Watch Out for Data Privacy — A Primer on Risks
Patrick Kellermann (a regular contributor) and Tom Cohn, both from LeClair Ryan, are guest contributors today and provide an important posting on data privacy, a fast growing and important issue which creates significant risks for all businesses. Patrick and Tom can be reached here and here, respectively.
This post, the first in a continuing series, will focus not on crime or corruption, but on compliance of a different sort: data privacy compliance. Any time a business collects, stores or shares information about consumers, data privacy questions must be asked and answered. Do you collect only what you say you do? Do you gather only what you think you do? How do you maintain the information? For what purpose? With whom and how do you share the information? What do they do with it? What can they do with it? And for each of these questions, ask: are you sure?
In the past two years, the Federal Trade Commission (FTC) has flexed its enforcement muscles, taking on Internet behemoths Google, Facebook, Twitter, and earlier this month, Myspace. The FTC will continue to focus much of its enforcement efforts on individuals and companies that violate consumers’ data privacy rights. That’s not a prediction, it’s a certainty.
The FTC’s primary enforcement tool is Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The FTC often brings cases on a “deception” theory, based on a business’s failure to live up to representations in its own privacy statements or policies, or its failure to disclose material facts about its privacy-related practices. (We’ll use the term “privacy statement” to cover all name variations, including privacy policy or privacy notice.) For example, according to the Myspace complaint, in contrast to averments in its privacy statement, the company shared information with third parties without notice to, or permission from, users; enabled advertisers to individually identify users; shared member web-browsing information with advertisers; and violated principles of the US-EU Safe Harbor Framework.
For engaging in these allegedly deceptive practices, Myspace was ordered to implement a comprehensive privacy program, conduct periodic privacy audits and provide biennial privacy assessment reports to the government for a 20-year period, and retain certain materials for a five-year period.
You may wonder: why issue a privacy statement at all, if it triggers legal exposure? After all, outside of industry-specific laws and regulations (e.g., Gramm-Leach-Bliley for finance, HIPAA for health), federal law does not require companies to make a public privacy statement. Here are some reasons:
- Competitive Advantage. A seller may offer the privacy assurances to prospective customers to distinguish it from competitors.
- Good Corporate Citizenship. Privacy statements are emblematic of good corporate citizens that respect consumer privacy.
- State Law. Though federal law does not mandate public advisement of data practices, certain state laws do.
- Business Enabling. Most businesses, and every large company, dealing in consumer information require publicized privacy assurances as a prerequisite to building a business relationship.
- Legal Protection. Privacy statements offer an opportunity to forestall allegations that a business did not provide notice of its consumer data usage, to limit liability for an associated entity’s conduct, and to reserve the right to amend its policies.
Also note that enforcement under Section 5 of the FTC Act need not rely on a deceptive privacy statement. To protect consumer data privacy, the FTC, with increasing frequency, charges “unfairness” for acts or practices that: (1) cause substantial consumer injury which is (2) not reasonably avoidable by consumers and (3) not outweighed by countervailing benefits to consumers or competition. Recent examples of alleged practices deemed “unfair” by the FTC include: the failure by Upromise, a membership rewards service, to take reasonable and appropriate measures to protect consumers’ data (2012); the design of FrostWire’s peer-to-peer sharing software, which caused consumers to unwittingly share personal files (2011); and Facebook’s unilateral and retroactive change to users’ privacy selections, without users’ informed consent (2011).
A privacy statement or policy is just one part of an overall data privacy compliance program that respects consumers’ privacy, invites business opportunities, and mitigates enforcement risk. Stay tuned for later posts that will flesh out these and other elements.