Compliance Begins With Careful Assessment of Data Collection, Lawyers Say
Among the first steps toward compliance is determining what privacy laws and regulations apply to your organization, said Downs Rachlin lawyers in a blog post Wednesday. But it's "no easy task," said Matthew Borick and Jennifer Drake: Start with a careful assessment of "your data collection practices" and "don’t assume you’re exempt."
Whether a law or regulation applies "depends on a variety of factors," they said. Especially with the more recent privacy laws, which are mostly state-level, several considerations go into this assessment.
Who the customers are and where they are located are the first things to look at, as most laws apply based on where consumers are residents, the lawyers said. The type of data collected also matters, as "not all information that could identify an individual is covered," though many more recent laws have broad definitions.
"Under most U.S. state privacy laws ... personal data is covered only where it pertains to consumers who are acting in an individual or household context and not in a business, commercial, or employment context," so circumstances matter, Borick and Drake added. Also, the attorneys noted that some laws depend on the amount of revenue a business derives from selling personal data, while others have applicability thresholds tied to total annual revenue.