Recent complaints filed by the Federal Trade Commission against companies such as Rite Aid Corporation, Twitter, Inc. and Google Inc. highlight the importance today of companies taking appropriate measures to protect the consumer data they receive in the operation of their businesses.

In the case of Rite Aid (FTC Matter No. 072 3121), the FTC charged Rite Aid with failing to protect sensitive financial and medical information of its customers and employees. Central to the FTC's complaint was the allegation that Rite Aid failed to abide by its disclosed privacy practices by disposing of sensitive information, such as names and Social Security numbers found in prescriptions and employment application files, in readable form in dumpsters behind its stores. Rite Aid recently entered into a settlement with the FTC, agreeing to a $1 million fine and to establish a comprehensive security program to protect the information of its customers and employees.

In the case of Google Inc. (FTC Matter No. 102 3136), the FTC challenged Google's practice of sharing consumer data from its Google Buzz product with other vendors, and its alleged failure to maintain proper privacy restrictions for that internet product, in violation of its own privacy policy. Google also entered into a settlement with the FTC, which imposed far-reaching and extraordinary relief by requiring Google to implement a comprehensive privacy program and to undergo independent privacy audits for twenty years.

In an area that is becoming increasingly subject to regulation and legal action, companies are finding their business practices in receiving, maintaining and disposing of consumer data to be under greater scrutiny today than ever before.
Companies may have a duty to implement and monitor security and privacy measures, to adequately disclose their privacy policies, and to protect the private information they possess from unauthorized disclosure or use. A failure to comply with applicable privacy requirements could lead to enforcement actions by the FTC.
- Under Section 5 of the FTC Act, the FTC has broad powers to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This provision provides a legal basis for the FTC to investigate business activities that threaten consumer privacy, to pursue complaints, to issue reports, and to enforce orders. The FTC will continue to act when it concludes that a company fails to provide "reasonable and appropriate security for the personal information it collected and maintained."1
- The FTC has also published its Safeguards Rule, which applies to financial institutions covered under the Gramm-Leach-Bliley Act. Under 16 C.F.R. Part 314, companies that provide financial services, advice or loans must implement and adhere to a written safeguards program that addresses all of the "administrative, technical, and physical safeguards" appropriate for the business in question.
- Consumer credit information is highly protected under the current law. The Fair Credit Reporting Act provides additional protection to the information collected by consumer reporting agencies and limits the distribution of credit reports. Credit reports are also subject to additional regulation when disposed of, as detailed below.
- Under the Children's Online Privacy Protection Act of 1998 ("COPPA"), restrictions are imposed on companies collecting information from children under the age of thirteen. The FTC recently brought an action against Playdom, Inc., a subsidiary of the Walt Disney Corporation, for allegedly violating COPPA by failing to obtain verifiable parental consent before collecting children's personal information, and Section 5 of the FTC Act by failing to adhere to its own privacy policies. Playdom entered into a settlement with the government, agreeing to pay a $3 million fine and to submit to long-term compliance monitoring.
As the FTC has made clear, having privacy or security policies alone is not enough. Companies must take steps to ensure that the policies are adequately disclosed to consumers, that the policies are updated to comply with new legal requirements, and that the policies are actually followed by the company in handling consumer data.
- When collecting data, it is important to properly disclose privacy practices to customers, clients and employees. Privacy notices should be clear, and the practices should be reasonable and consistent with the customers' or users' expectations. Businesses should clearly describe how they plan to use and share consumer data. The implementation of a safeguards program, whether required by statute or adopted voluntarily, is instrumental in ensuring full compliance with data regulations.
- Once privacy practices are established, they must be followed. Adhering to any and all representations of confidentiality and restrictions on use is important, as the FTC's action against Google makes clear. The use of data must be governed by a use agreement or be consistent with a user's expectations. Beyond ensuring that data is kept safe, through proper electronic storage and security measures, it is paramount that collected data be used only for the specified or expected purposes.
- Privacy practices should not end at the door but must extend to the disposal of consumer and employee data and information. Disposal of consumer report information and records is subject to explicit regulation under 16 C.F.R. Part 682. Under this federal rule, "[a]ny person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information." In order to avoid high-profile and potentially embarrassing investigations into the destruction of consumer material, businesses should adopt and follow a strict destruction policy.
- Take immediate action if a breach occurs. This may include notifying customers and law enforcement. Sony Corporation recently came under scrutiny and public criticism after a mid-April 2011 breach of its PlayStation Network that may have resulted in the exposure of 10 million customers' credit card information. This security lapse has resulted in the filing of private lawsuits against Sony.
As businesses expand their internet presence, the regulation of those businesses will only increase. Examples of this regulatory expansion can be found today. The FTC is currently promoting a "Do Not Track" agenda that would enable consumers to choose whether or not to allow the collection of data when they use the internet. Changes have been proposed to COPPA. Companies with internet sales must keep current on developments in consumer protection regulation to ensure their practices comply with these ever-developing requirements.
The Parker Poe Privacy and Information Security Team provides clients with representation and counseling in connection with consumer data and security practices and related proceedings. For more information, contact Eric D. Welsh or Sarah Hutchins.
1 In the Matter of Ceridian Corporation, FTC File No. 102 3160, May 3, 2011. See also Analysis of Proposed Consent Order to Aid Public Comment, In the Matter of BJ's Wholesale Club, Inc., FTC File No. 042 3160.