For companies that collect, process and explore innovative uses of personal information, the past month marked a turning point in the continued evolution of the US regulatory landscape. Taking on cosmetics brand Sephora, the California Attorney General announced the first enforcement deal under the new wave of comprehensive state privacy laws that began with the California Consumer Privacy Act (CCPA) and continues with a number of new laws set to come into effect across the country in 2023.
History of US privacy regulations
Historically, US privacy regulation has applied three main frameworks:
Industry laws that tightly control the uses and disclosures of personal information in certain industries (think HIPAA for healthcare information, FERPA for education records, GLBA for financial information)
Activity-specific laws that regulate certain uses of personal information considered particularly invasive (think ECPA for wiretapping, COPPA for children’s online privacy, CAN-SPAM for email marketing, and TCPA for phone and SMS marketing)
General prohibitions against false or misleading disclosures to consumers regarding how their information will or will not be processed.
Essentially, this means that unless your business operates in a heavily regulated industry or engages in fairly obviously sensitive activities, your exposure to privacy enforcement or litigation should be negligible, provided that your data operations do not directly conflict with your express privacy notice.
But this pattern is changing rapidly, with California, Virginia, Colorado, Connecticut and Utah enacting generally applicable (not industry- or activity-specific) laws that impose a number of positive obligations and substantive restrictions, to the point of reshaping what covered businesses must and cannot do with personal data. And more such laws could come, including in New England and at the federal level.
Mistakes from Sephora
What did Sephora do wrong, according to California? By using third-party tracking technologies on its website for analytics and advertising purposes, Sephora sold consumers’ personal information, did not tell consumers that it was selling their personal information, and did not allow consumers to opt out of the sale of their personal information.
This enforcement action, which focused on nearly ubiquitous third-party tracking technologies, is a sobering reminder that all businesses must assess their compliance with the new wave of state laws: not just the CCPA, which has been in effect since 2020, but also the new laws that come into force in 2023 and beyond, which build on the CCPA and extend it by regulating additional categories of activities and giving people new rights.
New Consumer Privacy Series
Over the coming weeks and months, Pierce Atwood’s interdisciplinary privacy and cybersecurity team will publish a series of short articles highlighting aspects of the new laws that are particularly important to our client base, with a focus on medium and small businesses that may be facing privacy compliance and exposure to regulation and litigation for the first time.
It is important to note that whether or not your business is currently subject to one or more of these new state privacy laws (and we will certainly devote space in our series to the applicability of the laws), we encourage you to pay attention to the general themes that we will highlight.
Even if your business isn’t subject to any of these laws today, chances are it will be at some point in the near future, and knowing what these laws restrict and require can be a significant advantage in ensuring that your products, services and business operations can withstand, with minimal disruption, the impacts of new privacy laws that are sure to follow. These laws also reflect an underlying shift in the way consumers expect companies to handle their personal information, making them a useful tool for thinking about best practices for reputation and consumer trust in matters of confidentiality.