It seems like every year brings a data breach that affects more and more people. In 2017 and 2018, we saw the largest data breaches in history. Equifax lost information belonging to 148 million people, Facebook lost more than 87 million records by providing information to Cambridge Analytica, and Marriott Starwood Hotels lost information belonging to 500 million people.
In response, governments across the globe have proposed or passed broad privacy regulations limiting what companies can do with the data gathered from individuals. In 2018, the European Union started enforcing the General Data Protection Regulation (GDPR). US Senators Marco Rubio and Ron Wyden have proposed broad privacy legislation as well.
Finally, in the absence of action from Congress, state legislatures have enacted their own privacy laws. In 2018, California passed the California Consumer Privacy Act (CCPA) and Ohio passed the Data Protection Act (DPA). In 2019, Utah's and Washington's state legislatures proposed privacy legislation.
The labyrinth of privacy regulations can make it difficult to figure out how to comply. However, this article will discuss some of the main themes in privacy regulation and what companies should do to address their privacy obligations.
Privacy laws require companies to post a public notice explaining the following:
Why the company is gathering personal information.
What the company does with that information.
Whether the company shares that information with third parties.
Whether personal information is being used for a company purpose or being sold to third parties.
What the company does to protect personal information.
What rights, if any, a consumer has when it comes to processing personal information.
How to contact the company in case consumers have questions about how the company handles personal information.
Privacy regulations vary when it comes to consumer rights, but the three recurring rights are:
The right to access personal information.
The right to delete information.
The right to restrict how a company processes information.
Regarding access, companies not only need to provide information in the privacy notice, but they also need to provide information to consumers when the consumer requests it. Companies must provide the requested information in a common electronic format and within a reasonable time after the consumer's request.