Introduction
This guide will assist in-house counsel when briefing internal marketing and sales departments, and/or private practice lawyers, on how personally identifiable information (PII) may be used. It sets out an overview of PII alongside analysis of US privacy laws and guidance in the context of using PII when marketing online to consumers.
It covers:
- What is personally identifiable information (PII) and what is available to be used in the context of marketing to consumers?
- A legal framework for the use of PII when marketing to consumers
This guide can be used in conjunction with the following How-to guides: How to implement privacy by design within your organization and How to develop, implement, and maintain a US privacy law compliance program; Quick view: Key data privacy and data security terms and Checklist: Developing key privacy and data security contractual terms and provisions (B2C).
Section 1 – What is personally identifiable information (PII) and what is available to be used in the context of marketing to consumers?
1.1 What is PII?
The National Institute of Standards and Technology (NIST) defines PII as: ‘Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.’
Information that may directly and independently identify an individual includes, for example, information such as a person’s full name, address, email ID, Social Security number, contact number, login details, and credit card details. Other types of information may not directly identify someone, but when combined with something else may indirectly do so. This would include, for example, information such as the first or last name, location, gender, age group, and work details (ie, job title, company).
1.1.1 What information is not considered to be PII?
Non-PII data (sometimes referred to as anonymous data) is defined by some experts as any data that cannot be used to identify a specific individual or customer. Non-PII is commonly used by marketers because, while it does not provide identifiable details for targeting marketing campaigns, it can yield meaningful information such as the location of users, or when prospects and customers visit ‘touchpoints’ (ie, locations where customers and potential customers interact with a business online). Non-PII data includes cookies and device IDs, and since it does not directly link to one individual, it is not considered to be PII.
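Section 1.1 notes that fields such as age group, location, gender and job title do not identify a person on their own but can do so in combination, and sections 1.4.3 and 2.1.1 note that a business claiming its data is anonymized should be able to show it. As an added example (not part of the guide), the following Python runs a k-anonymity check over a constructed marketing extract from which the direct identifiers have already been removed; the records, field names and the ZIP-prefix generalization are assumptions made for this example.

```python
"""k-anonymity check over quasi-identifiers (added example, not from the guide).

A dataset is k-anonymous when every combination of quasi-identifier values is
shared by at least k records. If k == 1, at least one record stands out on its
own and the "anonymous" extract can still single out an individual.
"""
from collections import Counter
from typing import Callable, Iterable

# Constructed sample: a marketing extract with name, email and address already
# stripped. Only indirect identifiers remain (see section 1.1 of the guide).
SAMPLE_RECORDS = [
    {"age_group": "30-39", "zip3": "941", "gender": "F", "job_title": "Nurse"},
    {"age_group": "30-39", "zip3": "941", "gender": "F", "job_title": "Nurse"},
    {"age_group": "30-39", "zip3": "941", "gender": "M", "job_title": "Engineer"},
    {"age_group": "30-39", "zip3": "945", "gender": "M", "job_title": "Engineer"},
    {"age_group": "40-49", "zip3": "941", "gender": "F", "job_title": "Teacher"},
    {"age_group": "40-49", "zip3": "941", "gender": "F", "job_title": "Teacher"},
    {"age_group": "40-49", "zip3": "945", "gender": "M", "job_title": "Engineer"},
    {"age_group": "40-49", "zip3": "945", "gender": "M", "job_title": "Engineer"},
]

# The fields treated as quasi-identifiers (an assumption for this example).
QUASI_IDENTIFIERS = ("age_group", "zip3", "gender", "job_title")


def equivalence_classes(records: Iterable[dict], quasi_identifiers: tuple) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records: list, quasi_identifiers: tuple) -> int:
    """Return k for the dataset: the size of its smallest equivalence class (0 if empty)."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def unique_records(records: list, quasi_identifiers: tuple) -> list:
    """Return the records whose quasi-identifier combination appears exactly once."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [r for r in records if classes[tuple(r[q] for q in quasi_identifiers)] == 1]


def generalize(records: list, field: str, transform: Callable[[str], str]) -> list:
    """Return a copy of the records with one field coarsened, eg a 3-digit ZIP prefix
    reduced to 2 digits. Coarsening merges small classes and so raises k."""
    return [{**r, field: transform(r[field])} for r in records]


def meets_threshold(records: list, quasi_identifiers: tuple, k_required: int = 2) -> bool:
    """True when no combination of quasi-identifiers is rarer than k_required records."""
    return k_anonymity(records, quasi_identifiers) >= k_required


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(SAMPLE_RECORDS, QUASI_IDENTIFIERS))
    for r in unique_records(SAMPLE_RECORDS, QUASI_IDENTIFIERS):
        print("  singles out one person:", r)
    coarse = generalize(SAMPLE_RECORDS, "zip3", lambda z: z[:2])
    print("k after coarsening zip3 to 2 digits:", k_anonymity(coarse, QUASI_IDENTIFIERS))
    print("meets k>=2:", meets_threshold(coarse, QUASI_IDENTIFIERS))
```

The two records that share age group, gender and job title but differ only in ZIP prefix are each unique before coarsening; after the ZIP prefix is reduced to two digits every class holds two records, so the extract meets k = 2.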
1.2 How do marketers obtain PII?
There are four primary categories of PII data collection methods that marketers might use:
- zero-party data – includes information customers provide intentionally from interactions, such as when responding to surveys on a brand’s website;
- first-party data – the data that marketers collect from customers, subscribers, and prospects who interact or transact with them directly on websites, mobile applications, social media channels, marketing emails, and other touchpoints;
- second-party data – the data that one organization collects straight from its audience and then subsequently sells directly to another company. One example of second-party data is the data media publishers sell to advertisers; and
- third-party data – data that an aggregator collects from various sources, compiles into a single dataset and then sells as a package.
1.3 How is PII used in marketing?
Marketers that utilize PII, regardless of how it is obtained, will have a competitive advantage over marketers that do not, or that do not utilize it effectively. Using PII, especially first-party PII, can provide for a more personalized, targeted, and contextual marketing approach. Marketers use the data to run customer analytics, identify behavioral patterns, and identify segments or specific individuals. Businesses can improve their return on investment by making marketing messages more personalized, leading to higher sales conversions. Analysis of consumer shopping behaviors and personal preferences can be used to target communications to engage interested prospects and existing customers.
A few examples of targeted advertising using PII include:
- advertising to individuals based on a record of their purchases (eg, ads for pet supplies sent to customers who buy pet food);
- advertising based on web searches which can be personalized to align with preferences and behavior;
- research – PII analytics can be used for statistical purposes to gain insights into customer behavior and engagement;
- endorsements – testimonials may use PII (eg, name, city or state of residence, occupation, etc) to demonstrate the accuracy and verifiability of an endorsement.
1.4 Limitations to the use of PII
1.4.1 Mandatory disclosures
Marketers must follow any mandatory disclosure requirements set out in relevant laws, such as the Children’s Online Privacy Protection Act (COPPA) or the Health Insurance Portability and Accountability Act (HIPAA), as well as obtaining ‘informed consent,’ before using PII. This requires giving prospects and customers full disclosure of what PII is being collected, how long it will be stored and how their personal data will be used internally and externally. Further, all employees involved in marketing that utilizes PII must be trained to comply with consent standards when handling data collection processes such as web forms, sign-in or registration pages, order pages, etc. Generally, consent can be provided in a couple of ways, such as by selecting an opt-in or opt-out box when a customer gives their email address, or by agreeing to the company privacy policy and terms of service at the time of signup.
For further information, see How-to guides: How to determine and apply relevant US privacy laws to your organization and How to develop, implement and maintain a US information and data security compliance program, and Checklist: Understanding privacy laws in the US.
1.4.2 Informed consent
‘Informed consent’ means, in essence, that the person whose data is being collected or used must understand that their PII is being collected and must also have been informed of their rights regarding that collection or use. The specifics of that consent will depend on the context in which data is collected. For example, the Centers for Medicare and Medicaid Services of the US Department of Health and Human Services state that the informed consent that agents and brokers must obtain from customers who participate in the health insurance marketplace must:
- be provided in specific terms and in plain language;
- identify the entity collecting or using the PII, and/or making the disclosure;
- identify the specific collections, use(s), and disclosure(s) of specified PII with respect to a specific recipient(s); and
- provide notice of an individual’s ability to revoke their consent at any time.
1.4.3 Limits on data collection
Other factors that marketers need to take into consideration include:
- do not call registries – the National Do Not Call Registry prohibits contacting registered consumers who have asked not to be contacted;
- time restrictions – how long certain types of PII can be retained;
- opt-out requests for sales and sharing – regulatory controls such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in California may have special opt-outs and other requirements related to the use of PII. See section 2 below;
- ethical practices in gathering and using PII – consumers can generally be assumed to want to limit how and with whom they share their PII, and to object to its use by marketers without their consent, which highlights the importance of full disclosure and consent independently of any legal requirement;
- geographical complexity – differing legal or regulatory requirements when marketing or collecting PII across national borders, especially in countries subject to the GDPR (see section 2.5); and
- anonymization of data – is there some PII that must be anonymized before use? If so, will it still be useful for marketing purposes?
It is important that all stakeholders of a business are engaged when considering the use of PII. From the start, the discussion should include legal, compliance, sales and marketing teams, and IT personnel to ensure ethical and responsible use of PII when marketing. Remembering the ethical considerations behind privacy will minimize the possibility of misuse of data, since those handling data will be less inclined, for ethical reasons, to cut corners and come close to non-compliance.
For further information, see Checklist: Drafting internal privacy policies and procedures.
1.4.4 Privacy by Design
Privacy by Design (PbD) is a concept related to systems engineering and business processes and aims to ensure that privacy is incorporated into the design of technologies, systems, and processes through the entire lifecycle. PbD is an essential part of compliance with the GDPR and is regarded as a best practice for all organizations, of whatever size, that process data, and being privacy-first is important from a marketing point of view.
While PbD is not a legal requirement for US-based companies, implementation of PbD will go a long way toward reducing the risk of privacy breaches, and the legal liability and reputational damage that flow from such breaches. Marketers can take control and ownership of the customer privacy experience when designing campaigns, which will help make privacy issues easy to resolve, and breaches or violations of privacy rare.
For further information, see How-to guide: How to implement privacy by design within your organization.
Section 2 – A legal framework for the use of PII when marketing to consumers
2.1 Federal laws – general consumer protection laws
2.1.1 Federal Trade Commission Act
The Federal Trade Commission Act is the primary statute that enables the Federal Trade Commission (FTC) to police unfair trade practices that cause harm to consumers. While the Act does not specifically prohibit the use of PII in marketing, it does require that disclosures or claims be truthful. For example, if a business claims that PII provided by a consumer will only be used for limited, specific purposes, then that claim must be truthful. If the claim is that data will be anonymized, the business must be prepared to show that the data is in fact anonymized, so that the person to whom the data relates cannot be identified.
In one example of the FTC seeking to protect consumer PII, the FTC sent a letter to officials of the Borders Group, a now-defunct retail chain, expressing concerns regarding a potential sale of customer information during a bankruptcy proceeding, and noting that the sale may constitute a deceptive trade practice. In this instance, Borders gathered a significant amount of information from customers, including records of the books and videos those customers purchased. A critical consideration is that Borders assured its customers that it would not disseminate that information without their consent. To avoid litigation, the FTC letter advised that any transfer of customers’ personal information in connection with a bankruptcy sale should occur only once customers provided their consent to Borders or upon the condition that significant restrictions be placed on the transfer and use of such information. Ultimately, the Bankruptcy Court approved the sale of the PII not as a separate, standalone asset, but as a part of the intellectual property of Borders, to the Barnes and Noble bookstore chain. In re Borders Group, Inc, No 11-10614 (Bankr SDNY Sept 27, 2011).
2.1.2 Restore Online Shoppers’ Confidence Act (ROSCA)
The Restore Online Shoppers’ Confidence Act (ROSCA) has a focus on the transfer of consumer information. It was enacted to prevent a post-transaction third-party seller from charging a consumer’s account during the course of an Internet-based transaction unless it has clearly disclosed all material terms pertaining to the transaction and received the express informed consent of the consumer. A third-party seller is a seller that markets services or goods online through an initial merchant after a consumer initiates a transaction with that merchant. See How-to guide: The Restore Online Shoppers’ Confidence Act – what is it and why does it matter.
Some of the requirements of ROSCA include:
- no additional charges without express customer authorization;
- making written and verbal disclosures to consumers;
- affirmative action by the customer indicating consent (eg, clicking on a box) is required; and
- negative option or data pass contracts (where silence on the part of the consumer is deemed acceptance) are prohibited except in certain limited circumstances (eg, where the seller clearly and conspicuously discloses all material terms, including the negative option or automatic renewal provisions).
A violation of ROSCA requires the FTC to determine that certain conduct was unfair or deceptive. If such a determination is made, the FTC has procedures that notify the business of the violation. If, after receiving notice, a business engages in practices deemed violative, the FTC can pursue civil penalties against the business in federal court in an amount up to $53,088 per violation (as of 2025). Thus, to be ROSCA-compliant, the business should avoid engaging in deceptive business practices and act in the best interests of the customer. At a minimum, the business should heed the notifications issued by the FTC and modify its business practices accordingly.
In November 2023, the FTC announced action against Amazon.com, Inc for ROSCA violations. The allegations stem from Amazon’s longstanding practice of enrolling consumers in its Prime program without gaining their consent while knowingly making it confusing and burdensome for consumers to cancel their Prime subscriptions. The FTC charges that Amazon intentionally deceived millions of consumers by getting them to unknowingly enroll in Amazon Prime through manipulative, coercive, or deceptive user-interface designs, resulting in consumers automatically renewing Prime subscriptions. Further, Amazon also knowingly made the cancellation process complex for Prime subscribers who sought to end their Prime membership. The FTC alleges that:
Consumers who attempted to cancel Prime were faced with multiple steps to actually accomplish the task of canceling, according to the complaint. Consumers had to first locate the cancellation flow, which Amazon made difficult. Once they located the cancellation flow, they were redirected to multiple pages that presented several offers to continue the subscription at a discounted price, to simply turn off the auto-renew feature, or to decide not to cancel. Only after clicking through these pages could consumers finally cancel the service.
Further details on the complaint, in particular the company’s knowing failure to address non-consensual subscriptions and cancellation trickery, are set out on the FTC’s webpage about the action.
2.2 Privacy laws
2.2.1 Children’s Online Privacy Protection Act (COPPA)
For operators of online services or websites directed toward children under the age of 13, and operators of other online services or websites that have actual knowledge that they collect personal information online from a child under 13 years of age, COPPA imposes certain unique requirements. Specifically, COPPA was designed to ensure that children under 13 years of age do not provide their personal information on the Internet without the express approval of their parents.
Definition of personal information under COPPA
The COPPA Rule includes a specific definition of personal information for the purposes of that rule. The rule defines personal information as including the following:
- first and last name;
- a home or other physical address, including the street name and the name of a city or town;
- online contact information;
- a screen or username that operates as their contact information online;
- a telephone number;
- a Social Security number;
- a persistent identifier that can be used to identify a user over the course of time and across various online services or websites;
- a photograph, video, or audio file, where the file has a child’s image or voice;
- biometric identifiers, such as fingerprints, voiceprints, retina/iris scans, and genetic data (added under the 2025 COPPA amendments);
- geolocation information that is sufficient to locate the street name and name of a city or town; or
- information regarding the child or the child’s parents that the operator obtains online from the child and combines along with an identifier described above.
Rules applicable to PII and children
Operators who are covered by COPPA have the following obligations to:
- post a clear and thorough online privacy policy that describes their information practices pertaining to personal information that is collected online from children;
- provide direct notice to parents and receive verifiable parental consent, with a limited number of exceptions, prior to the collection of children’s personal information online;
- give parents the option of providing consent for the operator to collect and use a child’s personal information on the condition that the operator is prohibited from disclosing the child’s information to third parties (unless such disclosure is necessary for the site or service, in which case the operator must clearly communicate this fact to parents);
- provide parents with a way to access and review their child’s personal information and/or a means by which they can have their child’s personal information deleted;
- provide parents with the ability to prevent any further online collection or use of their child’s personal information;
- maintain the confidentiality, integrity, and security of children’s information (including, but not limited to, employing measures to ensure that such information will only be released to parties that are able to maintain the confidentiality and security of the information);
- retain children’s personal information that is collected online for only as long as is required to fulfil the purpose for which it was collected in the first place, and delete children’s information using reasonable measures that protect against any unauthorized access to or use of that information; and
- not condition a child’s participation in an online activity, such as a game or contest, upon the child providing more information than is reasonably necessary for the child to participate in that activity.
Violations of COPPA may result in civil penalties of up to $50,120 for each violation.
In April 2025, the FTC finalized amendments to the COPPA Rule, effective June 2025 (with a compliance deadline in April 2026). The amendments clarify parental notification requirements. Operators must now specifically identify the categories of third parties with whom they share children’s data, explain how they collect and use persistent identifiers, and disclose how they handle audio files containing a child’s voice.
In December 2022, the FTC issued a press release announcing that it had reached a settlement with Epic Games, Inc, the maker of the video game Fortnite, to pay a total of $520 million in penalties to resolve allegations that the company violated COPPA and deployed design tricks, known as dark patterns, to dupe millions of players into making unintentional purchases. In addition to the monetary penalty, Epic must adopt strong privacy default settings for children and teens, ensuring that voice and text communications are turned off by default.
Compliance with COPPA is aided by reviewing the Frequently Asked Questions published by the FTC.
In the next few years, it is likely that COPPA will be amended by the Children and Teens’ Online Privacy Protection Act (COPPA 2.0). It is meant to strengthen the protection of children’s personal information and would expand the applicability of the statute to cover teens under the age of 17.
See also How-to guides: How to develop, implement, and maintain a US privacy law compliance program and Issues surrounding online advertising; and Checklist: Online advertising directed to children.
2.2.2 Fair Credit Reporting Act (FCRA)
The Fair Credit Reporting Act (FCRA) is designed to protect information that is collected by consumer reporting agencies, such as credit bureaus, medical information companies, and tenant screening services, by limiting its dissemination to only those that have a purpose specified in the Act.
The FCRA also regulates the sharing of information between affiliated entities. An ‘affiliate’ is generally defined as any company that controls, is controlled by, or is under common control with another company. Businesses need to determine the type of information shared and the purposes of sharing such information (ie, for marketing or non-marketing purposes). This will help the business determine how the information is to be disclosed and whether the consumer maintains any right to opt out of the sharing and/or use of their information.
Marketing solicitation rule
The FCRA has a marketing solicitation rule (12 CFR 1022.20), which states as follows:
- In general, you may not use eligibility information about a consumer that you receive from an affiliate to make a solicitation for marketing purposes to the consumer, unless:
  - it is clearly and conspicuously disclosed to the consumer in writing or, if the consumer agrees, electronically, in a concise notice that you may use eligibility information about that consumer received from an affiliate to make solicitations for marketing purposes to the consumer;
  - the consumer is provided a reasonable opportunity and a reasonable and simple method to ‘opt out’, or prohibit the business from using eligibility information to make solicitations for marketing purposes to the consumer; and
  - the consumer has not opted out.
‘Eligibility information’ is defined by the Consumer Financial Protection Bureau, the agency charged with the enforcement of the FCRA, as:
includ[ing] not only transaction and experience information, but also the type of information found in consumer reports, such as information from third-party sources and credit scores. Eligibility information does not include aggregate or blind data that does not contain personal identifiers such as account numbers, names, or addresses.
Section 1022.20 of the regulations that implement the FCRA includes numerous examples of situations where pre-existing business relationships exist and where they do not, which are helpful to businesses in determining how the FCRA regulations should be applied.
A knowing violation of the FCRA may subject the violator to a civil penalty of not more than $2,500 per violation. In addition, a consumer injured by a violation may bring a civil action for damages of not less than $100 and not more than $1,000 per violation, plus punitive damages and costs and attorney’s fees for a willful violation, or actual damages, plus costs and attorney’s fees, for a negligent violation.
2.3 Sector-specific laws
2.3.1 Health Insurance Portability and Accountability Act (HIPAA)
Specific to the health care industry, the Health Insurance Portability and Accountability Act (HIPAA) and the privacy rules adopted thereunder (45 CFR parts 160 and 164, subparts A and E) were enacted to regulate the permitted uses and disclosures of medical information. Under HIPAA, PII is referred to as ‘Protected Health Information’, or PHI. Included within the definition of PHI under HIPAA is any health data created, transmitted, or maintained by a HIPAA-covered entity or the covered entity’s business associates. It includes electronic records (ePHI), written records, lab results, x-rays, and bills. Verbal conversations, to the extent they include PII, may also come within the definition of PHI. Examples of covered entities include doctors’ offices, health insurance plans, and health maintenance organizations (HMOs). For further information on HIPAA, see the HHS’s HIPAA guidance for professionals.
Use of PHI in marketing
The US Department of Health and Human Services (HHS) has issued guidance on how PHI may be used and disclosed for marketing purposes.
Specifically, the guidance states that:
The Privacy Rule defines ‘marketing’ as the act of making ‘a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.’ If a communication falls under the definition of ‘marketing’, then, generally, the communication can only take place if the covered entity receives an individual’s ‘authorization’ first. The definition of marketing under the Privacy Rule contains certain exceptions, as discussed further below. Examples of ‘marketing’ communications that require prior authorization include:
- A communication from a hospital that provides information to former patients regarding a cardiac facility that is not a part of the hospital and that can provide a baseline EKG for $45, when such communication is not for the purpose of providing the former patient with treatment advice.
- A communication from a health insurer that promotes a home and casualty insurance product that is being offered by the same company.
Some other examples that may be considered marketing or advertising include:
- before or after pictures for cosmetic surgery;
- photographs in clinic premises; and
- informational brochures.
Subject to certain exceptions, any communication that meets the definition of marketing requires the covered entity to obtain authorization from the individual. What constitutes an acceptable ‘authorization’ depends on a number of factors, which are set out in 45 CFR 164.508. For example, if the marketing involves either direct or indirect compensation to the covered entity from a third party, the authorization must state that such compensation is involved.
The exceptions to the authorization rule include:
- a face-to-face communication made by a covered entity to an individual;
- a promotional gift of nominal value provided by the covered entity to the patient;
- drug refill reminders; and
- communications about programs sponsored by the government.
Violating HIPAA can lead to severe consequences, including civil monetary penalties ranging from $141 to over $2 million per violation, depending on the severity and intent. Intentional violations can even result in criminal charges, leading to hefty fines and imprisonment. Furthermore, state attorneys general can pursue civil actions, leading to additional financial damages. In addition to these penalties, organizations may be required to implement corrective action plans to address compliance issues and ensure they meet HIPAA standards. These potential consequences underscore the importance of HIPAA compliance for any entity handling protected health information.
Several examples of situations where penalties were imposed for improper disclosure of PHI are provided below:
In Northcutt Dental-Fairhope, LLC (March 8, 2022), a dental practice impermissibly disclosed patients’ PHI to a campaign manager, as well as a third-party marketing company hired to assist with a state senate election campaign; the practice agreed to take corrective action and paid $62,500 to settle its potential violations of the HIPAA Privacy Rule.
In Dr U Phillip Igbinadolor, DMD & Associates, PA (March 8, 2022), a clinic impermissibly disclosed PHI in a response to a negative online review and was assessed a civil penalty of $50,000.
See also How-to guide: How to determine and apply relevant US privacy laws to your organization.
2.3.2 Gramm-Leach-Bliley Act (GLBA)
Designed to regulate the financial sector, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to disclose information-sharing practices to customers and to safeguard personally identifiable information. PII under GLBA is defined as:
information that a consumer provides to obtain a financial product or service; information about a consumer resulting from any transaction involving a financial product or service; or information about a consumer that is ‘otherwise obtained’ in connection with providing a financial product or service to that consumer.
The term does not include information lawfully obtained from public records or information.
Under the GLBA, a financial institution (defined in the regulations as any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities) may not use account information for marketing without prior consent.
Included within the scope of the GLBA is the FTC Safeguards Rule (the Safeguards Rule). The Safeguards Rule (which took effect in 2003) requires entities covered by the Rule to maintain safeguards for the protection and security of customer information. In June 2025, the FTC released Frequently Asked Questions (FAQs) that discuss the requirements of the Safeguards Rule and how it specifically applies to motor vehicle dealers. The FAQs make it clear that motor vehicle dealers who finance vehicle purchases are regarded as financial institutions for purposes of the Safeguards Rule.
Penalties for non-compliance with the GLBA may include fines of up to $100,000 per violation, with fines for officers and directors of up to $10,000 per violation.
Example
An insurance agent was given access to a database of policyholder information for an insurer whose policies they sold. The insurer terminated their agency, but the agent used their access to the database to obtain information about customers. The customers had not consented to the use of their information for marketing. The agent used that information to solicit business. The agent violated the GLBA.
Resources available from the FTC for financial institutions looking to maintain compliance with the GLBA include FTC Safeguards Rule: What Your Business Needs to Know and How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act.
For further information, see How-to guide: How to develop, implement and maintain a US information and data security compliance program.
2.4 State privacy laws
2.4.1 California Consumer Privacy Act (CCPA)
In 2018, California enacted the most comprehensive state-level legislation regarding consumer protection. The CCPA provides consumers with more control over the personal information that business entities collect about them. This important law establishes new privacy rights for California consumers, including the rights to:
- know about the personal information a business collects about them and how it is used and shared;
- delete personal information collected from them (with some exceptions);
- opt out of the sale or sharing of their personal information; and
- non-discrimination for exercising their CCPA rights.
In 2020, California voters amended the CCPA by approving Proposition 24, also known as the California Privacy Rights Act (CPRA), which added new privacy protections that became effective January 1, 2023. Beginning January 1, 2023, consumers now have new rights, in addition to the rights above, including the right to:
- correct inaccurate personal information that a business has about them; and
- limit the use and disclosure of sensitive personal information collected about them.
In 2024, legislation in California expanded the scope of PII protections under the CCPA/CPRA to reflect emerging technologies. AB 1008, approved by the Governor on September 28, 2024, clarified that personal information now explicitly includes data processed and stored in AI systems, such as identifiers, biometric data, and other attributes handled by generative AI. A parallel bill, SB 1223, broadened the definition of sensitive personal information to include neural data, meaning information that captures activity of the central or peripheral nervous system, thereby placing this category under enhanced privacy safeguards. SB 1223 was also approved by the Governor on September 28, 2024. The two bills have been codified in Section 1798.140 of the Civil Code.
2.4.2 Other states with comprehensive statutes
A number of other states (see eg, Virginia Consumer Data Protection Act, Colorado Privacy Act and Utah Consumer Privacy Act) have enacted privacy protection laws. For further information, see State-by-State Guide to Data Privacy Laws.
2.4.3 Common law privacy torts
In addition to the federal and state legislation discussed above, marketers should be aware that an individual may bring a claim under the common law privacy torts. The Restatement (Second) of Torts § 652A recognizes four distinct invasions of privacy; the two most likely to arise from marketing activity are:
- Publication of private facts – where the defendant gives publicity to a matter concerning the private life of the plaintiff (also referred to as ‘publicity given to private life’). The claim is actionable by the person whose privacy was invaded if the matter publicized is of a kind that would be highly offensive to a reasonable person and is not of legitimate concern to the public – see Restatement (Second) of Torts § 652D.
- False light – where the defendant gives publicity to a matter that places the plaintiff before the public in a false light, the false light would be highly offensive to a reasonable person, and the defendant knew of or acted in reckless disregard as to the falsity of the publicized matter – see Restatement (Second) of Torts § 652E.
Recognition and scope of these torts vary by state, so the law of each state in which a campaign runs should be checked.
Example
A cosmetic surgeon uses a patient’s photographs in an advertising brochure without their consent. The photographs are ‘before’ and ‘after’ comparisons, and the patient is identified by their first name and last initial, and the city in which they live. Use of the photographs without consent would likely constitute publication of private facts (the patient’s medical treatment) and, because the surgeon is a HIPAA covered entity using protected health information for marketing without a valid authorization, a HIPAA violation as well.
2.5 EU General Data Protection Regulation (GDPR)
In addition to domestic law, a business that operates in Europe or offers goods or services to, or monitors the behavior of, individuals in the EU must also comply with the GDPR. The GDPR was a landmark piece of data privacy legislation and is generally regarded as the standard by which other privacy laws are measured. Adopted by the European Union (EU) in 2016 and applicable from May 25, 2018, the GDPR protects the personal data of individuals, and it defines the ways in which businesses and organizations are allowed to collect and process data gathered from their users, employees, or other persons they interact with. Note that the GDPR’s reach turns on establishment and targeting, not on citizenship: it applies to any company established in the EU, and to companies based outside the EU (including in the United States) that offer goods or services to, or monitor the behavior of, individuals in the EU, regardless of those individuals’ nationality. Conversely, a US business with no EU establishment that processes the data of an EU citizen living in the US, without targeting anyone in the EU, is generally outside its territorial scope. For more information see How-to guides: How to ensure compliance with the GDPR, Making an international transfer of personal data under the GDPR, How to reduce the risk of a GDPR data breach and How to deal with a GDPR data breach.
Additional resources
Related Lexology Pro content
How-to guides:
How to determine and apply relevant US privacy laws to your organization
How to develop, implement and maintain a US information and data security compliance program
How to manage your organization’s data privacy and security risks
How to manage third party supply chain data privacy, security risks, and liability
How to evaluate the effectiveness of a data security or data privacy compliance program
How to draft a privacy policy, and privacy and data security provisions in contracts
How to implement privacy by design within your organization
Incident response plan readiness and identification of a reportable data breach
How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws
Checklists:
Understanding privacy laws in the US
Completing a data and information security risk assessment
Completing a data privacy risk assessment
Completing a data incident response plan assessment
Drafting internal privacy policies and procedures
Drafting a consumer privacy policy
Privacy and data security law training
Responding to a data breach