Privacy law touches the lives of all of us in different ways. To a constitutional junky, it simply provides protection from government intrusion. To A-list celebrities, it can help keep candid pictures off the front page of a tabloid. But what does privacy law mean to your business lawyer? The answer boils down to one word - compliance.
Focus on Financial Businesses
In today’s tech-driven economy consumers share increasing amounts of personal information with all kinds of companies. Despite consumers’ willingness to share their private information, businesses bear the burden of properly managing that information. And, the risk is high for failing to do so.
The Federal Trade Commission (FTC) regulates and oversees business privacy laws. Financial businesses are a focus for the FTC because they accumulate vast amounts of personal and financial data about customers. The Gramm-Leach-Bliley Act, signed into law by President Clinton on November 12,1999, is applicable particularly to financial institutions and includes two important subparts for privacy compliance: the Financial Privacy Rule and the Safeguards Rule, found at 15 U.S.C. §§ 6801-6809. Under the Financial Privacy and Safeguards Rules, each financial institution has an obligation to respect the privacy of its customers and to secure and protect the confidentiality of its customers’ nonpublic personal information.
To implement the provisions of this Act, regulatory agencies have developed standards:
(1) to insure the security and confidentiality of customer information;
(2) to protect against anticipated threats or hazards to the security and integrity of this information; and
(3) to protect against unauthorized access to and use of this information which could result in substantial harm or inconvenience to the customer.
A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless it has provided to its customer a notice complying with § 6803 of Title 15. The notice must describe:
(1) the policies and practices of the institution with respect to disclosing nonpublic personal information to nonaffiliated third parties and its policies and practices with respect to disclosing personal information of former customers;
(2) the categories of nonpublic personal information collected;
(3) the policies maintained to protect the confidentiality and security of that personal information; and
(4) the disclosures required.
Additionally, a customer may opt out of that disclosure. There are also limits on sharing of information for marketing purposes.
Impact on Smaller Businesses
While larger non-financial companies are accustomed to dealing with privacy compliance, many smaller companies are not. But they still face requirements under privacy law. Those companies that are growing accumulate and use more private information than ever before.
For example, many small tech companies base their entire business model on collecting user information for marketing purposes. Just like larger companies, these smaller companies enter into privacy agreements with their customers. While there is no generally applicable requirement of the FTC to require companies to post a privacy policy, the FTC takes the position that the provisions of the FTC Act that prohibit deceptive or unfair acts or practices in trade or commerce give it broad authority to redress discrepancies between business practice and policy. The Federal Trade Commission has taken action against companies that have failed to safeguard customer privacy and provide sufficient data security in the day-to-day operations of their business. See Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (“FTC Framework”), 3-4 (Dec. 2010) (available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf.)
An APPlicable Example
As an example, let’s be hip and look at “app” developers. What can smaller tech companies do to ensure compliance? To start, help is available. See Federal Trade Commission BCP Business Center. “Marketing Your Mobile App: Get It Right from the Start.” at http://Business.ftc.gov/documents/bus81-marketing-your-mobile-app. (Accessed 7/11/13).
In a nutshell, a small tech company with an idea for an app can build in privacy considerations from the get go: incorporating privacy protections into their practices and software, limiting the information they collect, securely storing information they hold on to, and safely disposing of information no longer needed, can save a ton of hassle down the road. Tech companies should also be transparent about their data practices. Prior to posting a privacy policy, clearly and accurately describe in it the ways in which a mobile app collects and uses information. They should collect sensitive information only with user consent and keep it secure. Failure to do so could lead to legal exposure.
With the ability to collect personal information so easily through technology, staying in compliance with privacy law takes planning, diligence, and honesty. Drafting and presenting an accurate and effective privacy policy requires careful evaluation of business goals and legal requirements. Unfortunately, when it comes to drafting good privacy policies, there’s no “app for that.”
Chris Hampton also contributed to this article.
