IP Essentials: Q&A Series

Q Which jurisdiction has the most comprehensive privacy laws?

A Internationally, the European Union’s General Data Protection Regulation (GDPR), which regulates the processing of personal data within the European Union, is considered to be the most stringent and comprehensive. Within the United States, California’s CalOPPA and CCPA combine to form the most robust privacy regulations among the currently existing privacy laws. For companies dealing with medical information within the United States, additional consideration should be given to HIPAA and GINA requirements.

Q What are the compliance requirements for sharing consumer data with a third party?

A Most data privacy laws include procedures and restrictions on sharing consumer data with a third party, such as notification and opt-in requirements and limitations on data processing. These procedures and restrictions apply to the selling of customer data, and also to the transfer of data to third parties for purposes such as storing information collected from customers in “the cloud” through a cloud storage provider, using a mail carrier to ship products, collecting online analytics or cookies, sharing a mailing list with an email marketing company, and more.

Q How can my company ensure compliance with the privacy law requirements?

A As a company, you should focus on creating a robust data security protocol for internal use and a data privacy policy to be provided to consumers. Among the things to be considered are:
• taking stock of the types of personal information you are collecting from consumers and creating different levels of security depending on the sensitivity of the data;
• scaling down the amount of data collected to only what is absolutely necessary to run your business, and keeping the data only as long as you need it;
• developing physical and electronic security protocols to protect the data you collect and to limit access on a “need-to-know” basis;
• implementing a policy for safe and responsible information disposal; and
• creating a plan for responding to security incidents.
Additionally, your data policy should be easily accessible and clearly spelled out for the consumer, and should detail what data you collect and how that data is used, with clear instructions on how consumers can access and consent to the collection, sharing and use of such data.