Companies That Disregard Their Own Privacy Policies

Examples of FTC Cases: Companies that Violated Their Own Privacy Policy


Here are some examples of cases in which the FTC has taken action against businesses that violated their own privacy policy (in addition to other violations in some instances):

News Release: 06/24/2010 – Twitter Settles Charges that it Failed to Protect Consumers’ Personal Information; Company Will Establish Independently Audited Information Security Program (Source: FTC website: http://www.ftc.gov/opa/2010/06/twitter.shtm)

News Release: March 4, 2008 – Student Lender Settles FTC Charges That It Failed to Safeguard Sensitive Consumer Information and Misrepresented Its Security Practices (Source: FTC website: http://www.ftc.gov/opa/2008/03/studlend.shtm)

News Release: January 17, 2008 – Online Apparel Retailer Settles FTC Charges That It Failed to Safeguard Consumers’ Sensitive Information, in Violation of Federal Law. Credit Card Numbers, Expiration Dates and Security Codes of Thousands of Consumers Compromised (Source: FTC website: http://www.ftc.gov/opa/2008/01/lig.shtm)

Other Federal Laws Regarding Information Privacy

As previously mentioned, under federal law, online businesses that collect personal information from children under the age of 13 are required to have a privacy policy. The federal law at work here is the Children’s Online Privacy Protection Act or COPPA (for details on COPPA go to the FTC website at http://www.ftc.gov/privacy/privacyinitiatives/childrens.html). The purpose is to give parents control over information collected from their children online and how that information is used.

While the Federal Trade Commission Act and the Children’s Online Privacy Protection Act are the two key federal laws that deal with online privacy policies, there are other federal laws that also deal with consumer personal information and privacy protection:

  • The Gramm-Leach-Bliley Act protects consumers’ personal financial information held by financial institutions.
  • The Fair Credit Reporting Act protects the privacy and accuracy of consumer credit history reporting handled by credit bureaus.
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the privacy of individually identifiable health information.

The type of privacy policy focused on in this series of articles deals specifically with personally-identifiable information (PII) collected online by website operators.

Website operators based in the United States that also do business outside the country have a heightened responsibility for maintaining compliance with online privacy laws. That’s because there are significant differences between U.S. privacy laws and those of some other countries. While the topic of international agreements is outside the scope of this article, multinational companies and domestic website operators do have at least one thing in common when it comes to information privacy – they are challenged with complying with more than one authority. At a minimum, domestic website operators must comply with federal law as well as multiple state privacy laws. And depending on the type of consumer information collected, they may also be bound by industry standards such as PCI DSS (Payment Card Industry Data Security Standard).

Due to the ever-increasing problem of identity theft and the explosive growth of internet fraud and mishandled sensitive information in recent years, many states are enacting their own laws for how website operators must handle the personal information of their residents. Some states have established requirements that go far beyond federal mandates. From a website operator’s perspective, that’s a problem.

State Laws and Online Privacy Policies

This is where things can get messy for the average website owner. As legal requirements evolve, website operators that collect personally-identifiable information may need to make changes to their internal procedures as well as their online privacy statement. Hence, website operators need to stay on top of privacy regulations and periodically review their own privacy policies to ensure compliance. For busy entrepreneurs, this can be a real challenge. Just imagine trying to keep up with legislation in this area for all 50 states.

While sound data privacy and security practices should be in place to begin with, one solution for online entrepreneurs is to develop a policy that meets the requirements of the states with the toughest standards. This will ensure compliance nationwide.

The following list is intended to provide a basic understanding of the evolving nature of privacy laws at the state level (as of September 2010) as they relate to website operators across America. States are listed based on effective dates of legislation – oldest to most recent. Excerpts came from each state’s official website as indicated by source links.

Keep in mind that these laws apply to commercial entities and individuals doing business in the respective state. This includes website and blog operators that collect personally-identifiable information regardless of where the website or blog is based.

Pennsylvania – (Effective 2004) Pennsylvania law makes it an offense if, in the course of business, a person:

…knowingly makes a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public. (Source: PA General Assembly website, http://www.legis.state.pa.us/WU01/LI/LI/CT/HTM/18/

Utah – (Effective January 1, 2004) Utah has very specific requirements for commercial entities that collect personal information about Utah residents with intent to sell it. The Notice of Intent to Sell Nonpublic Personal Information Act stipulates that notice shall be sufficiently conspicuous so that a reasonable person would perceive the notice before providing the nonpublic personal information. (Source: http://www.le.state.ut.us/~2003/bills/hbillenr/hb0040.pdf and http://le.utah.gov/~code/TITLE13/13_37.htm)

Enacted in 2006, Utah’s Protection of Personal Information Act applies to “any person who conducts business in the state and maintains personal information”. The law prohibits unlawful use of personal information and specifies that personal information not retained must be properly destroyed or erased. (Source: Utah Code, Title 13: Commerce and Trade, Chapter 44: Protection of Personal Information Act, Section 201: Protection of Personal Information. Enacted by Chapter 343, 2006 General Session; http://le.utah.gov/~code/TITLE13/htm/13_44_020100.htm)

California – (Effective July 1, 2004) Online Privacy Protection Act of 2003 – Business and Professions Code sections 22575-22579. This law requires operators of commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site and to comply with its policy. The privacy policy must, among other things, identify the categories of personally identifiable information collected about site visitors and the categories of third parties with whom the operator may share the information. An operator is in violation for failure to post a policy within 30 days of being notified of noncompliance, or if the operator either knowingly and willfully or negligently and materially fails to comply with the provisions of its policy. (Source: ca.gov, http://www.privacyprotection.ca.gov/privacy_laws.htm#six)

Connecticut – (Effective October 1, 2008) Connecticut’s privacy policy requirements apply when Social Security numbers are involved. Hence, the name: An Act Concerning the Confidentiality of Social Security Numbers. The law requires all personal information to be safeguarded by individuals and businesses, but the need for a published privacy policy exists only when Social Security numbers are collected. An excerpt:

Any person who collects Social Security numbers in the course of business shall create a privacy protection policy which shall be published or publicly displayed. (Source: ct.gov, http://www.cga.ct.gov/2008/ACT/PA/2008PA-00167-R00HB-05658-PA.htm)

Nevada – (Effective January 1, 2010) Nevada has established some of the toughest requirements regarding online information privacy and security. Like California and Massachusetts, Nevada goes significantly beyond federal law in this area. For example, if a website operator collects payment card information from a Nevada resident, the state of Nevada requires the operator to comply with the Payment Card Industry Data Security Standard (PCI DSS) in its entirety except for the type of encryption. For encryption, Nevada goes beyond PCI DSS. It requires compliance with the encryption technology standards established by the National Institute of Standards and Technology (NIST). (Source: http://www.leg.state.nv.us/nrs/nrs-603a.html)

Website operators that do not collect payment card data but do collect other personal information from Nevada residents must also use encryption when transmitting the data across public networks. Here is an excerpt. “Subsection 1” refers to the payment card data requirements.

A data collector doing business in this State to whom subsection 1 does not apply shall not:

(a) Transfer any personal information through an electronic, nonvoice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission; or

(b) Move any data storage device containing personal information beyond the logical or physical controls of the data collector or its data storage contractor unless the data collector uses encryption to ensure the security of the information.

Massachusetts – (Effective March 1, 2010) Massachusetts’ law applies when ANY personal information is collected from its residents:

Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards…. (Source: mass.gov website, http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf)

Massachusetts then goes beyond most other states with its requirements for administrative, technical, and physical safeguards. From ongoing employee training and data access controls to encryption, malware protection and taking responsibility for third-party service providers, it looks to me like Massachusetts, like Nevada, is emulating the standard used by the Payment Card Industry (PCI DSS). And if information security is the goal, that makes sense. Why reinvent the wheel? The Payment Card Industry Data Security Standard has been evolving over many years through the efforts of card issuers like Visa, MasterCard, Amex, and Discover.

The bottom line is, as of this writing, Massachusetts, California, and Nevada have some of the toughest requirements when it comes to online privacy policies.

Nebraska – (Effective July 15, 2010) Similar to Pennsylvania and federal law, Nebraska does not specifically require website operators to maintain an information privacy policy. However, under its Deceptive Trade Practices statute, Nebraska made it illegal if a person:

… knowingly makes a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public. (Source: Nebraska revised statute 87-302, http://nebraskalegislature.gov/laws/statutes.php?statute=87-302

So, in effect, Nebraska, like Pennsylvania, enacted a state law that mirrors the federal law that governs online privacy policies, the Federal Trade Commission Act. The common theme is that website operators must keep the promises made in their online privacy policy. This gives victims of personal information abuse more legal avenues for remedies and relief.

Breach Laws Regarding Personal Information Security

Until recent years, state laws focused primarily on requirements for handling data security breaches. The regulatory structure seemed to be one of split responsibilities. Federal laws were focused on handling up-front data privacy protection requirements and preventive recommendations, and most state laws were focused on after-the-fact measures such as disclosure procedures and victim notification if breaches occurred. As you can see from the above list, in recent years more and more states are getting involved with the “up front” requirements in an effort to avoid data security breaches in the first place.

As an example of a state with laws dealing with after-the-fact measures, Washington State’s “breach law” applies to any person or business that collects personal information from residents of Washington. This law includes definitions, rights and remedies and requires collectors of personal information to notify the owners of the personal information immediately after discovery that personal information of WA residents has been acquired by an unauthorized party.

The Washington breach law also addresses liability and allows financial institutions to recoup data breach costs (e.g., the cost of reissuing credit cards and debit cards) from businesses and card processors who are negligent in securely managing or transmitting personal information. (Source: WA State government website, http://apps.leg.wa.gov/rcw/default.aspx?cite=19.255&full=true)

The internet is still a relatively new phenomenon when compared to the age of the legal system in this country. Moreover, internet-related technologies have been advancing at an extremely rapid pace. That has placed privacy laws and the regulators that enforce them at a distinct disadvantage. Some people believe that the best way to protect personal information online is to do so with more legal requirements centralized at the federal level.

Efforts to Standardize Internet Privacy Laws

The expectation that website operators across this country know about and comply with the growing assortment of regulations of a random and growing number of states is probably not realistic. Given the worldwide reach of the internet, standardizing personal information privacy laws across the 50 states (if not the world) seems to make the most sense. According to Wikipedia:

…the U.S. Congress has, at times, considered comprehensive laws regulating the collection of information online, such as the Consumer Internet Privacy Enhancement Act and the Online Privacy Protection Act of 2001 but none have been enacted. In 2001, the FTC stated an express preference for “more law enforcement, not more laws” and promoted continued focus on industry self-regulation. (Source: http://en.wikipedia.org/wiki/Privacy_policy)
