A Brief Primer On The History Of Privacy Policies
Privacy policies geared toward companies operating in the online world have been around practically since the advent of the Fourth Industrial Revolution, when digital technology and the internet made the electronic collection of personal information increasingly ubiquitous. Thus, even before the flurry of recent privacy laws such as the GDPR and the CCPA came into effect, there was a steady move toward providing users of websites and apps with at least a minimum amount of clarity about what information was collected and processed.
As technology and associated tracking and data-backed advertising proliferated with “data becoming the new oil,” there was a growing concern among consumers and governments about the potential for abuse or danger from such unbridled collection and processing of personal information. Spurred by incidents where personal data was indeed used for what was perceived as nefarious purposes, new, often complex, and potentially arduous privacy laws have been passing at a rapid pace.
The Size and Type Of Business
The Data Processing Activities Of The Business
The Location Of The Business
The Location Of Customers
Beyond the physical location of a business and its legal nexus, in the context of privacy laws, more focus is actually put on the location of the persons who are having their personal information collected or processed. For example, the European Union’s GDPR focuses on residency in the EU, and the CCPA uses the terminology of “California consumers.” Therefore, though a business might be outside of the EU or California, it very well might be subject to the regulations contained therein if it collects personally identifiable information (PII) of residents of a jurisdiction with a privacy law framework that has extraterritorial reach.
Updates As The Privacy Law Regulatory Landscape Evolves
Handling Requests Relating To Consumer Rights
Another common theme that runs through the current privacy law frameworks revolves around requests from consumers exercising their rights under the relevant regulations. For instance, under both the GDPR and CCPA, there are rights where a consumer can contact the company in question that has collected their personal information and request that such information be provided or deleted, among several other Data Subject Access Requests (DSARs). There are a whole host of nuances that come into play with such requests, including how to respond and under what legally allowed timelines, among other legally mandated procedures. Not following the required methodologies can result in regulators deeming a business to be non-compliant and subject to enforcement measures.
What If There Is Regulatory Action?
The Dynamic And Ever Changing Privacy Law Landscape