Before discussing data privacy management, it is helpful to first understand the concept of privacy in the consumer market. A person’s legal right to privacy in the consumer market is considerably narrower than in their private life. The reasonable expectation of privacy is noted in the United States Constitution and the privacy protections provided in the Fourth Amendment.
Specifically, the Fourth Amendment states that American citizens have the right to be free from warrantless searches in areas in which they have a “reasonable expectation of privacy.” The term refers to specific areas or aspects of someone’s personal life in which a reasonable person would expect some degree of privacy.
Data privacy management, which is also commonly referred to as information privacy management, is a part of the information technology database (“IT”) that involves the ability of a company or an individual to monitor and determine which types of data stored within their computer system may be shared with third parties. In general, a company that collects a person’s data, such as a charge card number, will use a data privacy management platform to manage and protect the information that the company collects.
As for the law on data privacy management and the rules placed on companies, the laws have been rapidly expanding to protect an individual’s privacy rights and information. In fact, recent data privacy legislation, the General Data Protection Regulation (“GDPR”), went into effect on May 25, 2018, and forced companies that collect personal, identifiable information of European Union and European Economic Area citizens to comply with the new regulations.
Although the exact requirements for data management placed on a company that collects data differ by state, in general, a company must get the customer’s consent before collecting any of their data. If the company does not comply, the company will be in violation of the GDPR regulations or other state or federal data regulations.
Companies will often employ any of the following security or data protection measures to ensure data privacy:
- The implementation of security measures, such as network security or firewalls;
- The usage of non-disclosure agreements between partners of the company to keep sensitive information that has been collected private;
- Hiring a data privacy management or online security company to manage data that is collected; and/or
- Retaining legal counsel to continually monitor company privacy policies against state and federal laws as they develop.
It is important to note that there is no federal law governing online privacy in the United States.
A bill introduced in the House in 2022, the American Data Privacy and Protection Act (“ADPPA”), aimed to regulate how organizations keep and use consumer data, with the goal of minimizing the data that data collectors collected down to that which was “necessary, proportionate, and limited to” their purpose, but that bill ultimately failed.
What Are Some Common Data Privacy Violations?
Numerous data privacy violations occur every day, especially in the online marketplace. The most common data privacy violations involve the consent of the person whose data is being collected. If a customer’s personal information, such as a Social Security number (“SSN”), is sold to a third party without that customer’s consent, then the company will likely have broken the law concerning that individual’s privacy rights.
As mentioned above, there is no federal law concerning online privacy. In fact, it is legal for private firms to sell or reveal an individual’s Social Security number. When Congress passed the Federal Privacy Act in 1974, it restricted the government’s use of SSNs, but the Act failed to address the private sector’s collection and distribution of SSNs.
However, recent legislation passed by Congress and enforced by the Federal Trade Commission (“FTC”) limited public access to information collected by database companies. Under the agreement, all three major credit bureaus agreed to limit public access to an individual’s private information. However, compilers of public records are still free to share a person’s information that is collected online with many commercial firms, such as lawyers, debt collectors, hospitals, insurers, law enforcement agencies, banks, and even employers.
An individual’s SSN is utilized in numerous different ways online, and may also be accessed in many different ways. For example, an individual’s SSN may appear on their driver’s license, on their child’s birth certificate, or on any application for government benefits, such as Medicare or Medicaid.
As for global data privacy, when the new GDPR regulations went into effect, companies around the world scrambled to update their privacy policies to ensure their compliance with the rules. Even though many companies did not have a legal presence in the EU or EEA, so long as they had just one customer from any of those countries, they had to be in compliance or run the risk of being punished for a data privacy violation.
Examples of other common data privacy violations that may result in criminal penalties include:
- Revealing a private employee’s information to other employers or individuals without the employee’s consent;
- Posting an image of a person’s face in any fashion without that person’s consent;
- Data breaches of a company’s database that stores a consumer’s information, such as their charge card account number;
- The use of fraud, misrepresentation, or deceit in order to obtain an individual’s personal information;
- Identity theft, wherein a person with access to a database steals a person’s identity or sells it to another person who intends to use their identity for financial gain; and/or
- The disclosure of an individual’s sensitive information for financial gain in another circumstance, such as for direct advertising purposes.
Are There Any Legal Remedies for Data Privacy Legal Issues?
In short, yes, there are legal remedies available for an individual who has had their private data accessed or distributed without their consent. In instances where a data privacy breach has occurred, in addition to possible criminal penalties, suing for breach of privacy is an option for the victim.
When a civil lawsuit is initiated based on a breach of data privacy, the following are possible legal remedies for the individual who was harmed by the breach:
- Compensatory damages for the financial losses suffered by the victim of the breach;
- A court order for the implementation of new data privacy management procedures within the company to ensure there are no similar breaches moving forward;
- Punitive damages in the case where a company is grossly negligent in managing the data of its customers; and
- In certain cases, criminal penalties.
Should I Hire a Lawyer for Help with a Data Privacy Lawsuit?
If you believe that your privacy rights have been violated, it is in your best interests to consult with an experienced business lawyer. An experienced business attorney will be able to help you understand your legal rights and options according to your state’s specific privacy laws, and will also be able to initiate a civil lawsuit on your behalf, if possible.
Additionally, an experienced attorney will be able to help you determine which party may be liable for the data breach or transmission of your sensitive data. Finally, an experienced attorney will be able to represent your interests in court, as needed.