Privacy has become one of the most controversial and debated
issues of the internet age. Neither Congress nor the Courts have entirely kept
pace with the subject—making it difficult for businesses to know precisely how
to deal with the issue. Adding to the
complexity is the fact that privacy may be protected under state constitutions,
state privacy acts, insurance record laws, unfair and deceptive trade practices
acts and state common law. Plaintiffs
have been casting wide nets in privacy cases, alleging a myriad of wrongs
including misrepresentation, failure to disclose, breach of contract, state advertising
violations, trespass to chattels, basic invasion of privacy, and more. Given this backdrop, companies must take care
when developing on-line privacy policies and practices, and must also take care
not to do anything contrary to their adopted policies. To avoid liability, companies should be
familiar with the potential triggers for FTC investigations and personal causes
- Inadequate Security: Promising security, but then failing to provide adequate security. This can be true even if a data breach does not occur. See In the Matter of Microsoft Corp. (2002); In re Guess.com, Inc. (2003).
- Security Issues and Failure to Train: Suffering a data security breach due to negligence or failure to properly train employees about adequate security practices. FTC v. Eli Lilly (2002).
- Deceptive Data Collection: Collecting data deceptively even if the individual is not visiting the company’s website. FTC v. ReverseAuction.com, Inc. (2000).
- Inadequate Disclosure of Extent of Data Gathering: Failing to clearly and conspicuously inform users about the extensiveness of internet browsing tracking software. In re Sears Holdings Management Corp. (2009).
The federal government created multiple statutes to address the technology age and privacy, such as the Computer Fraud and Abuse Act of 1986 (“CFAA”), 18 U.S.C.A. § 1030 (enacted to make it a criminal offense to damage or steal data by accessing a computer without authorization or by exceeding any authorized access); the Children’s Online Privacy Protection Act (“COPPA”), U.S.C.A. §§ 6501 et seq. (enacted to address children's privacy on the Internet); and the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN SPAM”) (enacted to regulate unsolicited commercial e-mail, and others), to name a few. States have also taken action by creating laws similar to those we see on the federal level and by adopting relevant language in insurance codes, consumer protection statutes, and industry-specific regulations. The wireless industry has created an onslaught of privacy concerns. The Electronic Privacy Information Center (“EPIC”) has taken action against violators of privacy policies and is quickly demonstrating its dedication to protecting consumer privacy. More recently, the Obama administration created new regulations referred to as a “Privacy Bill of Rights.” This has not yet been signed into law, but would require companies to increase protection of consumers’ online information, maintain reasonable expectations of security, collect only necessary information, and hold companies accountable for lost data.