By Mark L. Farina, Klineburger & Nussey
Privacy policies, we have all seen them. Whether large booklets of small type, pop-up messages requiring an affirmative “click,” or long scrolling lists of dense text, their universal intent is to inform users about how the data they provide is collected and used. For this article, “users” refers to those persons who access a website or make an inquiry, while “consumer” refers to someone who seeks to purchase a good or service.
If a business fails to fulfill the promises made in its privacy policy, the FTC may consider that breach of promise to be a “deceptive” practice under Section 5 of the FTC Act. In this context, “deceptive” involves a material statement or omission likely to mislead consumers who are acting reasonably under the circumstances. Examples include false promises, misrepresentations, and failure to comply with representations made in privacy policies.
Beyond deception, the FTC may also bring actions for “unfair” practices. An unfair practice claim exists when the injury to consumers is substantial, is not outweighed by offsetting benefits, and could not reasonably have been avoided by the consumers themselves.
Although no overarching federal law requires privacy notices, certain sector-specific statutes, such as the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA), apply under particular circumstances.
Extra care should be taken when a minor’s information is collected, as this will require compliance with COPPA (including its verifiable parental consent requirement) and any non-preempted state requirements.
Knowing is Half the Battle
Businesses must understand what consumer information they hold, and which stakeholders legitimately need access. In gaining an understanding, businesses should be able to answer the following series of questions.
A. Types of Information
Can the information be used to identify the person providing it? Does it include Social Security numbers, financial information, health information, or driver’s license information? Is the information likely to be publicly available?
While there is no single correct answer, businesses should aim for reduction at every stage. Collecting only the information that is necessary is a good starting point. Beyond reduction, information that is collected should be accurate and updated regularly.
B. Time of Collection
At what point in the consumer interaction is information collected? During registration or account setup? Is the consumer required to review and update their information at some interval? Are updates optional? Are updates encouraged through reminders?
C. Storage of the Information
Once collected, how is consumer information stored? Onsite, offsite, or in the cloud? Does the business handle storage itself, or is that outsourced? If outsourced, what liability does the third party bear? What control over the third party does the business hold?
After collection, secure storage is a must. Engaging a third party for information storage is both acceptable and widely utilized. However, such engagement must include a written contract containing explicit language regarding the third party’s security methods and liability. A third party whose practices and procedures can be independently verified (for example, through audit reports) is always preferable to one whose practices cannot.
D. Access to the Information
During collection or storage, who has access to consumer information? Is access tracked and recorded? Is access limited to only those roles that need it?
Only employees with legitimate business purposes should have access to personally identifiable consumer information. Limiting access also limits legal exposure.
Advice should be sought from a privacy professional if a legitimate business purpose necessitates collecting Social Security numbers, financial information, health information, or driver’s license information, as compliance with one of the various privacy regulations may be required.
Under certain regulations, including but not limited to the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and HIPAA, the individuals who provide data also have a right of access to that same data. Depending on the regulation, that right may extend to having the data corrected or deleted.
Keep it Short and Sweet
Businesses should limit the information they collect and maintain to what is required for their legitimate business purposes. A possible future need, as tempting as it may be, brings present exposure to legal ramifications. Furthermore, customers regard the collection of seemingly unnecessary information as “big brother,” “creepy,” and undesirable.
Security as a Way of Life
Through risk assessment and implementation of procedures for electronic security (computer hard drives, cloud storage, etc.), physical security (access to buildings, devices, paper records, etc.), employee training, and vendor management, businesses can protect the information they hold.
An essential part of security is access control. As mentioned above, limit employee or third-party access as much as possible. Legitimate business interests should be the measuring device.
For those who do have access, strong passwords and authentication that cannot be bypassed are a must. Although employees may bristle at this, or productivity may slow slightly, the gains in security are more valuable.
Finish as You Started
Although retention of personal information may be necessary for a time, once the legitimate business purpose is complete, it is imprudent to retain it. Secure disposal generally includes digital techniques such as erasing, wiping, or overwriting, and physical techniques such as burning, melting, pulverizing, and de-magnetizing, all of which render the information unreadable.
Contingencies Are a Must
In the current global climate, exposure to a hacking attempt is inevitable. Therefore, businesses should have a plan in place to respond to security incidents when they occur. A proper plan can substantially reduce liability when that inevitable incident occurs.
The first stage of any plan should be verifying that a breach of personal information actually occurred. Breaches may take many forms, including unintended disclosures, hacking or malware, payment card fraud, insider disclosures, or physical losses. Look to the applicable privacy regulation for the definition of when a breach has occurred.
The second stage is to contain the breach and analyze its scope: what information was involved, whose information it was, and how it was exposed.
The third stage is notification of the consumers affected. Notification requirements (including when notification is required; how soon it must be provided; who must be notified; the method of notification; and the amount of information shared in notifications) vary state by state, and sector-specific statutes such as HIPAA impose their own rules. Businesses must be aware of all applicable requirements.
The final stage is an internal self-assessment, third-party audit, and additional training to prevent a recurrence.
Mark L. Farina, Esq. is an associate with Klineburger & Nussey.