“Setting Up For Data Privacy From Day One” with Tom McNulty of Lando & Anastasi

Jeffrey (0s):
Well, welcome back everyone to Radio Entrepreneurs, the show that features entrepreneurship and business in the year 2022 hard to believe I’ll tell you. And as we regularly do on the show, we’d like to speak with Tom McNulty attorney at Lando and Anastasi. Welcome back.

Tom (22s):
It’s always good to be here.

Jeffrey (24s):
Right? And I know you’re going to talk about one of my favorite subjects, an irritation everyday for me and people. I know privacy, correct.

Tom (33s):
I am going to talk about data privacy. Yes, but I’m going to talk about it. Excuse me. From the perspective of what, you know, entrepreneurs and budding businesses need to take into account as they set up things like their website and their, you know, their financial collection of information, things like that.

Jeffrey (52s):
Right?

Tom (54s):
So, so the United States has no particular, you know, general data privacy law. They’ve got, you know, HIPAA laws and things like that. That covers certain types of information, but they don’t have a general standalone, you know, data protection policy or, or statute, excuse me. In 2018, the European union introduced the statute to a regulation called the GDPR general data protection regulation that governs what businesses can do with the information they collect and set some, you know, some pretty stringent standards. And I’m not necessarily going to go into the GDPR today, but that seems to have been the triggering or bent for various states to start taking, taking the issue up themselves.

Tom (1m 43s):
And, you know, people going into business in the United States, there’s some of these laws that are in effect, and there are a number of states that are considering putting laws like this into effect that will need to be taken into account. The first state that that actually passed one was California. They passed the California consumer privacy act several years ago now. And excuse me, and it creates some, some restrictions on what you can do with data and some rights for consumers to dictate what you can and can’t do with data that businesses collect on you. And the sort of basic rights are you have a right as a consumer to know what data is being collected and who it’s being shared with.

Tom (2m 26s):
You have a right to demand deletion of any privacy personal information that a business collects on you, it’s sort of an opt out provision so they can collect data on you up to the point that you asked them not to. However, for children data collected on children, businesses in California, can’t sell that data without express authorization. So that part of it is opt in. You have a right to be notified before at the point that data is collected of what type of data they’re collecting, what they’re doing with it. And there’s a kind of a last rate where if you choose to, to enforce any of these rights, to have your data deleted, or to have your information, you know, given to you as in terms of what they’re doing with it, businesses can’t discriminate against you.

Tom (3m 15s):
So they can’t offer differential pricing based on whether you let them sell your data or not. They can’t make you waive any of these rights. If you sign any kind of an agreement as part of a purchase that, that purports to waive these rights, that provision will be deemed done enforceable. So it kind of creates a regulatory scheme that that requires businesses to do a lot more in terms of tracking and managing and mapping their data and being able to know, you know, whose data they’ve got, being able to go in and delete individual people’s data, things like that. That really kind of create some, some, I dunno, headaches, probably inappropriate word for it.

Tom (3m 60s):
Some headaches when you’re trying to establish a business. So like I said, California did this several years ago, they’ve actually passed a, a revised version. That’s going to go into effect in January of next year, Virginia and Colorado also have past data privacy statutes that are fairly similar. This is the California statute is, is pretty similar to the European union’s GDPR. And it looks like most of the states that are doing data, privacy are going to model it after this as well. So these are up, these are all provisions that will basically come into play likely over the next several years and in most, if not all states.

Tom (4m 44s):
So why does it take so

Jeffrey (4m 46s):
Long for it to come into,

Tom (4m 48s):
Excuse me? Well, a lot of times, if they pass the law, they’ll give several years for businesses to sort of, you know, gear up in terms of how they’re going to comply with it. They don’t want to have it take effect immediately and start finding businesses without giving them a chance to, you know, get their act together. Really.

Jeffrey (5m 8s):
Does it say a lot about certain states? Like the one we’re in that we don’t have that law yet, California?

Tom (5m 17s):
Well, Massachusetts is there, there is a bill that is pending it’s in a it’s in committee, which may mean that, you know, action is taking place or there may be that that’s where bills go to die. But yeah, it’s, I mean, California is pretty progressive on this stuff, Massachusetts. I would expect not to be too far behind, you know, as of right now, there’s all, but 14 states either have, or are contemplating some sort of general data protection statutes.

Jeffrey (5m 49s):
I was surprised, you know, that you said Virginia, especially, I don’t know the recent, the news about Virginia and, you know, not having masks and vaccination mandates anymore, trying to remove that. So It would be a state that would try to have less controlled than

Tom (6m 7s):
I, I, I guess one way of looking at it is it’s shifting, it’s shifting sort of the rights balancing towards the individual and away from the government and business, that would be, I guess, the way to sort of rectify those two things.

Jeffrey (6m 21s):
Well, so how difficult is this for businesses to comply to, since it takes so much time, is this, is this going to put hardship on some companies?

Tom (6m 31s):
Yeah, a lot of the statutes, the California, actually all three of the statutes that have been enacted and a lot that are being considered have certain notification requirements. So you’re going to have to alter your website to notify people of the types of data you’re collecting. I’m sure every time I open a website these days, there’s a little bar at the bottom telling me to click here, to look at our terms and conditions and click here to accept them and click here to allow us to, you know, use cookies and, you know, all that sort of thing. That’s, that’s all come into being primarily through these types of statutes. Most of them have requirements that the, the, the, the rights that are given to you and the means of enforcing those rights are clearly stated, you know, opt in buttons, opt out buttons, things like that.

Tom (7m 20s):
It can’t be something that’s complicated. It can’t be something that you have to, you know, send in a, you know, an envelope, a written request, months in advance, that kind of thing. So it will require, excuse me, looking at how the websites are built. It will require looking at, you know, what you’re doing with the data you have, excuse me. Like I say, you gotta be able to, you know, to be able to delete somebody data, you have to be able to identify whose data everything is. So it may require a sort of better data mapping, better data management, things like that. And of course, if you’re in the business of collecting data and selling it, which, you know, a surprising number of entities do do that.

Jeffrey (8m 7s):
Nope. I have a, I have a last question. So assuming that this law is pending in a lot of states, yes. Companies start to prepare now.

Tom (8m 16s):
Well, I mean, that’s sort of an interesting question. One of the universals across these, as they protect individuals from their state, but they don’t necessarily apply only to businesses in their state. So the California law, as of right now, if you buy, receive or sell information of 5,000, 50,000, excuse me, or more California residences or resonance, excuse me, households, you know, the, like the law will apply to you, whether you’re a California company or not. So one of the things you, you know, businesses that are looking at this, one of the things they’ll need to do is decide where they’re going to be doing business, where are they going to be collecting data from and whether it will apply.

Tom (8m 57s):
So I guess the short answer is assume that all this is coming and sort of build it in upfront rather than react to it as it, as it moves along.

Jeffrey (9m 7s):
Well, we appreciate your, your thoughts in the area. I know data privacy is an ongoing issue. We’re speaking with Tom McNulty attorney at Orlando and Anasazi. Tom, if someone wants to get ahold of you and learn more about these pending laws or other laws like this that are affecting businesses, how would they find you?

Tom (9m 25s):
They can get me@ateammcnultyatlalaw.com or they can give me a call at (617) 395-7040.

Jeffrey (9m 35s):
Great, thanks for being on a Radio Entrepreneurs. We look forward to more of your reports in 2022, as we know things are continuing to change. Remind everybody, this is Radio Entrepreneurs.