So you know what information you will collect, how you will use it, where you will store it, how you will secure it and with whom you will share it. Put all of this information in a “privacy policy” and you’re done, right?
Wrong.
Following is our list of the top privacy law questions every tech start-up should ask itself before drafting a privacy policy.
1. Do we receive any health information from health plans, health care clearinghouses or other health care providers?
If you do, you may be required to comply with the Health Insurance Portability and Accountability Act as a “business associate” (see 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e), as modified by the HITECH Act of 2009). This means you will have to have a written agreement with the provider of the information (the “covered entity”) that describes your permitted and required uses of protected health information; promises that you will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law, and that you will report misuses of the information and any breaches; promises that you will use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract; and ensures that any subcontractors that create, receive, maintain or transmit electronic protected health information do the same.
2. Do we store, process or transmit payment card information or sensitive authentication data?
If so, you will need to comply with the requirements of the Payment Card Industry Data Security Standard (“PCI DSS”). Among other things, this standard requires that you implement certain security controls, such as performing security assessments or, in some cases, hiring a third party to conduct them. The risks of noncompliance are monetary penalties, violation of state laws and exclusion from the major payment card systems, such as Visa and Mastercard. If you outsource payment handling entirely, then you don’t have to comply with PCI DSS yourself. But you should choose your vendor carefully. And you should make sure your agreement with the vendor provides that the vendor will comply with PCI DSS in handling your customers’ data.
3. Do we collect personal information from children under the age of 13?
If you do, you will need to comply with the Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. § 6501, et seq., as implemented by 16 CFR Part 312. And if your immediate answer is no, you should look at that answer closely. The rule defines “personal information” broadly to include geolocation data down to a street name, as well as any persistent identifier. The rule also defines “collecting” broadly to include letting information be made publicly available on your website/app, passively tracking a child, or even the collection of such information by another company through your website/app (e.g., through an ad network or plug-in) if your website/app is “directed to” children. COPPA’s requirements are numerous but include, among other things, obtaining “verifiable parental consent” before collecting personal information from a child, providing notice of your practices with respect to that information (including a list of all operators collecting or maintaining it), and allowing parents to review, update or delete the information.
4. Do we collect any sensitive information, such as Social Security Numbers (“SSNs”)?
If so, you will want to do a couple of things. First, you should consider whether your security measures are reasonable. The Federal Trade Commission (“FTC”) has authority under 15 U.S.C. § 45 to bring actions against “unfair or deceptive acts or practices” (and each state has enacted its own version of that Act). The FTC uses this power to bring enforcement actions against companies for failing to employ “reasonable” security measures to protect personal data. “Reasonableness” is a sliding scale: the more sensitive the data, the more security measures you need to take in order to reasonably secure it. Generally, SSNs and similarly sensitive data should be encrypted, at least during transmission. Second, you should investigate whether you are required to comply with Massachusetts General Law Chapter 93H and its implementing regulation, 201 CMR 17.00, which require entities that store or use personal information about Massachusetts residents to develop and enforce a written information security plan.
5. Do we knowingly collect any information from individuals outside of the United States?
If you do, you should take steps to comply with the local laws of the jurisdictions in which those individuals reside. This may take the form of engaging local counsel to review your privacy practices for compliance. Or, if there is an applicable agreement between the United States and that country or group of countries, it may be accomplished by following the steps outlined in that agreement. For example, the United States has a “safe harbor” agreement with the European Union. To qualify for the U.S.-EU Safe Harbor program, an organization can join a self-regulatory privacy program that adheres to the U.S.-EU Safe Harbor Framework’s requirements or develop its own self-regulatory privacy policy that conforms to the U.S.-EU Safe Harbor Framework. The safe harbor requires that companies provide individuals with certain notices, choices and access to their data, ensure those principles apply to onward transfers of the data, maintain the integrity and security of the data and provide an easy enforcement mechanism.
If you answered “yes” (or “maybe”) to any of these questions, consider contacting an attorney in Taft’s Start-Up and Growth Companies practice. We will be happy to advise you and make sure that data privacy and security laws aren’t a stumbling block to your venture’s success.