How Difficult Is It For a Business To Comply With Its Own Privacy Policy?
If a business’ privacy policy says it will protect its customers’ sensitive private digital information in certain ways, then it probably is a good idea for the business to keep that promise. The Federal Trade Commission has sued businesses for allegedly making promises in their privacy policies that they did not keep.
How difficult is it for a company to comply with its own data security, or privacy, policy? Evidently, it is difficult, labor intensive and time-consuming; mostly because of the problems translating the words of the policy into detailed computer instructions or code, and the vast amount of code that needs to be checked to ensure it complies with the policy.
Is there a way for a business to protect itself by ensuring that its privacy policy is properly, and consistently, carried out? There might be, and it involves something called Legalease, which actually clears things up rather than makes them more confusing.
The highest profile recent case in which the FTC has alleged that a company deceived the public by failing to live up to the promises made within its own privacy policy, is the FTC v Wyndham Worldwide Corp., et al. We previously wrote about the April 7, 2014 decision of Esther Salas, U.S.D.J., which denied the motion of one of the defendants, Wyndham Hotels and Resorts, LLC (“Hotels and Resorts”), to dismiss the complaint against it. In that decision the court describes the FTC’s deception claim this way, beginning on p.33:
Hotels and Resorts also challenges the FTC’s deception claim (HR’s Mov. Br. At 23). In this claim, the FTC cites the Defendants’ privacy policy disseminated on Hotels and Resorts’ website and alleges that, “in connection with the advertising, marketing, promotion, offering for sale, or sale of hotel services, Defendants have represented, directly or indirectly, expressly or by implication, that they had implemented reasonable and appropriate measures to protect personal information against unauthorized access” but that “Defendants did not implement reasonable and appropriate measures to protect personal information against unauthorized access.” (Compl.paragraph 21, 44-45). Accordingly, the FTC alleges that Defendants’ representations “are false or misleading and constitute deceptive acts or practices” under Section 5(a) of the FTC Act. (Id. Paragraph 46).
Hotels and Resorts’ privacy policy seems innocuous, though it does sound suspiciously like the FTC’s “Reasonable Precautions” cybersecurity standard that Wyndham complained so loudly about in the same case. The privacy policy says the company will comply with certain amorphous standards without defining what those standards specifically require. According to the court, beginning on p. 37 of its decision:
Continue reading