Inside 1to1:Privacy

Experts Share Tips on Avoiding Becoming Enforcement Targets

October 19, 2011

By Jennifer L. Saunders, CIPP

Week in and week out, media stories call attention to the latest and greatest data breaches-and with seemingly increasing frequency, those headlines are followed by announcements of U.S. Federal Trade Commission (FTC) investigations or enforcements as well as class-action lawsuits.

In what privacy professionals are describing as a growing tide of such actions, businesses, organizations and marketers are being cautioned to take preemptive steps to avoid becoming targets.

That was the message shared by D. Reed Freeman Jr., CIPP, of Morrison & Foerster, and Jim Halpert of DLA Piper in a session they led at the IAPP Privacy Academy in Dallas, TX, in September.

In what he described as the "second great tidal wave of class-action lawsuits," Freeman highlighted recent actions and FTC investigations spurred by privacy concerns about forms of online tracking more sophisticated than the earlier uses of cookies and Web beacons that prompted suits in the past. History sniffing, persistent online tracking, location tracking, deep packet inspection and changing privacy policies and practices--essentially, employing any technical option to "undermine user choice"--can put the spotlight on companies, he noted.

"Class actions are a high-profile privacy risk," Halpert added, and can not only be costly to defend but also hurt your brand. When doing risk management, he stressed, it is important to pay close attention to the details.

And, Freeman added, many companies caught up in recent headline-making privacy lawsuits "had no idea at all of the technology being used by the vendors, but that didn't matter at all when it came to these class actions."

Freeman and Halpert offered businesses particular insight into the emerging trend where "bad press" appears to lead to FTC investigations and class actions, using the example of the ongoing installments of the "What They Know" series in The Wall Street Journal and investigations that emerge on the heels of widely publicized breaches, tracking or targeting activities.

What can a company or marketer do to avoid that negative publicity, those costly legal bills or an FTC action? First, the experts pointed to what not to do, including failing to honor privacy representations, providing inadequate security or engaging in targeted advertising or tracking practices that fall outside the mainstream.

To help avoid lawsuits and enforcement actions, the presenters recommended key considerations--including choosing your partners wisely; creating effective contracts and monitoring them; being wary about new online features to avoid "first-mover risk;" providing notice and affirmative consent opportunities before changed policies take effect; evaluating all major changes against your privacy policy; staying current on legal and businesses changes, and building privacy into products from the start.

Without such use of privacy by design, Halpert noted, businesses run the risk of those "nasty surprises" that can lead to FTC and court actions.

"If a consumer makes a choice about their data, respect it," Halpert said, adding that, for any uses that would be material to privacy-sensitive consumers, it is important to be clear and upfront about what data you collect and why.

Freeman added that after 15 years of FTC involvement, the touchstone on privacy remains consumer surprise or the "creepy" factor.

Another presenter at the Privacy Academy shared a similar perspective.

As Anne Toth, head of privacy at Yahoo, noted, "When a consumer expects one thing and you give them something different, that's when trust is eroded."