Every business owner dreams of being the next Google or Facebook. Yet, when it comes to the handling of privacy, these two giants have attracted their fair share of bad publicity and lawsuits. Respect for privacy (or lack thereof) is a serious matter and can lead to major legal headaches.
- Don’t be evil overseas. Earlier this year, three executives at Google were found guilty of criminal charges in an Italian courtroom, in a well-publicized case stemming from a video made by Italian students who were bullying a classmate with Down Syndrome. The video was posted to Google Video in 2006, remained online for two months, and was removed by Google within 24 hours of a complaint. The Milan court ruled that the Google execs (including, notably, its global privacy counsel) were guilty of criminal invasion of privacy, and sentenced them to six months in jail.
- Don’t be evil here, either. Google recently dodged a huge bullet in the US when the FTC decided to slap them on the wrist for past privacy violations, including the use of roving vehicles for its Street View mapping project, not only photographing streets and residential houses, but also collecting data from private, unsecured wi-fi networks. The FTC concluded its privacy probe after Google apologized, promising not to use the data and pledging to improve their privacy safeguards.
- That Social Network. Facebook’s CEO and co-founder Mark Zuckerberg famously said that the era of social networking has ushered in a new “social norm” which essentially renders many conventional notions of privacy obsolete. Unsurprisingly, the website has been the subject of much litigation related to privacy, yet continues to grow in mass appeal, at 500 million members and counting, despite repeated allegations that it breaches its own published privacy policies.
What is PII, exactly?
Privacy Policies – what are they, and what do they cover?
What laws and regulations apply to privacy policies?
Although it may come as a surprise, the US has no explicit constitutional right to privacy aside from the general guarantees provided by the First and Fourth Amendments against privacy invasions by governments and state actors. Individuals are not otherwise protected from the collection and use of personal information by private businesses, and tort remedies are often inadequate where monetary damages are difficult to prove. In response to these concerns, the FTC enacted regulations to protect PII, including:
- The FTC Act: prohibits unfair or deceptive acts and practices in the marketplace by enforcing companies' own privacy promises about how they collect, use and secure consumers' personal information.
- The Gramm-Leach-Bliley Act: governs privacy policies for financial institutions, and mandates industry-specific privacy notices and safeguards for PII. The FTC works with the Securities and Exchange Commission, the U.S. Treasury Department and other federal agencies to protect and enforce consumer privacy in the financial sector.
- Access: How can my users view and correct their personal information? Companies should allow users to access and review PII concerning them upon request, and should establish a quick, easy and inexpensive process by which consumers can correct factual inaccuracies.
What other best practices should I follow?
- How will I notify my users of changes to the policy? If you make material changes to your privacy practices, you should ensure your users are aware of the changes – for example, by requiring acceptance of the updated policy, sending an email notification, or posting a conspicuous website announcement. The FTC has flagged the retroactive application of new privacy policies, or unannounced policy changes, as a potentially deceptive or unfair business practice.
What remedies might I face for privacy violations?
The FTC and State AGs are empowered to impose fines, restitution damages and other sanctions if a law or regulation has been breached. They can increase notice and disclosure requirements and require affirmative consent for certain practices such as online data collection. Just this year, the FTC has brought high-publicity cases against Rite-Aid for HIPAA violations, Twitter for failure to establish an adequate information security program, Dave & Buster's for compromising customers' credit and debit cards, and ControlScan for misleading its customers about the certification of online retailers as private and secure. As we saw in the Google-Italy case, repercussions can in rare cases include criminal prosecution and imprisonment. In countries where laws and religious culture are intertwined, seemingly innocuous business practices or offerings might result in criminal liability.
What about “safe harbor”?
Companies in the technology sector are exposed to foreign liability for privacy violations under a myriad of international laws and regulations. International laws related to sales taxes are a common problem area, as are contests, sweepstakes and other promotions, which may violate foreign consumer protection laws. US companies transacting business in Europe can opt-in to the Safe Harbor program, designed to streamline compliance with the EU Data Protection Directive. Participation in the Safe Harbor program mitigates risk by certifying that the US company took good faith measures to follow the Directive, thus limiting or eliminating liability for legitimate mistakes or excusable violations.
Call to action.