Data Privacy Rights: An Evolving Area That Cannot Be Ignored

by Robert Goodman

When it comes to small business customer data, be aware of privacy policies

Rinaldo Sells His Own Fashion Line Over the Internet

Rinaldo sells his own fashion line over the internet. His company, Best Fashion, has grown over the years to generate close to $10 million in annual sales. Recently, Rinaldo entered into discussions with Advertising Plus, a digital advertising company with expertise in placing ads on the devices of targeted customers.

Rinaldo’s Idea for Targeted Advertising

Rinaldo’s idea is that he would use the information provided by customers who shopped on his online store to send them targeted advertising designed to encourage them to purchase other products from Best Fashion.

The Importance of a Comprehensive Privacy Policy

In these discussions, Advertising Plus pointed out that Best Fashion did not have an online Privacy Policy. The company posted terms and conditions which stated that customer information would not be sold to third parties, but nothing more than that.

Advertising Plus’s Concerns and Advice

Advertising Plus advised Rinaldo that, until Best Fashion had a more comprehensive privacy policy, Advertising Plus was nervous about using customer information supplied by Best Fashion to place targeted ads. Rinaldo was puzzled about why, even though Best Fashion posted record profits that year, Advertising Plus was hesitant about doing business with it. Rinaldo called up his trusted corporate attorney, Saul Goodman, to discuss the situation. And this is what Saul, who knows something about almost everything, said:

The Global Impact of GDPR

Since 2018, with the enactment by the European Commission of the General Data Protection Regulation (“GDPR”), there has been a veritable revolution in privacy law worldwide. Although the purpose of the GDPR was to protect the personal data of residents of the European Union and the broader European Economic Area, since the regulation governs companies selling to European customers, many of which are located in the United States and elsewhere, the ripples of the GDPR have reverberated internationally. Moreover, the penalties for violating the GDPR are severe. Companies in violation of the Regulation potentially could see fines up to 4% of their worldwide revenue. The GDPR does not impose any specific restrictions on the size of the companies covered, so even relatively small companies selling into the European market and handling European customer data are covered.

Influence on Other Jurisdictions

But the impact of the GDPR has gone even further because it has influenced the laws of other jurisdictions which have also been concerned about the potential abuses of personal data collected from an unknowing public. Most notably, soon after the enactment of the GDPR, the State of California enacted its own California Consumer Rights Act, which adopted many concepts introduced by the GDPR. Updated in 2023, the California Privacy Rights Act (“CPRA”) represents the most comprehensive U.S.-based legal regime protecting the rights of U.S. residents. However, as in the case of the GDPR, it affects many companies not even based in California, but which sell to customers located in California.

CPRA and its Coverage

Unlike the GDPR, the CPRA does not cover all companies, only those with gross revenues of over $25 million annually, or those that buy, sell, or share personal information of 100,000 or more California residents, or derive at least 50% of their annual revenues from selling the personal information of California residents. Nonetheless, the potential for the law to focus at some point on smaller companies, and/or for other states to begin regulating companies that handle customer information more broadly, is a prospect that cannot be ignored.

Meeting Evolving Industry Standards

Moreover, as illustrated by Best Fashion’s failure to engage Advertising Plus, the challenge is not just dealing with government regulators but meeting evolving industry standards that may be even more stringent than what the applicable law requires. In sum, many vendors are standardizing their data management processes to meet the requirements of the most stringent privacy laws, i.e., the GDPR and CPRA, and so are increasingly requiring their customers to do the same.

The Importance of Privacy Policies

Under both the GDPR and the CPRA, covered companies are required to post privacy policies. These policies must contain information, among other things, on the type of data collected, how it is stored, whom it may be shared with, and the terms governing incentives a company may be providing to customers to supply their personal information. But what is the Personal Identifying Information (“PII”) that is of such concern to regulators? The answer is that any information supplied by customers that could identify them or their families would be considered PII. PII could include names and addresses, email addresses, geographic location, phone numbers, IP addresses, credit card numbers, and social security numbers.

Uncovering Hidden PII

But the collection of PII is not always obvious. It is not just information consciously supplied by customers but could also include information that is collected from customers, usually by way of cookies, which are small bits of information that are downloaded to a customer’s computer when they browse a website or make a purchase. Through cookies, companies can obtain information about a customer’s buying habits, including history of purchases, other websites the customer browsed, and search terms they used to identify products they were possibly interested in purchasing.

So PII is not just information that a customer knowingly imparts to a vendor but also can cover other types of information the customer may provide without even being consciously aware of it. It is this type of information, providing insight into the patterns of a customer’s online behavior, that has become the stuff of targeted online digital advertising, allowing vendors to send specifically crafted digital advertisements to persons who have previously indicated a potential interest in the product or service being sold. This is why a pregnant woman who has shopped online for maternity clothes may subsequently be inundated with advertisements for diapers, babywear, and formula.

Empowering Data Subjects

The point of the GDPR, the CPRA, and other evolving legal regimes governing the management of PII, is to make persons who make online purchases aware of the type of information collected from them and how it may be used. But such statutes do not require the posting of privacy policies merely to serve an educational purpose; they also require it to make customers aware of certain rights they have to manage their own PII. This is the revolutionary feature of evolving privacy rights law. Vendors may have the right to collect PII, but the person who imparts the PII, the so-called “Data Subject,” has the right to know what data is being collected; has the right to have such PII deleted or corrected; and has the right to limit the vendor’s use of such data by, for example, opting out of processes that would allow the vendor to sell or share the data with others or use the data in certain ways, such as for the purpose of targeted digital advertising.

Comprehensive Privacy Policies

In sum, privacy policies can no longer be limited to advising customers, generally, that their personal information may be collected. They are now expected to be comprehensive documents designed not only to educate the public concerning the types, sources, and uses of PII, but also to explain the ways in which the uses of this data can be controlled and managed.

Future Exploration

In our next series of articles, we will explore, in more depth, the rights of members of the public to manage their own personal information and the impact these rights are having on companies and their vendors. As we will see, drafting a compliant privacy policy is only the first step. The challenge is in creating a data management infrastructure that can allow a company not only to know where its data actually is, but also to be able to access specific customer information as may be required.

The Takeaway

The evolving legal requirements governing the use of personal information require that all companies review their privacy policies with their counsel to ensure compliance with the requirements of prevailing law. The European Union and the State of California have spearheaded a revolution in this area that portends dramatic changes in the laws of many other jurisdictions. Their privacy laws are leading the way, compelling the rest of us to follow suit.
