A Brief Primer On The History Of Privacy Policies
Privacy policies geared toward companies operating online have been around practically since the advent of the Fourth Industrial Revolution, when digital technology and the internet made the electronic collection of personal information increasingly ubiquitous. Thus, even before the flurry of recent privacy laws, such as the GDPR and the CCPA, came into effect, there was a steady move toward providing users of websites and apps with at least a minimum amount of clarity about what information was collected and processed.
As technology and the associated tracking and data-backed advertising proliferated, with “data becoming the new oil,” there was a growing concern among consumers and governments about the potential for abuse or danger from such unbridled collection and processing of personal information. Spurred by incidents where personal data was used for what were perceived as nefarious purposes, new, often complex, and potentially arduous privacy laws have been passed rapidly.
The Size and Type Of Business
The Data Processing Activities Of The Business
The Location Of The Business
The Location Of Customers
Beyond the physical location of a business and its legal nexus, in the context of privacy laws, more focus is put on the location of the persons having their personal information collected or processed. For example, the European Union’s GDPR focuses on residency in the EU, and the CCPA uses the terminology of “California consumers.” Therefore, though a business might be outside of the EU or California, it very well might be subject to the regulations contained therein if it collects personally identifiable information (PII) of residents of a jurisdiction with a privacy law framework with extraterritorial reach.
Updates As The Privacy Law Regulatory Landscape Evolves
Handling Requests Relating To Consumer Rights
Another common theme that runs through the current privacy law frameworks revolves around requests from consumers exercising their rights under the relevant regulations. For instance, under both the GDPR and CCPA, a consumer has the right to contact the company that has collected their personal information and request that such information be provided or deleted, among several other Data Subject Access Requests (DSARs). A whole host of nuances come into play with such requests, including how to respond and under what legally allowed timelines, among other legally mandated procedures. Not following the required methodologies can result in regulators deeming a business to be non-compliant and subject to enforcement measures.
What If There Is Regulatory Action?
The Dynamic Nature Of The Privacy Law Landscape