Puerto Rico Legislature Considers Significant Overhaul of Data Privacy Laws
On November 8, 2023, the Senate of Puerto Rico approved House Bill No. 1548, “The Consumer Data and Personal Information Protection Act” (the “Bill”) with minor amendments, placing the Bill on the road to the House and Senate Conference Committee and potentially full legislative approval. The Bill, as proposed, would be a significant overhaul of the data collection and privacy laws applicable in Puerto Rico, placing us in alignment with more regulated jurisdictions such as California or the European Union (through the GDPR). Among the new changes proposed in the Bill, all of which are effective immediately upon the Bill becoming law, are:
- Requires all individuals or entities who collect consumer data (“Data Controllers”) not only to have a visible privacy policy in place, but also to review and update it every six (6) months. Currently, the legal obligation is simply to have a privacy policy publicly available should consumer data be collected.
- Requires the privacy policies to be in the consumer’s “maternal tongue” (which should be read as, at the very least, in Spanish and English), to be written in a clear and understandable language (which should be read as being less of a legalese document and more of a consumer friendly document), and must be actively visible to the consumer (meaning it cannot be buried at the bottom of the page, but rather placed front and center to the consumer).
- Requires privacy policies to disclose the manner in which users can request deletion of their personal data, correct any information in their personal data (such as name, gender, etc.), and request a copy of their personal data in order to transfer it to another service or carrier. In the case of larger Data Controllers (entities who do not fall under the definition of a PYMES), it requires additional disclosures such as the sources from which the data is obtained, the purpose for collecting said data, all third parties with whom the data will be shared, and the time for which the data will be stored by the Data Controller.
- Places a limit on how long a consumer’s data can be kept, with said limit being twenty-four (24) months, save for specific exceptions provided for in the Bill.
- Prohibits the practice of Data Mining.
- Requires active consumer consent upon accessing the site to personalize ads (or not).
- Requires Data Controllers to have reasonable measures and policies in place as to the technological safeguards used to store the consumer data.
The Bill would present considerable legal and technological challenges for existing companies in Puerto Rico seeking to comply with its provisions, especially if the Bill retains its immediate effective date. Under the Bill, the Puerto Rico Department of Consumer Affairs (“DACO”, for its Spanish acronym) would retain jurisdiction to receive any consumer complaints and adjudicate them accordingly. Given the ease with which any consumer can file a DACO complaint, the potential costs of compliance for companies operating in Puerto Rico are not insignificant.
Companies doing business in Puerto Rico should not wait for the Bill to be approved to begin mapping out the compliance costs and technology adjustments that are needed in order to comply with the Bill. At Ferraiuoli, we are ready to work with companies who would be subject to the Bill’s provisions to ensure smooth and prompt compliance with the Bill should it become law.