I’m going to guess that if you’re reading this blog, you’re likely already aware that under current US law, there is no comprehensive Internet privacy protection scheme working to place limits on the gathering and use of Americans’ personal data. Most of the Western nations have such statutes in place (including all the states of the EU – and even Canada!), and I’ve little doubt that’s a boon to compliance officers mournfully tasked with keeping current on International Policy and Regulatory concerns. But apart from zeroing out your vacation hours before each legislative session, what can be done to ensure that your company’s Internet privacy policies are going to continue to fall in line with the letter of the law?
Here are a few tips to make sure you don’t bloody your nose:
- You follow any applicable state laws that may apply. (As a reminder to my fellow Texans, last year’s H.B. 300 will go into effect on 9/1/12 and will make substantial changes to our exisitng data breach notification law applicable to _all_ persons “conducting business in” Texas. This also includes anyone whose sensitive personal data was – or is even believed to have been – acquired by an unauthorized party. As you might expect, the penalties for failure to notify have also increased.)
- You make no attempt to mislead, mischaracterize or otherwise deceive your Internet users regarding your collection and use of their data.
- You maintain compliance with and awareness of any additional rules/reporting applicable to your specially-regulated industry (e.g., the healthcare or financial industries).
- Think of the children! There are incredibly strict regulations regarding dealings with children under the age of 13. Familiarize yourself with the Children’s Online Privacy Protection Act or COPPA (for pronunciation help, see: James Cagney (http://www.youtube.com/watch?v=ssdsftKZbcc)) found at U.S.C. §§ 6501–6506. Even if you’re not targeting children, you can still run afoul of the COPPA, so it’s a good thing to keep in the back of your mind.
There you have it. Subject to the above, you generally have freedom as to how you collect, store, buy, sell, use, pillage and exploit an individual’s personal data. As with any topic posted here, these thoughts reflect a snapshot in time and you _absolutely must_ continue to keep your ear to the ground for new legal developments at both the state and federal level. If you’ve ever wondered why “Compliance Officer” is a full-time job, there’s your answer.