It has become difficult to imagine commercial transactions outside the digital space. Whether a sale originates from online marketing, is paid for through a digital payment method or is completed inside a payment application, the data sent through these processes is what makes the transaction possible. Even the simplest transactions use data to tailor offers to the customer. These structures are built on one of the most valuable assets in a digital economy: user data, or, as most data and privacy laws call it, 'personal information'.
Notably, companies do not own this asset. It is borrowed from the user, so it is not yours to lose. How, then, do you safeguard and protect user data?
For now there is no single global regulation, so the answer depends on where you operate and whose data you hold. Below we look at OECD jurisdictions, namely the European Economic Area (EEA), Australia and the United States, to gauge the overarching principles that are likely to inform other jurisdictions' future legislation. This also shows how you can future-proof your operations today.
European Economic Area
At the forefront of data protection is the European Union's General Data Protection Regulation (GDPR). It provides a robust framework for protecting personal information and places the burden of safeguarding personal data on controllers and processors. Any company that intends to participate in the global economy should aim for GDPR compliance, simply because it casts the broadest net of the regulations so far and other jurisdictions are likely to follow it. It also applies extraterritorially: a company established outside the EEA is caught if it offers goods or services to people in the EEA or monitors their behaviour there.
By comparison, Australia adopted a set of Australian Privacy Principles in the Privacy Act 1988 (Cth). The Act governs how companies handle personal information in transactions with customers, with third parties and within their own operations. Australia has been reviewing this Act, and the law is likely to be strengthened, including higher penalties for the misuse of information and a broader definition of what counts as personal information. The tech and startup sector will likely feel the effects soon; if you want to avoid being caught in the ripple, review your policies and procedures now to see whether major changes are needed to stay compliant.
In the United States, many different laws govern commercial transactions and the use of personal information. Adding to the complexity, there is no comprehensive federal privacy statute; apart from sector-specific federal laws, privacy legislation sits at the state level, so no nation-wide standard applies systematically. State privacy acts are also geographically limited in their reach: each regulates operations within the state and protects that state's residents. Because digital commerce crosses state borders, it is often unclear which laws a company is captured by. The safest approach is a cautious one: comply with the strictest of them and with as many as possible.
The pioneering laws in the US are the California Consumer Privacy Act (CCPA) and its recent amendment, the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (ColoPA). These jurisdictions are breaking ground in privacy protection and should be monitored for their impact, as they are likely to serve as models for other jurisdictions' treatment of personal information.
Recent legislative trends are moving towards stricter user data protection. Anyone wanting to do business in the US should therefore not only comply with existing laws but also anticipate new regulation. State lawmaking is careful and slow, which makes it hard for regulation to keep pace with technology. This is why companies should review their internal data protection measures even where those measures go beyond current local legislation. Future governance of privacy rights will almost certainly focus on data security (from a cyber security perspective), user education and disclosures, operational transparency, and users' control over their own data.
From this broad array of laws we can set out some principles for how a business should handle its user data.
5 Global Privacy Principles Tech Companies Should Think About
Open, transparent and fair treatment of personal information
Companies must have mechanisms in place that let users understand how their information is being collected, used and stored. As a first step, think carefully about what kind of information you are collecting from your users and whether you need all of it.
Collection methods & consent
Companies may only collect personal information fairly and lawfully. European, Australian and US privacy laws all recognise that customers are at a disadvantage when entering into agreements, and they therefore give data subjects a right to more information and more opportunities to make informed decisions.
Browse-wrap provisions (terms and conditions that users are deemed to accept simply by continuing to use the site or platform) were once considered sufficient for internet transactions. They are now being treated as inadequate in more and more jurisdictions, because they rely on users going looking for the terms themselves and so fail to properly inform users of the rights and obligations they are agreeing to.
The trend is now shifting towards affirmative opt-in consent, sometimes with a confirmation step (double opt-in), where reading, or at the very least being shown, the terms and conditions of a product becomes a prerequisite for proceeding with a site visit.
Specific purpose and secondary use
Companies must disclose specifically what they will use user data for. Certain secondary purposes are allowed, but they must be closely related to, and compatible with, the disclosed main purpose. For instance, in healthcare, patients consent to the use of their personal information primarily so that the hospital or clinic can diagnose and treat them. The hospital can also use some of that (selected) information for the secondary purpose of public health disease reporting.
One way companies handle this is through a 'pre-emptive notice of an intention', which sets out the company's intent to potentially use the data for an alternative purpose. Stating the secondary purpose up front reduces the risk that a later use is challenged as a misuse of personal data. Note that notice alone does not make an incompatible purpose lawful: under regimes such as the GDPR the secondary purpose must still be compatible with the original one or rest on its own lawful basis.
Right to updated and accurate information
Users have a right to access their information, to correct it and to have it kept up to date. This also benefits companies, as it encourages them to manage and maintain their data assets. The key interest being guarded here is the user's control over their own data, whether that means keeping it accurate or having it deleted.
Security and access
Companies must keep personal information secure and restrict access to the personnel who actually need it for their role (the principle of least privilege), rather than making it broadly available within the company. The key standard here is usually framed as 'reasonable' or 'appropriate' security measured against current industry practice. That is a dynamic standard: it requires ongoing training, process evaluations and performance audits, as well as auditing of the overall systems and operations that hold the data.
If you need assistance developing your privacy policies in line with these principles, then let us know and our team of global lawyers can build something tailored for your processes.
Implementing Privacy Principles
Customer data should be treated the same way you would treat any other capital of your business: zealously and diligently. There have been a number of significant violations by tech companies that collected and used personal data for targeted marketing without proper consent. This behaviour has resulted in multimillion-dollar fines, in some cases threatening the survival of the corporations involved.
Not every company has an in-house legal team able to do this work. Hiring external counsel can help, but only if those lawyers understand data and privacy and how both operate in your business. Privacy policies that are not suited to your operations may do more harm than good.
At Biztech, we tackle these issues daily with our team of industry experts and specialists. We play the role of external general counsels for global tech companies, and help them achieve their goals while staying compliant with multi-jurisdictional regulations, without compromising on their mission as service-oriented companies.