As businesses gather an increasing amount of consumer information, consumers’ concerns about who knows what about them are becoming more pronounced and businesses’ legal obligations regarding that data are becoming more complex. Pew Research reports that many consumers have elected to not use a product or service due to concerns about how a business may use (or misuse) their data. In response to these concerns, numerous states have enacted consumer privacy laws with seemingly conflicting standards on what information businesses may collect, what they may – and may not – do with this data, and what level of notice they must give to and permission they must obtain from consumers before collecting and using consumers’ personal information. Many states, including Michigan, have similar statutes working their way through state legislatures.
Against this backdrop, Congress is currently considering enacting a national data privacy standard. Until such a standard is enacted, businesses must consider the following factors when collecting consumers’ data:
- Which businesses are subject to each state’s privacy law. Thresholds for which businesses are subject to state data privacy laws include the amount of revenue a company generates, either overall or through certain endeavors relating to the sale of personal data; the number of consumers whose data the business possesses; and whether the business processes or controls personal information in the applicable state.
- What constitutes “Personal Information” and “Sensitive Personal Information.” Personal information generally means information that can be used to identify, relates to, describes, or is associated with an individual, but each state’s definition of “Personal Information” or “Personal Data” has a slight variation on this general description. The definition of what constitutes “Sensitive Personal Information” varies even more from state to state, with many statutes including racial and ethnic origin; religious beliefs; information relating to mental and physical health; sexual orientation; and genetic and biometric data in the category of “Sensitive Personal Information.” Some, but not all, definitions of “Sensitive Personal Information” include geolocation data; information provided by a minor; and citizenship status.
- Whether businesses must allow consumers to opt out of the sale or use of their personal information and sensitive personal information. Most jurisdictions mandate that consumers may opt out of the sale or use of their personal information or sensitive personal information. Some states are more specific about the type of use from which consumers may opt out, while others allow consumers to opt out of all transactions that include their personal information. Other differences include what constitutes a “sale” of personal information and whether businesses may treat consumers who have opted out of a sale of their personal information differently than consumers who have not.
- Whether consumers must opt in before businesses use their personal information and sensitive personal information. Some states require opt in, and virtually all state privacy laws contain a requirement that businesses collecting consumers’ information inform the consumers at the point of collection which data is being obtained and the purpose or purposes for which the data will be used. Additional requirements include notifying consumers how long the business will retain their data and how consumers may exercise any individual rights they have under the applicable statute or regulations.
- Whether consumers can access, correct, and delete their information — and how. Most state privacy laws require that businesses disclose what information they have collected about consumers and allow the consumers to correct or delete this information. However, the means of this disclosure, including limits on how frequently a consumer may make such requests, vary from state to state.
Rhoades McKee shareholder Hal Ostrow, CIPP/US, regularly advises clients on cybersecurity, privacy, data aggregation, information technology, and public policy. He and other members of the Rhoades McKee Technology Transactions, Privacy, and Cybersecurity Team are available to answer any questions you have about state and federal data laws, rules, and regulations.