The protection of personal information is an increasingly important issue for organizations large and small across all industries. On the consumer front, data protection has traditionally been perceived as largely a “tech” issue. However, as data collection and stricter global regulations proliferate, this narrow perception is outdated. The reality is that organizations collect personal information and lots of it: whether it relates to customers, users or employees, data collection is ubiquitous.

Understanding the Patchwork of Data Protection Laws

California is among the states with the most stringent privacy laws. The California Online Privacy Protection Act (which became effective in 2004 and was amended in 2013) requires operators of commercial websites that collect “personally identifiable information” from California residents to conspicuously post and comply with a privacy policy that meets specific requirements, as well as to disclose what tracking they do. The more recent California Consumer Privacy Act (“CCPA”) carries a number of additional requirements for organizations that meet its thresholds, including a number of consumer rights. Notably, the CCPA defines personal information very broadly: the categories of personal information listed in the CCPA extend well beyond what was traditionally “personally identifiable information,” to include data such as IP addresses and device identifiers, inferences made about consumers and biometrics. The CCPA also applies where personal information is collected online and offline, meaning that many retailers, restaurant groups or more traditional brick-and-mortar companies that meet the CCPA thresholds and physically collect information must comply, even if their website is merely informational.

California, like most other jurisdictions, also requires companies to secure personal information by implementing reasonable security measures. As security breaches skyrocket, having the right security in place is critical—all the more so under the CCPA because it includes a private right of action for breaches of certain unencrypted personal information, with statutory damages that can be very costly.

Organizations based in California may also be subject to other states’ laws, federal rules and regulations (such as the Children’s Online Privacy Protection Act if dealing with children under the age of 13), as well as rules outside the United States. This depends in large part on where the individuals whose personal information the organization processes are located, as well as on the nature of the organization’s business activities and the types of personal information processed. Many businesses located only in California are, for instance, subject to the EU’s stringent General Data Protection Regulation (“GDPR”), either because they offer goods and services to individuals in the EEA or because they provide services (e.g., SaaS platforms) to organizations that are themselves subject to the GDPR. Data protection is a complex web of overlapping rules with which organizations must comply at varying levels, depending on their business and data processing activities.

So What Does This Mean?

Organizations should first take stock of all personal information they hold. At a very high level, this means identifying what personal information is collected, the sources and purposes of collection, and the third parties to whom the personal information may be disclosed. This is also referred to as “data mapping” and it is the starting point for any privacy program.

Once the inventory of personal information is complete, a privacy expert can assess the applicable laws, each of which will separately dictate what must be done to achieve compliance. One nearly standard requirement is providing accurate and complete consumer-facing policies and disclosures, because transparency is a key element of data privacy. Internal policies (that are actually enforced) also guide an organization’s protection of personal information and, even if not specifically required, will demonstrate an organization’s commitment to data protection in the event of a regulatory audit or lawsuit. Agreements with third parties and vendors that involve personal information should also be carefully crafted: understanding and monitoring the personal information supply chain is critical not only for meeting transparency requirements, but also because many data breaches begin with third-party vendors that organizations have entrusted with personal information they have collected.

The Bottom Line

Not paying attention to privacy and security can negatively impact an organization’s value in the eyes of both consumers and investors. For instance, in the context of funding, investors now almost always require companies to disclose their privacy and security practices. On numerous occasions, I have seen transactions delayed or otherwise impacted because a company simply had no privacy program in place. The same goes for M&A transactions. In addition, while California has been considered a pioneer of privacy here in the United States, other states are catching up. Many states are now considering new privacy laws, and Virginia recently adopted one, effective in January 2023, alongside the new California Privacy Rights Act, which passed by ballot initiative last year and expands on the CCPA. Finally, with data breaches through the roof, organizations must prioritize security. In other words, it is no longer possible to ignore the fast-changing landscape of data protection laws or the vastly increased security threats.

Developing a comprehensive privacy and security program may be viewed by many as costly, but in reality, much of the legwork can be done internally with the right processes and procedures and with the assistance of experienced privacy counsel to navigate the patchwork of data protection laws. One thing, however, is certain: ignoring data privacy and security is increasingly likely to be a much costlier bet.