On February 27, 2015, the Secretary of the Department of Consumer Affairs of Puerto Rico (“DACO”, for its Spanish acronym) approved Regulation No. 8568 (*.PDF in Spanish) entitled “Regulation to Implement the Publishing of Privacy Policies Regarding Citizens’ Private and Personal Information Management, as Collected in Puerto Rico” (translation ours). It will become effective on June 27, 2015. As its name suggests, Regulation 8568 is intended to govern the manner in which businesses in Puerto Rico will publish their privacy policies concerning the personal information they gather from their customers and clients when conducting commercial transactions on the internet.
Regulation 8568 defines “personal information” as any name or number that may be used, by itself or coupled with other information, to identify a specific individual, including, for example, his/her name and last name, social security number, date and place of birth, civil status, gender, postal or physical address, email address, or phone number, among other identifiers.
Regulation 8568 applies to every entity registered to do business in Puerto Rico, or that conducts business in Puerto Rico, and which gathers personal information from Puerto Rico’s residents through the internet. These rules, however, do not apply to internet service providers that do not own or operate commercial web pages.
Businesses will have the option to design their own privacy policies, or they can choose to draft and identify their policies around three categories of personal information protection already established by Regulation No. 8568: Level I, Level II or Level III. If a business chooses one of the three default models, it must comply with all the criteria set forth for that particular model and must also use the preset logo corresponding to that particular model. Either way, every policy must contain, at minimum, the following elements:
- Business name;
- Type of personal information collected;
- Policy regarding disclosure of personal information to third parties, and under what circumstances such information is shared with those third parties;
- Date on which any amendment will become effective;
- How the webpage responds to “Do not Track” signals; and
- Whether or not third parties can compile personal information regarding the customer’s online activities across different webpages.