In today’s day and age, there is an inherent tension between privacy concerns and your business’s marketing needs. The collection and use of personal data is both a potential goldmine and an existential threat.From a marketing perspective, even if certain data is not useful in the near term, it could become useful and valuable in the future. The more personal data available to your business, the better you’ll be able to market personalized experiences, make more targeted and compelling offers, and capitalize on opportunities for cross-marketing and up-selling your customers. From a privacy perspective, the collection and maintenance of unnecessary data exponentially increases your potential liability and is a burden on the people and systems charged with protecting it. This creates a natural dichotomy between the desire–from a privacy perspective–to minimize the amount of customer data collected with the desire–from a marketing perspective–to maximize the amount of customer data collected, maintained, and mined for information. However, as a result of massive data breaches and abusive data collection and use practices, data privacy rights and protection (and consequences for failure) have become a consistent theme in the national discourse.
It is important to be aware that the more personal data your organization collects, the more important and complicated the protection of personal data and compliance with privacy laws becomes for your organization. For example, as of mid-2018, every state had enacted its own varying legislation requiring notification of breaches involving personal data (with many differing requirements for the content of such notices), and proposals for new state and federal data privacy laws are legion. Moreover, in the European Union, the most sweeping and stringent data privacy legislation ever enacted, the General Data Privacy Regulation (“GDPR”), went into effect in May of 2018. While the GDPR only applies to businesses that control the personal data of residents of EU member states, many of the concepts embodied therein are recognized as best practices that are being adopted in new legislation, such as the rights of individuals to know about and control the use of their personal data, the right to erasure of personal data, and the obligations of businesses to adopt reasonable, risk-based security measures to protect personal data. For example, the California Consumer Privacy Act of 2018, which goes into effect in less than one year, mirrors the rights and obligations created by the GDPR in many respects, and applies to certain organizations that collect and control the personal data of California residents. These newly-enacted laws, and others in the pipeline, are a minefield that well-meaning business owners must be aware of and navigate.
Data privacy legislation is in a near constant state of flux as legislators scramble to protect individuals’ rights with respect to the vast amounts of personal data collected by businesses every day. As a business owner, you regularly collect and maintain the personal data of employees, website visitors, potential customers, individual customers, points of contact at business customers, and others. Your business’s personal data collection and storage practices could represent significant risks to the individuals who trust you with their personal information. As a result, the collection, protection, and storage of that data implicates various state, federal, and foreign laws, and could give rise to civil liability to the individuals from whom you’ve collected data and to state or national supervisory authorities. What’s more, beyond the potential exposure to fines and civil damages, your lack of familiarity, understanding, and compliance with the various applicable regulations could cause significant and irreversible damage to your brand name and your hard-earned goodwill with your customers and peers.
Is your organization doing what is necessary to stay abreast of this constantly-changing regulatory landscape?
About the Author: Peter J. Klock, II practices in the area of complex commercial litigation. Before joining Bast Amron, Peter served as a judicial law clerk to the Honorable James Lawrence King in the Southern District of Florida for nearly four years. In that role, he drafted numerous published opinions and enjoyed primary responsibility for all aspects of the odd-numbered civil and criminal cases on Judge King’s docket, as well as a multi-district litigation matter involving over thirty national banks, In re: Checking Account Overdraft Litigation, MDL No. 2036. Peter’s extensive experience working with the Court has given him a unique insight into federal courtroom procedure, effective legal argumentation, and efficient use of motions and pleadings.