We read every day about the myriad of purposes for which enterprises are embarking on Big Data projects. Securing C-suite buy in and funding may be a significant endeavor, as is implementing an analytic approach to yield results that will achieve the project’s overall goals. In the face of those challenges, the legal and regulatory issues associated with the collection, storage, and use of Big Data may not be top of mind.
They should be.
Unexpected legal problems manifesting down the road can derail any Big Data project. Focus on those issues at the outset is infinitely easier and less expensive than managing them later in a crisis situation arising from a breach or legal violation.
Big Data Collection
The collection of certain types of data raises issues under various laws and regulations. It is critical, therefore, to understand what data is going to be collected and all associated legal obligations.
An obvious example of data that raises special concerns is Protected Health Information (PHI) governed by HIPAA, HITECH and/or various state laws. Personally Identifiable Information (PII) is subject to regulation that may depend on the place of residence of the individuals whose information is at issue. Collection of PII relating to children may implicate the Children’s Online Privacy Protection Act (COPPA). Collecting payment card data also triggers special industry-imposed obligations.
The methods by which data is collected also must be considered. Is behavioral advertising being utilized? Are cookies, beacons, or tracking pixels being used? Are Automated Web Content gatherers, such as web crawlers and scrapers, at issue? If data is collected from the company’s own website, have adequate disclosures been made to customers or other third parties about the collection and intended use of the data? Do any issues arise if additional data sets are acquired and aggregated with the company’s data?
Big Data Storage
Depending on the data being collected, certain regulations may mandate how it should be protected. Applicable regulations may provide an obligation to use reasonable security measures to protect the information, and those obligations may extend to vendors retained to store data on behalf of the company. And again, disclosures made to customers or others concerning the storage and security of data must accurately reflect what’s being done.
Use of Big Data
Entities should consider in advance the legal implications of their intended use of the collected data. Are email addresses going to be used for marketing? Many laws and regulations, which vary among jurisdictions, apply to sending unsolicited emails. If phone numbers are going to be used for calls or texts, additional compliance issues should be considered. Use of “push notifications” on mobile applications is regulated in some jurisdictions.
Resale of collected data also has legal implications. The type and source of the data, as well as any restrictions associated with the data — which may arise by operation of law or due to disclosures, for example — all must be carefully considered before data is advertised for sale or actually sold.
Companies are encouraged to take a proactive approach with regard to the legal implications of their collection, storage and use of Big Data. Tackling those issues in advance will prevent missteps and help ensure the ultimate success of a Big Data project.