Quick view: Collection and use of non-consumer data (USA)

Updated as of: 16 June 2025

Introduction

This Quick view will assist in-house counsel, private practice lawyers, and data managers in understanding the data privacy and security laws that apply to non-consumer data and considerations for the collection and use of such data and the risks of sharing data in business-to-business (B2B) relationships.

This Quick view covers:

  1. Types of non-consumer data
  2. Collection and use of B2B data
  3. Risks of sharing data

This Quick view can be used in conjunction with the following How-to guides: How to determine and apply relevant US privacy laws to your organization and How to manage your organization’s data privacy and security risks, and with Checklist: Developing key privacy and data security contractual terms and provisions (B2C).

1. Types of non-consumer data

Data privacy concerns have generally been raised in the area of consumer rights, but what rights do individuals have when their personal data is collected or used by a business with whom they are not in a consumer relationship? The focus at federal level on consumer data privacy should not be taken to mean there are no concerns when a business collects data that is not consumer data.

Currently, there is no comprehensive privacy law in the United States. While comprehensive federal legislation was proposed (the American Data Privacy and Protection Act (ADPPA)), it was never enacted and has not been reintroduced in the current session of Congress. Consequently, privacy laws and practices stem from an array of sources, including federal laws, state laws, common law privacy claims, and even pressure from the public to undertake certain privacy protections (eg, the protections for health care information required by the Health Insurance Portability and Accountability Act). In addition, there is no uniform act for states to either enact or use as a model for their own legislation. As a result, US privacy law is an evolving patchwork of federal and state laws that often overlap with data security law.

The majority of privacy and data security laws apply only to business-to-consumer transactions (see further, How-to guide: How to determine and apply relevant US privacy laws to your organization and Checklist: Understanding privacy laws in the US). However, in a business-to-business (B2B) relationship it is common for businesses to request data about individuals – for example, about an employee who may be acting on behalf of the other business in a transaction. As such data is not consumer data, it would generally not be covered by US privacy laws. However, recent developments in California and in the other states with comprehensive data privacy laws (Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia) mean that any business with connections to states with such laws should evaluate the implications of these changes for its business. Even businesses that do not have a connection with one of those 18 states should consider those laws both as dictating best practice and as potential harbingers of legislation to come in other jurisdictions.

1.1 Employment-related information

1.1.1 California employment-related information provisions

The California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) was the first comprehensive consumer privacy law at state level and, in many respects, has served as the template for the states that followed. This is important because the Act, as amended, includes specific provisions that cover employment-related personal information and personal information reflecting business-to-business transactions.

In addition to covering data privacy of consumers, the CPRA also now covers:

  • personal information collected by a business about a contractor of the business and their beneficiaries and dependents (Employment-Related Information), so long as the business used the information solely in the context of the employment relationship; and
  • personal information collected and used by the business about an individual acting as an employee, owner, director, officer, or contractor of another company, partnership, sole proprietorship, nonprofit, or government entity, but solely to the extent the business uses this personal information in the context of conducting due diligence regarding, or providing or receiving a product or service to such company, partnership, sole proprietorship, nonprofit, or government agency (B2B Information).

Employment-Related Information and B2B Information were initially exempted from the provisions of the CPRA, but the exemptions, set out in Civil Code Sec. 1798.145(m)-(n), expired on December 31, 2022. With the expiration of these exemptions, for those individuals about whom Employment-Related Information or B2B Information is collected, the CPRA now provides for:

  • requirements to provide individuals with privacy notices that meet all of the privacy notice requirements of the CPRA and to address the collection and use of all personal information;
  • individual rights, such as the right to know (access), right to deletion, and the right to correction;
  • the right to opt-out of the sale (as defined in the CPRA) of the Employment-Related Information and B2B Information or the disclosure of such information for cross-context behavioral advertising; and
  • the right to limit the use of sensitive personal information for purposes other than the specific purposes enumerated in the CPRA regulations.

It is important to note that the provisions of the CPRA also apply to data collected or used by service providers, contractors, and other third parties (eg, payroll providers, benefits providers, CRM systems, etc).

While California is currently the only state that has enacted these comprehensive provisions, it does tend to be a model for other states looking to enact this type of legislation, so other states may soon follow suit. It is essential that organizations monitor developments in any jurisdiction in which they do business or in which they have employees, in order to be able to take steps to ensure compliance with any new laws.

1.2 B2B or ‘enterprise’ data

1.2.1 What is B2B or ‘enterprise’ data?

B2B or enterprise data is data regarding businesses – both internal data, and external data regarding third-party businesses. This can include a wide range of information, including company size, industry, revenue, location, employee count, and contact information of key decision-makers. It may also include competitive intelligence, such as information on a competitor or potential competitor from publicly available sources such as news media or the annual reports of publicly-traded companies.

1.2.2 Why is B2B data important?

Every business relies on data. B2B data is used in making every decision, from the most mundane (eg, which seller has the best price for office supplies) to the most momentous (eg, whether operations should be expanded into a new territory). Without reliable data it is impossible to function in the marketplace.

Considerations around the collection and use of B2B data are explored further in section 2 below.

2. Collection and use of B2B data

2.1 Collection of B2B data

B2B data is collected in a variety of ways. Often, the data is generated or accumulated by a business itself, by keeping and analyzing its own records. Companies may also obtain enterprise data about other companies. Data about other companies may be obtained lawfully, or through unlawful means.

2.1.1 Lawful means of obtaining B2B data

There are several lawful ways to obtain B2B data. The more common methods include:

  • Data providers: third-party providers gather data from various sources, including public records, social media, and business directories. The data is packaged and sold to businesses.
  • Web scraping: a technique that involves extracting data from public sources of information such as websites, directories, social media, and other online sources. This may be done by a business on its own behalf, or it may be done by a data provider or other outside researcher hired for that purpose.
  • In-house data collection: conducting surveys, hosting webinars, and other lead-generation activities. This type of activity may, for example, provide data regarding customer satisfaction or interest in a new product or product line, or help predict the success of a new advertising campaign.

2.1.2 Unlawful means of obtaining B2B data

Unlawful means of obtaining B2B data would include industrial espionage or theft of a trade secret by a disgruntled employee. Use of unlawfully obtained information could result in civil or criminal liability, such as a fine or imprisonment for up to 10 years, or both. An organization may face a fine of $5,000,000 or three times the stolen trade secret's value, including avoided costs.

2.1.3 Ensuring that data is obtained legally

A company may generally make any use of publicly available data that it chooses. If data is in the public domain (eg, US government statistical reports), no restrictions may be placed on the use or reuse of the data. A license agreement, even one that does not call for the payment of any fees for its use (eg, a Creative Commons license), may impose restrictions on the reuse of data that will be enforced by the courts, even though no money is involved.

If data does not come from a public source, there are additional considerations before the data may be used. The source of the data – whether a data broker, an independent researcher, or some other provider – must verify that it was obtained by lawful means. If the data is data about another business that was compiled from internal sources (eg, sales figures), the person or entity providing the data should provide a means of verifying that their possession and transfer of the data is lawful (eg, the name of a contact person at the business that compiled the data).

The source should also verify that the owner of the data has given their permission for the data to be shared. There should also be verification that there are no restrictions on the use of the data, such as limitations on further disclosure of data provided as a part of contract negotiations, or that any intended use is within the restrictions imposed by the owner. Your organization should verify that receipt of the data would not breach any applicable laws. Companies should review and update their data privacy policies to ensure that the current use of customer data falls within the authorizations provided by the customers.

2.2 Use of B2B data

2.2.1 How might B2B data be used?

Data may be used for many different purposes. In B2B dealings, such as a joint venture or a joint marketing agreement, organizations may use other companies’ enterprise data in many of the same ways that consumer personal data is used: to monitor compliance, understand behavior, make predictions, and gain insights into customers or competitors. Data collected may be used in ways that many would agree are beneficial, such as to improve the customer experience, or even to refine a company’s marketing strategy so that those interested in the products or services become aware of them. For example, a pet food manufacturer may use statistical data relating to the purchase of pet supplies as a way to target advertising in certain areas, to a certain demographic, or to advertise in the medium best calculated to reach the desired market.

It is essential that data collected be used only for legitimate purposes, and that the collection be done in a lawful manner.

Examples:

The Illinois Biometric Information Privacy Act prohibits the collection of biometric data, including fingerprints or thumbprints, without a person’s consent. An amusement park required its customers to press a button with their thumb in order to gain admittance. The thumbprint was then collected and stored, but customers were not informed of the collection of their prints. This collection was unlawful, even though the amusement park did not use the prints in an unlawful manner. Although this involved the use of consumer data rather than B2B data, it provides an example of why it is important to ensure that both collection and usage of data is lawful.

A company is planning to expand into a new area. It lawfully obtains a list of the employees of a competitor already doing business in that area, and sends letters to those employees, soliciting their applications for employment. This type of ‘employee poaching’ is not unlawful, so the collection of data was not for an improper purpose.

Assurances should also be obtained that any required disclosures or permissions have been provided – for example, if the data is of a type that may not be collected or stored without consent, it should be demonstrated that all the proper consent was obtained.

2.2.2 When can B2B data be shared?

A business may share its data with others for many reasons. For example, a potential joint venture partner may request certain internal data as part of its due diligence before agreeing to a project; data may be shared with legal or financial advisers in order to determine the feasibility or advisability of a public stock offering; or internal business data on customer or sales patterns may be shared with an external advertising agency to inform the creation of an advertising campaign. In the absence of an agreement to the contrary with a subject of the data, or with the party who generated or collected the data, a business is generally free to share whatever data it wishes to share. Virtually every business, however, will have some data that it wants to keep secret. Before any data is shared, the potential sharer should determine whether this is information it is willing to share, and with whom. The potential consequences of sharing (eg, loss of trade secret protection) should also be considered.

3. Risks of sharing data

3.1 Data or security breaches

Data sharing always includes a risk of data or security breaches. Simply put, whenever data is distributed beyond its source, the originator of the data loses control over the data and is less able to ensure that security measures are in place.

A primary concern is whether an affiliate or third party will have access to the data provided to a business. The broader the access to data, the greater the possibility that an unauthorized person will be able to obtain the data.

The consequences of a data or security breach can be severe. For example, in 2022, Accellion (now known as Kiteworks), a company engaged in the business of securing sensitive content communications on behalf of other businesses, agreed to pay $8.1 million to settle a class action suit brought in response to a cyber-attack against its system in 2020. Accellion did not identify the flaws in its system until after the breach. A few more recent examples of business-to-business data breaches include:

  • MOVEit – criminals exploited a vulnerability in the file transfer app MOVEit, used by thousands of organizations around the world.
  • Giant Tiger – this Canadian retailer experienced a privacy breach after a third-party vendor it used was compromised, resulting in a breach of customer data, including data about businesses.

For further information on data breaches, see How-to guide: Incident response plan readiness and identification of a reportable data breach and Checklist: Responding to a data breach.

To ensure that claims relating to any potential breach are resolved expeditiously and with as little expense as possible, an agreement covering the data sharing should be in place and this may include an arbitration clause. Arbitration may be confidential, eliminating the negative publicity that would likely ensue from protracted litigation over a data breach.

Data sharing also carries additional risks, such as creating an opportunity for bad actors – disgruntled employees, or outside actors using ransomware – to use the data for improper purposes such as economic espionage or the theft of trade secrets. A hacker whose ransomware demand is not met may, for example, release or sell private data simply to exact revenge or to make good on their threats. Organizations should anticipate and prepare for the possibility of such attacks; see further How-to guide: Incident response plan readiness and identification of a reportable data breach.

3.2 Antitrust risk

Sharing information that limits competition, or which is used to enter into or enforce an anticompetitive agreement between competitors, could lead to a violation of antitrust laws.

If an exchange of information results in an organization behaving in the same way as its competitors, an inference of anticompetitive conduct could be raised, exposing the companies to potential antitrust liability.

If a company is found in violation of antitrust laws, the company – and sometimes individuals – can be subject to injunctions, heavy fines and, in severe cases, criminal fines and even jail time. In addition to government-initiated legal action, the Clayton Act provides a private right of action against the company for violations of federal antitrust laws. Many state laws may also provide private rights of action, and it is possible to pursue private remedies concurrently at both the federal and state level.

Even if no anticompetitive behavior is found, responding to and defending against investigations and legal actions involves substantial time and expense, as well as possible damage to the reputation of the business and the individuals involved. Accordingly, compliance with antitrust laws should be verified prior to sharing data.

See further, How-to guides: Understanding antitrust and unfair trade practices law and your organization’s compliance obligations, How to identify and manage antitrust and unfair trade practice risk, and Checklists: Meeting with a competitor and Trade association participation.

3.3 Safeguards when sharing B2B data

A business that intends to share data, or to collect or use shared data, should have an internal policy in place to address the handling of that data. The policy should address, at a minimum:

  • the person in charge of the use of the data;
  • the security measures in place or that will be put in place for the data;
  • the use to be made of the data; and
  • how the data will be handled when it is no longer being used.

All employees or contractors who use or come into contact with the data should be made aware of the policy and signify their understanding of it, for example by confirming in writing that they understand and will comply with the policy. Further, the organization should take steps to ensure that only authorized employees can access the data required to carry out their job responsibilities, reducing the risk of unauthorized access and data misuse.

Other safeguards that should be put in place for shared data are technical measures. These are beyond the scope of this resource; see further How-to guides: How to develop, implement and maintain a US information and data security compliance program; How to manage your organization’s data privacy and security risks; and Checklist: Completing a data and information security risk assessment.

Additional resources

Related Lexology Pro content

How-to guides:

How to determine and apply relevant US privacy laws to your organization
How to manage your organization’s data privacy and security risks
How to implement privacy by design within your organization
How to develop, implement, and maintain a US privacy law compliance program
How to develop, implement and maintain a US information and data security compliance program
How to evaluate the effectiveness of a data security or data privacy compliance program
How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity
How to draft a privacy policy, and privacy and data security provisions in contracts
How to manage third party supply chain data privacy, security risks, and liability
Incident response plan readiness and identification of a reportable data breach
How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws

Checklists:

Understanding privacy laws in the US
Completing a data privacy risk assessment
Drafting internal privacy policies and procedures
Completing a data and information security risk assessment
Drafting a consumer privacy policy
Developing key privacy and data security contractual terms and provisions (B2C)
Privacy and data security law training
Completing a data incident response plan assessment
Responding to a data breach
Privacy and data security due diligence in M&A

Quick views:

Key data privacy and data security terms
Regulation of data brokers