A Matter of Privacy
State statutes seek to protect consumer data; what fenestration companies should do about it
December 13, 2019
Privacy of consumer data is a legal issue that will affect the fenestration industry into 2020 and beyond. No fewer than 27 states are in the process of writing or enacting their own privacy statutes. The various approaches to consumer protection can differ wildly, are very technical, and impose substantial fines for failure to comply.
An example is the California Consumer Privacy Act (CCPA). Passed in 2018, the CCPA becomes effective Jan. 1, 2020, and will start being enforced in July. The act applies to any entity that “does business in California” and generally has gross revenue exceeding $25 million. Its scope protects various forms of personal information, including simple elements like name and address information.
Companies that fit the requirements of the CCPA must be able to address consumer data access requests and opt-out demands, as well as have updated privacy policies. Penalties for non-compliance include injunctions, statutory damages assessed per-resident and per-incident, and fines for each violation, whether intentional or simply negligent.
In addition to California, state efforts in Nevada, Pennsylvania, Massachusetts and Rhode Island are being pursued because there is currently no comprehensive federal system governing consumer data privacy. Internationally, the approach has been to set broader, uniform standards like the European Union’s GDPR or PIPEDA, used in Canada. These two approaches substantially mirror each other, easing the compliance requirements for companies.
Addressing the issue before it arrives
Because avoiding risk begins with being able to identify it, it is essential to learn what rules might currently apply. Companies must know their market regions, whether requirements apply to the business model in those regions, and what protections are required. Resources for this education include third-party consultants, commerce/consumer divisions of state governments, and fenestration industry association groups.
Next, take stock of what consumer data is being generated, gathered and retained. Websites and newsletters often request or retain information about consumers that might apply to a particular data protection scheme. Cookies and traditional methods to manage data privacy requests can work, but they also present gaps when consumers use various devices to interface with companies. Knowing how consumer data comes in can help identify what protection tools are available in hardware and software, and across access points.
Document compliance efforts if consumer information must be protected, including specific inventories of the data requiring protection, efforts to protect that data, and periodic evaluations of the protections and data sources. This requires a lot of work, but many current data protection regulations require a company to prove its innocence when faced with a potential privacy breach or claim relating to abuses of consumer data. Without established policies and documented efforts to protect consumer information, companies can have little defense against alleged privacy claims.
Finally, with states currently developing various approaches to protections of consumer information, there may still be time to voice concerns about the costs and burdens these systems can impose. Look for opportunities to have input into the development of these protection systems, because their obligations may be with us for many years.