Federal Law
On a federal level in the United States, privacy and data security are regulated sectorally. In other words, privacy and data security legislation is directed towards specific industries. The Gramm-Leach-Bliley Act (“GLBA”) was passed by Congress in 1999 and requires companies that offer consumers certain financial products or services to explain their information-sharing practices to their customers and to safeguard sensitive data.
The products or services covered by GLBA include loans, financial or investment advice, and insurance. Financial institutions can include banks, securities brokers and dealers, insurance underwriters and agents, finance companies, mortgage bankers, and travel agents.
In-depth analysis of GLBA subject matter is outside the scope of this article. We mention it here so that readers engaged in the businesses mentioned above, or offering the same or similar services and products as those mentioned above, will know that they may be subject to GLBA.
We also briefly note that individual states, for example California with the Financial Information Privacy Act, have passed legislation that supplements GLBA. Any company that may be covered by GLBA should similarly perform due diligence on any associated state law.
State Laws
In addition to federal regulation, individual states have passed their own privacy legislation. State privacy legislation often includes general privacy regulation absent on the federal level. Early state privacy regulation was limited in that it often imposed only a simple disclosure requirement. For example, CalOPPA, which was the first state privacy regulation in 2004, required notice to users about the categories of information collected and the categories of third parties with whom that information was shared. In 2018, we began to see a shift towards more expansive privacy regulation that was comprehensive in nature.
The California Consumer Privacy Act (“CCPA”), passed in 2018 (California serves as a helpful example, as the state often leads the nation in passing privacy regulation), introduced concepts like the rights of access, rectification, deletion, and portability. This is relevant to digital transactions for two important reasons.
A note about the CCPA. The CCPA was passed in 2018, but also amended in 2020 by the California Privacy Rights Act. The California Privacy Rights Act will take effect on January 1, 2023, applying to personal data collected on or after January 1, 2022. Because the effective date is roughly six months from this article's publish date, we will treat the CCPA as inclusive of all CPRA amendments.
First, we can observe a trend where states are increasingly passing legislation similar to the CCPA. Currently there are four states (California, Colorado, Virginia, and Utah) that have recently passed comprehensive privacy regulation, and there are roughly fifteen more states with privacy regulations in some stage of the legislative process. State privacy law only applies if an entity operates within the state. As a result, a company may be exempt from the CCPA if it doesn't operate within California or if it doesn't meet the metrics that trigger compliance. If a business is not subject to any recent privacy regulation because it does not operate within California, Colorado, Virginia, or Utah, it should be aware that it may become subject to privacy regulation as additional states pass legislation. This is a good place to remind readers that compliance is a continuous process, not merely a goalpost that can be forgotten once it is reached.
Second, comprehensive state privacy legislation will often place special protections on financial information and cover important non-financial information gathered in the transaction process. The CCPA designates a financial account, debit card, or credit card number as “sensitive personal information” when in combination with any required security or access code, password, or credentials allowing access to an account. This categorization provides California consumers with enhanced rights, such as the ability to limit the use or disclosure of their sensitive personal information. Additionally, businesses must provide in their privacy notices the categories of sensitive personal information collected, as well as a clear and conspicuous link that enables the consumer to limit the use or disclosure of their sensitive personal information. Digital transaction data is also subject to the CCPA even when not categorized as sensitive personal information. For example, any marketing data collected from users or transaction information that is not financial in nature may be covered as personal information. As a result, this information is also subject to the users' rights to access, rectification, deletion, and portability.
Industry Standards
As briefly mentioned above, the Payment Card Industry Security Standards Council created an information security standard known as the Payment Card Industry Data Security Standard (PCI DSS) to help protect the safety of transaction data. PCI DSS sets the operational and technical requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions. PCI DSS sets certain compliance standards that are validated on an annual or quarterly basis, depending on the volume of transactions processed.
This standard is directly relevant to businesses when determining their payment integration and conducting transactions online. Often, small to mid-size businesses find compliance with the PCI DSS control objectives overly burdensome. As a result, these businesses will often outsource their payment processing to external sites.
For example, a business can send users to a third-party payment processor's web page where users input all of their payment information. The third-party payment processor processes the user's transaction and then sends the business a validation token via webhook indicating that the user's payment has succeeded, or alternatively redirects the user to a failed-transaction page operated by the business. This benefits the business by limiting its exposure to financial information and thereby any associated risk.
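The webhook half of that hosted-checkout flow is where the business's own code carries risk: an endpoint that marks orders as paid on the strength of an unauthenticated POST can be fed forged or replayed "payment succeeded" events. The following Python is an added example, not code from the article or from any payment processor; the header names, the HMAC-over-timestamp-and-body signing scheme, and the JSON payload fields are all assumptions made for illustration rather than any processor's documented API. It shows a receiver that verifies the processor's signature in constant time, rejects stale deliveries, and applies each event at most once so a redelivered webhook cannot credit an order twice.

```python
"""Webhook receiver for a hosted-checkout flow (illustrative, assumed API).

The business never handles card data: the processor hosts the payment page
and later POSTs an event to this endpoint saying whether the charge succeeded.
Header names, signing scheme and payload fields are assumptions for this
example, not any real processor's interface.
"""
import hashlib
import hmac
import json
import time

# Shared secret the (hypothetical) processor would issue for this endpoint.
WEBHOOK_SECRET = b"constructed-example-secret"
TOLERANCE_SECONDS = 300  # reject signatures older than five minutes


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<body>". Binding the timestamp into the
    MAC lets the receiver reject a captured request replayed much later."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, timestamp: int, body: bytes, signature: str, now: int) -> bool:
    """True only if the delivery is fresh and the MAC matches the raw body."""
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = sign(secret, timestamp, body)
    # Constant-time comparison so response timing does not leak MAC prefixes.
    return hmac.compare_digest(expected, signature)


class OrderStore:
    """In-memory stand-in for the business's database."""

    def __init__(self):
        self.paid = {}            # order_id -> amount_cents
        self.seen_events = set()  # event ids already applied (idempotency)


def handle_webhook(store: OrderStore, headers: dict, body: bytes, now=None):
    """Returns (http_status, reason). Only authenticated "succeeded" events
    change order state, and each event id is applied at most once."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get("X-Example-Timestamp", ""))
    except ValueError:
        return 400, "bad timestamp"
    sig = headers.get("X-Example-Signature", "")
    if not verify(WEBHOOK_SECRET, ts, body, sig, now):
        return 401, "bad signature"  # unauthenticated: never touch orders
    event = json.loads(body)
    if event["id"] in store.seen_events:
        return 200, "duplicate ignored"  # processor redelivered; no double credit
    store.seen_events.add(event["id"])
    if event["status"] == "succeeded":
        store.paid[event["order_id"]] = event["amount_cents"]
        return 200, "order marked paid"
    return 200, "failure recorded"


def make_event(event_id: str, order_id: str, status: str, amount_cents: int, ts: int):
    """Builds a constructed processor event plus the headers it would carry."""
    payload = {"id": event_id, "order_id": order_id,
               "status": status, "amount_cents": amount_cents}
    body = json.dumps(payload, separators=(",", ":")).encode()
    headers = {"X-Example-Timestamp": str(ts),
               "X-Example-Signature": sign(WEBHOOK_SECRET, ts, body)}
    return headers, body


def demo():
    """Genuine delivery, redelivery, tampered body, and stale replay."""
    store = OrderStore()
    ts = 1_700_000_000
    headers, body = make_event("evt_1", "order_42", "succeeded", 1999, ts)
    r1 = handle_webhook(store, headers, body, now=ts + 10)     # applied
    r2 = handle_webhook(store, headers, body, now=ts + 20)     # redelivery
    tampered = body.replace(b"1999", b"1")                     # amount edited
    r3 = handle_webhook(store, headers, tampered, now=ts + 30)  # MAC mismatch
    r4 = handle_webhook(store, headers, body, now=ts + 3600)   # outside window
    return store, r1, r2, r3, r4


if __name__ == "__main__":
    for result in demo()[1:]:
        print(result)
```

The receiver signs and compares the raw request bytes, not a re-serialized copy of the parsed JSON, because any whitespace or key-order difference would break the MAC; the idempotency set is what makes "at-least-once" webhook delivery safe for the order ledger.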
Of course, businesses may also choose to fully integrate payment within their own systems. This takes a substantially greater amount of technical knowledge. PCI DSS standards require the installation and maintenance of a firewall to protect cardholder data, encryption of cardholder data in transit using strong cryptography, the use of anti-virus software (including regularly updating such software), and the maintenance of secure systems and applications.
Conclusion
Privacy and security compliance can be a difficult task, complicated further by the fact that it is a continuous process. For those businesses worried that they may not be able to keep up with the constant evolution of privacy and security compliance, we recommend two steps. First, take the uncertainty out of privacy regulation by integrating a full-spectrum solution to privacy compliance. Second, outsource payment processing to a trusted third party that handles all the relevant financial information. With these two important aspects handled by third-party service providers, businesses can focus on what they do well without all the privacy and data security worry.