IP: 5 ways to reduce the risk of privacy breach claims
Until Congress implements general privacy legislation, it will remain challenging to strike the right balance in drafting a privacy policy.
August 13, 2013 at 08:33 AM
4 minute read
The original version of this story was published on Law.com
The increasing number of Federal Trade Commission (FTC) enforcement actions in recent years against high-profile companies like Google, Facebook and Twitter for alleged privacy breaches — and the penalties imposed by the FTC, including 20 years of FTC supervision and a record $22.5 million civil penalty against Google — should make companies take a long, hard look at their privacy policies and how they handle their consumers' personal information.
But the courts have recently provided another reason to be concerned. In one of the largest privacy class action suits ever filed, the 7th Circuit in Harris v. comScore allowed a class action to proceed against an online data research company for alleged violations of federal privacy statutes, including the Stored Communications Act (SCA) and the Electronic Communications Privacy Act (ECPA). At the heart of the complaint was the plaintiff's claim that comScore's software collected more personal information about its users than was disclosed in the company's terms of service and that the company secretly sold this information to third parties, who in turn used the data for marketing research.
The holding in comScore may signal a change in this area of the law: Until recently, courts have generally found that putative class members lack standing to pursue class actions where there is no evidence of actual harm, and therefore plaintiffs had difficulty in surviving motions to dismiss in privacy breach cases. In comScore, however, the court rejected the research company's argument that the class was unmanageable because each plaintiff had to prove actual damages. The court instead held that the damages claimed were statutory in nature and thus easily ascertainable in a class proceeding, with no need for individual showings of injury. The SCA, for example, provides a minimum statutory fine of $1,000 for a violation, while the ECPA provides a statutory penalty range of $50 to $10,000.
With the stakes so high, companies should, at a minimum, take the following steps to limit the potential risk for privacy breach claims.
- First and foremost, say what you do, and do what you say. Most FTC enforcement actions and civil privacy cases arise from a company's violation of its own privacy policy. There is no such thing as a privacy policy template. Privacy policies must be thoughtful and must accurately and clearly describe how a company uses the consumer's personal information.
- Monitor all representations made by or on behalf of your company about its privacy policies, and periodically compare these promises to what is done in practice. If the promises change, your policy needs to change. And if the change is material, it cannot be made retroactively unless consumers expressly opt in to the change.
- Educate your information technology, information security, marketing, HR and sales teams about the terms of your company's privacy policy and require senior management approval for any proposed changes to, or deviations from, the policy.
- Ensure that your company abides by all of its privacy promises and establish stated consequences for failure to comply.
- Collect only personal information that is reasonably necessary for your business to provide goods or services to the consumer, and don't retain personal information beyond what is reasonably necessary to complete a transaction or provide a service.
- Make your privacy policy easy to read and provide access to this policy on every single page of your website.
Until Congress implements general privacy legislation, it will remain challenging to strike the right balance in drafting a privacy policy. That said, the FTC has issued guidelines that companies should consider when drafting a privacy policy and deciding what safeguards to implement. The FTC's recent report entitled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers” outlines what the agency believes to be best practices for companies to protect consumer privacy and give consumers greater control over the collection and use of their personal data. This includes building in privacy protections at every stage of product/service development, simplifying consumer choice regarding information sharing, including do-not-track mechanisms, ensuring greater transparency, and disclosing details about the collection and use of consumers' information. The FTC has also issued privacy guidelines specifically for mobile use. At a minimum, it would be wise for companies to consult these and future FTC guidelines and work closely with counsel in crafting a sensible policy with which the company can and will comply.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTarget's Don Liu: 4 Fortune 500 GC Posts, a Singular Focus on Opening Doors for Asian Americans
9 minute readRegulators Say AI Enforcement Sweeps Are Reining in Hucksters, Not Innovation
Trending Stories
- 1The Law Firm Disrupted: Playing the Talent Game to Win
- 2Preparing Your Law Firm for 2025: Smart Ways to Embrace AI & Other Technologies
- 3GlaxoSmithKline Settles Most Zantac Lawsuits for $2.2B
- 4BD Settles Thousands of Bard Hernia Mesh Lawsuits
- 5Monsanto Moves to Pause PCB Trial That Starts This Week
Who Got The Work
Blank Rome partner Andrew T. Hambelton has stepped in to defend Fragrancenet.com in a pending trademark infringement lawsuit. The case, filed Aug. 29 in New York Southern District Court by the Blakely Law Group, targets the defendants for allegedly selling counterfeit fragrance products. The case, assigned to U.S. District Judge Lorna G. Schofield, is 1:24-cv-06521, Abercrombie & Fitch Trading Co. v. Quester (US) Enterprises, Inc. et al.
Who Got The Work
Davis Polk & Wardwell partners Mari Grace and Edmund Polubinski III have entered appearances for Australia-based Bitcoin-mining company Iris Energy and other defendants in a pending securities class action. The action, filed Oct. 7 in New York Eastern District Court by the Rosen Law Firm, contends that the defendants concealed the inadequacy of the company's site in Childress County, Texas, including it being 'ill-equipped' and unable to operate the company's proprietary design. The case, assigned to U.S. District Judge Peggy Kuo, is 1:24-cv-07046, Williams-Israel v. Iris Energy Limited et al.
Who Got The Work
Ryan S. Stippich of Reinhart Boerner Van Deuren has entered an appearance for biopharmaceutical company Veru Inc. and other defendants in a pending shareholder derivative lawsuit. The action, filed Sept. 30 in Wisconsin Western District Court by the Brown Law Firm on behalf of June Ovadias, accuses the defendant of failing to disclose that small sample sizes and other issues rendered it unlikely that the FDA would grant Emergency Use Authorization for the cancer drug candidate sabizabulin as a potential treatment for COVID-19. The case, assigned to U.S. District Judge William M. Conley, is 3:24-cv-00676, Ovadias, June v. Steiner, Mitchell et al.
Who Got The Work
Holland & Knight partners Cynthia A. Gierhart and Thomas Willcox Brooke have entered appearances for Pakistani American Political Action Committee and Rao Kamran Ali in a pending trademark infringement lawsuit. The action, filed Sept. 24 in District of Columbia District Court by Jackson Walker on behalf of Pakistani American Public Affairs Committee, accuses the defendants of using a mark that's confusingly similar to the plaintiff's 'Pak-Pac' marks without authorization. The case, assigned to U.S. District Judge Randolph D. Moss, is 1:24-cv-02727, Pakistani American Public Affairs Committee v. Pakistani American Political Action Committee et al.
Who Got The Work
Lauren M. Rosenberg and Yonatan Even of Cravath, Swaine & Moore have stepped in to represent Israel-based Oddity Tech Ltd. in a pending securities class action. The case, filed Aug. 30 in New York Southern District Court by Pomerantz LLP and Holzer & Holzer, contends that the defendant made materially misleading statements regarding the capability of Oddity's AI technology and ongoing civil litigation, resulting in the artifical inflation of the market price of Oddity's securities. The case, assigned to U.S. District Judge Margaret M. Garnett, is 1:24-cv-06571, Hoare v. Oddity Tech Ltd. et al.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250