‘Failure to Match’: The Next Wave of Data Privacy Litigation?
By Al Saikali  11/27/2013
A client recently asked me to identify the next wave of data privacy litigation. With so much attention on lawsuits arising from data breaches, particularly in light of some recent successes for the plaintiffs in those suits, the way in which companies collect information, and how they disclose what they are collecting, is flying under the radar. This "failure to match" between what is actually being collected and what companies say they are collecting and doing with that information could lead to the next wave of data privacy class-action litigation.

For Example

A privacy policy in a mobile app might state that the app collects the user's name, mailing address and purchasing behavior. In fact, and often unbeknownst to the person who drafted the privacy policy, the app is also collecting information such as the user's geolocation and mobile device identification number, but that collection is nowhere disclosed in the policy. The collection of the additional information is not by itself what gets the company into trouble. It is the failure to fully and accurately disclose the collection practice, how that information is used, and to whom it is disclosed that creates the legal risk.

What is the source of this problem? In an effort to minimize costs, small companies often slap together a privacy policy by cutting and pasting from a form provided by a website designer or found on the Internet. Little care is given to the accuracy and depth of the policy because there is little awareness of the potential risk. Larger companies face a different problem: the left hand sometimes doesn't know what the right hand is doing. Legal, privacy and compliance departments often do not ask the right questions of IT, web/app developers and marketing, and those groups may not volunteer more than what is asked of them. The problem is exacerbated further when app/website development and maintenance is outsourced. This failure to communicate can, unintentionally, result in a failure to match a company's words with its actions when it comes to information collection.

Regulators Are Active

The Federal Trade Commission has brought a significant number of enforcement actions seeking to make sure that companies live up to the promises they make to consumers about how they collect and use their information. Similarly, the California Attorney General's Office recently brought a lawsuit against Delta Air Lines alleging a violation of California's Online Privacy Protection Act for failure to provide a reasonably accessible privacy policy in its mobile app. Additionally, the California attorney general issued guidance on how mobile apps can better protect consumer privacy, which calls for conspicuous placement of the policy and full disclosure of information collection, sharing and disclosure practices. As the use of mobile apps and the collection of electronic information about consumers increase, we can expect to see a ramping up of these enforcement actions.

What sort of civil class-action liability could companies face for failure to match?

Based on what we've seen in privacy and security litigation thus far, if the failure to match a policy with a practice is intentional or reckless, companies could face exposure under theories of fraud or under deceptive trade practice statutes that provide a private right of action. Even if the failure to disclose is unintentional, the company could still face a lawsuit alleging negligent misrepresentation, breach of contract and statutory violations, including violations of the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act privacy rule, or California's Online Privacy Protection Act. Without weighing in on the merits of these lawsuits, I would venture to guess that the class actions with the greatest chance of success will be those where the plaintiffs can show some financial harm (e.g., they paid for the app that carried the deficient privacy policy) or where a statute provides set monetary relief as damages (e.g., $1,000 per violation/download).

How Can Companies Minimize this Risk?

To minimize the risks, companies should begin by evaluating whether their privacy policies match their collection, use and sharing practices. This process starts with the formation of a task force, under the direction of counsel, comprising representatives from legal, compliance, IT and marketing and dedicated to identifying:

  • All company statements about what information is collected (on company websites, in mobile apps, in written documents, etc.).
  • What information is actually being collected by the company’s website, mobile app and other information collection processes.
  • How the information is being used and shared.

This requires a deep dive, perhaps even an independent forensic analysis, to ensure that the company's statements about what information is being collected are correct. It is important that the engineers responsible for developing the app/website understand the significance of full disclosure. Companies should also ask, "Do we really need everything we're collecting?" If not, why take on the additional risk? Remember, too, that this is not a static process. Companies should regularly re-evaluate their privacy policies and monitor the information they collect. A system must be in place to quickly identify when collection, use and sharing practices change, so the policies can be updated promptly where necessary.
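The comparison the task force is asked to make, between what the policy discloses and what the app actually sends off the device, can be automated against a traffic capture. The following is an added example written for this page, not code from the article or from Shook Hardy & Bacon. It assumes the auditor has captured the app's outbound HTTP requests through an intercepting proxy and has them as a list of method/URL/body records; the request sample, the host names (api.example-shop.test, metrics.third-party-sdk.test), the disclosed categories and the field-to-category mapping are all constructed for the illustration. It flags every data category that leaves the device but is absent from the policy, every host outside the company's own domain that receives data (which the policy would have to disclose as sharing), and, when re-run on a later release against a saved baseline, any newly collected category, which is the "system to quickly identify when practices change" described above.

```python
"""Audit whether an app's observed data collection matches its privacy policy.

Hypothetical audit helper written for this page; not the article's own code.
Input is a constructed capture of outbound HTTP requests, in the shape an
intercepting proxy would produce. Hosts, field names and the policy are made up.
"""
import json
from urllib.parse import urlparse, parse_qs

# Categories the (hypothetical) privacy policy says the app collects.
DISCLOSED = {"name", "mailing_address", "purchase_history"}

# Auditor-maintained map from observed parameter names to policy categories.
# Any field not listed is reported as "unclassified:<field>" so it cannot
# silently pass; a human must classify it or confirm it is harmless.
FIELD_CATEGORIES = {
    "name": "name", "full_name": "name",
    "street": "mailing_address", "city": "mailing_address", "zip": "mailing_address",
    "sku": "purchase_history", "order_id": "purchase_history", "amount": "purchase_history",
    "lat": "geolocation", "lon": "geolocation",
    "latitude": "geolocation", "longitude": "geolocation",
    "idfa": "device_identifier", "android_id": "device_identifier", "device_id": "device_identifier",
    "email": "email_address",
}

# Hosts the company itself operates; anything else is a third-party recipient.
FIRST_PARTY_HOSTS = {"api.example-shop.test"}

# Constructed capture: one checkout call, one store lookup, one analytics SDK beacon.
SAMPLE_CAPTURE = [
    {"method": "POST", "url": "https://api.example-shop.test/v1/checkout",
     "body": json.dumps({"name": "A. Person",
                         "address": {"street": "1 Main St", "city": "Miami", "zip": "33131"},
                         "items": [{"sku": "X1", "amount": 19.99}]})},
    {"method": "GET", "url": "https://api.example-shop.test/v1/stores/near?lat=25.77&lon=-80.19",
     "body": ""},
    {"method": "POST", "url": "https://metrics.third-party-sdk.test/collect",
     "body": json.dumps({"idfa": "00000000-0000-0000-0000-000000000000",
                         "event": "app_open", "lat": 25.77, "lon": -80.19})},
]


def _leaf_keys(obj):
    """Yield the keys of scalar values in a nested JSON structure (containers are skipped)."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, (dict, list)):
                yield from _leaf_keys(value)
            else:
                yield key
    elif isinstance(obj, list):
        for item in obj:
            yield from _leaf_keys(item)


def observed_fields(capture):
    """Return {host: set of parameter names} from query strings and JSON/form bodies."""
    per_host = {}
    for request in capture:
        parsed = urlparse(request["url"])
        fields = per_host.setdefault(parsed.hostname, set())
        fields.update(parse_qs(parsed.query).keys())
        body = request.get("body") or ""
        if body:
            try:
                fields.update(_leaf_keys(json.loads(body)))
            except ValueError:
                fields.update(parse_qs(body).keys())  # fall back to form encoding
    return per_host


def categorize(fields):
    """Map field names to policy categories, tagging unknown fields for review."""
    return {FIELD_CATEGORIES.get(field, f"unclassified:{field}") for field in fields}


def audit(capture, disclosed=DISCLOSED, first_party=FIRST_PARTY_HOSTS):
    """Compare observed collection against the policy.

    Returns:
      collected   - every category seen leaving the device
      undisclosed - categories collected but absent from the policy
      third_party - {host: categories} for recipients the policy would have to name
    """
    collected, third_party = set(), {}
    for host, fields in observed_fields(capture).items():
        categories = categorize(fields)
        collected |= categories
        if host not in first_party:
            third_party[host] = categories
    return {"collected": collected,
            "undisclosed": {c for c in collected if c not in disclosed},
            "third_party": third_party}


def drift(baseline, current):
    """Categories in the current audit that the saved baseline audit never saw.
    Run on every release so a new SDK or feature cannot change practices unnoticed."""
    return current["collected"] - baseline["collected"]


if __name__ == "__main__":
    report = audit(SAMPLE_CAPTURE)
    for category in sorted(report["undisclosed"]):
        print("collected but not disclosed:", category)
    for host, categories in report["third_party"].items():
        print("shared with", host + ":", ", ".join(sorted(categories)))
```

On the constructed capture the report lists geolocation and device_identifier as collected but undisclosed, which is exactly the mismatch in the example earlier on this page, and names the analytics host as a third-party recipient of both. The unclassified "event" field is surfaced rather than ignored; the right answer to an unknown field is a classification decision, not silence.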

Al Saikali is a partner and co-chair of Shook Hardy & Bacon’s Data Security and Data Privacy Practice Group, based in Miami.

Republished with permission. © 2013 Shook Hardy & Bacon. All rights reserved
