Post Authored By: Kasim Carbide, Esq.
With the recent controversial announcement from Apple that the company will be reviewing iCloud photo uploads for child abuse images, more and more companies and consumers are paying attention to data privacy and collection.[i] The 21st century has seen the proliferation of mobile applications, smart devices, and the internet of things, which has caused consumers and governments to re-examine how and what information a company may collect on a consumer.
While some consumers may willingly opt in to data collection, many consumers are harmed by data collection and privacy practices, particularly when hackers decide to target unprotected companies like T-Mobile and compromise millions of social security numbers and driver’s licenses.[ii] Once upon a time, data collection and privacy were approached as a take-it-or-leave-it proposition. However, since the European Union’s General Data Protection Regulation (“GDPR”) was enacted, more and more states are passing legislation that raises the bar and places the power in the hands of the consumer.[iii]
The current legal framework for privacy regulation and data protection begins with an examination of the GDPR, which required privacy agreements with consumers to specify data collection practices, and further to provide consumers with a method of opting out of such practices when they are not essential to the service provided.
Closely following the GDPR, California passed the California Consumer Privacy Act (“CCPA”), which provided consumers with the right to know about the personal information collected on them, as well as the right to delete such information and opt out of data collection. The CCPA was the first legislation of its kind in the US. Colorado and Virginia have quickly followed up with their own versions of state data privacy and collection legislation.[iv] While these laws will not take effect until mid-2023, prudent businesses should begin to draft data collection and privacy provisions pursuant to these laws for maximum protection.
While these laws are not yet in effect, law firms and in-house counsel should understand them and begin incorporating specific provisions into vendor contracts, and limit downstream use to prevent being held liable for another company’s improper data collection practices. If companies like T-Mobile can be hacked due to lax data collection and security policies, nearly every business faces a cognizable risk.
Businesses need to be aware of current and pending legislation to remain compliant with data collection laws, or risk private rights of action from consumers, as well as reputational damage that often follows non-compliant collection practices.
[i] Adi Robertson, Apple’s Controversial New Child Protection Features, Explained, The Verge (Aug. 10, 2021), https://www.theverge.com/2021/8/10/22613225/apple-csam-scanning-messages-child-safety-features-privacy-controversy-explained.
[ii] Dave Sebastian and Drew FitzGerald, T-Mobile CEO Apologizes for Data-Security Breach, The Wall Street Journal (Aug. 27, 2021), https://www.wsj.com/articles/t-mobile-ceo-apologizes-for-data-security-breach-11630071045.
[iii] State Laws Related to Digital Privacy, National Conference of State Legislatures, https://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-related-to-internet-privacy.aspx (last visited Sep. 3, 2021).
[iv] Virginia Passes the Consumer Data Protection Act, International Association of Privacy Professionals, https://iapp.org/news/a/virginia-passes-the-consumer-data-protection-act/ (last visited Sep. 3, 2021).
About the Author:
Kasim Carbide concentrates his practice in Corporate Law, Bank Secrecy Act/Anti-Money Laundering Compliance, and counseling FinTech startups. When he is not reading or billing, Kasim enjoys cooking, watching The Office, and playing Catan with family and friends.