The Data Strategy and Security team at Debevoise & Plimpton LLP has authored the 2022 edition of the Privacy Law Answer Book (Practising Law Institute, 2021), a user-friendly guide to the laws and regulations that govern how companies collect, use, store and transfer the personal information of their consumers and employees.
Edited by Debevoise partners Jeremy Feigelson, Jim Pastore, and counsel Johanna Skrzypczyk, with contributions from other Debevoise partners, counsel, and associates, the guide helps readers keep pace with the latest developments in data privacy and serves as a resource for those looking to make sense of a complicated patchwork of federal and state laws governing privacy in the United States.
Topics in the 2022 Edition include:
• An overview of U.S. Information Privacy Law. A thorough overview of the book’s contents, this section provides a quick point of reference on several of the topics below with references to deeper discussions on each topic throughout the book.
• Children’s Privacy. For organizations potentially or actively using children’s data, this chapter offers essential information, especially for those organizations governed by the Children’s Online Privacy Protection Act (COPPA). This chapter provides detailed guidance on the scope and applicability of COPPA under statute and regulation, and this edition incorporates the FTC’s recent revised guidance on the COPPA rule and recent enforcement actions.
• Financial Privacy. Organizations that collect and use consumers’ personal financial information participate in one of the most heavily regulated industries in the market. This section discusses a range of topics, such as the standard regulations that apply to these organizations (including the Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLBA), the Fair Credit Reporting Act of 1970 (FCRA), and the amendments in the Fair and Accurate Credit Transactions Act of 2003 (FACTA)), state laws (like the California Financial Information Privacy Act (FIPA)), as well as some of the most current and relevant FTC settlements, recent litigation in this space, and the growing list of relevant security breach notification laws.
• Medical Privacy. Addressing the medical privacy essentials, HIPAA and the new challenges posed by the rise of telemedicine, especially during the Covid-19 pandemic, this chapter closely examines medical privacy and contains helpful practice notes on HIPAA’s intricate definitions and requirements. This year’s edition includes new analysis of HIPAA’s interaction with the CCPA and its amendments.
• Mobile Privacy. Mobile phones and devices are ubiquitous across industries, and business owners, management, employees, and customers are all handling more data, more often, on their mobile devices. The Covid-19 pandemic has only accelerated the adoption of these devices, and their proliferation poses significant challenges to organizations trying to comply with their privacy requirements. This chapter includes a discussion of the iOS privacy initiatives that Apple put forth in April 2021, as well as more information about the future of privacy for Android devices.
• Digital Workplace Privacy. As the use of technology in the workplace has increased and the workforce becomes increasingly mobile, the scope of workplace privacy has evolved as well. This chapter addresses workplace privacy and surveillance, including bring-your-own-device policies. This chapter also covers common questions posed by return-to-work efforts during the Covid-19 pandemic.
• Advertising, Tracking, and Privacy. Advancements in digital advertising and tracking have moved quickly across industries and privacy concerns related to these issues have grown as well. Modern online advertising effectively means that no two users have the same digital experience because ads are often provided dynamically and ad content can vary based on the underlying digital content, or on what a user has previously viewed online. With a thorough discussion of the nuances related to advertising and tracking, this section also covers the new privacy laws impacting the industry, including updates stemming from the CCPA, the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act. This chapter also offers some recent case studies and updates on ongoing litigation related to internet tracking at some of the largest tech companies of today.
• Vanguard States. Without federal legislation on data privacy, some states have taken action to address privacy concerns. California, Colorado, Nevada, and Virginia have each enacted privacy laws in the past two years. This chapter offers a side-by-side look at how these laws compare in their requirements. This chapter also looks at other proposed legislation from states including Florida, New York, and Washington.
• Privacy Enforcement and Litigation. Federal regulators such as the FTC, state attorneys general, and class action plaintiffs are all policing how companies manage consumer privacy. This chapter addresses the nuts and bolts of how regulators enforce privacy regimes and provides examples of recent enforcement actions. This year’s edition also addresses how changes at the FTC may impact the agency’s enforcement priorities.
• Global Privacy Laws. The United States is only one actor in a complicated system of international privacy regulators. This chapter provides an overview of the global privacy landscape, looking at some of the key concepts and areas addressed by some of the most well-developed privacy regimes around the globe. It also presents regional case studies, setting out trends and principles of the data privacy law of jurisdictions with robust privacy regimes that are particularly relevant to many U.S. practitioners: the European Union, the U.K., Canada, Australia, and Brazil. It also includes a useful Appendix comparing data protection requirements found in more than 50 jurisdictions.
The book is styled as a Q&A so that practitioners can easily find answers to common—as well as uncommon—questions, a sampling of which we’ve included here from the substantially revised Vanguard States chapter:
Does the CCPA apply to service providers who might have consumer data?
Yes. The CCPA defines a service provider as an entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a business contract.” The contract between the business and the service provider must prohibit the service provider from retaining, using, or disclosing personal information other than for the business purposes specified in the contract.
In addition to the statutory text, companies seeking to comply with the CCPA also must consider the implementing regulations issued by the California Attorney General. The CCPA regulations provide that service providers “shall not retain, use, or disclose personal information obtained in the course of providing services except” in certain circumstances. These circumstances include:
(1) Processing or maintaining “personal information on behalf of the business that provided the personal information or directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA”;
(2) Retaining a subcontractor, “where the subcontractor meets the requirements for a service provider under the CCPA and these regulations”;
(3) Internal use by the service provider;
(4) Detecting “data security incidents or protect[ing] against fraudulent or illegal activity”; or
(5) Circumstances otherwise permitted by certain sections of the CCPA.
Notably, a service provider is prohibited from selling data on behalf of a business after the consumer has opted out of the sale of personal information. A service provider that receives a consumer request directly may respond on behalf of the covered business or re-direct the consumer to the covered business.
How broad is the GLBA exemption under the CCPA?
The federal GLBA exemption and FIPA exemption apply to information, not institutions. Financial institutions thus will be well advised to consider, dataset by dataset, whether their data is covered by GLBA or FIPA. One critical component to understanding the reach of the exemption is examining the definitions of “consumer” and “personal information” under the CCPA, on the one hand, and “consumer” and “nonpublic personal information” under GLBA, on the other.
Under GLBA, a consumer is an individual who obtains a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes. The GLBA Privacy Rule protects a consumer’s “nonpublic personal information.” Nonpublic personal information is “personally identifiable financial information” that:
- is “provided by a consumer to a financial institution”;
- “[r]esult[s] from any transaction with the consumer or any service performed for the consumer”; or
- is “otherwise obtained by the financial institution.”
The Privacy Rule defines “personally identifiable financial information” as information:
- that a consumer provides to a financial institution “to obtain a financial product or service” from the financial institution;
- “about a consumer resulting from any transaction involving a financial product or service” between the financial institution and a consumer; or
- that the financial institution “otherwise obtain[s] about a consumer in connection with providing a financial product or service to that consumer.”
The newest edition of the Privacy Law Answer Book can be purchased from the Practising Law Institute. We hope our clients will find it useful as they address their privacy concerns.