Consumer Privacy and Data Protection Laws: Recent Traction

Consumer Privacy and Data Protection Laws: Recent Traction

Increasingly, compliance with privacy and data protection laws is a top priority for businesses.  That priority is underscored by a March 15, 2022, federal law [the “Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). CIRCIA may be found in Division Y of H.R. 2471, known as the Consolidated Appropriations Act of 2022.    

CIRCIA requires “Covered Entities” to report cybersecurity incidents and ransom payments to the Department of Homeland Security (“DHS”).  Incidents must be reported within 72 hours.  Ransom payments must be reported within 24 hours. CIRCIA requires DHS’ Critical Infrastructure Security Agency (“CISA”) to adopt regulations which identify which organizations are “covered entities, and to what agency will receive these reports; most likely CISA and/or the FBI. Covered Entities are also required to preserve [to-be-defined-in rulemaking] “relevant data.” 

Most states have passed consumer privacy and data protection legislation that grants state regulators authority to bring enforcement actions against such businesses. Failure to comply can result in steep fines. 

Additionally, the Federal Trade Commission (“FTC”) uses its authority under the FTC Act to bring legal action against organizations for violation of consumers’ privacy rights or failure to maintain the security of sensitive consumer information. As the rate of data security breaches increases, so has the expansion of federal and state laws and regulations. In a further complication, insurers, car dealers, and other businesses with state licenses have their own industry-specific consumer data protection laws. 

The Federal Trade Commission: Two Data Protection Laws

The FTC Act

The FTC applies its consumer protection law, the FTC Act, to business practices that affect consumers’ privacy and data security; the Act prohibits unfair or deceptive practices. For example, a business that fails to safeguard a consumer’s personal information or makes material changes to its privacy policies without notifying consumers violates the Act. The FTC has sued businesses over violations of the Act, winning monetary damages and injunctive relief, such as requiring the defendant to implement a comprehensive security program to protect consumer information. 

The Gramm-Leach-Bliley Act

Enacted more than 20 years ago, the FTC’s Gramm-Leach-Bliley Act requires regulations that protect the financial privacy of consumers who share sensitive financial information with the various market and bank regulators, ranging from many auto dealers that engage in financing business to the Federal Reserve. The Act regulates the collection, use, protection, and disclosure of non-public personal financial information. It includes requirements for notices of privacy practices, as well as options for customers and consumers to opt-out of use and disclosure of personal information in certain circumstances, and businesses must have a data security program. Penalties for violating Gramm-Leach-Bliley include civil monetary penalties and, in certain circumstances, enhanced criminal penalties and fines and imprisonment. Multiple federal regulators, as well as state insurance agencies, enforce Gramm-Leach-Bliley.  

In many cases, a security breach triggers the FTC to file a complaint against one of the financial companies it monitors for violations of Gramm-Leach-Bliley. For example, the FTC brought a case against LightYear Dealer Technologies, LLC, which develops and sells a management system for auto dealers. The FTC claimed that several security failures by LightYear left its backup database vulnerable to hackers, who gained access to the unencrypted personal information of millions of consumers. The 2019 consent agreement included requirements that LightYear implement and maintain a comprehensive information security program, have its information security program assessed every two years, and have a senior corporate manager oversee its information security program and certify compliance annually.   

 A Sample of Privacy and Data Protection Laws in Four States

California

Under the landmark CA Privacy Act, consumers have more control over the personal information large for-profit businesses collect. Requirements of the Act include the following:  

  • Businesses must include disclosures in their privacy policies about the personal information they collect and how they use and share it.  
  • Businesses must disclose whether they sell personal data to third parties and provide the option to opt-out.  
  • Consumers have the right to request information from businesses, such as specific personal information they collected, and to request that personal information be deleted.  
  • Businesses cannot discriminate against consumers for exercising their rights under the Act.   

Under the recently enacted California Privacy Protection Act, websites and online service providers must post their privacy policies conspicuously and abide by them. The California Attorney General enforces the state’s privacy and data security laws.  

The trend of other states and the federal government following California’s lead in legislative initiatives on privacy and data security will likely continue.   

Ohio

Introduced in July 2021, the Ohio Personal Privacy Act is a comprehensive consumer privacy bill. Consumers can expect that businesses the Act applies to will providetheir privacy policy, as well as information about the type of personal data they collect and access to it. Consumers will have the right to request that a business deletepersonal data collected for commercial purposes and the right to request that their personal data not be sold to third parties. When seeking remedies, consumers may file a complaint with the Attorney General’s Office; there is no private right of action.

New Jersey  

While New Jersey lacks comprehensive data privacy laws, it does have statutes that cover aspects of data privacy and security. The statute requiring businesses to report data breaches to New Jersey customers expediently protects a range of personal information, from social security numbers to account access information. Another statute limits when retailers can scan a consumer’s ID and the type of information they can retain stipulates how it can be stored, and prohibits the sale of the information to any third party. There are also statutes regarding the protection of social security numbers and the destruction of private information records.   

Among other important data security cases the state has pursued, New Jersey was part of a 2017 multi-state settlement with Target Corp. The New Jersey Attorney General formed the “Data Privacy & Cybersecurity” section in 2018; it focuses on internet privacy and data security investigations.   

Flordia

Florida has a consumer data protection statute that applies to all legal entities and third parties that acquire, maintain, store, or use personal information and consumer records. The law requires that these entities take reasonable measures to protect and secure data in electronic form containing personal information. It also requires entities to provide notice to the Office of the Attorney General and the individual whose personal information security is breached as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred.  

Establish a Comprehensive Data Protection and Security Program

Over recent years, the annual number of data events has jumped dramatically. And businesses increasingly face litigation over their privacy practices, with charges often extending to a company’s board and executives, e.g., for attempting to conceal a cyberattack. The US is moving towards comprehensive data privacy and security laws like the European Union’s General Data Protection Regulation on the legislative front.   

  It is imperative for businesses to have a comprehensive data protection and security program to reduce risks of government enforcement actions and consumer litigation. Some steps to consider when developing a program include: 

  • Conduct a thorough audit of data privacy and security practices, including identifying third parties that collect, share, or access data.  
  • Emphasize that data protection is a company-wide, top-to-bottom priority.  
  • Develop a compliance framework, written policies, processes, and internal controls; determine types of data, how it is stored, and key risks.  
  • Monitor and enforce policy compliance and implementation; establish a privacy team that coordinates with other arms of the enterprise to identify red flags.  

About Alex Gertsburg

At Gertsburg Law, our attorneys have a comprehensive understanding of the countless issues facing businesses on a daily basis. Most of our experienced attorneys in the Chagrin Falls and Cleveland offices are former business owners and in-house counsel, bringing a unique perspective and depth of knowledge to their skill set. We will work with you to understand your goals and to find the right solution for your organization. For more information visit https://www.gertsburglaw.com