Andrea Shaw
July 22, 2019
Business Resources
Why your company needs a privacy policy
By Andrea J. Shaw
As a privacy lawyer I am frequently asked, “Does my company really need a privacy policy?” I always give the same answer: It absolutely does. A privacy policy reduces your legal risk, which makes it easier for you to focus on running your business.
The U.S. legal landscape is a patchwork of privacy laws, which vary by state and industry. It becomes more challenging to keep track of the requirements daily. In the data security law space alone, the number of states with privacy laws on the books doubled from 2016 to 2018.
Privacy laws in Maine
Maine has a number of laws governing data privacy, though please note we are not addressing industry specific requirements, such as banking or medical information. Two laws deserve particular attention — an Act to Protect Online Consumer Information and the Notice of Risk to Personal Data Act.
Gov. Janet Mills recently signed into law new prohibitions on how internet service providers (ISPs) can share consumer information for customers who are physically located and billed for service in Maine. The new law, “An Act to Protect the Privacy of Online Customer Information,” becomes effective July 1, 2020. It’s notable that this law doesn’t apply to search engines or other online groups that may be able to collect and use your online information.
For ISPs to use, disclose, sell or permit access to customer information, they must first obtain the customer’s express, affirmative consent. If you are a broadband subscriber located (and billed) in Maine, you might see a new request from your provider regarding your data over the next 12 months. In addition, ISPs must take reasonable measures to protect customer information from unauthorized use.
Maine’s Notice of Risk to Personal Data Act protects “personal information,” which is defined as a person’s first name or initial and their last name, along with any one of these items:
- Social Security Number
- Driver’s license or state identification number
- Account number (if they can be used without additional information)
- Account passwords.
If any of the elements above could be used to assume someone’s identity without his or her name, then it is also “personal information” under the law.
It is illegal in Maine for an unauthorized person to release or use an individual’s personal information acquired through a security breach.
Federal laws and enforcement
In addition to state regulation, the Federal Trade Commission has jurisdiction over most companies and individuals conducting business in the U.S. unless your company has another federal regulator, which generally means you have a more robust privacy requirements. The FTC may use its “unfair or deceptive acts and practices” authority when there is not a privacy law on point. Earlier this year, the FTC entered a settlement agreement with a company over allegations that it falsely claimed it was a “privacy shield” compliant. Privacy shield is one way that companies wishing to do business with folks in the European Union can meet their data privacy and protection requirements. The company started the privacy shield certification process, but never completed it.
What it all means
Creating and maintaining a privacy policy instills discipline for your business regarding privacy risks. It tells everyone at the company that privacy matters to the company and helps to create a culture of privacy and data protection. It also helps you keep your customers informed about what data you collect and how you use it. These things all go a long way to helping you manage and reduce your privacy risk. By having your privacy requirements buttoned up you can focus on what is really important — running your business.
Andrea J. Shaw is a shareholder at the Portland law firm Bernstein Shur.
Most Recent
Most Recent
0 Comments