Processing Personal Information: Evolving Laws and Heightened Responsibility
Depending on the types of personal information you collect and use, applicable laws on information privacy and security govern what you can and can’t do with it, how you have to protect it, and what you have to tell users and customers about what you’re doing. And laws around privacy are only moving in one direction – they’re covering more data and restricting its use more tightly.
European vs US concepts of privacy law
In Europe, personal information is protected by default, regardless of context, with some relatively narrow exceptions. In the US, by contrast, personal information is generally only protected if it’s being used in specific sectors of activity (e.g. healthcare or finance), or in certain contexts (e.g. data breaches).
However, laws on privacy have been evolving within the US. The FTC has long been able to fine or enjoin companies that make promises about data security and privacy that they don’t keep, and it occasionally does so after a data breach. And a federal privacy bill that would cover all personal information – its newest evolution is the SAFE DATA Act – is currently being discussed in Congress.
The States aren’t waiting
In the meantime, some US states are working on their own broad-ranging laws. If you’re in California or deal with California residents, you already know about the California Consumer Privacy Act (CCPA), which regulates personal information about California residents that isn’t already covered by certain existing sets of regulations. It’s a lot closer to the European approach and is even tougher than the EU’s GDPR in some respects (though its rules around cookies only require opt-out, for example). An even stronger regulation, the California Privacy Rights Act, which builds upon the CCPA and also establishes a data protection agency for the state, just passed in November and takes effect in 2023. Multiple other states also have regulations in the works.
The global privacy push
In the wake of the GDPR, many other nations have established privacy regulations using it as a rough template. The specifics of these laws vary, both in strictness and in scope, but they all require you to tell individuals what you are doing with their information to varying levels of detail and to stick to that statement. Some, like the GDPR, are restrictive about personally identifiable information leaving their jurisdiction. Most have established national data protection authorities to investigate breaches and enforce the laws; some permit private lawsuits over privacy breaches.
Even if you aren’t currently under the jurisdiction of any strict regulations about the personal information you process, it’s a basic principle of privacy that you should tell individuals what you’re doing with their data – accurately and completely. And people increasingly expect that, even if they don’t pay close attention until something goes wrong. You have an ethical responsibility to the individuals whose personal information you hold to do with it only what you’ve told them you are going to do. You should start planning to be held to that if you aren’t already.