Navigating the Privacy HodgepodgePosted 2013-04-01 Email Print
No single privacy law blankets the country. Instead, there is a crazy quilt of laws with which every organization doing business in the U.S. must comply.
· Children’s Online Privacy Protection Act (COPPA): The act originally went into effect in April 2000, addressing the online collection of personal information from children under 13. It requires a notice containing specific details about information practices to be posted on the home page and each area of the Website where personal information is collected from children.
COPPA was updated in December 2012, because of changes in online technology made since the law was originally enacted. The final amended rule, which will be effective in July 2013, includes modifications to the definitions of operator, personal information, and Website or online service directed to children. The amended rule also updates the requirements set forth in the notice, parental consent, confidentiality and security, and safe harbor provisions, and adds a new provision addressing data retention and deletion.
· Family Educational Rights and Privacy Act (FERPA): This1974 act protects the privacy of student education records, giving parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. The act was updated in January 2012, allowing for greater disclosures of personal and directory student-identifying information, and regulating student IDs and email addresses, among other issues.
Currently, no comprehensive federal privacy framework exists. In its absence, most states have developed privacy legislation for their constituents, which is burdensome for organizations doing business in more than one state.
Many state privacy regulations deal with data breaches, but not just to protect citizens from businesses. According to the Privacy Rights Clearinghouse Chronology of Data Breaches, government organizations alone had more than 16 million records affected by data breaches since the start of 2012. Forty-six states have now enacted legislation requiring that organizations notify citizens of security breaches involving personal information. Only Alabama, Kentucky, New Mexico and South Dakota do not have such laws.
The first state to enact a data breach law was California, but the state with perhaps the strictest such laws is Massachusetts. 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth set a new level in state security laws by regulating both the private and public sector entities that handle Massachusetts residents’ sensitive data, regardless of where that entity is located. Massachusetts was the first state to require a comprehensive written information security program, enabling entities to take proactive steps to prevent data breaches and security incidents.
Privacy advocates do not anticipate Congress passing comprehensive privacy legislation any time soon. Instead, they anticipate federal bills that address very specific topics, such as the Application Privacy, Protection, and Security Act of 2013 (APPS Act), which covers the use of data collection on mobile devices.
At the state level, companies can expect more statutes such as those recently passed by Maryland, Illinois and California, dealing with the use of social media and electronic information in employment background screenings or job application screenings. Employers in these states are prohibited from requiring employees or prospective employees to share their password so as to give employers access to their Facebook or other social media accounts.