If a company is collecting PII (Personally Identifiable Information) but not selling it, the company should still consider the following:
- Compliance with laws and regulations: The company should ensure that it is complying with all federal and state laws and regulations that govern the collection, use, and storage of PII, such as the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), and the General Data Protection Regulation (GDPR) if they are doing business with EU citizens.
- Notice and consent: The company should provide clear and conspicuous notice to users about its data collection practices, and obtain affirmative, opt-in consent before collecting PII.
- Data security: The company should implement reasonable security measures to protect the PII it collects, such as encryption, firewalls, and regular security audits.
- Data retention and destruction: The company should have policies and procedures in place for how long it will retain PII, and for how and when it will securely destroy PII that is no longer needed.
- Data access and control: The company should provide users with the ability to access, correct, and delete their PII, and to opt-out of certain data collection and sharing practices.
- Data breaches: The company should have plans in place for responding to data breaches, such as identifying and containing the breach, notifying affected individuals, and reporting the breach to the appropriate authorities.
- Ongoing monitoring: The company should monitor its data collection, use, and storage practices on an ongoing basis, and make any necessary adjustments to ensure compliance with laws and regulations and to protect user privacy.
Various laws, regulations and guidelines govern PII in the United States
In the United States, PII (Personally Identifiable Information) is governed by various federal, state and international laws, regulations, and guidelines. Some of the key laws and regulations that govern PII include:
- The Health Insurance Portability and Accountability Act (HIPAA): HIPAA governs the protection of PHI (Protected Health Information), which is a specific type of PII that relates to an individual’s health care.
- The Fair Credit Reporting Act (FCRA): The FCRA regulates the collection, use, and sharing of consumer credit information.
- The Family Educational Rights and Privacy Act (FERPA): FERPA governs the protection of student educational records and information.
- The Gramm-Leach-Bliley Act (GLBA): GLBA regulates the collection, use, and sharing of financial information, such as bank account numbers and credit card information.
- The Children’s Online Privacy Protection Act (COPPA): COPPA governs the collection of information from children under the age of 13.
- The California Consumer Privacy Act (CCPA): CCPA regulates the collection, use, and sharing of personal information of California residents.
- The General Data Protection Regulation (GDPR): GDPR is a European regulation that applies to companies processing the personal data of European Union citizens, regardless of the company’s location.
- The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation: NYDFS regulates the collection, use and sharing of personal information of New York residents.
- The Illinois Biometric Information Privacy Act (BIPA): BIPA regulates the collection, use, storage, and sharing of biometric information, such as fingerprints and facial recognition data.
- The Nevada Privacy Law: The Nevada Privacy Law regulates the collection, use, and sharing of personal information of Nevada residents.
- The Massachusetts Data Breach Notification Law: The Massachusetts Data Breach Notification Law requires companies to notify individuals of data breaches that involve their personal information.
- The Colorado Data Security Law: The Colorado Data Security Law requires companies to implement reasonable security measures to protect personal information.
- The Texas Data Breach Notification Law: The Texas Data Breach Notification Law requires companies to notify Texas residents of data breaches that involve their personal information.
- The Payment Card Industry Data Security Standards (PCI DSS): PCI DSS is a set of security standards that apply to any company that accepts credit or debit card payments, and it’s designed to protect cardholder data.
- The Cybersecurity Information Sharing Act (CISA): CISA encourages the sharing of cyber threat information between the government and private sector.
It’s important to note that these laws and regulations are subject to change and that it’s the responsibility of companies to stay informed about the laws and regulations that apply to them and their handling of PII.
What Laws Govern The Sale of PII
If a data company is selling PII (Personally Identifiable Information) to another entity, the laws and regulations that govern that transaction will depend on the specific type of PII being sold and the jurisdiction in which the data company and the entity buying the PII are located.
Generally, the sale of PII is governed by federal and state laws related to consumer protection and data privacy.
- The Federal Trade Commission Act (FTC Act) is a federal law that prohibits unfair or deceptive acts or practices in or affecting commerce. This law applies to the sale of PII, and data companies must disclose their data collection and sharing practices to consumers and obtain their consent before collecting, using or sharing their PII.
- The Gramm-Leach-Bliley Act (GLBA) is a federal law that regulates the collection, use, and sharing of financial information, such as bank account numbers and credit card information.
- The California Consumer Privacy Act (CCPA) is a state law that regulates the collection, use, and sharing of personal information of California residents.
- The General Data Protection Regulation (GDPR) is a European regulation that applies to companies processing the personal data of European Union citizens, regardless of the company’s location.
- The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation: NYDFS regulates the collection, use and sharing of personal information of New York residents.
If PII is collected legally can it be sold?
If PII (Personally Identifiable Information) is collected legally, a company may be able to sell that PII to others, but it depends on the specific laws and regulations that govern the collection, use and sharing of PII.
Generally, companies must disclose their data collection and sharing practices to consumers and obtain their consent before collecting, using, or sharing their PII. This is true for federal laws like the Federal Trade Commission Act (FTC Act) and state laws like the California Consumer Privacy Act (CCPA).
In some cases, companies may be able to sell PII if they have obtained the appropriate consent from the individuals whose information is being sold, or if the sale is in compliance with other laws and regulations, such as the Fair Credit Reporting Act (FCRA) which regulates the sale of consumer credit information.
However, it’s important to note that not all types of PII can be sold and that some regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) have specific restrictions on the collection, use and sharing of sensitive information such as personal health information or financial information respectively.
Additionally, it’s important to note that some state laws like the Nevada Privacy Law and the Vermont data broker regulation have specific restrictions on the sale of PII.
It’s the responsibility of the company to make sure that it is in compliance with all the laws and regulations that apply to it before selling PII to others.
Using a Privacy Policy To Collect Consent For The Sale of PII
Privacy policies on websites typically collect consent for the sale of PII (Personally Identifiable Information) by providing clear and conspicuous notice to users about the types of PII that will be collected, the purposes for which the PII will be used, and the third parties with whom the PII will be shared.
Here are a few common ways that privacy policies on websites collect consent for the sale of PII:
- Opt-in consent: Websites may provide users with an opt-in option, such as a checkbox or button, that allows users to actively choose to share their PII. Some websites instead provide an opt-out option, where users must actively choose not to share their PII.
- Notice and choice: Websites may provide users with notice about the types of PII that will be collected and the purposes for which it will be used, and give users the option to decline to share their PII.
- Implied consent: Some websites may infer consent from a user’s actions, such as by assuming that a user consents to the collection and sharing of their PII if they continue to use the website after being presented with a privacy policy.
- Do not track: Websites may allow users to set a “Do Not Track” preference in their browser, which signals to the website not to collect or share PII.
It’s important to note that the way in which consent is obtained may vary depending on the specific laws and regulations that apply to the website and the PII being collected. For example, under the California Consumer Privacy Act (CCPA), companies are required to obtain opt-in consent from California residents before collecting, using, or sharing certain types of PII.
It’s also important to note that the consent should be specific, informed and freely given. The user should be able to understand what they are consenting to and should be able to withdraw the consent at any time.
Using a Website Terms and Conditions of Use To Collect Consent For The Sale of PII
Terms and conditions of use can sometimes be used to collect opt-in consent for the collection and sharing of PII (Personally Identifiable Information) by requiring users to agree to the terms and conditions before interacting with the website, but this is not always valid. The way in which a company can collect consent for the collection and sharing of PII will depend on the specific laws and regulations that apply to the company and the PII being collected.
For example, under the California Consumer Privacy Act (CCPA), companies are required to obtain opt-in consent from California residents before collecting, using, or sharing certain types of PII. However, companies may not be able to collect consent in this way under other laws such as the General Data Protection Regulation (GDPR). The GDPR requires that consent be specific, informed and freely given; the user should be able to understand what they are consenting to and should be able to withdraw the consent at any time.
It’s important to note that the use of terms and conditions to collect consent for the collection and sharing of PII may not always be considered valid under certain laws and regulations. Companies should consult with legal counsel to ensure that they are collecting consent in a way that is compliant with all applicable laws and regulations.
The Federal Trade Commission (FTC) enforces federal consumer protection laws, and it has issued guidance on data privacy and security, including the use of terms and conditions to obtain consent for the collection and sharing of PII. However, the FTC generally takes a case-by-case enforcement approach and has yet to provide a specific rule or regulation on this matter.
In general, companies should provide clear and conspicuous notice to users about their data collection and sharing practices, and obtain affirmative, opt-in consent before collecting, using, or sharing PII. It’s always recommended that companies consult with legal counsel to ensure that they are collecting consent in a way that is compliant with all applicable laws and regulations in the United States.