Do the deceased have data rights?
When we think about the data privacy rights of people, there tends to be a natural assumption that those people are living. And that’s probably fair. After all, data privacy rights are still in their infancy in the grand scheme of things and there has been no real history of estates suing providers for privacy violations related to a deceased person. But it got me thinking, what data privacy rights, if any, apply to data pertaining to deceased people? Society has always afforded the dead some rights, which may not be immediately obvious. In the brave new world of data privacy, the answer is a little trickier, and it depends on which laws we’re talking about.
Most of the time, when a person dies, their account simply becomes inactive. (Although there have been some interesting exceptions in recent years.) Facebook has an estimated 10 million to 30 million deceased users, which is likely around 1% of its accounts. (Meanwhile, most of us would be glad to have that many visitors in total.) And that doesn’t include the various accounts made for George Washington and similar public figures who pre-deceased Facebook. An article in Time estimates that deceased Facebook users will eventually outnumber living ones, sometime in the next 50 years. And the issue is beginning to gain some scholarly attention in terms of what to do about it.
Let’s start with the low-hanging fruit. This is a rare instance where the GDPR is more illuminating than our domestic legislation. GDPR Recital (27) states:
"(27) This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons."
The point is made again in GDPR Recital (158):
"(158) Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons. Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest. Member States should also be authorised to provide for the further processing of personal data for archiving purposes, for example with a view to providing specific information related to the political behavior under former totalitarian state regimes, genocide, crimes against humanity, in particular the Holocaust, or war crimes."
So, that was simple enough: the GDPR does not protect deceased people’s data. But what about here in the U.S.?
The HIPAA Privacy Rule protects the medical information of a deceased person for 50 years after the person’s death. But HIPAA applies mainly to medical information, and does not protect much of the financial information that cybercriminals go looking for. Other U.S. privacy statutes are generally not as explicit.
For instance, under the CCPA, a protected “consumer” is defined as "a natural person who is a California resident." Further, the California Code of Regulations defines a resident as "(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.” Where does that leave us? There is no known instance of CCPA enforcement arising out of a deceased person’s data, but is a deceased person a “resident” of California? If we are being really technical, does it matter whether the individual is buried or cremated? Arguably, if they are buried, they would continue to be an individual who is in the State, right? Are they still an individual if they are cremated? These questions are somewhat macabre, and they only beg further questions.
The privacy laws of other states are no more illuminating. In New York, the SHIELD Act protects “persons.” However, there is no widespread agreement on who (or what) qualifies as a person. See Matter of Nonhuman Rights Project, Inc. v. Lavery, 2018 NY Slip Op 03309, 31 N.Y.3d 1054 (2018).
Ultimately, if this issue ever comes up, it is likely to be a question for the courts. Especially in California, it seems inevitable that an estate may eventually sue for CCPA violations. Until then, we can only speculate.
7 Steps to CAN-SPAM Act Compliance
We’ve all gotten those emails. You know, the ones riddled with typos, trying to get you to click on something, maybe with suggestive themes or images? And most savvy business people have attained enough tech-competency to know not to click on that stuff. We call it… SPAM!
But that’s not our marketing emails, right? Our marketing emails are polite, professional, and 100% above board. Right? Well… it depends.
Turns out, there is a federal law, the CAN-SPAM Act, that says your marketing emails must meet certain guidelines. Otherwise, they’re spam, and each one could be subject to a fine of up to $43,792 (how did they come up with that number?).
The Federal Trade Commission offers 7 tips for following the CAN-SPAM Act. For the most part, it is pretty straightforward, and I’ve reprinted them, verbatim, below. If you have any questions about whether your marketing emails meet these criteria, we’re happy to help.
These guidelines apply to emails whose primary purpose is to advertise or promote a commercial product or service, including content on a website operated for a commercial purpose.
Without further ado, straight from the FTC:
Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
Tell recipients where you’re located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.
Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.
Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.
If you’d like to book a free 30-minute consultation to discuss CAN-SPAM Act compliance, or any other tech law issue, you can book a free virtual consultation with an attorney here. It’s quick and easy!
Is Federal Data Privacy Legislation On The Way?
All 50 states in the U.S. now have breach notification laws. Many are similar, but some are unique. Places like California, Illinois, New York and Massachusetts have been relatively aggressive in developing a set of regulations to protect their residents from data privacy shenanigans as well as the effects of cybersecurity incidents. Others—I’m looking at you, South Dakota—have not.
But we are reaching a critical point in the development of data privacy and cybersecurity law, at which compliance with the laws of every state is getting more and more challenging. The majority of businesses simply throw up their hands, knowing they should do “something”, but not really sure what that “something” should be.
More and more, we’re hearing calls for a single, unifying privacy law. One statute to rule them all. Of course, we must be careful what we wish for. If a federal law preempts legislation like the CCPA, or topples the Illinois Biometric Act’s private right to sue, many businesses may welcome the change. Yet the law could turn the other way instead, opening up data breach litigation in federal courts across the country.
In 2019, Sen. Ed Markey, D-Mass., introduced the Privacy Bill of Rights Act, which was followed by the United States Consumer Data Privacy Act. The bills opened debate on the issue, but ultimately did not pass.
Realizing that the legislation was bound to fail without a catchy acronym, Sen. Roger Wicker, R-Miss., proposed the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (“SAFE DATA Act”) in September 2020. The SAFE DATA Act in its current form proposes complete state preemption (Sec. 405(a)), thus gutting the CCPA, the NY SHIELD Act and the Illinois Biometric Act. Further, many of its requirements would not apply to small and mid-sized businesses with fewer than 500 employees, less than $50 million in annual revenue, and who collect or process the personal data of fewer than 1 million individuals (Sec. 2(12)). Lastly, there is no mention of a private right of action; however, State Attorneys General would be empowered to bring suit under the Act (Sec. 402(a)).
My sense is that there is not yet enough consensus on certain thorny issues, like the private right of action, state preemption and the scope of applicability, for this bill to pass, but it’s a starting point. Further, it seems that federal action, one way or another, is picking up steam, with the likely result being some action, even if half-hearted.
We’ll stay tuned and see what comes of it.