Navigating Privacy Laws: Do They All Apply To Your Business?

Downs Rachlin Martin PLLC

By now, most businesses have heard of various privacy laws and regulations, whether it’s GDPR, CCPA, HIPAA, or something else on a seemingly ever-growing list.  But do all of these laws and regulations actually apply to your business?  As we’ll see below, the answer depends on a variety of factors.  But make no mistake about it, understanding which laws and regulations impact your organization is crucial for compliance and risk management.

Many of the earlier privacy laws to come on the scene were sectoral in their reach.  The Privacy Act of 1974, for example, applies only to federal government agencies.  The Health Insurance Portability and Accountability Act (HIPAA) generally covers businesses in the healthcare and health insurance industries.  The Gramm-Leach-Bliley Act (GLBA) pertains to a broad category of financial institutions.  The Family Educational Rights and Privacy Act (FERPA) covers educational institutions that receive federal funding.  And there are others.

More recent privacy laws and regulations – most of which exist at the state level – are not sector-specific, however, and instead can cover almost any type of business.  Assessing whether these more broad-based laws and regulations apply to your business involves several considerations:

The specific people whose personal data your business collects, uses, shares, etc.: The first thing to be mindful of is who the customers and potential customers (including website visitors) are from whom you collect or receive personal data and, more importantly, where they are located.  For example, the EU General Data Protection Regulation (GDPR) applies to “the processing of personal data of data subjects who are in the [European] Union.”  Similarly, the various state privacy laws in the U.S. apply to the personal data of “consumers,” which are typically defined as residents of those particular states.  It often does not matter where your business is physically located.

The circumstances and context under which your business collects, uses, shares, etc. personal data: Some privacy laws, such as the GDPR and the California Consumer Privacy Act (CCPA), generally (with a few exceptions) cover personal data no matter the circumstances under which it is collected or used.  However, under most U.S. state privacy laws that have recently come into effect, personal data is covered only where it pertains to consumers who are acting in an individual or household context and not in a business, commercial, or employment context.

The specific types of personal data your business collects, uses, shares, etc.: Many of the early privacy laws are triggered by more narrowly tailored sets of information about individuals, such as social security numbers or full names.  Not all information that could identify an individual is covered.  More recently enacted privacy laws, however, tend to cut a much broader swath.  For example, the Virginia Consumer Data Protection Act (CDPA) defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.”  Other state privacy laws use a similar definition.

The number of people whose personal data your business collects, uses, shares, etc.: Even if your business deals with personal data from consumers of a particular state, that state’s privacy law (assuming it has one) may not apply to your business unless enough of that state’s consumers are involved.  In some states, the privacy law will apply only to a business that processes the personal data of at least 100,000 consumers in that state in a year.  In other states that threshold is 50,000 consumers, and in others it is 35,000 consumers.

The amount of revenue your business derives from selling personal data: Another avenue by which your business could be subject to state privacy laws is if it derives at least a certain percentage (e.g., 20%, 25%, 50%) of its revenue from selling personal data, and in some cases the mere fact that your business sells personal data at all.  And it’s important to know that “selling” personal data is not necessarily limited to sharing the data with a third party and receiving money for it.  State privacy laws vary on this issue.

Annual revenues for your business: Most privacy laws do not have applicability thresholds that are based on a business’s revenue or profit, opting instead to use the volume of data processed as a proxy for business size.  Under the CCPA, however, any business with more than $25 million in annual revenue that deals with even a single Californian’s personal data is subject to the CCPA (unless specific exceptions apply).  On the other hand, the state privacy laws in Utah and Tennessee exempt any business with less than $25 million in annual revenue, no matter how many residents’ personal data it processes each year.

Business activities: For the most part, U.S. state privacy laws apply to businesses that (a) conduct business in the particular state or (b) produce products or services that are targeted to residents of that state.  The GDPR is similar but also different in that it applies to businesses that offer goods or services to data subjects in the EU, monitor the behavior of those data subjects, or have an establishment in the EU.  While the foregoing requirements may seem fairly straightforward at first blush, there can be grey areas as well, especially where various terms are undefined in the laws or in the associated regulations or guidance.

Exemptions: Although recent state privacy laws cover a very wide variety of personal data, they are not without limits.  Most of these laws exempt de-identified data, aggregated data, and data that is publicly available.  Also, most laws include various exemptions at the entity level (e.g., non-profit organizations) and at the data level (e.g., data already covered by sectoral privacy laws).

The Bottom Line

As the above discussion should make clear, determining whether a particular privacy law or regulation applies to your business is no easy task.  It all starts with carefully assessing your data collection practices – that’s absolutely fundamental.  Don’t assume you’re exempt.  And when in doubt, be sure to seek professional legal advice.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Downs Rachlin Martin PLLC