Point of View                           November 7, 2010

So you want to be the next Google… Really?
 

Every business owner dreams of being the next Google or Facebook. Yet, when it comes to handling of privacy, these two giants have attracted their fair share of bad publicity and lawsuits. Respect of privacy (or lack thereof) is a serious matter and can lead to major legal headaches.
 

  • Don’t be evil overseas. Earlier this year, three executives at Google were found guilty of criminal charges in an Italian courtroom, in a well-publicized case stemming from a video made by Italian students who were bullying a classmate with Down Syndrome. The video was posted to Google Video in 2006, was online for two months, and was removed by Google within 24 hours of a complaint. The Milan court ruled that the Google execs (including, notably, its global privacy counsel) were guilty of criminal invasion of privacy, and sentenced them to six months in jail.
  • Don’t be evil here, either. Google recently dodged a huge bullet in the US when the FTC decided to slap them on the wrist for past privacy violations, including the use of roving vehicles for its Street View mapping project, not only photographing streets and residential houses, but also collecting data from private, unsecured wi-fi networks. The FTC concluded its privacy probe after Google apologized, promising not to use the data and pledging to improve their privacy safeguards.
  • That Social Network. Facebook’s CEO and co-founder Mark Zuckerberg famously said that the era of social networking has ushered in a new “social norm” which essentially renders many conventional notions of privacy obsolete. Unsurprisingly, the website has been the subject of much litigation related to privacy, yet continues to grow in mass appeal, at 500 million members and counting, despite repeated allegations that it breaches its own published privacy policies.

Every business is bound to handle some sort of personal data, whether that of its employees or its users. For Web 2.0 companies, this means they must respect current federal and state regulations by posting the right privacy policy and terms of use (TOU) on their website. This issue of POINTERS deals with the privacy notices required of most US businesses and generally found on their websites. The next issue will address Terms of Use for websites more specifically.
 
What is PII, exactly?
Personally Identifiable Information (“PII”) typically includes any information about a person which is collected by a company and which can be used to identify, contact or locate that person. PII includes a person’s name, address, phone or fax number, e‐mail address, social security or driver’s license number, credit card or financial account number, age, etc. PII can also encompass computer- or device-specific information, such as IP addresses or browsing history. This information would not normally be considered “personally identifiable,” but since it can be used (often in conjunction with other PII) for data profiling, it should be treated as PII for purposes of a privacy policy.
 
Privacy Policies – what are they, and what do they cover?
In general terms, a privacy policy is a company’s comprehensive promise to safeguard PII. In the US, the Federal Trade Commission (“FTC”) has issued “self-regulatory guidelines” for companies that collect and share information, emphasizing requirements for notice, disclosure and consent. “Self-regulatory” should not be misinterpreted as “optional.” The FTC is federally authorized to sanction unfair or deceptive marketing practices by bringing enforcement proceedings against violators, as further discussed below.
 
What laws and regulations apply to privacy policies?
Although it may come as a surprise, the US has no explicit, constitutional right to privacy aside from the general guarantees provided by the First and Fourth Amendments against privacy invasions by governments and state actors. Individuals are not otherwise protected from collection and use of personal information by private businesses, and tort remedies are often inadequate where monetary damages are difficult to prove. In response to these concerns, the FTC enacted regulations to protect PII, including:

  • The FTC Act: prohibits unfair or deceptive acts and practices in the marketplace by enforcing companies' own privacy promises about how they collect, use and secure consumers' personal information.
  • The Gramm-Leach-Bliley Act: governs privacy policies for financial institutions, and mandates industry-specific privacy notices and safeguards for PII. The FTC works with the Securities and Exchange Commission, the U.S. Treasury Department and other federal agencies to protect and enforce consumer privacy in the financial sector.
  • The Health Insurance Portability & Accountability Act (HIPAA): governs privacy policies for medical practices, and regulates the security and confidentiality of patient information.
  • The Children’s Online Privacy Protection Act (COPPA): provides special consumer privacy protections for transactions involving or affecting children.

Some states have also implemented their own, sometimes more stringent, regulations for privacy policies. For instance, the California Online Privacy Protection Act of 2003 requires "any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site." And of course, international rules and regulations protecting consumer privacy vary widely and often impact tech companies, as illustrated in the Google-Italy case above. For instance, Canada passed in 2000 the Personal Information Protection and Electronic Documents Act (abbreviated PIPEDA or PIPED Act) to govern how private-sector organizations collect, use and disclose personal information in the course of commercial business.
 
What should my company’s privacy policy contain, and why? 
The requirements for privacy policy content are complex, but the nuts and bolts of a compliant privacy policy include the following:

  • Notice: What information am I collecting, and what am I doing with it? The privacy policy should specify the various types and categories of PII collected, and explain the reason for its collection and use. This includes not only specific personal data (names, addresses, etc.), but also information collected by cookies and other web technologies. Common reasons for collecting and storing PII include customizing advertisements to suit consumers’ specific interests, fulfilling orders, contacting customers for promotions and gathering statistics for marketing strategies, surveys, etc.
  • Sharing: Who am I sharing information with? The privacy policy should disclose whether PII will be sold or otherwise shared with third parties, and identify those parties (e.g. advertisers, merchants, etc.).
  • Consent: What choices do my users have? The privacy policy should provide users with mechanisms to “opt-out” of information gathering (i.e., cookies), information sharing with third parties, direct marketing, etc. If there are consequences for refusing to provide such information (i.e., access to all or part of the website is conditioned upon disclosure of PII), then the privacy policy should state that fact.
  • Access: How can my users view and correct their personal information? Companies should allow users to access and review PII concerning them upon request, and should establish a quick, easy and inexpensive process by which consumers can correct factual inaccuracies.
  • Security: How am I keeping my users’ information secure? The privacy policy should explain what security mechanisms your company will put in place to ensure that PII is safe from unauthorized access, for example SSL encryption to protect data transmission, and company policies governing PII protection by employees, agents, contractors and others.
  • Contact: What if my users have questions or concerns about my privacy policy? Your privacy policy should include your contact information, and open communication should be encouraged.

What other best practices should I follow?

  • Can my users find and understand my policy? Avoid “legalese” and “fine print.” The privacy policy should be clearly written, easily understood by a layman, and easy to find on a website. Buried or cryptic disclosures about controversial practices like behavioral advertising can trigger FTC involvement.
  • How will I notify my users of changes to the policy? If you make material changes to your privacy practices, you should ensure your users are aware of the changes, for example by requiring acceptance of the updated policy, sending an email notification, or posting a conspicuous website announcement. The FTC has flagged the retroactive application of new privacy policies, or unannounced policy changes, as potentially deceptive or unfair as a business practice.
  • What practical steps am I taking to protect my users’ PII? Obviously, physically safeguarding your users’ sensitive data in your files and on your computers is the first step in preventing fraud or identity theft, and should be fundamental to your overall privacy policy. Take an inventory of all PII that you possess, reduce your liability by keeping only information that you need, responsibly purge what you don’t, and guard it under (virtual or not) lock and key. Develop a plan in case you do experience a security breach. In short, uphold your privacy policy promises with real action.

What remedies might I face for privacy violations?
The FTC and State AGs are empowered to impose fines, restitution damages and other sanctions if a law or regulation has been breached. They can increase notice and disclosure requirements and require affirmative consent for certain practices such as online data collection. Just this year, the FTC has brought high-publicity cases against Rite-Aid for HIPAA violations, Twitter for failure to establish an adequate information security program, Dave & Buster's for compromising customers' credit and debit cards, and ControlScan for misleading its customers about certification of online retailers as private and secure. As we saw in the Google-Italy case, repercussions can include criminal prosecution and imprisonment in rare cases. In countries where laws and religious culture are intertwined, seemingly innocuous business practices or offerings might result in criminal liability.
 
What about “safe harbor”?
Companies in the technology sector are exposed to foreign liability for privacy violations under a myriad of international laws and regulations. International laws related to sales taxes are a common problem area, as are contests, sweepstakes and other promotions, which may violate foreign consumer protection laws. US companies transacting business in Europe can opt-in to the Safe Harbor program, designed to streamline compliance with the EU Data Protection Directive. Participation in the Safe Harbor program mitigates risk by certifying that the US company took good faith measures to follow the Directive, thus limiting or eliminating liability for legitimate mistakes or excusable violations.
 
Why can’t I just copy and paste another company’s privacy policy on my website?
Duplicating another company’s privacy policy is a risky practice. Privacy policies should not be viewed as mere forms. Boilerplate language not specifically tailored to a company’s industry, geographical location (either the company’s or that of those accessing the site), or business model can subject a company to significant exposure. Plus, many policies online are simply outdated. As we’ve seen, privacy mandates vary widely from industry to industry, and certain states have enacted additional statutory requirements. Even within the same industry and location, privacy practices are impacted by countless variables such as the nature of the data, the purpose of use and retention, and customer preferences. No two companies or websites are identical; a one-size-fits-all policy is impossible. In the inevitable event that some small yet significant difference exists, the privacy policy will fall short. The FTC regularly investigates whether companies’ actual practices with respect to data collection, use and disclosure conform to their stated privacy policies, and enforces sanctions against companies that are not in compliance with their own policies. Plagiarism is rarely a good line of defense! In other words, that language that you snag from your partner’s or competitor’s site is likely to be out of date or otherwise insufficient for your unique needs and circumstances.
 
Call to action.
It’s imperative that your privacy policy be custom tailored, up-to-date, and compliant with your state’s laws and regulations, and those affecting your users. New companies should have a privacy policy created by competent counsel with expertise in internet law. Established businesses should have their current policy reviewed regularly to ensure its adequacy. It is relatively inexpensive to do so. Privacy is a current “hot topic”: the FCC is committed to taking aggressive action against violators, and regulatory reform is in demand and overdue. All companies, from startups to giants, must safeguard their most valuable assets (their customers) and simultaneously shield themselves from unnecessary litigation expenses and needless negative publicity. Creating a solid privacy protection program is a part of basic due diligence for your company, and it’s an area where you shouldn't cut corners. You want to reach Google-like fame; just not for the wrong reasons!

RELATED:

U.K.: Google Breached Data Laws. UK says Google engaged in serious breaches of data security laws. November 4, 2010, Wall Street Journal
Facebook defends privacy practices to Congress. Letter from Facebook executive says reports of a privacy breach are "false" and due in part to a misunderstanding of how Web technology works. November 3, 2010, CNET News
EU Seeks Stronger Online Privacy Laws. The European Commission wants to strengthen rules governing the collecting and use of personal data online. November 4, 2010, eWEEK
FTC Forgives Google Street View WiFi Privacy Gaffe. Satisfied with Google's new privacy policies, the Federal Trade Commission forgave Google for its Street View WiFi-sniffing incident, concluding its inquiry. October 27, 2010, eWEEK
Google settles Buzz privacy lawsuit for $8.5 million. Google settled a class action lawsuit brought against the company in response to privacy violations surrounding Buzz, its latest attempt at a social product, the company just announced. November 2, 2010, San Francisco Chronicle
Amazon wins fight to keep customer records private. Federal judge slaps down demand from North Carolina tax collectors but hints that a narrower approach may comply with the First Amendment. October 25, 2010, CNET News
 

Disclaimer: Please note that this newsletter is for educative purposes only and does not constitute legal advice. It should not be relied on to make business or legal decisions, since each state has different laws, each situation is fact specific, and it is impossible to evaluate a legal problem without a comprehensive consultation and review of all the facts and/or documents at issue. 


OTHER LEGAL DEVELOPMENTS

 
Attorney-client privilege with in-house counsel? Better do your homework. In Gucci America, Inc. v. Guess?, Inc., 2010 WL 2720079 (S.D.N.Y.), the United States District Court for the Southern District of New York held that a corporate employee who was an inactive member of the California bar was not considered an attorney for attorney-client privilege purposes. October 18, 2010, Baird Holm Corporate Counsel Litigation Update
Google Sues U.S. Interior Department over Microsoft Contract Bid. Google has filed a lawsuit against the federal government, alleging the Department of Interior is unfairly restricting competition for a cloud-hosting contract. November 1, 2010, eWEEK
Study finds support for presidential Net 'kill switch'. Majority of participants in Unisys survey favor giving president authority to control or "kill" portions of the Internet in the event of a malicious cyberattack. October 27, 2010, CNET News
Expedia, Rivals Urge DOJ to Halt Google's ITA Purchase. Google's $700 million bid to buy travel software company ITA was formally protested by Expedia, Kayak.com and others with the formation of FairSearch.org. October 26, 2010, eWEEK
FCC crunches numbers on spectrum crisis. The wireless industry is working to make devices and network gear more efficient, but that simply won't be enough to keep up with growth, says FCC Chairman Julius Genachowski. October 25, 2010, CNET News



THE STARTUP CORNER

Tools for rooting out Web plagiarism, copyright violations. How to determine the originality of material posted on a Web site and find sites using your copyrighted material without permission. CNET News, November 5, 2010
Microsoft Unveils Small Business Server Pricing, Release Dates. Microsoft has unveiled final names and pricing for its next generation of Small Business Servers, which seek to combine on-premises computing with cloud features. November 4, 2010, eWEEK
Andreessen Horowitz raises $650 million to invest in tech startups. The Silicon Valley venture capital firm said it will use the money to make investments of $50,000 to $50 million in technology startups. November 3, 2010, San Jose Mercury News
Special tax benefits could help founders and investors. A little noticed provision of a recently enacted federal tax law may lead to a significant increase in the formation of new startups and angel investing before the end of this year. If you have been thinking about founding or investing in a technology startup, there is no better time to jump in and take advantage of a recently enacted federal income tax benefit. October 26, 2010, TechFlash
10 Startup Ideas That Never Work. Why do startups fail? There's a number of reasons. Sometimes it's the wrong person at the wrong time. Sometimes though, the problem is just too big to tackle. Sometimes there's a reason nobody has been able to solve the problem a startup is tackling. October 11, 2010, San Francisco Chronicle
Microsoft Security Essentials to Target Small Businesses. Microsoft is updating its Security Essentials licensing agreement to make the software more broadly available to small business owners. September 23, 2010, eWEEK


 


Louis Carbonneau
Founder & Principal
The Point Law Group




THE POINT LAW is a boutique law firm specializing in business and intellectual property counseling as well as various technology transactions. We cater primarily to technology and e-commerce companies. We offer a full range of legal and business solutions to start-ups, small and medium-sized businesses and large multinational corporations.

You can contact Louis directly at:

louicar@thepointlaw.com
(425) 868-9280 (o)
(425) 213-7252 (m)



 


PREVIOUS ISSUES

To read previous issues of
Pointers, click here:

April 26 Issue
May 6 Issue
June 24 Issue
June 28 Issue
August 10 Issue
October 10 Issue
October 25 Issue