U.S. and international privacy regulation

Day by day, information technology shrinks the world around us, opening new markets and exposing business operations to legal requirements within and outside the U.S. Drawing on the experience of the firm’s international business attorneys as well as its privacy and data security attorneys, we help clients comply with data protection obligations worldwide, including the European Union’s data protection directives and the privacy laws of other countries. The regulatory environment is growing, and for over a decade the U.S. has been considering legislation that would regulate privacy in industries not currently regulated.

Examples of sector-based U.S. laws and regulations:

  • Data breach notification laws in 46 states, the District of Columbia, Puerto Rico and the Virgin Islands
  • Other state identity theft and privacy laws
  • The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
  • Section 5(a) of the Federal Trade Commission Act (FTC Act), which prohibits unfair or deceptive business practices (applied to privacy policies)
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The Health Information Technology for Economic and Clinical Health Act (HITECH), which was part of the American Recovery and Reinvestment Act of 2009 (ARRA)
  • The FTC Telemarketing Sales Rule (TSR)
  • The Telephone Consumer Protection Act (TCPA), enforced by the Federal Communications Commission (FCC) (e.g. “do not call” lists and autodialing)
  • The FTC Disposal Rule
  • The Children’s Online Privacy Protection Act (COPPA)
  • The Gramm-Leach-Bliley Act (GLBA)
  • The Fair Credit Reporting Act (FCRA)
  • The Fair and Accurate Credit Transactions Act (FACTA), including Red Flag Identity Theft regulations
  • The Electronic Communications Privacy and Stored Communications Acts
  • The USA PATRIOT Act and its suspicious-activity regulations
  • The Payment Card Industry Data Security Standard (PCI DSS)

Examples of international laws and regulations:

  • The Organization for Economic Cooperation and Development (OECD) Guidelines for the Protection of Personal Data and Trans-border Data Flows
  • Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data
  • The E.U. Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Our experience includes:

  • Conducting website audits to advise clients if their site complies with their stated policies, and counseling clients in developing privacy policies that are truly reflective of the client’s actual policies
  • Surveying relevant FTC enforcement actions taken against companies that either violated their own privacy policies or were determined to have inadequate policies, including actions involving non-compliance with the E.U.-U.S. Safe Harbor Program, and using that information in advising our clients
  • Advising clients regarding obtaining E.U.-U.S. Safe Harbor certification
  • Advising clients regarding compliance with the E.U. Model Contract Clauses
  • Advising a multinational company on restructuring its data retention system to comply with current data privacy requirements
  • Assisting clients in drafting legally effective terms for online user, online purchaser and restricted-access agreements governing website commerce and access-restricted use
  • Assisting clients in developing customer agreements and disclosures for financial products, including internet banking and online account access, to ensure compliance with the E-SIGN Act
  • Conducting on-site training for marketing and sales teams on CAN-SPAM and the procedures and steps their day-to-day email marketing and sales activities must follow to remain compliant
  • Advising internal marketing departments on the CAN-SPAM noncompliance risks associated with specific email marketing efforts, and establishing a checklist of procedures for assuring CAN-SPAM compliance when sending promotional emails and responding to opt-out requests
  • Advising consumer sales clients regarding PCI DSS compliance in consumer communications