Hospitality, Alcohol & Leisure Blog

Beyond the Three-Tier System: Unraveling the Complexities of Consumer Data Compliance

January 4, 2024

By: Jaci Flug, Esq. and Louis J. Terminello, Esq.

The three-tier system is designed to limit how suppliers can directly interact with consumers. Yet today, many suppliers can and do engage directly with consumers. Suppliers now collect personally identifiable information (PII) to facilitate sales thanks to the expansion of direct-to-consumer (DTC) laws. The growth of e-commerce and technology for on-premises suppliers has also created new avenues for consumer data. In an age where data is king, suppliers welcome this new treasure trove of insights and marketing avenues, but with great data comes great responsibility in the form of compliance. Suppliers unaccustomed to engaging directly with consumers must now educate themselves on compliance with the growing web of consumer data privacy laws.

Each year, state legislatures pass new consumer protection laws empowering consumers to control their information. These laws require many companies to delete, correct, and limit the sharing of PII if a consumer makes a formal request. The requirements of these laws can apply even if suppliers are not gathering PII from consumers directly, but rather are purchasing the data from data brokers or other third-party partners. Adding further complications, those suppliers that can sell DTC may be collecting PII directly in addition to using third parties. If data is being collected or purchased from different sources, different datasets may be subject to different compliance measures. Like the unique three-tier system of each state, consumer privacy laws are being hatched state by state, and there may never be a unified national model.

As suppliers collect and increase their consumer data, it would serve them well to create data maps detailing:

  1. What information they are collecting and ingesting;
  2. Where that information is from (both the source of the data and the location of the data subjects);
  3. What systems store the data; and
  4. Where and to whom they have released, shared, or sold the data.

Suppliers should also check all contracts they have entered into that involve data sharing to identify any applicable restrictions or requirements, as well as examine their own contract templates to ensure they are compliant with the newest privacy laws. If a deletion request is received, granular knowledge about the data’s origins and whereabouts is essential. Without the above, compliance with any regulation will prove difficult if not impossible.

About Greenspoon Marder

Greenspoon Marder LLP is a full-service law firm with over 215 attorneys and more than 20 office locations across the United States. With operations from Miami to New York and from Denver to Los Angeles, our firm attracts some of the nation’s top talent in key markets and innovation hubs. Our core practice areas include Real Estate, Litigation, and Transactional Services, complemented by the capabilities of a full-service firm. Greenspoon Marder has maintained a spot on The American Lawyer’s Am Law 200 as one of the top law firms in the U.S. since 2015, and our goal is to provide exceptional client service by developing a thorough understanding of each client’s business needs and objectives in order to provide strategic, cost-effective solutions.
