As a business owner, you know better than most just how much sensitive information you collect in a relatively short period of time. From customers’ full names, mailing addresses, and contact information to customers’ credit card information and sometimes even their Social Security numbers, you gather enough information to make any hacker want to target you – and you may be the target if you do not take the necessary measures to protect customers’ information.
There are numerous state, federal, and international laws in place designed to protect consumer data and punish companies that fail to observe said laws. That said, because there are so many laws, it is not uncommon for startups to miss a regulation or two, and to unwittingly violate customers’ rights to privacy. However, even if a company accidentally violates the law, it can still be held liable for damages caused. For this reason, it is imperative that, if you run a startup, you understand your legal responsibilities and make the necessary investments to fulfill them. One such investment is an Alabama business attorney who can advise you in your business dealings and help you take measures to remain compliant.
Federal Laws Governing Data Privacy
Unlike other countries, the U.S. government has not adopted a comprehensive set of rules outlining which activities are allowable and which are not. Instead, U.S. law has relied heavily on court decisions and government enforcement actions that were based on rules that existed long before the widespread adoption of technology. The only notable exceptions to this are within the financial and medical sectors.
That said, the U.S. courts do frequently turn to one text for guidance: the Federal Trade Commission Act (FTC Act). This act was not originally designed to prevent breaches of privacy, but rather to prevent the use of unfair and deceptive business practices. According to the FTC, feeble cybersecurity measures fall within the scope of unfair business practices. Furthermore, while the commission does not have set regulations to which companies must adhere, and while it does not specifically require businesses to place their privacy policies on their websites, it does view the failure of a business to uphold its own privacy practices as a deceptive business practice, which is also illegal under the FTC Act.
In addition to the FTC Act, there are several federal statutes that apply to specific business activities that have the potential to put consumers’ private information at risk. Some such statutes include the following:
- The Telephone Consumer Protection Act (TCPA), which regulates the use of telephone numbers for commercial purposes;
- The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, which prohibits the use of deceptive or untrue information in email subject lines and headers, and which governs the collection and use of email addresses for commercial purposes;
- The Computer Fraud and Abuse Act (CFAA), which prohibits tampering with and hacking of protected computers;
- The Electronic Communications Privacy Act (ECPA), which regulates the unauthorized access, disclosure, or interception of a variety of electronic communications;
- The Children’s Online Privacy Protection Act (COPPA), which watches over companies that maintain websites for children, or that gather data from kids; and
- The Fair Credit Reporting Act (FCRA), which governs how businesses may disclose and use credit card numbers, credit reports, and other data.
There are additional federal protections in place for companies that operate within certain industries. For instance, banks, insurance companies, and other financial businesses must adhere to the Gramm-Leach-Bliley Act (GLBA), while health companies must comply with the Health Insurance Portability and Accountability Act (HIPAA).
State Laws Regulating Consumer Data Privacy
In addition to federal laws, U.S. companies must also abide by state laws. State laws, of course, vary, but all 50 states have what are commonly referred to as “little FTC Acts.” These acts are based on the broader FTC Act and prohibit deceptive and unfair business practices. However, state attorneys general and private litigants typically enforce state laws more aggressively. Moreover, state laws generally apply to conduct that the FTC does not consider illegal. For instance, all states now have a law in place that requires businesses to notify consumers if a data breach has occurred. This is the case even if just a few consumers have been affected. Alabama is the last state to have enacted such a law.
Consult With an Alabama Business Attorney
Because state and federal data privacy laws are ever-changing, the best thing you can do for your company, its reputation, and your customers is to keep a knowledgeable Birmingham business lawyer on retainer. At Cloud Willis & Ellis, our team is dedicated to ongoing education and keeps abreast of all the latest developments that pertain to businesses and the law. When changes do inevitably occur, we work with our clients to devise new practices and policies or to modify existing ones so that they comply with all applicable laws. For the legal guidance you need to keep your business in compliance with state and federal privacy laws, contact our Alabama business law firm today.