There is a vast amount of personal data collected through websites, whether the users are visitors, customers, clients, or patients. The kinds of data collected range from direct personal identifiers (such as a name, email address, phone number, and banking or credit card information) to indirect personal identifiers (such as an IP address, geolocation, device type, and device ID). To help build trust with online users and to comply with applicable data protection laws, many websites post privacy policies describing how data is collected, why it’s collected, if it’s shared, any user options, and how they protect the data. Additional representations may be included depending on what data protection laws apply and their legal requirements. This means the form and content of privacy policies can be comprehensive or limited.
The Potential Issue
One potential issue associated with a website privacy policy is the representations a company makes about its data privacy and security measures. Specifically, if a company's privacy representations fail to align with its actual data handling practices and a data breach occurs, the company is exposed to significant legal and other consequences. A recent federal action involving this exact issue illustrates the point.
Prime Example of Legal Implications of Representations in Website Privacy Policies
In a recent federal action, the Federal Trade Commission (FTC) pursued legal action against a company for violating Section 5(a) of the Federal Trade Commission Act (FTC Act). This section makes it unlawful for companies to engage in unfair and/or deceptive acts or practices in or affecting commerce that cause, or are likely to cause, substantial harm to consumers. Making false or misleading material representations in a website privacy policy is one form of deception prohibited by Section 5(a) of the FTC Act. In that case, the FTC filed a Complaint against a software company that suffered a data breach resulting in millions of its customers’ sensitive, personal data being exposed. Of those, the attacker reportedly exfiltrated thousands of customer records. The types of data included customer names, home addresses, email addresses, phone numbers, dates of birth, bank account information, medical and health information, and account login credentials, among others.
With respect to the company’s website privacy policy, the FTC presented that policy as evidence to show the company had deceived its customers about its data handling practices. In its policy, the company represented it had implemented data security measures to safeguard its customers’ personal data from unauthorized access or use, such as restricting access to only authorized employees, protecting its databases with “various physical, technical and procedural measures,” advising employees about their data protection duties, and storing data in “password-controlled servers with limited access.” Complaint at ¶18.
However, the FTC’s investigation revealed the company's representations were false and misleading. In actuality, the company failed to implement “well known, readily available, and relatively low-cost security measures” that could have prevented or mitigated the data breach. The company’s actual data practices showed it failed to implement adequate password controls and firewall controls, failed to timely patch outdated software, failed to log and monitor its systems to identify data security incidents, and failed to conduct regular risk assessments and vulnerability scans of its networks and databases (among others). Complaint at ¶19. Based on these and other discoveries, the company’s privacy representations were found deceptive and to have caused, or be likely to cause, substantial harm to its customers in violation of Section 5(a) of the FTC Act.
As a result, the company was ordered to implement a list of comprehensive privacy and data security measures, update its website privacy policy so that it accurately describes its data protection measures, obtain third-party assessments of its data handling practices, and report its compliance by the timelines set forth in the Decision and Order.
Takeaway
The essential point to understand is that representations made in website privacy policies have legal implications. They can serve as a safeguard or, conversely, as a potential source of legal liability.
The information provided here is for general informational purposes only and is not intended as legal advice or opinion for any individual matter. Laws or regulations may change in the future, and this content may not reflect the most up-to-date legal or other information. You should consult your own attorney for any legal advice you may require.
If you do not have an attorney and would like to explore how Venus Caruso can assist you, you can contact Venus by using the website’s contact form or by emailing her at venus@carusolawoffice.com.