MediaTech Law

By MIRSKY & COMPANY, PLLC

Privacy: Consent to Collecting Personal Information

Gonzalo Mon writes in Mashable that “Although various bills pending in Congress would require companies to get consent before collecting certain types of information, outside of COPPA, getting consent is not a uniformly applicable legal requirement yet. Nevertheless, there are some types of information (such as location-based data) for which getting consent may be a good idea.  Moreover, it may be advisable to get consent at the point of collection when sensitive personal data is in play.”

First, what current requirements – laws, agency regulations and quasi-laws – require obtaining consent, even if not “uniformly applicable”?

1. Government Enforcement.  The Federal Trade Commission’s November 2011 consent decree with Facebook requires express user consent to sharing of nonpublic user information that “materially exceeds” the user’s privacy settings.  The FTC was acting under its authority under Section 5 of the FTC Act against an “unfair and deceptive trade practice”, an authority the FTC has liberally used in enforcement actions involving not just claimed breaches of privacy policies but also data security cases involving managing of personal data without providing adequate security.

2. User Expectations Established by Actual Practice.  The mobile space offers some of the most progressive (and aggressive) examples of privacy rights seemingly established by practice rather than stated policy.  For example, on the PrivacyChoice blog, the CEO of PlaceIQ explained that “Apple and Android have already established user expectations about [obtaining] consent.  Location-based services in the operating system provide very precise location information, but only through a user-consent framework built-in to the OS.  This creates a baseline user expectation about consent for precise location targeting.”  (emphasis added)

3. User Expectations Established by Widely-Adopted Self-Regulatory Standards.  Again, these are not government-issued mandates.  For example, the Network Advertising Initiative’s (NAI) Principles provide for transparency – in disclosure – of how information is collected and to be used (including, in particular, for online behavioral advertising targeting) and for opt-in consent for collection and uses of sensitive personal information (and opt-out consent for any other type of personal information).

A challenge here is determining what constitutes a widely-adopted standard, and what “standard” is (effectively) legal guidance.  While government may not provide guidelines or “safe harbors” for best practices, the marketplace will tend to migrate toward adoption of standards.  This is potentially perilous for businesses because in a rapidly-changing industry dealing with constantly evolving technologies, who’s to really say what practices are “best practices” or industry standard?

And quite quickly, industry codes can take on the clothes of actual law.  In its March 26, 2012 privacy report, the FTC stated that it “will work with the Department of Commerce and stakeholders to develop industry-specific codes of conduct.  To the extent that strong privacy codes are developed, when companies adhere to these codes, the FTC will take that into account in its law enforcement efforts.  If companies do not honor the codes they sign up for, they could be subject to FTC enforcement actions.” (emphasis added)

On the other hand, the technology industry is certainly familiar with “best practice” guidelines used to benchmark “commercially reasonable” practices for contract breach disputes.  Some examples are here, here and here.

Second, even if legal requirements for obtaining consent are not uniformly applicable, it may still be a good idea to get user consent before collecting users’ personal information.  Here are six reasons why:

1. The FTC has frequently and increasingly demonstrated its interest in pursuing privacy enforcement for activity areas well beyond egregious data security breaches.  The Commission’s enforcement cases against Facebook (see above), Twitter and Google are high-profile but hardly aberrations.

2. State Attorneys General, acting under their states’ “baby FTC” versions of the FTC Act, have also become increasingly interested in using their enforcement arms to advance user expectation and information collection consent rights.

3. Congress is interested, and various user disclosure and consent legislative efforts have advanced in the House and Senate, with some sort of legislative enactment all but certain following the 2012 elections.  (See for example, Justin Brookman’s analysis of the McCain-Kerry Privacy Bill here, and Arent Fox’s good discussion of Representative Boucher’s House bill here.)

4. Brand reputation, or put in plainer terms. When privacy is so prominently in the news, when companies are increasingly promoting themselves as privacy-sensitive, when for-profit businesses are sprouting everywhere promoting privacy “seal” certification services, ignoring privacy concerns is becoming bad business.  Put another way, why piss people off?  Good privacy practice bespeaks good business practice and risk management.

5. Class action and common law.  Forget the FTC and federal and state laws, because even without these, businesses are still exposed to all sorts of common law rights of action under tort law, particularly when it comes to handling of personal information.  As John Heitman recently wrote, in a fine discussion of the controversy involving Groupon’s recent aggressive changes to its privacy policy:

An online marketing business using consumers’ personal information must do so carefully in order to limit its exposure to private class action litigation, Federal Trade Commission (FTC) investigations and enforcement, state attorneys general actions, and more.  Groupon’s changes won’t satisfy everyone, but they certainly take the company in the right direction and much of what’s been done can serve as an example for others mindful of (or needing to be mindful of) their corporate privacy posture and the risks that come with it.
