This article is the first in a four-article series discussing how certain federal laws impact data custodians, those who collect, store, process, disclose, and otherwise use consumer data.

The widespread necessity for businesses to establish an internet presence has transformed many conventional businesses into data custodians.  While some businesses embrace this new-found role and attempt to create additional revenue by selling data to third parties, others simply strive to minimize the impact of data custodianship on their core business.  Regardless of where in the spectrum your business falls, all data custodians must be aware of their responsibilities.  Failure to comply with applicable privacy and data protection laws may result in significant financial harm.  To begin, businesses need to ask important questions, such as: “How may I collect data?”, “What types of data may I collect?”, and “How may I use that data?”

Rapidly evolving technological risks and the often-slow-moving legislative process underpin the dynamic field of privacy and data protection.  To address the concerns above, businesses must consider many factors, such as: the source of the data, the purpose for collecting data, and whether the business must notify or obtain consent from the individual from whom it collects data.  Data custodians should also take reasonable measures to maintain the security and integrity of the data in their possession, ensuring both the safety and accuracy of said data.  Best practices suggest, and some laws require, that businesses also establish processes for consumers to view, verify, or even remove their information.

This series will consider several laws that implicate privacy and data protection concerns, including: the Federal Trade Commission Act (“FTCA”), the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), and the Children’s Online Privacy Protection Act (“COPPA”).  While this series only addresses these laws, there are many others that address privacy and data protection best practices, including:  the Privacy Act, the Health Insurance Portability and Accountability Act (“HIPAA“), the Family Education Rights and Privacy Act (“FERPA“), the EU’s General Data Protection Regulation (“GDPR“), the California Online Privacy Protection Act (“CalOPPA“), and self-regulatory private-sector privacy policies.

Ultimately, the failure to follow applicable law may result in regulatory fines, additional government oversight, injunctions against certain business practices, disgorgement of profits, and civil litigation with individual victims.  While the collection of consumer data provides a means to pursue scientific research, targeted marketing, and many other uses, no company wants to be the next VIZIO. Whether your company utilizes data brokerage revenue streams or not, businesses must carefully analyze their unique circumstances to best mitigate data custodianship risks when tailoring privacy and data protection strategies.  Since the law does not always respond quickly and effectively to balance business incentives with consumer protection, businesses must continuously maintain awareness of the legal implications of data custodianship, as the body of privacy and data protection law matures.  The next article in this series will consider one of the broadest-reaching consumer protection mechanisms, FTCA Section 5.