If you are a lawyer who does not specialize in privacy, you may be familiar with the feeling of dread that creeps into your heart when a client requests your counsel on how to comply with data privacy laws. The feeling is well-founded. There is no single statute you can consult to provide the needed advice. In the United States, the law of privacy is commonly referred to as “sectoral,” meaning that there is no overarching legal regime covering privacy generally, but rather a series of federal laws (and often accompanying regulations) that each govern a particular subject matter. Nor is privacy protection exclusively on the federal level; federal law does not generally preempt state privacy laws, and state legislatures have not been shy about enacting their own privacy regulations. If your client operates an internet-based business or otherwise serves customers beyond the borders of the United States, the client may also be subject to the privacy regulations prevailing in other countries and trading blocs, which are in many cases intentionally written to have extraterritorial effect.
For those of you who may be experiencing this sort of dread, the ABA’s Cyberspace Law Committee now offers a helping hand. The committee’s Consumer Privacy and Data Analytics Subcommittee has assembled an international group of privacy experts and tasked them with compiling a guide to privacy laws from multiple jurisdictions around the world—the Global Privacy Checklist. The Checklist is a valuable starting point for any lawyer who counsels clients on complying with privacy laws. It serves as a pointer to the most salient of those laws in multiple jurisdictions: U.S. federal, U.S. states, Australia, Canada, the European Union’s General Data Protection Regulation, and the member states of the European Union.
The Checklist is an Excel spreadsheet, with each of the covered jurisdictions occupying its own tab. It is organized around a user-friendly “if-then” framework. For example, the U.S. federal tab includes the “if” statement: If “You collect and use email addresses for commercial purposes.” The “then” statement points the user to the relevant legal rules: “Then consider the applicability of” the “Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM): 15 U.S.C. §§ 7701–7713.” What follows is a summary of the rules that must be followed to comply with the CAN-SPAM Act.
Defining the scope of laws to include within the privacy rubric is more difficult than it may seem. Laws addressing data privacy are related to, and sometimes overlap with, those addressing data security; therefore, the Checklist’s coverage sometimes includes security laws. Coverage of all U.S. state laws relating in some way to data privacy would exceed the scope of the project and the resources available to it. To make the project manageable, the Checklist’s U.S. states tab is limited to the five most commonly encountered areas of privacy regulation: general privacy, data of children, biometric data, health data, and financial data. Coverage of the EU member states is also limited to a few key subject areas.
As valuable as the Checklist is, it has a few important limitations. It does not cover case law or determinations by regulatory agencies. Nor does it include proposed legislation, which is voluminous in light of the number of jurisdictions included among the U.S. states and the EU member states. The authors of the Checklist have sought to represent the state of the legal landscape as of the date of its publication. Inevitably, however, there will have been recent legal developments in some of the many covered jurisdictions that will not have come to their attention in time to include them. Given the dynamic nature of regulation touching upon privacy and the limited resources available, it is not feasible to keep the list continuously updated. We hope to update the Checklist annually, however, as resources allow.
Readers are encouraged to communicate with the Checklist’s editors and let us know of any new or additional laws or regulations that should be considered when the Checklist is updated. Our contact information: John Isaza, John.Isaza@RimonLaw.com, and John Rothchild, jrothchild@wayne.edu. The editors extend a hearty thanks to the team of volunteers whose efforts made this Checklist possible. They are listed in the contributors tab.