Look Out for Privacy Traps!
Businesses are benefitting from all sorts of new media tools, like enhanced websites, social networking and mobile applications. New functionality can drive users to online offerings, as well as raise the profile of a company's brick-and-mortar presence. Also, online advertising provides an important new revenue stream, and as targeted advertising grows more sophisticated, businesses can demand higher premiums for advertising space.
Yet with these opportunities, care must be taken to keep privacy-related risks in check. A good operating assumption is that new media tools will collect some information about individuals. Such information does not necessarily need to identify an individual by name in order to carry concerning privacy implications. Wrong steps could lead to reputational injuries at best, and data breaches, enforcement actions, or civil penalties at worst.
Each company's use of new media raises different privacy risks. But privacy hot spots tend to appear consistently in the following areas:
- Does your content attract children? Online offerings might foreseeably be attractive to kids 12 years old and younger. Or a business could be aware that it actually has collected children's personal information online. For example, a website with fun interactive features might ostensibly target an older teen/young adult demographic, but still have considerable "tween" appeal. Such situations are rife with legal risk under Children's Online Privacy Protection Act (COPPA), which is actively-and publicly-enforced by the FTC, sometimes with seven-figure settlement penalties.
- Have you covered the information security basics? If your website or mobile app engages in any type of e-commerce, do you encrypt the transaction, especially any credit card numbers? In the "back office" supporting your online offerings, are default usernames or passwords avoided? Are wireless connections secured? Where basic security precautions were not taken, the FTC has publicly shamed companies that suffered security breaches. Notably, a company need not necessarily make a public representation concerning information security in order to be caught in the FTC's net.
- Do you know which marketing laws apply to your campaigns? Do you plan to market your offerings or those of your partners by text message? Email? Phone call? Fax? If so, federal or state law could limit whom you may contact, or may require you to provide certain opt-out choices. Violations of such laws could lead to enforcement actions, and in some cases, give rise to private rights of action.
- Do your mobile applications use location information? Companies offering mobile applications-either independently or with partners-could be using location information to enhance the service. Yet, location information is sensitive, and certain legal limitations apply.
- Do you use online advertising best practices? Congress, the FTC and state authorities-spurred on by privacy advocates-are ready to regulate online targeted advertising, unless industry self-regulation is found to work. Businesses have an interest in maintaining a self-regulatory regime, where innovative technology and new types of online partnerships can be quickly put in use. Furthermore, unintended consequences of regulation could choke off the important revenue streams that ultimately fund free online services. Accordingly, companies should understand the types of technology that their ad networks use, and avoid especially intrusive or aggressive mechanisms. They should consider adhering to voluntary guidelines concerning online ads that industry groups have developed. They may also wish to participate in ongoing policy debates.
Every company should periodically review its privacy and security practices to make sure that it is avoiding common pitfalls.