Complying with UK and EU data privacy regulations often presents a significant challenge for startups based in those regions. UK and EU startups expanding to the US similarly need to be aware of US data privacy regulations and whether their existing efforts will be sufficient.
1) Do I need to care about US privacy law if I don’t have offices in the US?
Yes, if you have US users or customers. The authority of the US Federal Trade Commission (FTC) extends to acts or practices that cause, or are likely to cause, reasonably foreseeable injury within the US or involve material conduct occurring within the US. The FTC has used that authority in the past to bring actions against companies outside the US that have engaged in activities affecting US users.
2) What are the main US privacy issues I need to worry about?
a) Do what you say and say what you do. Make sure your privacy representations are truthful and complete.
b) Secure the data you collect, particularly sensitive data. Make sure your cybersecurity house is in order. Data breaches can be enormously costly, both financially and reputationally.
c) Determine which US privacy laws apply to you, and make sure you comply if they do. Common trip-ups include knowingly collecting information from children in violation of the Children’s Online Privacy Protection Act (COPPA) and running afoul of the Telephone Consumer Protection Act (TCPA) when using text messaging for marketing. There can be harsh consequences for non-compliance.
3) If my company complies with UK/EU privacy law, is that enough?
4) What does the US privacy law landscape look like?
Unlike the comprehensive UK and EU data protection regulations with which you may be familiar, US federal and state laws typically address data privacy issues on a sector-specific basis.
For example, if you offer services to hospitals or other healthcare providers and receive information about their patients, you likely need to comply with regulations under the Health Insurance Portability and Accountability Act (HIPAA), enforced by the Department of Health and Human Services. Other sectoral regulations include the Gramm-Leach-Bliley Act (GLBA) for financial account data, the Fair Credit Reporting Act (FCRA) for information contained in consumer reports, the Video Privacy Protection Act (VPPA) for video viewing information, and the TCPA and CAN-SPAM Act for phone and email marketing.
More generally, if you offer an app or website that collects information from children under the age of 13, you need to comply with regulations that implement COPPA, a law enforced by the FTC.
In addition to these specific laws, the FTC commonly brings privacy and data security cases against companies based on its broad authority to stop “unfair or deceptive acts or practices.”
Activities that may lead the FTC to act include:
(1) failing to keep privacy promises (e.g., offering an opt-out that doesn’t work);
(2) making material changes to privacy policies without adequate notice and consent;
(3) failing to keep security promises (e.g., saying data is encrypted when it isn’t); and
(4) failing to use reasonable security measures to safeguard consumer information (e.g., failing to patch well-known vulnerabilities, which leads to a data breach).
Other states impose data security requirements for customer data and restrict the collection and use of biometric information, like fingerprints and face scans. If you experience a data breach, virtually all states have laws that require you to send breach notifications to affected consumers if certain types of information are impacted, which can vary state to state. And, some states have their own general consumer protection laws and frequently join the FTC and other states in privacy actions or bring their own privacy actions independently.
Finally, many self-regulatory bodies issue additional rules and guidance for member companies in various industries. For example, online interest-based advertising is covered by two self-regulatory groups, the Network Advertising Initiative (NAI) and Digital Advertising Alliance (DAA), who police their members’ compliance with the privacy rules they issue. If your startup operates in the online advertising space, it’s very likely you will have to comply with these rules even if you aren’t a member, as members you may do business with often impose these rules by contract for their own compliance purposes.
5) What are the consequences for not complying?
Additionally, some privacy laws, such as the TCPA and VPPA, allow for private rights of action and frequently attract expensive class action litigation.
While this primer should get you started, you’ll ultimately want to check with US counsel to make sure you’re following the right approach for your business.
Post produced in partnership with Lydia Parnes, Chris Olsen, Edward Holman, and Daniel Glazer at Wilson Sonsini Goodrich & Rosati. Lydia can be reached at firstname.lastname@example.org, Chris at email@example.com, Edward at firstname.lastname@example.org, and Dan at email@example.com.
The foregoing does not constitute legal advice and should not be relied upon for business or legal decision