Privacy policies: You must choose, but choose wisely
Posted on 03/10/2016 at 12:00 AM by John Lande
Almost every business now has an online presence. Many businesses, including financial institutions, have expanded that presence to include interactive features that collect customer information. This information can be valuable to businesses and convenient for consumers. However, an organization that finds itself in possession of private consumer information should protect that information from unauthorized access, and should make sure that what its privacy policy promises is what its controls actually deliver.
Under the Gramm-Leach-Bliley Act (“GLBA”), financial institutions are required to provide consumers with privacy notices that explain how their personal information will be used and protected. The Consumer Financial Protection Bureau (“CFPB”) has enforcement authority over privacy policies for financial institutions, while the Federal Trade Commission (“FTC”) enforces privacy obligations for non-financial organizations. Both agencies can also act against an organization they consider to be engaged in unfair, deceptive, or abusive acts or practices (“UDAAP”). One caveat: the “abusive” prong comes from the Dodd-Frank Act and is enforced by the CFPB; the FTC acts under Section 5 of the FTC Act, which reaches unfair or deceptive acts or practices.
Recently, the FTC has indicated that it views an organization’s failure to comply with its own online privacy policy as a deceptive practice within its enforcement authority. For example, the FTC required TRUSTe, Inc. to pay $200,000 after the company failed to perform the annual recertification reviews it had promised for companies it certified as meeting specific privacy requirements.
In another case, the FTC commenced an enforcement action against Nomi Technologies, Inc. (“Nomi”) based on a violation of Nomi’s own privacy policy. Nomi provided a location tracking service that allowed retailers to track customers’ movements inside stores via the customers’ mobile phones. Nomi’s privacy policy stated that consumers could opt out of the service at Nomi’s website or at participating stores. According to the FTC, no in-store opt-out was actually available. Nomi eventually entered into a settlement with the FTC that will last for 20 years and imposes various reporting requirements on Nomi.
In yet another example, Adobe Systems, Inc. (“Adobe”) was the target of a lawsuit filed by consumers after Adobe failed to adhere to its own privacy policy. Adobe’s privacy policy stated that it would provide “reasonable” security controls to protect consumer information. After a data breach exposed consumer credit and debit card information, several consumers sued Adobe. During the litigation it was alleged that Adobe had failed to take basic steps to secure consumer information, including not adequately encrypting customer data. The consumers did not bring a UDAAP claim, but rather claims under California consumer protection statutes. Nevertheless, the case is instructive because it again shows an organization’s failure to live up to its privacy policy serving as a basis for liability.
Organizations of all kinds should pay close attention to the terms contained in their privacy policies, particularly policies required by GLBA, the Health Insurance Portability and Accountability Act (“HIPAA”), the Children’s Online Privacy Protection Act (“COPPA”), and similar laws. The responsibility for protecting consumers’ data does not end when the privacy policy is written. Rather, organizations must make review and updating of their privacy policies a regular part of their compliance program, and each promise in the policy (an opt-out mechanism, an audit, encryption of stored data) should be checked against the control that is actually in place. Failure to comply with the terms of your own privacy policy could result in civil liability and regulatory enforcement actions.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
Categories: Cybersecurity Law, John Lande, Banking Law
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.