Meighan E. O'Reardon
Meighan E. O’Reardon is counsel at Pillsbury Winthrop Shaw Pittman LLP in Washington, DC.
Under both federal and state law, U.S. associations have legal obligations to secure and protect personal information of members and others with whom they interact. Here is an overview of relevant legislation.
Associations maintain a large set of personal and sensitive information about members, customers, and employees. Much of it is held in databases that contain names, addresses, Social Security numbers, payment details, and other sensitive information.
In the United States, a patchwork of federal and state data privacy and protection laws imposes obligations on organizations that collect and hold personal information. Requirements vary based on where the organization is located and where the individual data subject resides. Associations need to account for legal compliance obligations relevant to their collection, protection, and use of personal information.
Under the Federal Trade Commission Act, the FTC is empowered to bring enforcement actions against unfair or deceptive practices affecting consumers and to enforce several federal privacy and data protection regulations. The FTC treats an organization’s failure to honor its own published privacy promises as a deceptive practice, and a failure to maintain reasonable security for the personal information it holds as an unfair one; both theories have served as the basis for FTC data security enforcement actions.
A few key federal data protection and privacy laws relevant to association activities include:
Fair Credit Reporting Act. FCRA, as amended by the Fair and Accurate Credit Transactions Act, restricts the use of consumer reports to determine eligibility for credit, employment, or insurance. FCRA requires truncating credit card numbers on printed receipts and securely destroying certain types of personal information, and it regulates the use of certain types of information received from affiliates for marketing purposes. Collection of financial information, such as payment details, from members and others may subject an association to additional FCRA-related requirements.
Children’s Online Privacy Protection Act. COPPA regulates the online collection of personal information from children under 13. It imposes obligations, including notice and verifiable parental consent, on operators of websites or online services that are directed to children or that have actual knowledge they are collecting, using, or disclosing personal information from children under 13. Collecting information from even a single child without the required consent is a violation, and penalties are significant, including civil penalties of up to $16,000 per violation.
Any online data collection by an association should include mechanisms to screen out personal information from children unless the association deliberately intends to collect it. Any organization that does collect personal information from children should have a COPPA compliance program that is regularly audited to ensure that parental consent is properly acquired and tracked. Note also that if an organization collects birth dates, it may acquire actual knowledge that a particular user is under 13, which brings heightened COPPA compliance scrutiny.
The CAN-SPAM Act and the Telephone Consumer Protection Act. Associations frequently engage in marketing and communications campaigns. These can expose the organization to federal laws aimed at curbing unwanted use of individuals’ personal information for email and telephone communications.
The CAN-SPAM Act regulates the circumstances in which an entity may send unsolicited commercial emails. These emails are permitted as long as they contain the following:
Before sending a “blast message” via email, an association should review the message for compliance with CAN-SPAM requirements. It should also consider acquiring consent for future communications from data subjects at the time a person’s data is collected. Taking this step can minimize future CAN-SPAM compliance issues.
Like CAN-SPAM, the Telephone Consumer Protection Act shields consumers from unwanted communications. TCPA regulates calls to mobile and residential phones, requiring that a caller obtain a consumer’s “prior express consent” before making autodialed or prerecorded telemarketing calls to him or her. Under TCPA, text messages are considered calls. In today’s mobile environment, associations often encounter TCPA compliance issues when conducting text-messaging communication campaigns to members.
Applicable state laws are dictated by the location of the association and the residence of data subjects. Associations with members in multiple states—or whose members may move from state to state—may need to comply with the most restrictive state-law requirements.
While state-level data-protection obligations vary, many of these laws address common issues. A few noteworthy examples:
Written data security policy or plan. A few states require organizations holding personal information to maintain a written data security policy. The most well-known of these requirements is Massachusetts’ data protection regulation which requires any entity that holds, transmits, or collects personal information of a state resident to maintain a comprehensive written data security plan. Among other things, the plan must address the identification and assessment of risks to the confidentiality, integrity, and security of personal information; a process for maintaining oversight of vendors and service providers; and restrictions on the amount of information collected and how long it is retained.
Disclosure of data sharing. Many organizations not only collect personal information on their websites using cookies and other tools, but they also disclose it to third parties for advertising and marketing purposes. California’s “Shine the Light Law” regulates businesses that engage in this practice, requiring that customers be informed of such disclosures. Businesses must allow their customers to either opt in or opt out of having their personal information shared with third parties for direct marketing purposes. Associations may disclose member information to an assortment of third parties, including advertisers. However, they should ensure that individuals have been provided the appropriate notices, including notice of opt-out rights, before sharing personal data.
Use of Social Security numbers. A majority of states have enacted laws limiting how Social Security numbers may be collected, disclosed, and used. Additionally, a growing number of states have laws requiring entities that collect or use SSNs to have written policies addressing how they protect the numbers’ confidentiality and security, prevent unauthorized disclosure, and limit access to SSNs to those with a “need to know.” Some states, including Connecticut, Massachusetts, and Michigan, require organizations to disclose their SSN protection policy to the general public. Any association activity involving the collection of SSNs should be treated with heightened sensitivity and an awareness of SSN-related compliance obligations.
Vendor data security. Several states have passed laws requiring entities that disclose or make personal information available to third-party service providers to obtain written assurances that those providers will implement specific safeguards to protect the data. The Massachusetts law is currently the most stringent, requiring organizations to take reasonable steps to retain third-party service providers that are capable of maintaining appropriate security measures and to include data protection as a contractual obligation. Associations should be sure to include appropriate obligations in vendor agreements that entail sharing or access to personal information.
Data breach notification. Most states have laws governing how, when, and under what circumstances notifications must be provided to data subjects if their personal information is breached. The obligations depend on a number of factors, including which data elements were compromised and whether they were encrypted; many states also set deadlines for notification and require notice to the state attorney general or to consumer reporting agencies when a breach affects a large number of residents. These measures also typically describe the acceptable forms of notice.
To understand your organization’s specific legal obligations, the most critical first step is to inventory what personal information your association collects and holds, and where it is stored. Data privacy and protection requirements apply regardless of the association’s size, mission, or tax status, so the management of data protection obligations should be an explicit part of your compliance function’s responsibilities.