Consumer Privacy And The Internet
What Can Trigger An Investigation Or Lawsuit?
Privacy has become one of the most controversial and debated issues of the internet age. Neither Congress nor the Courts have entirely kept pace with the subject—making it difficult for businesses to know precisely how to deal with the issue. Adding to the complexity is the fact that privacy may be protected under state constitutions, state privacy acts, insurance record laws, unfair and deceptive trade practices acts and state common law. Plaintiffs have been casting wide nets in privacy cases, alleging a myriad of wrongs including misrepresentation, failure to disclose, breach of contract, state advertising violations, trespass to chattels, basic invasion of privacy, and more. Given this backdrop, companies must take care when developing online privacy policies and practices, and must also take care not to do anything contrary to their adopted policies. To avoid liability, companies should be familiar with the potential triggers for FTC investigations and personal causes of action.
Congress has passed various privacy laws directly affecting businesses that collect customer information. The Federal Trade Commission (“FTC”) plays an important role in policing privacy on behalf of the government. It has taken a pro-consumer approach to internet privacy—stating that its role is to “work for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them.” FTC File No. 042-3047. Under the Federal Trade Commission Act (“FTCA”), the FTC can initiate enforcement actions against companies for alleged online consumer privacy violations of section 5 of the FTCA. Section 5 states that “unfair or deceptive acts or practices in or affecting commerce are declared unlawful.” 15 U.S.C.A. § 45(a)(1). The use or dissemination of personal information in a manner contrary to a posted privacy policy constitutes a deceptive practice under the FTCA. 15 U.S.C. § 45.
Thus, it is not enough to have a privacy policy in place: the company must not use or disseminate information in a manner contrary to the privacy policy. Consider the following key areas that may trigger an FTC investigation:
- Inadequate Security: Promising security, but then failing to provide adequate security. This can be true even if a data breach does not occur. See In the Matter of Microsoft Corp. (2002); In re Guess.com, Inc. (2003).
- Security Issues and Failure to Train: Suffering a data security breach due to negligence or failure to properly train employees about adequate security practices. FTC v. Eli Lilly (2002).
- Broken Promises: Failing to adhere to promises made in a privacy policy. In re Liberty Financial Cos. (1999). Selling customer data when the privacy policy states that data will not be shared with third parties. In re Toysmart.com, LLC (2004).
- Retroactive Privacy Policy Changes: Altering a privacy policy to allow more disclosure of personal information without acquiring people’s consent to the change. In re Gateway Learning Corp. (2004).
- Deceptive Data Collection: Collecting data deceptively even if the individual is not visiting the company’s website. FTC v. ReverseAuction.com, Inc. (2000).
- Inadequate Disclosure of Extent of Data Gathering: Failing to clearly and conspicuously inform users about the extensiveness of internet browsing tracking software. In re Sears Holdings Management Corp. (2009).
The federal government created multiple statutes to address the technology age and privacy, such as the Computer Fraud and Abuse Act of 1986 (“CFAA”), 18 U.S.C.A. § 1030 (enacted to make it a criminal offense to damage or steal data by accessing a computer without authorization or by exceeding any authorized access); the Children’s Online Privacy Protection Act (“COPPA”), U.S.C.A. §§ 6501 et seq. (enacted to address children’s privacy on the Internet); and the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN SPAM”) (enacted to regulate unsolicited commercial e-mail), among others. States have also taken action by creating laws similar to those we see on the federal level and by adopting relevant language in insurance codes, consumer protection statutes, and industry-specific regulations. The wireless industry has created an onslaught of privacy concerns. The Electronic Privacy Information Center (“EPIC”) has taken action against violators of privacy policies and is quickly demonstrating its dedication to protecting consumer privacy. More recently, the Obama administration created new regulations referred to as a “Privacy Bill of Rights.” This has not yet been signed into law, but would require companies to increase protection of consumers’ online information, maintain reasonable expectations of security, and collect only necessary information, and would hold companies accountable for lost data.
Ultimately, companies must keep up with the regulations governing how they use and store consumer information. Companies should evaluate their current privacy policies for any potential issues that could trigger an FTC investigation or private claim. A simple change in current business practices or changes in the use of stored data may lead to a significant FTC inquiry and/or private cause of action. Broken promises and/or retroactive privacy policy changes can create grounds for liability and investigation. Companies are encouraged to seek legal advice when assessing, creating and changing their privacy statements and related privacy policies.