During the past two years, an increasing number of Web sites have adopted privacy policies describing for users how the sites collect and use personal data. Significantly, these policies generally have been adopted to meet user expectations and not because of any legal or regulatory requirement to do so. Many companies therefore operate under the false assumption that there can be no legal risk to posting a comprehensive privacy policy. However, in a number of recent cases, federal and state regulators, as well as private litigants, have alleged that companies engaged in unlawful deceptive practices by failing to adhere to their own privacy policies. In order to minimize the risk of such legal and regulatory action, companies need to consider carefully how they will use personal data, draft a policy that is consistent with such usage, and then monitor and audit their data activities on an ongoing basis to ensure compliance.

INTERNET PRIVACY LANDSCAPE

Today, consumers who buy tulip bulbs from a catalog they received in the mail can be assured that within a few weeks they will receive catalogs from a wide variety of garden product vendors. This is the direct result of their name being sold as part of a mailing list of individuals with certain buying preferences. Direct marketers have been able to engage in this type of activity for years because, in the United States, there are only a small handful of statutes protecting consumer privacy. When the Internet evolved into a robust medium for communicating and transacting with consumers, e-tailers assumed that they also could make broad use of personal information to promote and market their products and to sell that information to interested third parties. While these e-tailers were correct as a matter of law, few anticipated the widespread consumer backlash against the use of personal information that was collected on the Internet.
A number of theories have evolved as to why this backlash developed, including the sheer power of the Internet as a technology to collect and mine data and the loss of control consumers have as to how their information might be used. Whatever the cause, Web-site owners now operate in an environment where privacy policies are not only highly scrutinized, but where broad-based legislation might soon be enacted. Congress is currently contemplating several on-line privacy bills, partly in response to a request from the Federal Trade Commission that it do so. [FOOTNOTE 1] The FTC’s request was the result of a Web site survey it conducted earlier this year, in which it found, in its view, that numerous Web sites did not have a privacy policy or had privacy policies that did not provide consumers with sufficient information about how their personal information might be used. [FOOTNOTE 2]

LEGAL CHALLENGES

Although most privacy legislation is still only pending, Web sites must nonetheless be vigilant about strictly following their stated policies. The action by the New York State Attorney General against InfoBeat LLC earlier this year provides a good illustration of the difficulties companies may face. [FOOTNOTE 3]

The InfoBeat site provided content and e-commerce for companies looking for marketing strategies on the Internet. The site also included third-party advertising banners that linked to the advertisers’ Web sites. As is common practice, these advertisers received a referring uniform resource locator (URL) address that allowed them to track if a user had linked from InfoBeat. In its privacy policy — titled its “Statement of Integrity” — InfoBeat stated that it never shared an individual user’s personally identifiable information (e.g., name, e-mail address or phone number) with third parties. Unbeknownst to InfoBeat, however, the e-mail addresses of InfoBeat users were inadvertently being embedded in the referring URL sent to two of InfoBeat’s advertisers. [FOOTNOTE 4]

Relying on state consumer protection laws, the New York Attorney General alleged that by sending these e-mail addresses, InfoBeat had violated its own privacy policies and thereby engaged in deceptive business practices and false advertising. InfoBeat was required to enter into an official Assurance of Discontinuance with the New York Attorney General under which it was required to distribute an e-mail message to all of its current members summarizing its privacy practices, hire an independent third-party auditor to review its information practices and refund to the Attorney General’s office the $75,000 cost of the investigation.

In some cases, Web sites have found that activity they would have thought to be perfectly legitimate might violate their privacy policies. For example, in June 2000, Toysmart.com placed its assets, including customer records, up for sale as part of its bankruptcy proceeding and received several bids for the customer data. [FOOTNOTE 5] In response, the FTC and 41 states’ attorneys general filed suits against Toysmart.com alleging that such proposed sale was in direct violation of its privacy policy, which had stated that such information would never be shared with a third party. [FOOTNOTE 6] The FTC eventually entered into a settlement with Toysmart.com under which Toysmart.com agreed to sell all of its assets to one entity, rather than separately selling its customer data. [FOOTNOTE 7] A federal bankruptcy judge held the settlement to be unenforceable, however, and the ultimate determination of Toysmart.com’s data rights remains uncertain. [FOOTNOTE 8]

A company’s failure to adopt, adhere to, and internally audit its privacy policy can also lead to costly class-action lawsuits.
DoubleClick Inc., an Internet advertising company, at one time faced 25 lawsuits alleging that it deceptively tracked, recorded and sold for profit personally identifiable user information and failed to provide adequate safeguards for inadvertent disclosures of such information. The plaintiffs alleged that DoubleClick violated its own privacy policy by falsely stating that its proprietary ad-serving technology did not identify users personally and that all users who received an ad targeted by DoubleClick would remain completely anonymous. [FOOTNOTE 9] The plaintiffs requested, among other remedies, that DoubleClick publish in general circulation newspapers and on the Web sites using its advertising services an admission that it had been collecting personal information without the consent of users.

PROACTIVE PRIVACY POLICIES

Web sites can usually avoid the problems that InfoBeat and others have faced by establishing proactive, ongoing privacy practices.

Draft a Policy That Reflects Practice.

One of the traps that Web sites sometimes fall into is drafting a privacy policy that, from the beginning, does not accurately reflect how the site actually intends to use the data it is collecting. This is often the result of preparing privacy policies in a vacuum or merely copying the privacy policy of another site in a similar line of business. To avoid this trap, all areas of the company that might use data collected on the Web site should be consulted about, and actively involved in, the drafting of the site’s privacy policy. The company should broadly consider how it is currently using data, and how it may do so in the future.
At a minimum, any comprehensive privacy policy should accurately set forth: (i) the means by which user information is collected (e.g., through registration forms, e-mails sent to the company, etc.); (ii) what types of information are collected; (iii) how the information may be used by the Web site; (iv) with whom, if anyone, such information is shared; (v) how such information is kept secure; and (vi) the process by which a user may correct or delete any information previously collected.

Web sites that are drafting new privacy policies or updating existing ones should also take into account the data protection safe harbor principles recently adopted by the U.S. Department of Commerce and the European Commission. [FOOTNOTE 10] Sites that adopt these principles will be deemed to have complied with the EC’s requirement that entities provide an “adequate” level of protection for personal information they receive regarding individuals residing in EC member states. While the safe harbor only applies to information received from the EC, many believe that any U.S. legislation will likely be shaped by such safe harbor provisions. In addition to the six areas of disclosure set forth above, the safe harbor also requires that users be given the opportunity to choose whether disclosure of their personal information is permitted and that reasonable precautions be taken to protect personal information from loss, misuse or unauthorized access. Finally, companies should consider whether they are subject to any existing privacy legislation, such as those statutes protecting the use of financial information or the use of information collected from children. [FOOTNOTE 11]

Update the Privacy Policy.

As diligent as companies may be in drafting their initial privacy policies, the business reality is that their data usage practices will evolve over time.
If a company fails to update its policy to reflect its new practices, it will expose itself to possible lawsuits and regulatory actions. In order to address this, companies should be sure to include in their privacy policies a statement that they may update the policy from time to time and that data collected under the old policy will be subject to the terms of the new policy. Companies might also want to specify how the new policy will be disclosed to its users. This might include merely posting the new policy on the site and including a notice on the home page that the privacy policy has changed, or e-mailing a notice of the new policy to the users. For example, Amazon.com recently blanketed its customer base with an e-mail advising of its updated privacy policy. [FOOTNOTE 12] In the event that the new policy allows the site to make broader use of a user’s personal information, the site should strongly consider allowing existing users to opt out of such new uses.

Audit Privacy Practices.

A company can maintain or update its privacy policy only if it is aware of its data activities. This can be accomplished through a regular and formal data privacy audit. To accomplish this, a company should form a team that is dedicated to addressing on-line privacy matters. [FOOTNOTE 13] This will provide valuable consistency and accountability to the process. Given the growing complexity of privacy matters due to new and evolving legislation, both in the U.S. and internationally, and new technological means to acquire and exploit personal information, the team should include legal, business and technical representatives. The team should first implement and conduct employee training regarding the company’s privacy policy. Knowledgeable employees can better spot potential issues prior to any actual problems.
Such training should also minimize the possibility that employees enter into agreements where the company is making data sharing commitments with third parties that are inconsistent with the company’s stated policies. Indeed, a company may want to require that any contract that involves data use be reviewed by a member of the team.

Second, the team should adopt audit procedures to be undertaken at various times during the year. Such procedures might include the following measures: (i) meeting with the marketing department to learn what data uses are being considered and evaluating whether they are consistent with the company’s privacy policy; (ii) testing all specific practices mentioned in the privacy policy to verify system integrity (e.g., the ability of a user to correct or update information previously collected on the Web site); (iii) reviewing the integrity of database security measures; (iv) “stress-testing” the site to make sure that no personal information is being inadvertently disseminated; and (v) monitoring legislative and regulatory developments in the U.S. and, if applicable, internationally, to make sure that the site is in legal compliance.

Some companies have elected to outsource the audit function to third parties. For example, to increase consumer confidence in its privacy practices, Expedia.com hired PricewaterhouseCoopers to conduct a privacy audit. [FOOTNOTE 14] Whether or not to hire an independent, professional firm to conduct a privacy audit will depend, among other factors, on the size of the company and the extent to which it uses personal data. Regardless of whether it handles these matters in-house or outsources the function to a third party, any company collecting personally identifiable information on-line should strongly consider a privacy audit procedure.
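The InfoBeat matter above turned on e-mail addresses riding along in referring URLs handed to advertisers, which is exactly the kind of inadvertent dissemination that audit step (iv) is meant to catch. The following is an added example, not code from the article or from any company it discusses: a small audit helper that scans outbound URLs (referrer values, ad-banner links) for e-mail addresses, including percent-encoded ones, and flags those going off-site. All URLs, hostnames and parameter names are constructed for the example.

```python
"""Audit helper: find e-mail addresses leaking through outbound URLs.

Added example (not from the article). Sample URLs and hostnames are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Conservative e-mail pattern; it flags candidates for a human to review.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_emails_in_url(url):
    """Return (location, e-mail) pairs found in the path, fragment or query.

    The path and fragment are percent-decoded before matching, and parse_qsl
    decodes query values, so 'alice%40example.com' is caught as well as a
    plain 'alice@example.com'.
    """
    parts = urlsplit(url)
    findings = []
    for name, value in (("path", parts.path), ("fragment", parts.fragment)):
        for match in EMAIL_RE.findall(unquote(value)):
            findings.append((name, match))
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        for match in EMAIL_RE.findall(value):
            findings.append(("query:" + key, match))
    return findings


def audit_outbound_urls(urls, first_party_hosts):
    """Report URLs carrying an e-mail address; mark those pointing off-site.

    first_party_hosts: hostnames the site controls. Leaks to third-party hosts
    are the privacy-policy problem; first-party hits are still worth a look.
    """
    report = []
    for url in urls:
        emails = find_emails_in_url(url)
        if not emails:
            continue
        host = (urlsplit(url).hostname or "").lower()
        report.append({"url": url, "host": host,
                       "third_party": host not in first_party_hosts,
                       "emails": emails})
    return report


# Constructed sample: links as an advertiser might receive them via Referer.
SAMPLE_URLS = [
    "https://ads.example-advertiser.test/click?src=newsletter&uid=alice%40example.com",
    "https://www.example-site.test/account?email=bob@example.com",
    "https://ads.example-advertiser.test/click?src=newsletter&page=home",
    "https://partner.example.test/t/carol@example.com/landing",
]
FIRST_PARTY = {"www.example-site.test"}

if __name__ == "__main__":
    for item in audit_outbound_urls(SAMPLE_URLS, FIRST_PARTY):
        tag = "THIRD PARTY" if item["third_party"] else "first party"
        print(f"{tag}: {item['url']} -> {item['emails']}")
```

In practice the URL list would come from the site's own templates and from captured outbound request logs, and any hit on a third-party host should be compared against what the published policy promises.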
As demonstrated by the recent actions taken by the FTC and state attorneys general, inadvertent disclosures of personally identifiable information contrary to a published on-line privacy policy can result in swift and potentially damaging monetary penalties and negative press. By adopting the proactive measures suggested above, a company can build user confidence in its site’s privacy practices and avoid possible legal actions.

Stuart D. Levi is head of, and Andrew M. Goldner is an associate in, the Internet and e-Commerce practice group at Skadden, Arps, Slate, Meagher & Flom LLP.

::::FOOTNOTES::::

FN1 Many consider the leading piece of proposed legislation to be the Consumer Privacy Protection Act of 2000 (the CPPA). The CPPA would require, in part, that consumers be given notice of personal information that is being collected on-line and the opportunity to consent to the use of such information. Companies would also be required to keep such information secure and establish a viable enforcement mechanism to safeguard consumers’ privacy rights. The Consumer Privacy Protection Act of 2000, S. 2606, 106th Cong. (2000).

FN2 FTC Staff Report: Privacy On-line: Fair Information Practices in the Electronic Marketplace, A Report to Congress (May 2000). The FTC vote was 3-2 and included a strong dissent from Commissioner Orson Swindle, who stated that the FTC’s survey was flawed and the recommendations too broad given the potential impact on the industry.

FN3 In the Matter of InfoBeat LLC, Attorney General of the State of New York Internet Bureau, Assurance of Discontinuance, dated January 2000 (Assurance of Discontinuance).

FN4 Assurance of Discontinuance, at Paragraph 18.

FN5 “Failed Dot-Coms May Be Selling Your Private Information,” CNETNews.com, The New York Times, July 1, 2000.

FN6 “Who Are the Privacy Police?,” Keith Perine, The Industry Standard, Aug. 7, 2000.

FN7 Id.
FN8 “Judge Overturns Deal on Sale of On-line Customer Database,” Michael Brock, The New York Times, Aug. 18, 2000.

FN9 See, e.g., Katie L. Steinbeck, et al. v. Doubleclick, Inc., Plaintiff’s Brief, 10-11.

FN10 “Safe Harbor Privacy Principles” issued by the U.S. Department of Commerce, 65 Fed. Reg. 45666 (2000).

FN11 With the exception of the collection of certain sensitive information, neither the federal government nor any state currently requires the on-line posting of a privacy policy. Specifically, the law mandates certain privacy practices regarding the collection of information from children under the age of 13 and financial information. The Children’s On-line Privacy Protection Act of 1998 both prohibits the collection of personal information from children under the age of 13 without the prior, verifiable consent of a parent or legal guardian and also requires the disclosure of all such practices. The Financial Services Modernization Act of 1999 prohibits certain financial institutions from disclosing to unaffiliated third parties “nonpublic personal information” and requires consumer privacy disclosures.

FN12 Tamara Loomis, “New Amazon Privacy Policy is Road Map,” New York Law Journal, Sept. 21, 2000.

FN13 For example, DoubleClick recently established a Consumer Privacy Advisory Board and has added the position of Chief Privacy Officer (CPO) to its executive staff.

FN14 “Sellers Hire Auditors to Verify Privacy Policies and Increase Trust,” Bob Tedeschi, The New York Times, Sept. 18, 2000, at C12.
