Understanding the Evolution of Data Privacy and Security Laws
In the United States, the first comprehensive consumer data privacy statute was the California Consumer Privacy Act (“CCPA”) passed in September 2018. The CCPA was modeled, in part, on the massive European privacy regulations that went into effect in May 2018 called the General Data Protection Regulation (“GDPR”). We discussed the CCPA at length in this blog series; What Is The California Consumer Privacy Act (CCPA)?, How Does The New California Privacy Law Affect Other States?, Key Provisions You Should Know From The CCPA, CCPA Compliance: Tighter Restrictions From The CCPA & Proposition 24, Privacy Law Compliance: Corporate Support For CCPA Expansion Globally.
Prior to the GDPR and the CCPA, there were no statutory efforts in the U.S. to create a comprehensive regulatory regime to protect the privacy of consumer data and information. There were, however, some limited and targeted efforts to protect consumer privacy. One of the more important efforts was the Illinois Biometric Information Privacy Act (“BIPA”) passed in 2008. Among other features, the BIPA defined “biometric” data and regulated how and under what circumstances private businesses could collect, use, share and store such data.
The BIPA is very broad and has many components. Here we focus on a few of the important features of data privacy laws in general. In part, the BIPA prohibits businesses from collecting, using/processing, sharing, or storing a person’s uniquely identifying biometric information unless the business:
- Provides notice to the person – in writing – that biometric identifiers or information will be collected, used, shared, and/or stored;
- Provides notice to the person – in writing – of the specific purpose and length of term for which such biometric identifiers are being collected, stored, used, and shared;
- Obtains from the person written consent – a release – allowing the collection, use, sharing, and storage of biometric data;
- Creates and publishes written retention schedules and policies/procedures for permanently destroying the collected biometric data.
Note the key data privacy concerns expressed in the BIPA:
- Data and information that uniquely identifies a person
- Data that is collected
- Data that is used/processed
- Data that is shared
- Data that is stored
Note further how the Illinois General Assembly attempted to protect consumers from abuse of their collected biometric data:
- Requiring written notice to consumers –
- That biometric data is collected, used/processed, shared, and/or stored,
- Of why the data is collected,
- Of how long the data is to be retained.
- Requiring informed consumer consent in writing.
- Requiring notice to consumers of retention and data destruction policies.
Importantly, the BIPA also provides that consumers have a private right of action, which means that they can sue businesses that violate the BIPA. Also, the BIPA applies to anyone, not just consumers. Thus, for example, employees are covered by the BIPA when employers collect and use biometric data for various purposes (like workplace security and time-clock management).
These are the same concerns and protection efforts that animate all of the existing data privacy statutes and currently proposed legislation. For example, ten years after the passage of the BIPA, the California Legislature adopted these same concerns and protection efforts and greatly expanded them. As originally enacted, the CCPA expanded statutory protections for ALL uniquely identifying data – often called “personal identifiable information.” Personal identifiable information (“PII”) can generally be defined as any information or data – from a single data set or a combination of data sets – that allows a person’s specific identity to be known or reasonably inferred, either directly or indirectly. Further, the CCPA expanded the privacy rights of consumers from not merely having the right to know what personal data is being collected and why, but also the rights to:
- “Opt-out” – refuse permission to have information/data sold under various circumstances,
- Know whether personal information is sold, shared, or disclosed;
- Know with whom personal information is sold, shared, or disclosed;
- “Opt-in” for certain types of data collection involving those under the age of 16;
- Access personal information stored and to know, thereby, what information/data has already been collected;
- Non-retaliation for refusing permission – the CCPA phrased this as a right to “equal service and price” when a consumer exercises any privacy rights.
Subsequently, other rights have been added, including the rights to:
- Have personal information deleted and destroyed – this is the so-called “right to be forgotten;”
- Direct that a company share stored personal information as directed by the person – this is the idea of “portability of data.”
Further, amendments to the CCPA have expanded the scope of what data is protected. Not only is PII protected, but also what is called “sensitive personal information” (“SPI”). SPI includes protection for information like Social Security and driver’s license numbers, account login passwords and codes, geolocation information, personal beliefs, racial and gender data, etc.
As with the BIPA, the enforcement mechanisms used by the CCPA involve disclosures and consents. Among other requirements and prohibitions, businesses that collected personal information and data are required to disclose – in writing – that data was being collected, the business purpose or purposes for the collection, what use/processing are to be done with the data, whether the data is to be shared/disclosed, and with whom. The CCPA also mandated that obsolete data must be destroyed and that businesses establish reasonable state-of-the-art computer system security policies and protocols to protect consumer data from unauthorized access and exfiltration. Unlike the BIPA, the CCPA provides NO private right of action for consumers except when data has been accessed or exfiltrated through a data breach or unauthorized access.
Baer Reed provides effective legal solutions for organizations looking for data privacy investigation and compliance support. To learn more about our attorneys and organization, contact us today.
- On January 18, 2022
- Back to post list