Regulatory: Drafting and reviewing your privacy policy
With almost daily news reports of data breaches, hacking intrusions and companies collecting and using information contrary to their stated policies, privacy has become a front-burner issue for C-suite executives.
April 10, 2013 at 04:00 AM
12 minute read
The original version of this story was published on Law.com
This article is the last in a series of three to discuss the importance of, and recent developments affecting, privacy and data security, and the issues that corporate counsel need to consider in these areas. Read parts one and two.
The first two articles in this series focused on the need for companies to think about and incorporate privacy into their corporate culture. With almost daily news reports of data breaches, hacking intrusions and companies collecting and using information contrary to their stated policies, privacy has become a front-burner issue for C-suite executives, which means it becomes an issue for in-house counsel. Therefore, counsel are well-advised to review their company's existing policy, or, if one does not exist, to develop one, as well as corporate data security practices. This applies to apps as much as websites.
The first step in developing or reviewing a policy is to understand what such a policy requires. Every week I receive calls from existing and prospective clients seeking a privacy policy ASAP. “Isn't there an ‘off-the-shelf’ policy that you can send me?” they often ask. Unfortunately, there is no such thing as a canned privacy policy that is appropriate for every company. Instead, developing a policy requires thought and input from various stakeholders, so that it accurately reflects the company's actual data collection, use and security practices.
Although there is no federal law that dictates specifically what information a company must include in a policy, there are particular requirements for companies in industries that are governed by specific laws and regulations, such as healthcare providers and payers (the Health Insurance Portability and Accountability Act) and financial institutions (Gramm-Leach-Bliley Act). In addition, websites and online services (including apps) that are directed to or that are likely to be visited by children under the age of 13 must comply with the Children's Online Privacy Protection Act. Also, as noted in my prior columns, some states have laws that require companies to post a privacy policy and maintain certain data security standards. These laws apply to apps as well as websites.
So, unless governed by any of these laws, companies are free to develop a policy in any way they deem appropriate. That said, at a minimum a policy should include certain standard information, such as what data the website or app collects, how it is used and, if applicable, how it is shared. With regard to collection, the policy should describe what information is collected from users by their own action (such as name, contact information and account or demographic information, as applicable) and what is collected passively, such as through the use of cookies and other tracking mechanisms. The policy should also describe how the website or app operator uses and shares user information, whether users have access to their information and the ability to review and change it, and whether they can stop the sharing.
The policy should also indicate whether, and which, security measures the company uses to protect the data. On that point, a company should accurately describe, and not overstate, its data security policies and procedures. Unfortunately, unless the IT department or those responsible for hosting the website or app are involved, lawyers have virtually no idea how data is maintained and protected. Therefore, it is absolutely necessary to engage these groups in this process.
Once the above issues have been addressed, the policy should include provisions that may not be so obvious. It is incumbent upon counsel to anticipate events that may impact how the company may possibly use data in the future. For example, in the event the company is sold or goes into bankruptcy, the policy needs to make clear that data collected on the website or through the app is an asset of the company and, as such, will be subject to transfer in a sale to another entity.
The need for this provision arose about a decade ago when an e-commerce company tried to sell its customer database in a bankruptcy proceeding. In that case, the Federal Trade Commission (FTC) sought to block the sale of a customer database developed by online toy seller Toysmart, citing the company's privacy policy, which promised consumers that it would not sell or share customer information with any other party. The sale, the FTC argued, would violate Toysmart's privacy policy and thus amount to an unfair and deceptive trade practice in violation of the FTC Act.
Two lessons came out of the Toysmart case. First, be careful not to make a promise in a policy that may limit your ability to use and share user information in the future. While you and your business clients may feel compelled to promise consumers that their information will not be used or shared for any purpose other than for the specific purpose for which the information may have been collected, your ability to change that position in the future will be severely, if not absolutely, hampered, and any such change will apply only to information collected going forward.
Second, be sure to include a provision that specifically identifies user data (both volunteered by consumers and passively collected about them) as a corporate asset, which may be subject to transfer in the event of a sale or liquidation. Without such a provision, your or your successor's ability to transfer a customer database may be challenged and, if so, the value of the assets intended to be transferred may be significantly impacted.
The “Toysmart” provision is but one example of a unique privacy issue that arose from a company's initial good intentions, but which later stymied its ability to enter into a business transaction. Many similar situations have occurred since then that have given rise to other provisions that are now commonplace in today's privacy policies. It is therefore incumbent upon in-house counsel to closely follow privacy developments in order to competently advise clients in this area.
Last, and most importantly, once you develop a privacy policy, you must live by it. With the exception of a few privacy laws, such as the ones discussed above that set forth particular statutory requirements, virtually all cases brought by regulators and consumers have involved a company collecting or using customer data in a manner contrary to its publicly stated privacy policy. In-house counsel must work with internal clients to ensure that all stakeholders understand the importance of developing a policy that everyone can live up to, and then live up to it. If not, the legal and reputational consequences that may result from such actions can be extremely damaging, and perhaps irreversible.