by Jason Koransky, Associate
“Privacy law” cannot be confined to a small, orderly box. Rather, it is a complicated, sprawling, and sometimes difficult tangle of federal and state laws. From the federal Fair Credit Reporting Act and Electronic Communications Privacy Act to state laws addressing use and disclosure of arrest and conviction information, privacy law implicates a broad range of business activities.
Importantly, these laws have major implications for companies that gather, assemble, or otherwise use their customers’ personal identifying information. With so many different types of businesses increasingly focused on creating relationships with their customers by collecting and using personal information, these laws affect a growing number of entities — sometimes in ways that are not readily apparent. Further, data breaches that result in the release of personal information frequently appear in national headlines and often lead to lawsuits.
And privacy law constantly evolves.
For example, proposed federal legislation (the Personal Data Protection and Breach Accountability Act) could potentially create a uniform law addressing requirements to notify consumers in the event of a data breach, which would largely replace the existing patchwork of incongruous state laws. Another piece of proposed federal legislation (the Data Broker Accountability and Transparency Act) would create requirements for a business to ensure the maximum possible accuracy of the personal information it collects and provide people a means to access, review, and dispute this information. In addition, President Obama recently discussed federal legislation to protect student data.
On the state level, examples of new laws being implemented include those related to the online privacy rights of minors, how websites can collect personal identifying information, and what information an employer may ask of a potential employee on a job application.
These laws have tangible and far-reaching implications for businesses, which certainly cannot be taken lightly or ignored. Many businesses now have privacy and information-security offices, which monitor compliance and handle issues that arise. Privacy and data security audits, legal risk assessments, and solutions for potential red-flag privacy issues are essential to minimize the risk of a data breach and the liability from ensuing lawsuits. Solution-based privacy analyses include, for example:
- Reviewing how a company uses its consumers’ personal identifying information;
- Reviewing privacy policies associated with websites, apps, and other products or services;
- Analyzing systems in place to train employees on the use of consumers’ personal identifying information, as well as systems in place to protect this data; and
- Reviewing actions that have been taken in past data breaches.
While we cannot predict much of what may occur in 2015, we can say with confidence that during this year privacy issues will continue to grow, evolve, and significantly affect businesses in this information age.
* * *
Jason Koransky is an associate with Pattishall, McAuliffe, Newbury, Hilliard & Geraldson LLP, a leading intellectual property law firm based in Chicago, Illinois. Pattishall McAuliffe represents both plaintiffs and defendants in trademark, copyright, trade secret and unfair competition trials and appeals, and advises its clients on a broad range of domestic and international intellectual property matters, including brand protection, Internet, and e-commerce issues. Jason’s practice focuses on trademark, trade dress, copyright and false advertising litigation, domestic and international trademark prosecution and counseling. He is co-author of the book Band Law for Bands, published by the Chicago-based Lawyers for the Creative Arts.