Privacy Matters: Mistakes To Avoid
By Justine Young Gottshall
It is all too easy for a business that is not subject to a specific privacy statute
or that does not transact sales over the Internet to assume that
privacy is not an issue it must seriously consider. Although the topic
of privacy is far too broad to cover in one article and almost
certainly demands in-depth, fact-specific consultation with
knowledgeable counsel, the following are five important mistakes to
avoid:
Do Not Ignore the Issue
Too many businesses are playing a reverse lottery, assuming they will not be
one of the few targeted for a government investigation, a class action
lawsuit or a reputation-damaging article in a major newspaper.
However, the potential consequences – ranging from hefty fines or
judgments to stock prices plummeting to customer loss and/or ongoing
regulatory oversight and forced change in business practices – make
the stakes too high to ignore privacy as a business issue. The Federal
Trade Commission (FTC) and a number of State Attorneys General (AG)
are extremely active in this area. Many organizations (for example,
Microsoft Corporation, Eli Lilly and the ACLU, just to name a recent
few) have found themselves settling privacy-related cases with the FTC
and/or certain AGs.
Don’t Say It if You Don’t Mean It
Ultimately, each statement made – whether within a privacy policy, elsewhere on a
website or otherwise to the consumer – should be considered an
enforceable privacy contract. Do not make promises you cannot keep.
Ensure that your privacy statements are complete and accurate. It
sounds simple, but separate divisions within a company (for example,
the General Counsel, the Chief Technology Officer and the Vice
President of Marketing) often have separate business objectives and
different bases of knowledge and produce conflicting answers to the
same questions regarding their business’s practices related to
consumer data. It can be the lawyer’s job to make sure all parties
talk to one another, both in drafting an accurate privacy policy and
ensuring that its statements are followed and upheld.
Do Not Address Privacy Issues Merely by Visiting Your Competitors’ Websites
Although this may seem self-evident, clients will often say “but so-and-so is doing
this,” or they will produce a privacy policy for “approval” that they
have simply cut and pasted from one or more other websites. Such
actions violate both principles set forth above (aside from any
additional concerns such actions may raise). Moreover, the “everyone’s
doing it” defense is ineffective. Just because a competitor is
engaging in a practice does not necessarily make it a wise or legal
option.
Do Not Assume Privacy Issues are Limited to Online Issues
While website privacy receives the most attention, any privacy statement must be
treated seriously. For example, in 2002 the FTC brought (and
settled) a case alleging that three defendants sold personal
information collected from high-school student surveys to third-party
marketers, despite statements contained on the surveys that the
information would be used only by education-related entities.
Monitoring offline privacy practices is as important as monitoring
online privacy practices, and it raises particular issues for a
business that collects consumer data both online and offline.
Do Not Assume That It Is Okay to Share Information with the Government
For many companies, being a good corporate citizen dictates cooperation with a
government agency that requests information. Unfortunately, if such
information-sharing runs afoul of a stated privacy promise, a company
may find itself with legal difficulties. For example, JetBlue Airways
recently admitted to violating its privacy policy when, at the request
of the Department of Defense, it shared passenger itineraries with a
third party working with the Department on a project relating to
security. At the time of this writing, both the FTC and the Department
of Homeland Security have opened investigations into the matter.
Whether or not any penalties ensue, JetBlue is certainly suffering
negative publicity and the strain of potentially severe consequences
for its willingness to comply with the government’s request. A similar
concern could arise, for example, if a company received a request from
government criminal investigators for information relating to a
website visitor who participated in a user forum or downloaded
software. Although one’s initial instinct may be to comply with a
governmental request, it may be necessary to demand a subpoena first
or to take other steps with counsel to protect the company.
Conclusion
Privacy issues, both online and off, are becoming increasingly important to address.
Even an unintentional error can lead to thousands of dollars (in some
cases totaling in excess of six figures) in fines, lost revenue and/or
other costs and penalties. Thus, although the above rules are only a
starting point, each is an important issue that should be carefully
considered by all businesses and their counsel.