an online marketing company and now you do. If they are collecting personal information about people in foreign countries, or in a high enough volume to fall within a particular US state privacy law, you would be in violation of those laws if you didn’t have an appropriate privacy notice (privacy policy) in place. Also, some laws require appropriate notice, and in some cases consent (e.g., the General Data Protection Regulation (GDPR) in Europe), if you implement technologies such as cookies, web beacons, pixels/tags, local storage, or the like, either to monitor the behavior of individuals or to extract information from individuals’ devices. Analytics and marketing providers typically implement such technologies on your behalf in order to provide the information you request, so their tracking is your tracking for purposes of these laws.

If you fall under the GDPR or the United Kingdom (UK) Data Protection Act, for example, there is no minimum number of individuals about whom you collect personal information and no minimum dollar volume for your business as threshold requirements for the application of those laws. Collecting even IP addresses or device or browser information, or implementing technologies such as cookies, web beacons, pixels/tags, local storage, or the like for analytics or marketing purposes, including through your service providers, could bring you under those laws.

Even if you don’t have a website or don’t collect any personal information via your website, please keep in mind that many if not most privacy laws apply to offline collection of personal information as well as to online collection.

Furthermore, there are a number of practices a company might undertake with respect to its workers that various laws would require notice of (e.g., certain monitoring activities). Therefore, it is important to have not only an external but also an internal privacy notice, especially if the required notices are not contained in other employment-related documents.

Any or all of the circumstances mentioned above could require that you have an appropriate privacy notice in place. And even if you don’t technically fall within any law requiring a privacy notice today, having a comprehensive privacy notice would demonstrate good faith and an effort at transparency, and, even if it is not fully compliant, could help mitigate financial and other penalties.