Please ensure Javascript is enabled for purposes of website accessibility

Annual data privacy study focuses on policy

Dan Heilman//March 14, 2023//

Illustration of a close-up of a person's eyes and top part of the nose with computer code of 0s and 1s across the entire picture image

Annual data privacy study focuses on policy

Dan Heilman//March 14, 2023//

Listen to this article

While it’s still subject to mostly a patchwork of state laws, regulations around data security continue to be an important topic for business owners. A recurring study written by Lathrop GPM and published on the website of the Minnesota Department of Employment and Economic Development aims to provide straight answers on the issue.

Michael R. Cohen, a Lathrop attorney, was the primary author of this year’s edition of “A Legal Guide to Privacy and Data Security.” He said The General Data Protection Regulation (GDPR), a European law that established protections for privacy and security of personal data about individuals, has had a ripple effect on U.S. data policies.

“There clearly is a movement toward more rights for individuals,” Cohen said. “California is our federal privacy bellwether. Most businesses do some business there or have customers there, so if California passes a law, they more or less have to comply with it.”

California passed its own data-privacy law not long after the GDPR passed in 2018. An updated version of the law brought in significant rights: consumers can ask to have their data deleted, learn what data is being collected, and for what purposes. Colorado, Virginia, Connecticut and Utah are among states that have similar laws.

“Minnesota doesn’t have a similar law yet, but there have been efforts to introduce legislation that’s similar to these other state laws,” said Cohen. Most of them aim to follow the California law, which is the most stringent. We don’t yet have a law here. So I have to counsel my clients that these are the laws that you have to comply with.”

Two years ago the Minnesota Consumer Data Privacy Act was introduced as HF 1492 in the Minnesota House of Representatives. As introduced, it would apply to companies doing business in Minnesota, including those that provide products or services to Minnesota residents, as long as the companies process personal data of at least 100,000 consumers or generate more than 25% of their gross revenue from the sale of personal data.

The bill gives consumers a variety of privacy rights, including the right to verify, correct, delete, access and opt out of processing of their personal data. No hearings on the bill have been scheduled so far.

“Every state has its own data breach notification law,” said Cohen. “Federal laws that apply to different sectors – if you’re in health care it’s HIPAA. If you’re in finance, it’s Gramm-Leach-Bliley. No one federal law covers privacy.”

The Lathrop/DEED guide advises businesses to establish a customized program around data privacy. If your company doesn’t collect much customer information, compliance program and training is likely to be a lot different than it would be for a business that collects, uses, and shares personal data as a primary part of its business.

“Anyone can create a privacy policy based on what Disney or somebody does,” said Cohen. “That’s not the right approach, because you don’t have an army of lawyers. Look at your business and see what data you collect and store, and for what purpose. More important than the policy itself is what might happen as a result of it. Are you set up to handle requests that come in from California that want you to delete someone’s data? You need to have those processes set up.”

A company’s plan to deal with a data breach should be proactive, the guide advises. The plan should include an incident report system that can track security incidents and data breaches as they happen. A simulated security incident might help test the plan and evaluate the report system.

If a company is faced with a breach that requires notifying customers, the media or a government agency, notification letters should be ready to go. Even if the data breach is handled with little legal risk, media coverage of a breach by the media can be harmful, so a proper communications plan can help reassure consumers about containment of the breach.

“Clients will sometimes ask us if they can just update their website’s privacy policy, since that’s the most outward-facing legal document that most customers see,” said Cohen. “But you don’t have a plan in place because you’re afraid the FTC or the attorney general might come after you. You do it because your customers feel better knowing that their data is protected.”

Top News

See All Top News

Legal calendar

Click here to see upcoming Minnesota events

Expert Testimony

See All Expert Testimony