Understanding the Evolution of Data Privacy and Security Laws
In the United States, the first comprehensive consumer data privacy statute was the California Consumer Privacy Act (“CCPA”) passed in September 2018. The CCPA was modeled, in part, on the massive European privacy regulations that went into effect in May 2018 called the General Data Protection Regulation (“GDPR”). We discussed the CCPA at length in this blog series; What Is The California Consumer Privacy Act (CCPA)?, How Does The New California Privacy Law Affect Other States?, Key Provisions You Should Know From The CCPA, CCPA Compliance: Tighter Restrictions From The CCPA & Proposition 24, Privacy Law Compliance: Corporate Support For CCPA Expansion Globally.
Prior to the GDPR and the CCPA, there were no statutory efforts in the U.S. to create a comprehensive regulatory regime to protect the privacy of consumer data and information. There were, however, some limited and targeted efforts to protect consumer privacy. One of the more important efforts was the Illinois Biometric Information Privacy Act (“BIPA”) passed in 2008. Among other features, the BIPA defined “biometric” data and regulated how and under what circumstances private businesses could collect, use, share and store such data.
The BIPA is very broad and has many components. Here we focus on a few of the important features of data privacy laws in general. In part, the BIPA prohibits businesses from collecting, using/processing, sharing, or storing a person’s uniquely identifying biometric information unless the business:
- Provides notice to the person – in writing – that biometric identifiers or information will be collected, used, shared, and/or stored;
- Provides notice to the person – in writing – of the specific purpose and length of term for which such biometric identifiers are being collected, stored, used, and shared;
- Obtains from the person written consent – a release – allowing the collection, use, sharing, and storage of biometric data;
- Creates and publishes written retention schedules and policies/procedures for permanently destroying the collected biometric data.
Note the key data privacy concerns expressed in the BIPA:
- Data and information that uniquely identifies a person
- Data that is collected
- Data that is used/processed
- Data that is shared
- Data that is stored
Note further how the Illinois General Assembly attempted to protect consumers from abuse of their collected biometric data:
- Requiring written notice to consumers –
- That biometric data is collected, used/processed, shared, and/or stored,
- Of why the data is collected,
- Of how long the data is to be retained.
- Requiring informed consumer consent in writing.
- Requiring notice to consumers of retention and data destruction policies.
Importantly, the BIPA also provides that consumers have a private right of action, which means that they can sue businesses that violate the BIPA. Also, the BIPA applies to anyone, not just consumers. Thus, for example, employees are covered by the BIPA when employers collect and use biometric data for various purposes (like workplace security and time-clock management).
These are the same concerns and protection efforts that animate all of the existing data privacy statutes and currently proposed legislation. For example, ten years after the passage of the BIPA, the California Legislature adopted these same concerns and protection efforts and greatly expanded them. As originally enacted, the CCPA expanded statutory protections for ALL uniquely identifying data – often called “personal identifiable information.” Personal identifiable information (“PII”) can generally be defined as any information or data – from a single data set or a combination of data sets – that allows a person’s specific identity to be known or reasonably inferred, either directly or indirectly. Further, the CCPA expanded the privacy rights of consumers from not merely having the right to know what personal data is being collected and why, but also the rights to:
- “Opt-out” – refuse permission to have information/data sold under various circumstances,
- Know whether personal information is sold, shared, or disclosed;
- Know with whom personal information is sold, shared, or disclosed;
- “Opt-in” for certain types of data collection involving those under the age of 16;
- Access personal information stored and to know, thereby, what information/data has already been collected;
- Non-retaliation for refusing permission – the CCPA phrased this as a right to “equal service and price” when a consumer exercises any privacy rights.
Subsequently, other rights have been added, including the rights to:
- Have personal information deleted and destroyed – this is the so-called “right to be forgotten;”
- Direct that a company share stored personal information as directed by the person – this is the idea of “portability of data.”
Further, amendments to the CCPA have expanded the scope of what data is protected. Not only is PII protected, but also what is called “sensitive personal information” (“SPI”). SPI includes protection for information like Social Security and driver’s license numbers, account login passwords and codes, geolocation information, personal beliefs, racial and gender data, etc.
As with the BIPA, the enforcement mechanisms used by the CCPA involve disclosures and consents. Among other requirements and prohibitions, businesses that collected personal information and data are required to disclose – in writing – that data was being collected, the business purpose or purposes for the collection, what use/processing are to be done with the data, whether the data is to be shared/disclosed, and with whom. The CCPA also mandated that obsolete data must be destroyed and that businesses establish reasonable state-of-the-art computer system security policies and protocols to protect consumer data from unauthorized access and exfiltration. Unlike the BIPA, the CCPA provides NO private right of action for consumers except when data has been accessed or exfiltrated through a data breach or unauthorized access.
Baer Reed provides effective legal solutions for organizations looking for data privacy investigation and compliance support. To learn more about our attorneys and organization, contact us today.
- On January 18, 2022
- Back to post list
Mr. Reyes graduated with honors from the Ateneo de Manila University, where he received the Procter and Gamble Student Excellence Award. He obtained his Juris Doctor degree from the Ateneo de Manila School of Law. During law school, Mr. Reyes was part of the Philippine delegation to the Willem C. Vis International Commercial Arbitration Moot held in Vienna, Austria. He was also a member of the Ateneo Society of International Law and the St. Thomas More Debate Society. He completed his internship at the Public Attorney’s Office. He wrote a thesis entitled: “To Kill A White Elephant: An Analysis of the Fiduciary Exception to the Corporate Attorney-Client Privilege”. Mr. Reyes is admitted to practice law in the Philippines and the State of New York.
Ms. Lardizabal-Manzano is a graduate of San Sebastian College-Recoletos, where she earned her B.A. in Political Science. In 2003, she received her law degree from Lyceum of the Philippines and was admitted to practice law in 2004.
Matthew Hersh earned a B.A. in Political Science from Columbia University in 1990 and graduated cum laude from Georgetown University Law Center in 1999. He also holds a master’s degree in international relations from the Georgetown University School of Foreign Service.
Cap. Avi Levak (Res. IDF) graduated from from Israel’s prestigious Ben-Gurion University of the Negev with a Bachelor of Science in Computer Science and Mathematics. He is also a Leadership and Communication coach trained in TuT coaching by Alon gal in Israel. Avi specializes in high-level, in-depth analysis of business and client needs, within systems and software strategy and architecture.
Ms. Tyler graduated cum laude from Georgetown University and received her law degree, cum laude, from Georgetown University Law Center. During law school, she interned at the United Nations Economic Commission for Europe. She also worked on The Tax Lawyer journal and was a member of the award-winning Barristers’ Council Mock Trial Team. Ms. Tyler is admitted to practice law in the State of California and the District of Columbia.
Ms. Cruz-Anonuevo graduated cum laude and top nine in her batch from Miriam College with a degree of Bachelor of Arts in InternationalStudies. She obtained her Juris Doctor degree from Ateneo de Manila University School of Law in Rockwell. During law school, she interned in Rivera, Santos, Maranan & Associates. She was also part of Ateneo’s Labor Law Bar Operations. She wrote her thesis on, “Stealing Privacy: Limitations on Media’s Photographic Invasion.,” Ms. Cruz-Anonuevo is admitted to practice law in the Philippines.
Ms. Aquino-Batallones obtained a Bachelor of Arts degree in Development Studies (with Minors in Global Politics and Hispanic Studies) from the Ateneo de Manila University. In 2011, she received her Juris Doctor degree from Ateneo de Manila University School of Law. During law school, she interned at Romulo Mabanta Buenaventura Sayoc & de los Angeles then became an intern of Ateneo Legal Services Center’s Clinical Legal Education Program.
Mr. De Guzman graduated from San Beda College with a degree of Bachelor of Arts Major in Economics and received his law degree from San Beda College of Law. He is multilingual and is fluent in three languages: Chinese, Filipino, and English. He was admitted to the Philippine Bar in 2003.