Commentary Addressing Risks and Opportunities Through the Lifecycle of Data, Technology, Advertising and Innovation

Data Counsel

Home | Data Counsel

After several years where telemarketing fraud and exercise/weight loss products seemed to top the FTC’s agenda, the time has come when stepped up privacy enforcement against companies that are household names means that all consumer oriented firms need to take notice. This month, the FTC announced a settlement with Google that involves a $22.5 million civil penalty for privacy violations that had been prohibited in a prior settlement just last year. Google will pay the largest fine ever for violating a prior FTC order.

At the end of 2011, the FTC settled with Facebook for secretly disclosing personal information about customers that it had promised them it would keep securely. The cases are somewhat different, but both are based on the core principle that protections promised to consumers in privacy policies or otherwise define the company’s obligations to those customers.

The cases do have in common that both companies had provisions in their settlement agreements that plainly denied all alleged facts and conclusions of legal liability. Those clauses triggered a dissent by one commissioner who wanted to reject the settlements on that ground and a strong rebuttal by the other four commissioners. As noted at the end of this piece, it is a point that will interest mostly close followers of the FTC, but the last has not been heard of this tangential issue.

The cases illustrate why we tell clients, quite seriously, that “it is safer for you not to have a privacy policy than to have one that you do not follow.” Not only should companies post a clear and accurate policy, but they should review and update them on a regular basis in case new ways to collect or use information have arisen.

The FTC alleged that Google broke a promise to consumers by placing advertising tracking “cookies” on users’ computers equipped with Apple’s Safari® search engine. The FTC believed the practice to be an attempt to send “targeted” email ad messages to the account holders, a lucrative practice for the senders of the emails. This may not be a costly fraud on consumers, unlike taking money for telemarketing proposals that are worthless or do not exist. However, public policy is now recognizing that many consumers want a “privacy zone” around them that they do not want to have invaded without consent, whether they lose money or not.

In the Facebook case, the company found a way to capture and release personal information about consumers that it had promised to protect and keep private. Breaking promises to consumers about privacy is only one of the prongs of the FTC’s growing enforcement program.

There has been a dramatic rise in data breach cases—-as many by private parties as by the government. There real damage is done, especially because data breaches may be followed by ID theft unless consumers act quickly to protect themselves. Such cases are an enormous burden on the companies themselves. And money is only one part of the aggravation, which may include public notification, setting up new accounts for consumers, helping them monitor their consumer’s credit reports for a year or more to catch evidence of ID theft. It is also a public relations nightmare.

The FTC issued “Red Flags” rules in the last few years, by which most companies with consumer accounts and information must have a formal written plan, approved at the Board level and administered by high level employees, to “prevent, detect, and ameliorate” instances of identity theft. For the most part, compliance was not difficult and most companies seemed to get the point that such a program to deter theft of information would be among business “best practices” even if it were not required by law.

More and more companies, particularly those with sensitive customer information, should be considering periodic “privacy audits,” with or without outside help, to make sure their privacy policy is current and accurate, and that their efforts at protecting the information they do have is as aggressive as needed in a technologically complex world.

As to the Google and Facebook denials, they were unprecedented in FTC agreements. Instead, documents would state that the “the signing of the agreement does not constitute an admission of fact or law by the defendant or a finding by the court that a violation occurred.” A reader might wonder, like this writer, why the FTC thinks it makes a difference one way of the other, but for arcane interpretations of the century-old FTC Act. To the parties, the idea is to avoid anything that could be used in all-too-common class actions that piggy-back on the government’s case. In any event, it is clear that we have not seen the end of this debate.

Recent FTC Civil Penalties for Privacy Violations Show Need for Companies to Ensure Compliance with their Privacy Policies