Whether you are an individual, a start-up, a small LLC or a large corporation, one thing is true for almost every business today: no matter what your good or service is, you need an online presence to succeed in today's marketplace, whether that is an Internet website or a mobile application.
With the evolution of technology and the internet, and the growth of data collection and targeted online behavioral advertising, consumers and the government have become increasingly concerned with online privacy. Special interest lobby groups, as well as state and federal governments, have begun to intervene to establish a legal framework that protects internet users' personal information and provides for enforcement against businesses that do not comply with it.
PART I: An Overview of Federal Regulation and Enforcement by the FTC
As of now, there is no comprehensive Federal law that protects consumer privacy online. There are, however, specific statutes and regulations that affect consumer privacy online, and the Federal Trade Commission (FTC) brings most of its privacy and data security cases under Section 5 of the FTC Act, 15 U.S.C. § 45, which prohibits "unfair or deceptive acts or practices in or affecting commerce." The two terms have distinct legal tests:
An act or practice is “unfair” if it causes or is likely to cause substantial injury to consumers, which is not reasonably avoidable and is not outweighed by countervailing benefits to consumers. 15 U.S.C.A. §45(n).
An act or practice is "deceptive" if it involves a representation, omission or practice that is likely to mislead a consumer acting reasonably under the circumstances, and the misleading representation, omission or practice is material to the consumer's decision. This test comes from the FTC's 1983 Policy Statement on Deception rather than from the statute itself; only the unfairness test is codified in §45(n). In the privacy context, the most common deception theory is a privacy policy or security promise that the business does not actually live up to.
In 2012, the FTC published its recommendations to guide businesses in drafting their online privacy policies. The basic framework includes:
- Privacy by Design – the FTC advises businesses to build privacy into every stage of product and service development, including: providing reasonable security for the data collected, limiting the collection and retention of data to what is necessary or appropriate for the context of the website or online service, and taking reasonable steps to ensure the accuracy of the data collected.
- Simplified Choice – the FTC recommends a "Do Not Track" mechanism or an Opt Out option that lets consumers decide what information is shared and with whom. Whether a choice must be offered turns on whether the collection and use of personal information is consistent with the context of the transaction or the consumer's relationship with the business. For example, information gathered for product fulfillment or fraud prevention will not necessarily require an Opt Out option, while sharing data with third parties for behavioral advertising generally will.
- Greater Transparency – the FTC recommends that businesses disclose, conspicuously and in plain, clear language, what personal information is collected and how it is used, and that they provide consumers access to the data collected about them. In addition, consumers should be given prominent notice, and their affirmative express consent should be obtained, before data is used in a materially different way than the policy in force when it was collected described.
What is Personally Identifiable Information (PII)? The working definition below closely tracks the definition of "personal information" in the FTC's COPPA Rule, 16 C.F.R. § 312.2. Personally Identifiable Information means information collected online about an individual consumer, such as: first and last name, a physical street address, an e-mail address, a telephone number, or any other identifier that permits the physical or online contacting of a specific individual. PII also includes other information about a user that is collected online, such as birthday, weight or hair color, when the operator of the website or service maintains it in personally identifiable form in combination with one of the identifiers above.
In In re Eli Lilly & Co. (2002), an e-mail announcing the end of Eli Lilly's Prozac.com reminder service was sent to all 669 subscribers with every recipient's address visible in the "To" line, unintentionally disclosing to each recipient the identities of everyone else who had used the service. The FTC alleged that this disclosure was caused by Eli Lilly's failure to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information, and by its failure to adequately train and supervise its employees regarding consumer privacy and information security, making its privacy promises deceptive.
Through consent orders such as Eli Lilly and In re Microsoft Corp. (2002), the FTC has effectively built up a list of practices it treats as inadequate security. Failures the FTC has cited include: (i) failure to require, by contract, that third parties protect the information shared with them; (ii) failure to have an adequate username/password protocol; (iii) lack of encryption and failure to implement procedures to control access to information; (iv) failure to manage third-party access to data; and (v) failure to implement reasonable security measures to protect personal data. Because these items come from individual complaints and settlements rather than a published rule, what counts as "reasonable" is judged case by case against the sensitivity of the data and the cost of available safeguards.
The above checklist will be discussed in further detail in my next post, Part II – FTC Regulation and Enforcement – An In Depth Look at Guidelines and Best Practices.