Geography, or “place,” plays a crucial role in the application of privacy laws. Privacy laws typically apply to residents of the jurisdiction where the privacy law has been passed. Still, some privacy laws cast a wider net and reach beyond their territorial borders. Much attention has been paid to privacy laws coming from places like California, Brazil, and Europe because of their broad potential geographic scope. Knowing the locations where the people involved live, work, and, potentially, travel will identify the geography-specific privacy laws that should be evaluated.
The mechanisms that are used to collect, store, or share information can alter privacy obligations. There are several privacy laws that only govern certain platforms, such as websites, phones, cameras, Internet of Things devices, and vehicles. Additionally, the owners of certain platforms such as mobile app stores and social media networks have imposed specific privacy requirements on their users.
Finally, the purposes for which information is being processed will round out the privacy identification process. Is the collected information being used for advertising? For treatment? For security purposes, such as to verify someone’s identity? The purposes of any personal information collection, use, and sharing can trigger additional legal obligations.
Four Ps in Practice
The four Ps can help companies gauge overall privacy compliance or assess compliance obligations when they undertake new initiatives that implicate one or more of the four Ps. So, how does this work in practice? Say, for example, a brick-and-mortar retailer in Buffalo, New York, wants to set up a website to sell its merchandise and wants to start sending marketing emails to its customers. The company is based in New York, but its brick-and-mortar customers may be from other places, like Canada or Pennsylvania, and the website it is setting up may sell merchandise to other jurisdictions. The people newly within the scope of this company’s potential privacy obligations are website visitors and customers. The platforms being added are a website and emails. Finally, the purposes of the website and emails are to facilitate e-commerce transactions and, potentially, to track individuals who access the website or open the emails and to market to them.
Going through the process of assessing the four Ps will set the company on the right path to identifying and evaluating the specific privacy laws it needs to consider as it undertakes new initiatives.