by Patrick Kellermann
This article will focus on data privacy compliance. Any time a business collects, stores or shares information about consumers, data privacy questions must be asked and answered.
Do you collect only what you say you do? Do you gather only what you think you do? How do you maintain the information? For what purpose? With whom and how do you share the information? What do they do with it? What can they do with it? And for each of these questions, ask: are you sure?
In the past two years, the Federal Trade Commission (FTC) has flexed its enforcement muscles, taking on Internet behemoths Google, Facebook, Twitter, and earlier this month, Myspace. The FTC will continue to focus much of its enforcement efforts on individuals and companies that violate consumers’ data privacy rights. That’s not a prediction—it’s a certainty.
For example, according to the Myspace complaint, in contrast to averments in its privacy statement, the company shared information with third parties without notice to, or permission from, users; enabled advertisers to individually identify users; shared member web-browsing information with advertisers, and violated principles of the US-EU Safe Harbor Framework.
For engaging in these allegedly deceptive practices, Myspace was ordered to implement a comprehensive privacy program, conduct periodic privacy audits and provide biennial privacy assessment reports to the government for a 20-year period, and retain certain materials for a five-year period.
You may wonder, why issue a privacy statement if it triggers legal exposure? After all, outside of industry-specific laws/regulations—i.e., Gramm-Leach-Bliley (finance); HIPAA (health)—federal law does not require companies to make a public privacy statement. Here are some reasons:
- Competitive Advantage. A seller may offer the privacy assurances to prospective customers to distinguish it from competitors.
- Good Corporate Citizenship. Privacy statements are emblematic of good corporate citizens that respect consumer privacy.
- State Law. Though federal law does not mandate public advisement of data practices, certain state laws do.
- Business Enabling. Most businesses, and every large company, dealing in consumer information require publicized privacy assurances as a prerequisite to building a business relationship.
- Legal protection. Privacy statements offer an opportunity to eliminate allegations that a business did not provide notice of its consumer data usage, to limit liability for an associated entity’s conduct, or to reserve the right to amend its policies.
Also note, enforcement under Section 5 of the FTC Act need not rely on a deceptive Privacy Statement. To protect consumer data privacy, the FTC, with increasing frequency, charges “unfairness” for acts or practices that: (1) cause substantial consumer injury which is (2) not reasonably avoidable by consumers and (3) not outweighed by countervailing benefits to consumers or competition.
Recent examples of alleged practices deemed “unfair” by the FTC include: the failure by Upromise, a membership rewards service, to take reasonable and appropriate measures to protect consumers’ data (2012); the design of FrostWire’s peer-to-peer sharing software causing consumers to unwittingly share personal files (2011), and Facebook’s unilateral and retroactive change to user’s privacy selections, without users’ informed consent (2011).
A privacy statement or policy is just one part of an overall data privacy compliance program that respects consumer’s privacy, invites business opportunities, and mitigates enforcement risk.
Patrick Miguel Kellermann is an associate in LeClairRyan’s Washington, D.C. office. Patrick focuses primarily on white collar defense and compliance matters, with experience representing client in matters involving the Foreign Corrupt Practices Act, securities fraud, the International Traffic in Arms Regulations and other export-control laws, Congressional investigations, and criminal antitrust investigations.