Consumer Protection Acts, Litigation & Risk Management

Table Of Contents

The Privacy Compliance Challenge 

A growing number of privacy and data protection regulations are being implemented in the US and worldwide. Businesses face an array of international, federal, state, and contractual obligations. How can a company maintain multi-compliance in an efficient, cost-effective manner? The answer is to build a centralized risk-based privacy program that maps to your matrix of laws and contractual requirements in a customized apply-once, comply-many solution. 

Truvantis® can assist your organization in complying with privacy standards by evaluating your environment and applications end-to-end and designing a risk-based, actionable roadmap of steps to achieve privacy compliance. 

Read on to explore the most common privacy standards that apply to you and learn more about our privacy consulting services. 

What is Privacy? 

In the context of statutory requirements, privacy is the right of consumers to have full knowledge and reasonable control over their personal information (PI). The laws define PI and business's responsibilities when collecting, processing or sharing PI.  

PI is generally defined as "any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household is personal information." 

HIGH-RISK PI POTENTIALLY SUBJECT TO LEGAL ACTION: 

  • Social Security Number 
  • Driver's License Number 
  • Credit Card and Bank Account Information 
  • Medical Information 
  • Biometric Data 
  • Criminal History 
  • Racial, Ethnic Origin, Religious Beliefs 
  • Political Opinions, Philosophical Beliefs 

What is the Relationship Between Security and Privacy? 

Simply put, you can have an excellent cybersecurity program and not have data privacy; however, you cannot have data privacy without cybersecurity. For example, if a data breach occurs, resulting in lost PI, any privacy controls in place are rendered ineffective. Cybersecurity and Privacy are distinct. You can think of privacy as being built on or an extension of cybersecurity. 

A robust cybersecurity program includes a risk assessment, determining priorities, plan and remediation. A privacy program adds a data flow analysis, privacy policy creation, controls, training and monitoring and savvy businesses combine disciplines and deploy a centralized risk-based cybersecurity and privacy program.  

The Value of a Risk-Based Privacy Program

A risk-based assessment translates cybersecurity and privacy risk onto the business domain. A risk-based approach allows executives to make logical decisions balancing against other business priorities. A risk assessment also looks at the cost of remediation versus the risk of doing nothing against a specific vulnerability. 

Concerning privacy laws, the business risk is legal action resulting in penalties, fines, loss of reputation, and business disruption. Risk to the business equals the threat of privacy action times your exposure or vulnerability times the probability of facing legal action when the threat manifests.  

Risk = Threat x Vulnerability  x Probability 

RISK TREATMENT OPTIONS: 

  • Mitigate – Take action to decrease the risk factor. Examples:  Patching software and installing anti-malware to defend against ransomware, Pentesting security configurations to eliminate privilege escalation vulnerabilities 
  • Transfer – Liability insurance may protect against certain cybersecurity and privacy incidents. 
  • Avoid – Example: A small business uses a bank payment service versus collecting and processing consumer CC data. 
  • Accept – In some cases, the cost of protecting an asset may be more than the asset value. In that case, it makes business sense to leave the asset unprotected—for example, An obsolete mainframe application scheduled for retirement. 

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) resulted in the HIPAA Privacy Rule and the HIPAA Security Rule.The Privacy Rule addresses the use and disclosure of individuals' health information—called "protected health information" (PHI) by organizations, known as "covered entities," subject to the Privacy Rule. HIPAA established privacy rights for consumers, including the right to know how their PHI is used and control the accuracy and sharing of their health information.  

A primary goal of the Privacy Rule is to assure that individuals' health information is appropriately protected while allowing the flow of health information needed to provide and promote high-quality health care. The Rule strikes a balance that permits necessary data flows to support patient healthcare while preserving patient privacy. HIPAA  certification is flexible and comprehensive to cover the variety of uses in the diverse healthcare market. 

The Security Standards for the Protection of Electronic Protected Health Information (ePHI) establish a national set of security standards for protecting certain health information stored and transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards covered entities must put in place to secure individuals' ePHI. Health and Human Services (HHS) are responsible for HIPAA enforcement through the Office for Civil Rights (OCR), including the levy of civil penalties. 

What is PII in healthcare? 

Protected Health Information (PHI) replaces Personally Identifiable Information (PII) used in other laws. While the acronyms are both pronounced 'pie,' the same PHI is specific to HIPPA regulations in the healthcare continuum.   

Personal Health Information: 

  • A person's past, present, or future health conditions 
  • Specifics of health care to the individual 
  • Related patient payment information 

Similar terms for Protected Personal Information - pronounced 'pie': 

  • PII – Personally Identifiable Information 
  • PHI – Protected Health Information 
  • PI – Protected Information 

When finding violations, the OCR generally takes an approach of working with organizations to comply versus punitive actions. The agency has taken twenty-five enforcement actions. 

2021 OCR Enforcement Actions: 

  • Advanced Spine & Pain Management paid OCR $32,150 after being found to violate the HIPAA right-of-access requirement.  
  • Denver Retina Center paid OCR $30,000 and agreed to corrective actions, including one year of monitoring, following a right-of-access violation. 
  • Cardiovascular disease and internal medicine doctor in NY was fined $100,000 after failing to provide a patient with their medical record and refusing to cooperate with the OCR.  
  • A licensed provider of eating disorder treatment agreed-to corrective actions, including one year of monitoring, and paid OCR a fine of $160,000 for right-of-access violation.  
  • Wake Health Medical Group agreed to corrective actions and paid an OCR penalty of $10,000. 

GLBA

The Gramm-Leach-Bliley Act (GLBA) is a 1999 US Federal Trade Commission (FTC) law intended to protect consumer financial privacy. Its provisions limit when a "financial institution" may disclose a consumer's "nonpublic personal information" to nonaffiliated third parties. The law covers a broad range of financial institutions, including many companies not traditionally considered financial institutions because they engage in certain "financial activities." 

Financial institutions must notify their customers about their information-sharing practices and tell consumers their right to "opt-out" if they don't want their information shared with certain nonaffiliated third parties. Data use and sharing restrictions apply to any entity receiving consumer financial information. 

 

Financial institutions covered by the Gramm-Leach-Bliley Act must tell their customers about their information-sharing practices and explain consumers' right to "opt-out" if they don't want their information shared with certain third parties. Is your company following the requirements of the Privacy Rule? 

General Data Protection Regulation EU (GDPR)

GDPR is a European Union regulation created to reform, modernize, and harmonize European data protection law throughout the EU and is fully enforceable. The changes in data privacy and protection resulting from GDPR significantly impact the collection, processing, and data retention in all European Union member states. 

"Personal data" refers to any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable person can be identified, directly or indirectly, by reference to an identification number or one or more factors specific to physical, physiological, mental, economic, cultural or social identity. Under GDPR, the definition of personal data is expanded to include persistent identifiers, pseudonymous data, and restricted data such as health, race, and government information. 

Consumer rights under GDPR include: 

Right to be Informed: The controller must provide data subjects confirmation as to whether personal data concerning them is being processed, where and for what purpose. 

Right of Access: Individuals have the right to access and receive a copy of their data. 

Right to Rectification: Individuals have the right to correct inaccurate or incomplete data. 

Right to Erasure: The right to be forgotten entitles the data subject to have the data controller erase their data, cease further dissemination of the data, and potentially have third parties halt data processing. 

Right to Restrict Processing: Individuals have the right to restrict processing under certain conditions—for example, unlawful data processing or while a right-to-rectification or a right-to-object action is pending review.  

Data Portability: A data subject's right to receive personal data concerning them, which they have previously provided in a 'commonly used and machine-readable format.' In addition, the data subject has the right to request the transmission of their data to another controller. 

Right to Object: Individuals have the right to restrict the use of personal data in certain circumstances, for example, to stop personal data from being used for direct marketing. 

Automated Decision Making and Profiling: Individuals have the right to restrict automated decision-making, including profiling. The automated decision-making is allowed where it is necessary to perform the service, lawful and based on explicit consent.  

Other GDPR requirements include: 

Transparency: Privacy policies and notices must be clear, concise, transparent, and in an easily accessible form to justify the use of a data subject's data and data minimization. 

Under GDPR, organizations found in breach can be fined up to 4% of their annual global turnover or €20 Million (whichever is greater). The private right of legal action for GDPR breaches enables individuals or groups (e.g., consumer advocacy groups) to sue organizations for failure to meet the requirements set forth under GDPR. 

California Consumer Privacy Act (CCPA)

truvantis-ccpa-california-privacy-policy

The California Consumer Privacy Act or CCPA is a California state law designed to give consumers control over their personal information (PI). The CCPA's objectives are similar to GDPR. Under CCPA, PI includes browsing and purchase history, IP and email address, geolocation data, employment data, inferences, and habits. 

CCPA was passed in June 2018 partially in response to the Cambridge Analytica scandal involving the data mining and misuse of consumers PI. Enforcement of the law went into effect in July 2020. Infraction costs include civil penalties up to $7,500 and fines up to $750 per consumer per incident. The California Attorney General is creating a Consumer Privacy Interactive Tool to assist consumers in initiating CCPA non-compliance notices. 

CCPA Consumers Rights: 

Under CCPA, California consumers have the following rights: 

Right to Know: CA consumers have the right to know what and how their personal information is collected, used, and shared. 

Right to Opt-Out of Sale: Organizations may not sell PI from California consumers who opt-out. Businesses must place opt-out links clearly and conspicuously on a website when PI is collected. 

Right to Disclosure: Upon a verified request, organizations must send the consumer a copy of all personal data collected, sold or disclosed, its usage, categories of whom it was sold or disclosed to and why. Most of this information must also be in the privacy policy at a category level. 

Right to Deletion: A business must delete consumer data from all records upon receiving a legitimate request. 

Non-discrimination: A California Consumer cannot be discriminated against based on the exercise of their CCPA rights unless the difference is reasonably related to the value provided by the consumer's data. 

Notifications: Notification of consumer privacy rights must be visible at the point PI is collected, and limitations of the sale of PI belong to consumers under 16. 

California Consumer Privacy Rights Act (CPRA)

In the fall of 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), as an expansion of the California Consumer Privacy Act (CCPA). CPRA goes into full effect on JAN 1, 2023, and it will apply to all data collected as of JAN 1, 2022. 

CPRA applies to all data collected as of January 1, 2022.  

CPRA Private-right-of-Action 

Effectively, the CPRA brings the CCPA goes beyond GDPR by including the consumers' private-right-of-action provision. In the event of a data breach where an organization is found to violate its duty to maintain reasonable security and privacy procedures and practices, any consumer whose PI or email and password were stolen may institute a civil action to: 

  • Recover damages the greater of $750 per consumer per incident or actual damages 
  • Injunctive or declaratory relief 
  • Any other relief the court deems appropriate 

The CPRA creates the California Privacy Protection Agency (Agency) to enforce California's consumer information privacy laws. Fines:  

  • $2500 per violation  
  • $7500 per intentional violation  

 

Business Obligations Under CPRA 

Transparent Privacy Notifications 

Businesses should inform consumers what and why they collect PI and how they can exercise their CPRA rights. 

Purpose Limitation and Data Minimization 

Only collect and process the information necessary for the clearly stated business purposes. 

Method for Servicing Legitimate Consumer Requests 

Consumers should have the ability to exercise their rights without undue burden. 

Security and Privacy-by-Design 

  • Proactive vs. Reactive 
  • Privacy as the Default Setting 
  • Privacy Embedded into Design 
  • Positive Sum 
  • Full Lifecycle Protection 
  • Transparency 
  • Respect for User Privacy 

Obligations Regarding Vendors and Third-party Processor Agreements 

Chain of custody – vendors and service providers must offer the same levels of privacy protection. Update vendor agreements and service contracts accordingly. 

Automated Decision-making Requirements 

Businesses must publish meaningful information and opt-out rights on automated decision-making technology used for profiling. They must include information on the logic involved and the probable outcome to the user. 

Risk-based Privacy Program 

Risk assessment 

Gap analysis 

Remediation 

Employee Training 

All employees handling PI must be trained in all aspects of relevant privacy rules and obligations. 

 

Colorado Privacy Act (ColoPA)

In June 2020, Colorado passed ColoPA, which:  

  • Specifies how systems must fulfill duties regarding consumers' assertion of their rights.  
  • Requires organizations to conduct a data protection assessment for each of their processing activities  
  • The attorney general or district attorneys are responsible for enforcement 

Virginia Consumer Data Protection Act  

Passed on March 2, 2021, VCDPA defines PI as similar to CPRA California. According to experts, the law has somewhat broader exceptions for the uses of data from which consumers cannot opt out.  

Like other states, VCDPA applies to companies that:  

  • Control or process the personal data of 100,000 or more consumers OR  
  • Control or process the personal data of at least 25,000 consumers and earn 50% of their revenue by selling PI  

PIPEDA Canada

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian privacy law intended to provide data privacy protections to individuals in Canada. It regulates how private sector organizations collect, use and disclose personal information in commercial business. 

Organizations covered by PIPEDA must generally obtain an individual's consent when collecting, using, or disclosing that individual's personal information. People have the right to access the personal information held by an organization. They also have the right to challenge its accuracy. 

Organizations can only use Personal information for the purposes it was collected. If an organization uses it for another purpose, it must obtain further consent. Appropriate safeguards must be in place to protect personal information. 

PIPEDA Compliance 

Businesses must follow the ten fair information principles to protect personal information, set out in Schedule 1 of PIPEDA. 

The principles are: 

  1. Accountability 
  2. Identifying Purposes 
  3. Consent 
  4. Limiting Collection 
  5. Limiting Use, Disclosure, and Retention 
  6. Accuracy 
  7. Safeguards 
  8. Openness 
  9. Individual Access 
  10. Challenging Compliance 
    • A consumer's ability to challenge an organization's compliance with privacy and security rules 

Examples of Fines

Most businesses are subject to multiple privacy laws. These laws define Personal Information (PI), consumer rights, and business requirements to maintain consumer data privacy.  Given growing legislation and litigation, businesses face an increased risk of legal action and resulting penalties. For example, CPRA's private-right-of-action gives consumers' a platform for initiating a civil action.  

Non-compliance with privacy laws can be expensive!  

2021 Examples: 

Uber - $9 Million  

Uber agreed to pay $9 million to the California Public Utilities Commission (CPUC) after refusing to hand over data about riders and drivers who were sexually assaulted. Uber had a $148 million fine in 2018 for failure to report a PI data breach.  

Plaid - $58 Million  

Plaid Inc agreed to pay $58 million to resolve consumers' claims that they obtained and used bank account credentials and financial information without consent.  

ByteDance - $92 Million  

The lawsuits claimed the TikTok app "infiltrates its users' devices and extracts a broad array of private data including biometric data and content that defendants use to track and profile TikTok users.". 

Prepare Your Business for Privacy Risk 

A risk-based privacy program is an essential tool and market advantage for most businesses in 2022.  

The landscape of privacy regulations is vast and continuously evolving. A privacy consulting organization like Truvantis can help you select and track applicable requirements. We can help build a solid central privacy program to support the entire matrix of international, federal, and rapidly changing state laws. 

Most organizations do not have the internal bandwidth or expertise to independently develop and manage privacy operations. Truvantis has the experience to examine privacy policies, protocols, and procedures the same way regulators and class action attorneys do.  

Truvantis specializes in helping customers improve their privacy posture through practical, effective, and actionable programs— balancing privacy, technology, business impact, and organizational risk tolerance. 

Learn How Truvantis Approaches Privacy Standards

At Truvantis, Inc., we have a team of senior security experts who are experienced in privacy compliance. 

They follow a set process to ensure your organization complies with the proper privacy standards.

Click the button to the right to learn more about how we approach privacy compliance. 

Contact Us Today