Privacy and Data Security

Posted by Drew Larson and Brian McCormac, June 2014 (6/18/2014)


Hardly a day goes by without a headline about data security and online privacy issues. From Edward Snowden to Target to Heartbleed, the public is constantly bombarded with reasons to worry about its security and privacy online. This public scrutiny is leading to calls for new regulations and increased enforcement of consumer privacy and data protection laws. While no single article can come close to summarizing the many data security and privacy rules and regulations that exist, we will highlight some of the major rules that could apply to your business. Before describing particular rules, it is important to note that data security and privacy rules are not just an issue for internet companies like Facebook, Twitter, and Google. Rather, the rules can apply to any business that collects data about its prospects, customers, employees, or vendors.

In general, there is no comprehensive privacy or data security law in the United States. However, there are a number of federal laws that apply to certain types of data that a business may collect, and various states have enacted rules regarding data privacy and security that apply to data about their citizens. Here is a summary of some of the laws that could apply to your business:

CAN-SPAM Act

The CAN-SPAM Act regulates the use of email addresses for commercial advertisement or promotional purposes. Generally, it (i) prohibits senders of commercial emails from using misleading header information or subject lines, (ii) requires senders to identify the message as an advertisement or solicitation, and (iii) requires senders to provide a method to opt out of receiving further commercial emails from the sender. CAN-SPAM applies to a business even if it engages a third party to actually send out the marketing emails.

State Breach Notification Laws

To date, 46 states have adopted data breach notification laws that require notice to affected individuals if there is an unauthorized disclosure of certain personal information. In general, personal information is defined as a person's name plus one of the following (depending on the state): social security number, driver's license number, financial account number, medical information, insurance information, biometric information, passport numbers, date of birth, mother's maiden name, or DNA. In general, there is a "safe harbor" that allows companies to avoid sending notice if the personal information is encrypted. In addition, 35 states include provisions that only require notification if the breach poses, or is likely to pose, a significant risk of harm to the affected individuals.

Data Security Laws

A small number of states have begun to implement data security rules. For example, Massachusetts has implemented laws that require businesses that collect personal information about Massachusetts residents to implement a written information security program with appropriate administrative, technical, and physical safeguards for that personal information. Personal information is defined as a name plus an SSN, driver's license number, or financial account number. The laws specify a number of actions that must be taken, including encryption of personal information while it is being transferred electronically, implementation of secure user authentication and file access protocols, encryption of laptops and portable devices, installation of up-to-date firewall protections, and similar requirements. It is expected that more states will implement data security laws in the coming years.

Privacy Policies

While in general a commercial website is not required to post a privacy policy, a number of state laws are moving in that direction. For example, the California Online Privacy Protection Act ("CalOPPA") requires the owners of commercial websites or online services to post a privacy policy if the website collects personally identifiable information from California consumers. Personally identifiable information under CalOPPA covers any information that permits the physical or online contacting of a specific individual, such as name, address, email, phone number, SSN, and the like. The privacy policy must describe the categories of information the business collects, the categories of third parties that may receive that information, the method for notifying consumers of amendments to the privacy policy, how the business responds to "do not track" signals, and its effective date. It is also worth noting that the FTC considers a company's failure to comply with its own privacy policy a deceptive trade practice, and has increased its enforcement activities in this area.

California "Shine the Light" Law

California has also passed what is commonly known as the "Shine the Light" law, which requires companies to disclose to an individual within thirty (30) days of a request which information the company has disclosed, and to whom. The law only applies to companies that have shared certain information with a third party for their marketing use in the prior year, and there are certain exceptions if a company has clear opt-in or opt-out policies in its privacy policy. In most circumstances, the law also requires that companies include a description of customers' rights under the law as part of their privacy policy.

HIPAA

Health care providers are subject to stringent privacy and data security rules for personal health information pursuant to the Health Insurance Portability and Accountability Act ("HIPAA"). In addition, businesses that access personal health information by providing services to health care providers are also subject to HIPAA's rules as "business associates." Business associates can include software providers, service providers, lawyers, and others. Enforcement activity has been increasing in this area, and the fines can be substantial. If your business has access to personal health information, it is important that you are aware of HIPAA's requirements.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act ("GLBA") governs and protects personally identifiable financial information that is collected by financial institutions such as banks, securities firms, insurance companies, retailers that issue their own credit cards, and other similar businesses. GLBA requires financial institutions to notify customers about their information sharing practices, to provide an opt-out method for sharing with unaffiliated third parties, and to implement a written security program to protect against unauthorized disclosures.

Children's Online Privacy Protection Act

The Children's Online Privacy Protection Act is a federal law that regulates the collection of individually identifiable information about a child under the age of 13. In general, websites that collect information about a child must (i) provide certain notices to and obtain certain consents from parents, (ii) provide methods for parents to prevent future use and collection of information about that child, and (iii) maintain procedures to ensure the confidentiality, security, and integrity of the child's personal information.

In many countries outside of the United States the rules are even more stringent. For example, if your business collects information about citizens of the European Union, there are restrictions on the transfer of that information back to the United States. In general, the trend in the United States is toward increased regulation of data privacy and security. Therefore, it is important for a business (i) to evaluate its data collection, storage, and usage, (ii) to implement a privacy policy (or confirm that it complies with its existing privacy policy), and (iii) to implement reasonable safeguards to protect the privacy and data of its customers. If you have any questions about how these laws may impact your business, please do not hesitate to contact your BrownWinick attorney.

Drew Larson is an associate at BrownWinick and practices primarily in the areas of corporate formation and transactions, intellectual property, estate planning, and tax. Drew can be reached at (515) 242-2485 or

Brian McCormac is a member at BrownWinick and assists clients with a wide range of legal concerns, including litigation, business transactions, compliance, and advertising and promotions. Brian can be reached at (515) 242-2431 or