While the precise guidance will vary depending on the startup, this guide will help point you in the right direction on a few fundamental US privacy questions.

The European Startup's Guide to US Data Privacy

Complying with UK and EU data privacy regulations often presents a significant challenge for startups based in those regions. UK and EU startups expanding to the US similarly need to be aware of US data privacy regulations and whether their existing efforts will be sufficient.

1) Do I need to care about US privacy law if I don’t have offices in the US?

Yes, if you have US users or customers. The authority of the US Federal Trade Commission (FTC) extends to acts or practices that cause, or are likely to cause, reasonably foreseeable injury within the US or involve material conduct occurring within the US. The FTC has used that authority in the past to bring actions against companies outside the US that have engaged in activities affecting US users.

2) What are the main US privacy issues I need to worry about?

a) Do what you say and say what you do. Make sure your privacy representations are truthful and complete.

b) Secure the data you collect, particularly sensitive data. Make sure your cybersecurity house is in order. Data breaches can be enormously costly, both financially and reputationally.

c) Determine which US privacy laws apply to you, and make sure you comply if they do. Common trip-ups include knowingly collecting information from children in violation of the Children’s Online Privacy Protection Act (COPPA) and running afoul of the Telephone Consumer Protection Act (TCPA) when using text messaging for marketing. There can be harsh consequences for non-compliance.

3) If my company complies with UK/EU privacy law, is that enough?

Maybe, unless your business practices fall within the scope of a sector-specific privacy law (more on that below). Also, US law places a greater emphasis on whether privacy claims are deceptive, even if many consumers don’t ever see those claims. For example, if you claim in your privacy policy that you encrypt all user data, but then don’t actually do so, that may be enough to trigger regulatory scrutiny of your practices.

Similarly, don’t assume that terms you’re familiar with – like “personal data” – will mean the same thing in the US as they do in the UK. Definitions of “personal information” can vary in the US from statute to statute, and even from state to state, so it’s important to make sure your intent is clear in your privacy policy and any other privacy statements, and that you understand the implications of using certain terms.

4) What does the US privacy law landscape look like?

Unlike the comprehensive UK and EU data protection regulations with which you may be familiar, US federal and state laws typically address data privacy issues on a sector-specific basis.

For example, if you offer services to hospitals or other healthcare providers and receive information about their patients, you likely need to comply with regulations under the Health Insurance Portability and Accountability Act (HIPAA), enforced by the Department of Health and Human Services. Other sectoral regulations include the Gramm-Leach-Bliley Act (GLBA) for financial account data, the Fair Credit Reporting Act (FCRA) for information contained in consumer reports, the Video Privacy Protection Act (VPPA) for video viewing information, and the TCPA and CAN-SPAM Act for phone and email marketing.

More generally, if you offer an app or website that collects information from children under the age of 13, you need to comply with regulations that implement COPPA, a law enforced by the FTC.

In addition to these specific laws, the FTC commonly brings privacy and data security cases against companies based on its broad authority to stop “unfair or deceptive acts or practices.”

Activities that may lead the FTC to act include:

(1) failing to keep privacy promises (e.g., offering an opt-out that doesn’t work);

(2) making material changes to privacy policies without adequate notice and consent;

(3) failing to keep security promises (e.g., saying data is encrypted when it isn’t); and

(4) failing to use reasonable security measures to safeguard consumer information (e.g., failing to patch well-known vulnerabilities, which leads to a data breach).

In addition to federal law, most states also have their own privacy and data security laws that likely will impact your startup. Chief among these are state laws requiring companies to post a privacy policy for any online services they operate, including both websites and apps. California also requires disclosures in certain circumstances regarding how companies treat browser “Do Not Track” signals and when companies share customer information with third parties for marketing purposes.

Other states impose data security requirements for customer data and restrict the collection and use of biometric information, like fingerprints and face scans. If you experience a data breach, virtually all states have laws that require you to send breach notifications to affected consumers if certain types of information are impacted; which types trigger notification can vary from state to state. Some states also have their own general consumer protection laws and frequently join the FTC and other states in privacy actions, or bring their own privacy actions independently.

Finally, many self-regulatory bodies issue additional rules and guidance for member companies in various industries. For example, online interest-based advertising is covered by two self-regulatory groups, the Network Advertising Initiative (NAI) and the Digital Advertising Alliance (DAA), which police their members’ compliance with the privacy rules they issue. If your startup operates in the online advertising space, it’s very likely you will have to comply with these rules even if you aren’t a member, as members you may do business with often impose these rules by contract for their own compliance purposes.

5) What are the consequences for not complying?

The consequences for not complying with US privacy laws vary depending on the particular law. In some instances, noncompliance may result in a simple warning, as can be the case for not posting a required website privacy policy. For other laws, noncompliance may result in large fines and requirements to change business practices with burdensome ongoing compliance obligations, including being subjected to biennial third-party privacy or data security assessments.

Additionally, some privacy laws, such as the TCPA and VPPA, allow for private rights of action and frequently attract expensive class action litigation.

While this primer should get you started, you’ll ultimately want to check with US counsel to make sure you’re following the right approach for your business.

Post produced in partnership with Lydia Parnes, Chris Olsen, Edward Holman, and Daniel Glazer at Wilson Sonsini Goodrich & Rosati. Lydia can be reached at lparnes@wsgr.com, Chris at colsen@wsgr.com, Edward at eholman@wsgr.com, and Dan at daniel.glazer@wsgr.com.

The foregoing does not constitute legal advice and should not be relied upon for business or legal decision
