In October 2001, the chairman of the Federal Trade Commission (FTC) announced “an ambitious, positive, pro-privacy agenda,” which included a 50 percent increase in resources devoted to protecting consumer privacy.
Considering the number of recent enforcement actions related to both online and offline privacy statements, the FTC is fulfilling the chairman’s privacy agenda. In particular, it is scrutinizing companies’ compliance with their disclosures on the information a company collects from or about consumers; how that information is used; and the security measures in place to protect collected information.
The enforcement tool most often used by the FTC is its claim that noncompliance with a privacy statement is an unfair and deceptive trade practice prohibited by the Federal Trade Commission Act. Within the last few months, the FTC twice demonstrated its ability to force companies into consent decrees based on assertions of unfair and deceptive acts caused by broken privacy promises.
Prior enforcement actions have even established that the FTC may pursue violations of privacy promises when the violations are unintentional. The FTC’s resounding message is that if a company makes a privacy claim, it must live up to and fully implement that claim.
The FTC’s follow-through on its privacy agenda underscores the need for companies to take their privacy promises seriously. More aggressive FTC action can be expected to ensure that businesses adhere to published privacy policies and do not deceive consumers about what information is collected, how it is used and how security is maintained.
Based on the expected continued increase in enforcement, it is essential that companies audit internal privacy practices and relationships with third parties who may have access to consumer information before creating a privacy policy. Further, companies must regularly audit compliance with any statements made about privacy practices and update those policies as necessary.
Companies must ensure that all privacy statements are consistent with actual practices and conform to all legal requirements and regulations related to their particular business. Thus, before any privacy policy is provided, and when reviewing current privacy promises for compliance, some basic questions must be considered.
* What information is collected?
* How, and by whom, is information being collected and stored?
* Who has access to the information?
* How is the information used?
* Are measures in place to protect the information, such as employee training, secure databases and appropriate methods of transmitting information?
The FTC is closely analyzing the answers to these questions and comparing them to any relevant privacy promises. As such, regular audits and processes must be in place to ensure future adherence to all privacy promises. Failure to follow these promises could subject a company to the FTC’s promise of increased enforcement.
Benita A. Kahn and Jason J. Kelroy are attorneys with the Columbus office of Vorys, Sater, Seymour and Pease LLP. They can be reached at www.vssp.com.