A privacy policy? Who needs a privacy policy? Privacy is a mess. You’re building an online business, and you figure you have to have a privacy policy. But why? Is “because everyone else has one” a good enough reason? Ever wonder what you really need to know about privacy law? I mean … what you have to comply with as a business operating in an online environment?
Here, then, the first of several Frequently Asked Questions about privacy policies. Or to be more precise, here now some practical answers on privacy practices:
FAQ #1: Can I simply post a privacy policy and forget about it? Short Answer: No. Longer Answer: No, because as between posted statements and actual compliance, actual compliance is what’s required.
In today’s podcast, we discuss the Federal Trade Commission’s recently issued privacy proposals. My guest is Karen Neuman, a founding partner of St. Ledger-Roty Neuman & Olson LLP, a Washington, DC law firm that focuses on regulation of information technologies and communications law, including privacy & data security, mobile communications, the Internet, media, telecommunications and related transactional matters.
At the core of the new privacy proposal is the idea that the current system of self-regulation does not provide enough consumer protection. Basically, from the FTC’s perspective, people do not pay enough attention to the data-collecting activities of websites and not enough companies are up-front about the data they do collect from visitors to their sites. The FTC says that while many companies detail their data collection through privacy policies, consumers bear too much of a burden in having to sort through such long, legalistic documents.
Among other proposals, the FTC’s new framework would require a “Do Not Track” option, much like the one we currently have to avoid telemarketers. “Do Not Track” would essentially prevent companies from tracking things like your browsing history and buying habits, making it much more difficult for them to target consumers with personalized ads. The proposal also aims to have companies incorporate more consumer protection into their business practices through simpler, more transparent options and by allowing consumers more access to the data being collected about them. The FTC issued its proposed rules just last week, and requested public comment from both businesses and the public.
Please click play on the audio player below to hear the podcast.
A Connecticut company suspended and then fired an employee for making disparaging comments on Facebook about the company and about her supervisor.
Not in dispute is that the employee’s actions violated the company’s social media and other personnel policies, which (among other things) prohibited depicting the company ‘in any way’ on Facebook or other social media sites or from “disparaging” or “discriminatory” “comments when discussing the company or the employee’s superiors” and “co-workers.”
In dispute is whether that social media policy – and the company’s actions in enforcing the policy – violated public policy, in particular Federal labor law. This came into fast relief when the National Labor Relations Board (NLRB) subsequently filed a complaint against the company, charging the company with violations of the employee’s rights under the National Labor Relations Act (NLRA).
What is the legal significance of a website’s privacy policy?
That question lingers when reviewing such policies for legal compliance and for consistency with a company’s actual practices. Problem is, lawsuits involving claims of breaches of privacy policies have failed even in cases of clear and egregious violations by the service provider, where there was an absence of a showing of actual damages.
Eric Goldman cites a number of cases in his blog, including a prominent class action in 2005 against Jet Blue Airlines for voluntarily turning over passenger names to a government contractor, in clear violation of the airline’s stated privacy policy. Policies commonly permit the service provider to disclose information in response to a government demand. Yet, Jet Blue won dismissal despite any such disclosure right in its policy.