We are kicking off a new blog series here at FIC designed to provide businesses with the basics on privacy law and some tips on where and how the law can make life simpler, or perhaps more complicated. The impetus for my idea to do the series finds its roots in a few things.
1. Everything old is new again. When you have been at privacy as long as I have, you give a lot of presentations and webinars on the topic. I recently gave a talk on data governance and remarked that many of the basic tenets of good data governance have been around forever. For example, the Fair Information Practice Principles are nothing new, but are the bedrock of good privacy practice. Yet, many times, they are overlooked.
In my talk, I also shared that I often used the same slides today that I used in 2006. This fact can be both reassuring and concerning. It is reassuring in that many of the lessons and principles contained in those slides are tried and true. They work. Therefore, they hold up well, are well understood and easy to implement. It is concerning because in the more than thirteen years I have been working in privacy, there are still way too many people in my audience that are hearing such principles for the first time. Some of these people are experienced, senior leaders. Now, this is no indictment. There are lots of reasons why this is. However, it shines a light on the reality that privacy and data governance continue to be second or third tier compliance concerns.
2. Everything old is new again, again. The laws may be old, but they are still having an impact today. The reality is that in the absence of an omnibus privacy or security law in the U.S., businesses will have to navigate not just the patchwork of state laws, but the sector-specific federal laws, many of which are decades old. An interesting (or maybe frustrating) point is that even as old as they are, the laws are still being actively litigated. A recent example of such an expansion of a statute’s reach will be the subject of our first blog in this series, the Video Privacy Protection Act (“VPPA”). Drafted in a time of actual videotape and video rental stores (remember them?), the VPPA has been invoked as recently as this year in a significant case on which I was asked to comment. So, the language of the law is always important and companies need to be aware of such language in analyzing how existing or new operations will be impacted by these statutes.
3. Blurred Lines. An exciting element of business today is how quickly we can bring products to market and the low barrier to entry into those markets. But this can be a double-edged sword on the data privacy and security side as a business can easily cross over lines into regulated areas it had not originally anticipated. Companies can be regulated entities and not consider themselves to be, as we saw with Spokeo. Or companies can acquire another company. In doing so, they can assume a regulatory burden or expanded risk of liability by not looking into the company’s data practices, breach history, etc. Knowing the rules and the boundary lines is always critical before deciding to play the game.