Technology is moving at the speed of light while we all continue to live in a largely virtual world where we interface with each other, online, every day. Sprinkled in are continued concerns about how companies, large and small, collect, share and retain personal information and a patchwork of laws and regulations to govern personal data. You need only look to the rise in state data privacy laws to witness the continued wave of concern over personal data.
What is required for compliance with these data privacy laws and when a lack of compliance can lead to litigation may elude many. For example, what consent is needed and what is considered a sale of personal information are becoming broader and broader concepts. Consider the debates over what is a sale of personal data pursuant to the California Consumer Privacy Act (CCPA) or the breadth of class action litigation under the Fair Credit Reporting Act (FCRA), Telephone Consumer Protection Act (TCPA) and Illinois’ Biometric Information Privacy Act (BIPA).
Further complicating the landscape are consumer statutes, or statutes in place decades ago to protect the sharing of personal information available in the 1990s, which have been marshalled to police the current technology. The newest example? The Illinois Right of Publicity Act of 1999 (IRPA), enacted with the notion that individuals have the right “to control and to choose” how their personal information—their identity—is used in the commercial space. The IRPA is meant to address the use of a person’s attributes or an individual’s identity for a commercial purpose without prior, written consent. Publicity is typically associated with a public figure, yet this limitation is seemingly not part of the IRPA. The question remains as to whether the use of someone’s name, photograph, image or likeness for advertising or promoting products, merchandise, goods or services, without that person’s consent, could land a company in hot water. And, like many statutes in place to protect personal data, statutory damages could be awarded for a violation.
To avoid potential class action litigation, consider the following:
Review your data map for the data you are collecting. Advanced technology includes collection of seemingly public data in a variety of ways. Companies are also integrating new systems to sort and retain data at an amazing clip. You should have a clear understanding of your collection of data and the legitimate business purpose for which you collect it. Know your data retention policy—are you exercising appropriate cyber-hygiene by deleting data as required?
Evaluate what written consent and records of consent you maintain. Time will tell as to whether the IRPA, as enforced, requires written notice to private citizens about publicly available information a company collects, stores, uses or “sells.” However, as a matter of best practice, companies should regularly evaluate, review and update the disclosure and consent policies they have in place vis-à-vis personal data of any sort.
Stay alert to pending regulations. A class action has already been filed under the IRPA, and given the firestorm of class action litigation under other statutes such as BIPA, this may be another wave of class litigation. Certainly, consumer and employee rights as to their private information are only going to expand over time. Remain aware of data privacy regulations and case law in any state in which you are located and any state in which you reach customers or consumers.
Consult your trusted advisors for compliance and responding to class litigation. Partner with your trusted advisor on an assessment of your consent and disclosure requirements. Should you be faced with class action litigation, consult your trusted class action counsel on strategies for defeating such massive claims at the outset.