5-week Privacy Law Series
Reason 5 – Things change
While there is not a general federal privacy law – yet – there was substantial momentum in the federal legislature last year to enact such a law, and it is conceivable that a comprehensive federal privacy law will be enacted this year. If it is, it could be rather wide-sweeping, picking up even smaller businesses. Also, several states have comprehensive and/or subject-matter-specific privacy laws, other states have their own versions of privacy laws in the works, and it is possible some of the new laws will have much lower thresholds as to who the law applies to. Better to start preparing now than to scramble later.
If you fall under the GDPR or United Kingdom (UK) Data Protection Act, for example, there is no minimum number of individuals about whom you collect personal information, and no dollar-volume size of your business, that serves as a threshold requirement for the application of those laws. Collecting even IP addresses or device or browser information, or implanting technologies such as cookies, web beacons, pixels/tags, local storage, or the like for analytics or marketing purposes, including through your service providers, could bring you under those laws.
Even if you don’t have a website or collect any personal information via your website, please keep in mind that many if not most privacy laws apply to offline collection of personal information as well as to online collection.
Furthermore, there are a number of practices a company might undertake with respect to its workers that various laws would require notice of (e.g., certain monitoring activities). Therefore, it is important to have not only an external but also an internal privacy notice, especially if the required notices are not contained in other employment-related documents.
Any or all of the circumstances mentioned above could require that you have an appropriate privacy notice in place. And even if you don’t technically fall within any law requiring a privacy notice today, having a comprehensive privacy notice would demonstrate good faith and an effort at transparency and, even if not fully compliant, could help mitigate financial and other penalties.