The biggest privacy challenges affecting businesses today are regulatory scrutiny from government agencies, media coverage with unintended consequences, and privacy risks that are discovered during corporate transactions.
Rapidly growing eCommerce and technology companies typically focus on creating viable products and services, adapting business models and responding to challenges, and using data in new ways to glean valuable insights and advantages. They often achieve success by disrupting existing industry norms and flouting convention in an attempt to do things better, faster and more cost-effectively. In the tech world, this strategy is often a blueprint for success. At the same time, this strategy also often raises privacy concerns from regulators and investors. In fact, three of the biggest privacy challenges affecting businesses today are regulatory scrutiny from government agencies (and potentially, personal liability arising from such scrutiny), media coverage with unintended consequences, and privacy risks that are discovered during corporate transactions.
Regulatory Scrutiny Of Privacy Practices
Government regulators, led by the Federal Trade Commission (“FTC”), have taken an activist role in enforcing privacy protections. The FTC often does so by utilizing its powers under the FTC Act, which enables the FTC to investigate and prosecute companies and individuals for “unfair or deceptive acts and practices.” Some of the activities which the FTC considers to fall under the “unfair or deceptive” umbrella are: a company’s failure to enforce privacy promises; violations of consumers’ privacy rights; and failing to maintain reasonably adequate security for sensitive consumer information.
Though most of the FTC’s investigations are settled privately and non-publicly, those that do become public (usually, as a result of a company refusing to cooperate voluntarily or disagreeing with the FTC on the proper resolution) are often instructive. For example, the FTC recently settled charges against Snapchat, the developer of a popular mobile messaging app. The FTC accused Snapchat of deceiving consumers with promises about the disappearing nature of messages sent through the service, the amount of personal data Snapchat collected, and the security measures taken to protect that data from misuse and unauthorized disclosure. Similarly, when Facebook acquired WhatsApp, another cross-platform mobile messaging app, the FTC explicitly warned both Facebook and WhatsApp that WhatsApp had made clear privacy promises to consumers, and that WhatsApp would be obligated to continue its current privacy practices ― even if such policies differ from those of Facebook ― or face FTC charges. The takeaways from the FTC’s recent investigations and enforcement actions are clear: (1) businesses should be very careful about the privacy representations that they make to consumers; (2) businesses should comply with the representations they make; and (3) businesses should take adequate measures to ensure the privacy and security of the personal information and other sensitive data that they obtain from consumers.
Sometimes officers and directors of businesses are named in an FTC action along with, or apart from, the company itself. In such cases, the interests of the individuals and those of the companies often diverge as the various parties try to apportion blame internally. In certain cases, companies and their officers are held jointly and severally liable for violations. For example, the FTC sued Innovative Marketing Inc. and three of its owners/officers. A federal court found the business and the owners/officers to be jointly and severally liable for unfair and deceptive actions, and entered a verdict for $163 million against them all. The evolving world of regulatory enforcement actions reveals that traditional liability protections (i.e., acting through a corporate entity) do not necessarily shield owners, officers, and/or directors from personal liability when privacy violations are at issue. Officers and directors should keep in mind that knowledge of, or indifference to, an unfair or deceptive practice can put them squarely in the FTC’s crosshairs ― and that the “ostrich defense” of ignoring and avoiding such issues is unlikely to produce positive results.
Unintended Consequences of Publicity
Most businesses crave publicity as a means of building credibility and awareness for their products or services. However, businesses should keep in mind that being in the spotlight can also put the company on regulators’ radar screens, potentially resulting in additional scrutiny where none previously existed. One of our clients, for example, came out with an innovative service that allows consumers to utilize their personal information in unique ways, and received significant positive publicity as a result. Unfortunately, that publicity also caught the interest of a regulatory entity. It turns out that some of our client’s statements about their service were misunderstood by the government. Ultimately, we were able to clarify the service offered by our client for the government in an efficient and cost-effective manner, demonstrating that no wrongdoing had occurred, and the inquiry was resolved to our client’s (and the government’s) satisfaction. Nonetheless, the process itself resulted in substantial aggravation for our client, who was forced to focus on an investigation rather than on its business activities. Ultimately, the misunderstanding could have been avoided if the client had checked with us first, before speaking with reporters, to ensure the client’s talking points were appropriate.
Another, more public example occurred at Uber’s launch party in Chicago. Uber, the car service company which allows users to hail a cab using a mobile app, allegedly demonstrated a “God View” function for its guests which allowed the partygoers (including several journalists) to see, among other information, the name and real-time location of some of its customers (including some well-known individuals) in New York City – information which those customers did not know was being projected onto a large screen at a private party. The resulting publicity backlash was overwhelming. Senator Al Franken wrote Uber a letter demanding an explanation of Uber’s data collection practices and policies, and Uber was forced to retain a major law firm to independently audit its privacy practices and implement changes to its policies, including limiting the availability and use of the “God View.”
Experience has shown us that contrary to the old mantra, all publicity is not necessarily good publicity when it comes to the world of privacy. Before moving forward with publicity or marketing for your business, consider incorporating a legal review into the planning to avoid any potentially adverse impact of such publicity.
Privacy Concerns Arising During A Corporate Transaction
Perhaps most importantly to company owners, the failure to proactively address privacy issues in connection with corporate transactions can cause significant repercussions, potentially destroying an entire deal. Most major corporate transactions involve some degree of due diligence. That due diligence, if properly performed by knowledgeable attorneys and businesspeople, will uncover any existing privacy risks (i.e., violations of privacy-related laws, insufficient privacy security measures or compliance issues which become financially overwhelming). If these issues were not already factored into the financial terms of the transaction or affirmatively addressed from the outset, the entire landscape of the transaction can change overnight once the issues are uncovered – with the worst-case scenario being the collapse of the entire deal. Therefore, it is critical that businesses contemplating a corporate transaction be prepared to address all relevant privacy issues up front. Such preparation should include an internal analysis of the business from a privacy-law perspective (i.e., determining which regulatory schemes apply, and whether the business is currently in compliance) and being prepared to provide quick responses to relevant inquiries, such as historical policies and procedures related to privacy and data security, diagrams of network/data flow, lists of third parties with whom data has been shared, representations and warranties made to data subjects, and descriptions of complaints, investigations, and litigation pertaining to privacy issues.
Privacy and data security issues can be particularly tricky depending on the nature of the data that is maintained by the company and the representations that the company has made with respect to such data. Businesses are well-advised to prepare a due diligence checklist in preparation for any corporate transaction which should include an assessment of the business’ compliance with applicable information privacy and data security laws as well as any potential liabilities from deficiencies that are discovered. Addressing these issues in a proactive manner will allow the business to be more prepared for the corporate transaction and mitigate any harm which otherwise might flow from any problems which arise.