Privacy Laws You Need to Know
Today, every business needs to be privacy-centric. It’s much more than an ethical responsibility. State and federal regulations call for discipline when storing, processing, and destroying data. In this blog, we outline several privacy regulations you should know.
The recently passed California Consumer Privacy Act (CCPA) is scheduled to go into effect in 2020. CCPA is poised to become the nation’s strictest privacy law, requiring companies to be transparent about what consumer data they collect and how they use it. California residents have a right to request that California businesses:
- Disclose the specifics of personal information they collect
- Disclose the business or commercial purpose for collecting or selling personal information
- Disclose the sources from which personal information is collected
- Not sell their personal information
- Delete any collected personal information
The California Attorney General’s Office enforces the CCPA. Companies that fail to comply with the law can face civil penalties of $2,500 for each violation or $7,500 for each intentional violation.
California Civil Code 1798.81
California Civil Code 1798.81 requires any person or business that conducts business in California to notify California residents if it suffers a security breach involving “personal information.” The law states that businesses should “take all reasonable steps to dispose, or arrange for the disposal, of customer records” containing “personal information” when those records are no longer needed, “by, among other means, shredding.”
The Fair and Accurate Credit Transactions Act (FACTA) gives consumers the ability to place alerts on their credit histories if identity theft is suspected. The law requires lenders, credit card companies, and other financial service organizations to dispose of consumer information in a way that protects against “unauthorized access to or use of the information.”
Like FACTA, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain how they share and protect their customers’ information. GLBA’s Safeguards Rule requires financial institutions to develop a written information security plan outlining processes for protecting clients’ personal information. The plan must include:
- Designation of at least one employee to manage safeguards
- Risk analysis plans for each department handling personal information
- Development, testing and monitoring of an information security program
- Adjustment of safeguards as needed
The Health Insurance Portability and Accountability Act (HIPAA) was enacted to combat insurance fraud and medical identity theft. The act’s Privacy Rule states that healthcare providers and their business associates must implement “appropriate administrative, technical and physical safeguards to protect the privacy of protected health information (PHI).” When disposing of PHI, you must prevent unauthorized access to that information.
Understanding these laws enables your business to implement and maintain reasonable security measures to protect your customers’ and employees’ personal data.