Privacy has become an issue that 21st century business leaders and GCs cannot ignore or leave to the engineers. In the information age, personal data is a key asset for many businesses and a centerpiece of business opportunities.
If mismanaged, the personal data a company stores may present a significant risk. Data breaches, class action lawsuits and US FTC, state attorney general and international regulatory enforcements are all painful events that can harm a company’s brand, lead to significant legal costs and fines and wither employee morale. At worst, failure to properly plan for a major privacy obstacle can stop a business in its tracks.
The information age has made privacy issues more pressing and more complicated. The amount of data tied to an individual or a personal device is growing exponentially and can be stored ever more cheaply. Cloud and other networked technologies zip data across continents to achieve efficiencies and reduce expenses. This opens enormous opportunities to personalize services and increase the value of advertising. Exciting innovations such as smart grid technologies and “the Internet of Things” will allow more information to be gathered about how people live.
However, this information explosion has significantly increased policy-maker, media and class action lawyer focus on uses of such data. In July, the California AG’s office announced a special privacy unit to enforce California privacy laws. A proposal moving through the European Parliament would dramatically increase both regulation of profiling and privacy fines across the EU. The information explosion also animates recent US White House and FTC proposals to regulate information tied only to a device or IP address and not to a name. Dozens of companies have been embarrassed on the front page of the Wall Street Journal in its “What They Know” series tying them to surprising information collection tactics.
Privacy class actions have spiked in recent years. For example, plaintiff class action lawyers are filing suits against more than 60 companies in Missouri state court alleging that “flash cookies” (which re-install even if a web browser is set to reject cookies) were downloaded through the companies’ websites with inadequate notice. The core of the plaintiffs’ allegations is not that the defendants knew of the activity, but that they did not adequately police third-party vendors.
For multinationals, privacy requirements are even more elaborate. Much of the developed world regulates privacy heavily. In the past year alone, South Korea, Hong Kong, Colombia and Peru have enacted new restrictive laws. In early July, European privacy regulators announced extensive requirements for Cloud computing arrangements and warned EU companies that they must obtain concessions from Cloud vendors meeting these requirements.
In Europe, control over one’s personal data is a fundamental right treated as seriously as free speech rights in the US. The EU is likely to increase restrictions on data-intensive businesses, record-keeping obligations on all companies that use personal data and fines for violations. Policy makers there, angered by reports that Cloud vendors do not conform to EU requirements, hope to transform how businesses treat personal data. They also hope to promote Europe’s domestic IT industry through tough requirements discouraging businesses there from providing data to companies that do not meet EU standards.
As the temperature rises on privacy and requirements become more complicated, what should businesses do?
1. Designate and empower a privacy officer. Empower someone in the company to “own” privacy compliance and data management and mandate all business units to cooperate with that officer. Businesses in riskier sectors should establish an internal data council to address legal changes before they take effect.
2. Do risk assessments. Take stock of your marketing practices, the personal data your business holds, how you use the information and whether you operate in high-risk jurisdictions. US class action risk areas include text marketing, telemarketing, data collection through mobile apps and allowing ads to place cookies or otherwise track users. Payment card data, medical data, government ID numbers, financial or tax data and communications data create special risks. In Europe, data collection regarding criminal convictions, union membership or sexual life also bears risks.
3. Map data flows. Track where your company obtains personal data and to whom it discloses it. If you operate in countries restricting international transfers of personal data, understand how that data moves and whether your transfers comply.
4. Review and update your vendor and marketing partner agreements. Your vendors and marketing partners are a source of significant potential privacy risks. Many countries require that contracts with third parties receiving personal data from a company contain specific language. (Many Cloud agreements require this language.) If vendors or partners suffer a data breach, engage in undisclosed user tracking, or market or handle personal data in violation of legal requirements, your business can be liable and its reputation can be harmed. Develop template agreements meeting legal requirements and negotiate over indemnification.
5. Keep up with new developments. Rapidly evolving laws mean you should routinely adjust your compliance program to keep up.
DLA Piper’s global privacy practice is deeply involved in this changing landscape, helping clients to develop compliant solutions meeting business needs and managing and avoiding risks. We also regularly defend clients in class actions and regulatory enforcement actions. Please let us know how we may help you and your business.
For more information, please contact Jim Halpert.