Does your membership know what you’re doing with their personal data? While a consumer’s right to control the use of their own personal information has been a hot topic for years, it is only recently that state legislatures have begun to take action to enforce those rights by law. To date, at least thirteen states have adopted some form of consumer data protection law, including: California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Florida, Montana, Oregon, and Delaware.
In general, these laws include requirements for business entities to:
- Only collect the types of personal data that are reasonably necessary for the entity’s business purposes. For example, while a customer’s contact information or job title may be reasonably related to their membership, it is likely that a list of the member’s children’s names is not.
- Describe how you will be using the personal data you collect. If you are considering sharing any data with third parties (e.g., sharing your list of event attendees with exhibitors), give individuals the ability to opt out.
- Establish security measures to protect against inadvertent disclosure, loss, or interception of personal data. This can include both technical security (antivirus software, multifactor authentication) and physical security (limiting access to membership files).
- Establish a method for customers to exercise their rights to:
  - Find out what information you hold about the customer;
  - Correct inaccurate information;
  - Request that information about the consumer be deleted; or
  - Opt out of the use of their personal data for targeted advertising, profiling, or sharing with others.
While, to date, the state laws on data protection directly apply only to businesses in the for-profit sector, it may only be a matter of time before nonprofit use of data sees similar scrutiny. And regardless of their legal applicability, the rules prescribed in these state laws represent a best practice for all entities to follow, to protect your valued relations with members and customers and to reduce the risk of a data breach.
ASCE General Counsel Tara Hoke responds to legal questions faced by sections and branches here each month. Send Tara an email with your question.