The Daily Report
Joshua P. Gunnemann, Daily Report
Increasingly, companies are coming under public scrutiny—from consumers and regulators—for their use and protection of private information.
Every company that gathers information from customers online—whether through a website or mobile application, by email or through any other electronic means—should adopt a carefully crafted policy that shapes its privacy relationship with the users of its services. A policy is necessary to comply with a variety of state laws and federal regulations, and a poorly drafted policy can expose your client to regulatory action or litigation.
No single set of statutes or regulations governs privacy policies. Rather, privacy policies are governed by a patchwork collection of state laws and industry-specific requirements that are rapidly evolving. This article addresses the primary laws affecting most companies, but care should be taken to ensure compliance with all applicable rules and regulations and to be diligent about the rapidly changing legal landscape.
Practically, most companies doing business online need to comply with California's Online Privacy Protection Act (OPPA). OPPA's reach is broad—purporting to reach online services that collect personally identifiable information from California residents, irrespective of where the online service is located. OPPA therefore effectively sets the standard for privacy policies nationally; unless your client excludes California residents from its online services, it should comply with OPPA.
Companies should also be aware of industry-specific, federal requirements that may govern privacy policies. For example, the Gramm-Leach-Bliley Act requires financial institutions—companies that offer consumers financial products or services like loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data.
And the Health Insurance Portability and Accountability Act (HIPAA), which provides federal protections for individually identifiable health information held by covered entities and their business associates, requires most covered entities to provide a notice of their privacy practices that describes the ways in which the covered entity may use and disclose protected health information.
In the last few years, the Federal Trade Commission (FTC) has brought enforcement actions against such well-known companies as Google, Facebook, Twitter, Microsoft and Snapchat, as well as lesser-known companies. State regulatory agencies are also increasingly bringing similar actions.
Laws that prohibit unfair or deceptive trade practices can also often be enforced by private consumers and shareholders, either individually or in class actions. The specific allegations in these complaints depend on individual circumstances, but plaintiffs' firms can be expected to become increasingly aggressive and inventive in their development of legal theories based on claimed privacy violations.
First, simply copying another website's policy is a mistake and can expose a company to liability if its own practices differ from the practices of the copied site. Instead, a policy should be carefully crafted to match the company's actual practices for collecting and using private information. Outside technical and legal help may be necessary to craft a careful policy.
Second, confirm that actual practices match the policy. A company's failure to comply with its own policy is one of the quickest ways to get into legal trouble. Companies should take the time to educate their own staff so that employees and agents understand their responsibilities under the policy.
Third, periodically reassess policies, practices and any governing legal requirements. A policy needs to stay accurate: if information practices change, the policy needs to change to reflect them, and if the governing law changes, the policy may need to change with it as well.