Litigation: Practical and legal considerations for online privacy policies
January 24, 2013 at 04:15 AM
10 minute read
The original version of this story was published on Law.com
Most companies with an online presence post a “privacy policy” on their websites that describes how the company obtains, manages, uses and discloses information regarding their customers (or users of the website), as well as describing any rights that customers have with respect to the company's use of that information. When drafting privacy policies, companies typically seek to provide complete and detailed disclosures while rendering those disclosures in concise language to avoid the risk of customer confusion.
Drafting a privacy policy in language that customers can understand has become more essential as customers are increasingly interested in privacy-related issues. A 2012 survey by TRUSTe, a privacy management solutions provider, found that 94 percent of respondents thought privacy was an important issue, 60 percent of respondents were more concerned about online privacy than a year before and 35 percent of respondents stated that they have stopped doing business with a company over privacy concerns. Moreover, 85 percent of respondents who owned a smartphone say they wouldn't download mobile applications that they don't trust. Given this trend of increasing privacy-related concerns, many companies recognize that their online privacy policy can provide a means of building trust and goodwill with their customers.
Consistent with the growing public awareness of online privacy issues, the Federal Trade Commission (FTC), the Better Business Bureau and the Mobile Marketing Association have issued guidelines for companies that are drafting privacy policies. Collectively, these guidelines suggest that privacy policies be written in easy-to-understand English (not “legalese”) and address, at a minimum, these five topics:
- What information does the company collect and how does it do so?
- How does the company protect the information it collects?
- How does the company use the information it collects?
- Does the company share the information it collects with others, and if so, what is shared and with whom is the information shared?
- Do customers have control over their personal data, and if so, what control do they have?
Although these guidelines can assist companies in drafting a consumer-friendly privacy policy, for some companies the contents of a privacy policy are mandated by law. Both federal and state laws regulate what must be disclosed in a privacy policy by companies that collect, use and share customer information in a variety of circumstances. For instance, the Children's Online Privacy Protection Act governs websites or online services that collect personal information and are directed toward children under the age of 13 or that knowingly collect information from children under the age of 13. In addition, the Gramm-Leach-Bliley Act regulates the use and sharing of financial information by financial institutions, and the Health Insurance Portability and Accountability Act and related regulations govern privacy related to health-care services.
Many states have enacted privacy laws, but one such law that has received significant press recently due to enforcement activities by the California attorney general is the California Online Privacy Protection Act (CalOPPA). CalOPPA governs “any commercial web sites or online services,” including mobile applications, “that collect personal information on California residents through a web site” and explicitly mandates the posting of a privacy policy that describes what personally identifiable information about customers is being collected and what will be done with that information. Although the scope of this article is limited to compliance with domestic laws, companies operating outside the U.S. also need to be aware of laws governing privacy policies enacted by other countries.
Beyond the issue of whether a privacy policy complies with legal requirements, companies should also be aware that making explicit representations in a privacy policy regarding how customer data will be used or maintained can create litigation and regulatory enforcement risks. Indeed, the FTC has launched investigations and filed complaints against companies that allegedly failed to abide by their own privacy policies.
Even companies that are taking steps to protect customer information are potentially subject to claims arising from employee mistakes or intrusions by hackers. For example, in Resnick v. AvMed, Inc., the class action complaint alleged that the plaintiffs had provided private information to AvMed, a health-care services provider that had promised in its service contract “to ensure the confidentiality of information about members' medical health condition being maintained by the Plan and the right to approve or refuse the release of member specific information including medical records, by AvMed, except when the release is required by law.” The plaintiffs further alleged that, despite AvMed's assurances of confidentiality, unsecured laptop computers containing unencrypted, sensitive information of approximately 1.2 million current and former AvMed members were stolen from an AvMed office—thereby subjecting the class to a risk of identity theft, and allegedly resulting in unauthorized financial accounts being opened in both of the plaintiffs' names, among other alleged wrongdoing. The 11th Circuit reversed the district court's dismissal of the action, holding that the plaintiffs' allegations were sufficient to state a claim for breach of contract, among other claims.
For companies that offer products and services to their customers through the Internet, ultimately there is no one-size-fits-all approach to drafting a privacy policy. The appropriate substance and form of a privacy policy depends on the nature of the company's online presence, what information it collects about its customers and what it does with the information. And given the frequent developments in statutory, regulatory and case law in this area, companies should have counsel review their privacy policies regularly.