00:07
Adam Stofsky
So, Shannon, we've talked a lot about various privacy law principles, things like purpose limitation or data minimization. What can a company actually do with personal data that they have, and what can't they do? What are the rules? How do you know what you can and can't do?
00:25
Shannon Yavorsky
Yeah, that's a really great question. So I think there are three things that a company has to look at. Number one, what they've told consumers in their privacy notices. So what have you said that you're going to collect and what have you said that you're going to do with it? And who have you said that you're going to share that data with? The next thing is that lawful basis of processing? Are you able to say, I've obtained the consumer's consent in order to use the data for marketing purposes or processing this data is my lawful basis is performance of a contract. And then the third thing is, what does the law say that you're allowed to do with this data? So you've told them that you're going to do something. You've established a lawful basis of processing.
01:15
Shannon Yavorsky
Is there anything else in the applicable privacy legislation that would prevent or prohibit or limit the way in which you can use consumers data?
01:25
Adam Stofsky
So there's no one size fits all checklist of things you can and can't do? It really differs from company to company or industry to industry based on what you've said you're going to do and what you're allowed to do.
01:38
Shannon Yavorsky
Yeah, that's fair to say. I think it really depends on the kind of personal data. So looking at whether it's regular name and email address, or are we looking at a bucket of data that is more sensitive, like health data or financial information that might have different rails around it and be governed by HIPAA, the health privacy law, or GLBA, the financial privacy law? So it's really important to think about what is the actual personal information. What have you told people that you're going to do with it, and what do the laws say about the ways in which you might be restricted from using or sharing it?
02:18
Adam Stofsky
Let's do a few examples. It's like hypo time. I'm just making these up. I always make up the so on the fly. So, okay, so I live on a farm up here in upstate New York, and there's a farm store, and they sell meat and eggs and other products. And I think they use Square to process payments, point of sale payments. They take credit cards and we have customer accounts, right? You can go in and there's a purchase history, so they can push out promotions. Hey, we're having a sale on X, Y, and Z. So a specific customer can know. So what can they do with that data and how would you know? What would you ask them to be able to determine what they can do with all that personal data?
03:03
Shannon Yavorsky
I think the first thing is to look at what laws apply. So we're talking about Vermont, new York. New York. So we're talking about New York. We have to think about what laws are applied to companies doing business in New York and then whether you meet the threshold for applicability of those laws. So New York right now doesn't have an omnibus state privacy law, but many other states do, and they're triggered on the company collecting a certain number of individuals details or they're triggered on revenue thresholds. So if, let's say, for example, New York did have a state privacy law, we'd then move on to does that law actually apply to the farm store? And a lot of times most of the state privacy laws right now have a pretty high revenue threshold. So it's meant to give a break to smaller businesses.
04:06
Shannon Yavorsky
And it may be that the business falls outside the remit of any of the applicability thresholds.
04:14
Adam Stofsky
That's less true in Europe, right? Is that right?
04:17
Shannon Yavorsky
Europe doesn't have a de minimis threshold. So Europe would have, even if it's a farm store, arguably with they're out in the countryside in England or in the countryside in France and you've got ten customers a day, the GDPR technically still applies. So they weren't giving a lot of breaks to small businesses in the way that US. Legislation, at least at the state level, really tries to make concessions for smaller businesses.
04:54
Adam Stofsky
So we look at the law and then what do we look at?
04:57
Shannon Yavorsky
So then let's say for the sake of this hypo that the farm store is knocking out of the park and has over $25 million in revenue, which is that's a lot of vegetable sales. So they have revenue in excess of $25 million and they're doing business in New York. And in that case, let's say the state privacy law applies. Then we'd look to whether that privacy law requires the company to draft a privacy notice. So we'd look to whether the privacy notice sets out, how the farm store is collecting using in sharing data and what it says about how you can use that data to improve the business or to provide the services. What are the rails around it that are articulated in the privacy notice.
05:50
Shannon Yavorsky
And then for some of that financial data, that consumer financial data that is coming in through payment gateways. We'd think about whether, first of all, whether the GLBA applies and then separately whether that agreement with the payment provider sets out or allows the farm store to access and use that data in any way because sometimes that's prohibited to allow the store to have direct access to all of that consumer data. So there are lots of different things to think through. There applicable law, the privacy notice, and then here any relevant contracts with providers. Those are all going to set out some of the rules for the road around how the farm store can use, collect and share personal information.
06:42
Adam Stofsky
So it sounds like the kind of bad news is that it's kind of complicated to navigate this and figure this out. But the good news is actually there's quite a bit of flexibility in terms of getting consent from consumers and kind of shaping what kind of data you want to collect and what you're going to do with it. Is that a good way of thinking about it?
07:01
Shannon Yavorsky
Yeah, I think so. I think that's exactly right. A fair amount of latitude. You just have to be really clear about what you are doing with the data and set that out in the privacy notice.
07:14
Adam Stofsky
Great. Thank you, Shannon.