This is a question I get all the time. While the landscape is always changing, and there are numerous schools of thought driving the new era of privacy compliance and what counts as identifiable information, there are a couple of key questions to ask yourself as a business owner to properly assess your compliance requirements.
1. Personally Identifiable Information. Do I collect, store, use or transfer/share personally identifiable information (PII) in my business? PII can be comprised of:
- Individual person’s names (first, last)
- Addresses: Residential, Mailing or Business (including zip codes)
- Dates of birth
- Any individually identifiable account numbers, including, but not limited to:
  - Credit and/or Debit Card Number
  - Bank Account Number
  - Investment Account Number
  - Customer ID
- Social Security Numbers
- Telephone Numbers
- E-mail addresses
- IP Addresses
- Photographs or other images
- Biometrics (fingerprints, facial prints, iris scans)
2. Regulated industry sectors. What kind of business do I run? While almost every business sector is subject to some level of privacy compliance under state laws alone, the following sectors have privacy-specific federal regulations in place.
- Healthcare (HIPAA)
- Financial Services, including banking, investing, insurance and credit management (GLBA / FCRA)
- Children online (COPPA)
- International Business and Employee Management (EU, PIPEDA, APEC)
- Consumer Protection, Generally (FTC Act, Section 5)
If your business uses PII or if your business is regulated by one of these federal statutes, you must have a plan for privacy compliance. While every situation is different, such a plan should ensure your company clearly addresses the following principles, in both policy and practice:
A. Notice. Customers are told at the time of PII collection why it is needed and for what business purposes it will be used. Such notice should be clear, conspicuous and written in plain language.
B. Choice/Consent. Customer PII should only be gathered with the customer’s permission, or consent. A customer must agree to the use of their PII prior to such use.
C. Access. To the extent possible, customers should have the right to review their PII to ensure such information is accurate.
D. Security. Commercially reasonable means should always be used (and updated) to protect PII against unauthorized use.
E. Limited Use. PII should only be collected, stored, used and shared for a specific authorized purpose. This purpose should have already been authorized by the customer at the Notice/Choice/Consent phase.
F. Minimal Use. Only the minimum amount of PII required to complete the authorized transaction should be used.
All this being said, privacy compliance does not have to be an insurmountable, drawn-out, painful and expensive process. But you need to have a plan. Do you? The time to find out is not when you have a data breach or privacy incident. And yes, I meant WHEN, not IF.