Can Your Private Information Be Sold?

The existing privacy laws established throughout the globe are creating challenges for companies to sell information collected to 3^rd parties, but how do they affect sales for direct sales companies? The main challenges in these situations would be to figure out what is considered compliant with the new regulations and how the client can find new prospects without obstructing the law.

Relevant Laws

Most people are unaware what information companies can collect or might even be unaware that companies are collecting their information. Different places in the world have different laws associated to how, when, and who is allowed to collect this information. In this article, we will discuss the three main laws related to this issue are The California Consumer Privacy Act, General Data Protection Regulation and The Illinois Privacy Act.

• The California Consumer Privacy Act, “CCPA”, is being used in California, United States. This law regulates determines how data is allowed to be collected, managed, shared and sold by companies and/ or entities doing business with/or compiling information about California residents. Companies must disclose whatever information they collect and the purpose of the information. Additionally, these companies must allow the consumer to opt-out of having their information sold to any third party, to view their information, to delete their information that has been collected. According to the CCPA, the company must notify consumers of their rights under the CCPA and what type of information they have obtained or shared/sold.

• The General Data Protection Regulations, “GDPR”, is currently being used in Europe for the protection of its citizens. It is similar to the CCPA in that it aims to be able to give consumers greater control over their data. That said, these two are not identical and do have differences. The GDPR is stricter than any law related to what is legally allowed.  It requires affirmative consent for any data processing; not just reselling data, but collecting it in the first place. The GDPR also makes companies notify the individual that they have obtained their information and must obtain their consent within 30 days of obtaining the data.

• The Illinois Privacy Act requires companies or organizations with any personal information from Illinois residents to proceed with security measures to protect any data from unauthorized access, acquisition, destruction, use, modification, or disclosure. In addition, the Act states that any contract where personal information is transmitted must include a provision requiring the recipient of the information to implement and maintain reasonable security measures.

Are You Covered Under These Laws? 

The scope of these laws isn’t as big as you would expect; they all cover distinct groups of individuals. The CCPA covers any California Resident.  A resident is anyone who has lived in California for a long period of time. For this law to apply to you, you must be an individual and not a company. Illinois Privacy Act covers any Illinois resident; just like in California, a resident must be an individual living in Illinois for a length of a period. As for the GDPR, this covers any European company or individual in the European Union.

Some observers have come to the conclusion that since no one really wants to exclude selling to Californians, the CCPA is acting as a national law on data privacy in absent to federal regulation. These laws do not affect the cold calling business though.

What Happens If A Company Doesn’t Obey? 

As for the potential risk of non-compliance, every law has different type of punishments.

• The CCPA penalty for each individual violation is $2500 if unintentional and $7500 if intentional. Businesses have 30 days to fix alleged violations after they have been notified of their non-compliance.
• The GDPR has the penalty of up to €20M or up to 4% of the total global revenue of the preceding year, whichever is greater.
• The Illinois Data Privacy Act penalty can be up to $5,000 or actual damages for the violation.

Is There Anything You Can Do to Protect Yourself?

The sad reality is that there isn’t much that an individual can do, especially if you are not covered by the CCPA, GDPR, or the Illinois Data Privacy Act. Once a company has your information, they have the ability to sell it to a 3^rd party at their own discretion. This said, there are a few ways that you can personally follow up with your personal information for security purposes.

Best practices for cybersecurity:

• Using complex passwords: Some professions believe that a complex password must meet or exceed certain criteria of changing it every 180 days, must be between 8 and 128 characters long, be unique, and utilize uppercase letter, numbers, lower case letter and/or special characters
• Using two-factor authentication
• Don’t use public internet
• Don’t give out personal information through the phone or email
• Make sure you don’t voluntarily allow for your information to be sold

How Can A Company Protect Individual’s Information?

If a company is keeping any sensitive information for customers or employees, they must follow a few guidelines proposed by the Federal Trade Commission, FTC. Many companies have personal information from customers or employees for various reasons, however, companies need to be aware that if this information falls into the wrong hands, it can have severe consequences. The FTC created a guide for businesses to secure this information.

The 5 key takeaways are:

1. Know what information is in the company’s databases
2. Try to keep only essential information
3. Make sure that any information kept is safe and secure
4. If you do discard any information, make sure it is properly disposed
5. Have a backup plan if any information is compromised

Article By Nouvelle L. Gonzalo Esq. and Sofia Orrantia

Nouvelle L. Gonzalo, Esq. is a U.S. and international corporate lawyer who works with companies across the globe. She is the managing attorney of Gonzalo Law LLC, a U.S. and international corporate law firm with offices in Florida and Ohio. In addition to the active practice of law, she has served as adjunct faculty of international corporate law for several years. She was recognized as a rising star by the national organization, Super Lawyers, in 2019 and 2020. Her practice areas include: international corporate law, intellectual property law, and nonprofit law. You can contact her with any questions or for a complimentary consult at [email protected].

Sofia Orrantia Mc Pherson is a Student Associate and Executive Administrative Assistant at Gonzalo Law LLC. Previously, she worked as a Language Assistant for the English Language Institution at the University of Florida. She graduated from University of Florida with a bachelor’s in arts in Foreign Languages with a concentration in Film & Visual Art. She is a native speaker in Spanish and English and is fluent in Dutch and French.