On February 27, 2015, the Secretary of the Department of Consumer Affairs of Puerto Rico (“DACO”, for its Spanish acronym) approved Regulation No. 8568 (*.PDF in Spanish) entitled “Regulation to Implement the Publishing of Privacy Policies Regarding Citizens’ Private and Personal Information Management, as Collected in Puerto Rico” (translation ours). It will become effective on June 27, 2015. As its name suggests, Regulation 8568 is intended to rule on the manner in which businesses in Puerto Rico will publish their privacy policies concerning the personal information they gather from their customers and clients when conducting commercial transactions on the Internet.
Regulation 8568 defines “personal information” as any name or number that may be used, on itself or coupled with other information, to identify a specific individual, including, for example, his/her name and last name, social security number, birth’s date and place, civil status, gender, postal or physical address, email address, or phone number, among other identifiers.
Regulation 8568 applies to every entity registered to do business in Puerto Rico, or that conducts business in Puerto Rico, and which gathers personal information from Puerto Rico’s residents through the internet. These rules, however, do not apply to internet service providers that do not own or operate commercial web pages.
Businesses will have the option to design their own privacy policies or they can choose to draft and identify their policies around three categories of personal information protection already established by Regulation No. 8568: Level I, Level II or Level III. If a business chooses one of the three default models, it must comply with all the criteria set forth for that particular model and must also used the preset logo corresponding to that particular model. One way or another every policy must contain, at minimum, the following elements:
- Business name;
- Type of personal information collected;
- Policy regarding disclosure of personal information to third parties, and under what circumstances such information is shared with those third parties;
- Method through which customers are notified of amendments to the privacy policy subsequent to its original disclosure;
- Date on which any amendment will become effective;
- How does the webpage responds to “Do not Track” signals; and
- Whether third parties can compile personal information regarding the customer’s online activities, in different webpages, or not.
Every business must include in its webpage a link that provides customers access to the company’s privacy policy.
Fines for disclosing a privacy policy that inaccurately portrays the way in which the entity manages its customer’s personal information; and for displaying a logo or symbol that has not been authorized by DACO or that does not correspond to the company’s actual privacy practices, can go as high as fifty thousand dollars ($50,000).