
Practical Tips: Compliance with Privacy Laws: Creation and Use of Privacy Policies and Procedures

Francoise Gilbert

© 2003 IT Law Group – All Rights Reserved

Failure to comply with the applicable privacy laws may expose a company and its managers, directors and officers to serious penalties, and in some cases imprisonment in addition to fines. Most privacy laws contain civil and/or criminal penalties. Some include a private right of action, while others require an action by a federal agency or the state attorney general. A company must implement and use policies and procedures that ensure compliance with the applicable privacy laws in order to reduce the risk of exposure to litigation and the resulting costs and damages.

Risks of Non-Compliance

US Privacy Laws

Since the United States uses a sectoral approach to the protection of privacy, hundreds of privacy laws (federal, state, or local) may affect a company. It is impossible to summarize the penalties that each of them includes.

HIPAA, one of the leading and most advanced pieces of privacy legislation, provides a good benchmark against which to evaluate a company's exposure. HIPAA sets forth serious civil or criminal penalties for failure to comply with its requirements, for wrongful disclosure of confidential information, and for violation of a patient's privacy rights.

The civil penalties under HIPAA are up to $100 for each violation, with a cap of $25,000 for all violations of an identical requirement within a calendar year. There may be lower penalties if the covered entity can prove that it did not know of any violation; or had reasonable cause and did not willfully neglect to comply with the requirements; or if the failure is corrected within 30 days. Criminal penalties may be assessed if the covered entity knowingly obtained and disclosed protected information. Fines may be up to $50,000 and may be combined with a prison term of up to one year. If information was obtained under false pretenses, there may be fines of up to $100,000 and/or prison of up to 5 years. If protected information was obtained with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm, then higher fines and prison terms may be assessed against the violators: up to $250,000 and prison of up to 10 years.

Deceptive or Unfair Practices

In addition to the penalties provided for by the applicable statute, there may be additional damages assessed for deceptive or unfair practices under Section 5 of the FTC Act and its state law equivalents. In recent years, there has been increased attention to the protection of PII, domestically and abroad. Privacy-related complaints have been filed. Numerous government actions (e.g. by the FTC or state agencies) and private actions (individual or class action) targeting privacy violations by well-known companies have taken place. Foreign Data Protection Agencies have investigated subsidiaries of US companies. In addition to the embarrassment of being the target of investigations, complaints or lawsuits reported in the press, these actions have generally resulted in the assessment of damages and penalties, the obligation to pay plaintiffs' attorneys' fees, and the requirement to implement strict privacy and security procedures. In other instances, government action has prohibited a contemplated transaction.

For example, to end a 30-month privacy investigation by the FTC and ten states, DoubleClick agreed to pay $1.8 million in plaintiffs' costs in a class action suit, to pay $450,000 in fines, and to adhere to specific practices and policies, which included the following requirements: display 300 million consumer privacy banner ads that invite consumers to learn more about how to protect their online privacy; provide an easy-to-read explanation of its ad-serving services; obtain opt-in consent before it can combine PII and clickstream data; ensure that Internet users' online data will not be used in a manner inconsistent with the privacy policy under which it was collected; develop internal policies to ensure protection and routine purging of data collected online; and limit the life of new ad-serving cookies to five years. In addition, DoubleClick must submit to two annual reviews over the next 2 years, by an independent accounting firm, to verify compliance with the settlement.

Obstacles to the Transfer of Assets

Problems could occur, as well, when a company tries to transfer certain databases in connection with the sale of the company's assets in a manner inconsistent with its published privacy policy. For example, one of the early cases in this area related to the bankruptcy of the Toysmart company: In re Toysmart.com, LLC, No. 00-13995-CJK (U.S. Bankr. Ct. Mass.), filed in May 2000, and FTC v. Toysmart.com, LLC, No. 00-11341-RGS (U.S.D.C., D. Mass.), filed July 10, 2000. Toysmart's online privacy policy stated that the company would "never share" its information with a third party. Toysmart ultimately sought bankruptcy protection and offered to sell its database of customer information. The FTC objected, and in a first settlement, Toysmart agreed that any buyer would have to be in the same business as Toysmart and agree to follow all of the requirements of Toysmart's privacy policy. Ultimately, after many months of additional transactions with the FTC and the bankruptcy court, a shareholder of the company purchased the customer list and agreed to destroy it promptly thereafter. Altogether, something that could have been a "simple" sale of assets was delayed for the database owner by more than one year.

Best Management Practices: Organizational Structures, Processes, and Tools for Compliance

To reduce the risk of exposure to the investigations, suits, damages, penalties and other problems briefly discussed above, companies must ensure that they comply with applicable privacy laws and regulations, and that they abide by the Privacy Policies that they have published on their websites or distributed to their employees and other third parties. In addition, when contemplating activities with non-related entities, they should carefully address privacy concerns at all times when working with a third party in a distribution or strategic alliance, and before entering into a sale, purchase, or divestiture. Prudence, careful evaluation, and consultation with competent legal counsel are strongly recommended.

On a day-to-day basis, companies need to be aware of the privacy laws' restrictions and ensure compliance:

  • Which privacy laws and restrictions govern the company's activities?
  • Are there limitations or restrictions to the proposed activities of the companies or to the contemplated sale of its assets?
  • Is there any potential threat of suits or complaints relating to privacy violations by the company?
  • What needs to be done to ensure compliance?

In addition, privacy laws affect many relationships a company may have with other businesses, such as distributors, suppliers, joint-venturers, or acquirers. Before completing an acquisition, forming a strategic alliance, entering into a contract with a third party (such as a distribution agreement), or entering into a corporate transaction (sale, acquisition, divestiture), companies should also thoroughly analyze and evaluate potential privacy issues to avoid unexpected hurdles or liability. One or more of the participants in the proposed transaction may be subject to privacy law restrictions, or may have published or self-certified its privacy policies.

  • Review these laws, policies, and other related contracts.
  • Conduct an audit of the existing or proposed practices to determine what PII exists, is used, and may be transferred or sold.
  • Determine what restrictions apply to the proposed transaction.
  • Assess whether privacy issues may hamper or preclude the process.
  • Address liability allocation, representation, warranty, and indemnification provisions with respect to the data and the scope of use of the data.

At all times, to reduce exposure to damages, fines, penalties, and public embarrassment, there should be:

  • Periodic privacy compliance audits to evaluate the company's needs and the legal regulatory landscape.
  • Implementation of privacy policies and procedures.
  • Contracts with third parties, with respect to the use and disclosure of private data.
  • Training Programs for the personnel to ensure awareness of the issues and compliance with the restrictions and rules.

Privacy law also affects many relationships a company may have with other businesses, such as distributors, suppliers, joint-venturers, or acquirers. Each participant in a sale or alliance may be subject to privacy law restrictions, and it must determine that its proposed involvement will be permitted or whether privacy issues may hamper the process. Before entering into an acquisition, a strategic alliance, or other agreement with a third party, a company should thoroughly analyze and evaluate potential privacy issues to avoid unexpected hurdles or liability.

  • Identify which laws apply to the company and to the proposed counterpart.
  • Conduct an audit of the existing or proposed practices to determine what personally identifiable information is collected from third parties.
  • If due diligence has identified databases of private information (a likely event), ensure that transferring or sharing the databases is permitted.

Failure to do so would cause the target, the divesting company, or the distributor or affiliate to be in violation of the applicable privacy laws.

Compliance with the myriad of privacy laws requires a concerted effort from within the company. Policies and procedures should be developed with the assistance of counsel knowledgeable about these laws and about the methods, policies and procedures used to address privacy protection. There is no off-the-shelf solution. Each company's needs and requirements are different. Failure to address these concerns in a timely manner, and to use appropriate structures tailored to the specific needs of the business, could expose the company and its directors and officers to litigation, government investigation, and the resulting disruption and costs.


© 2008 IT Law Group.

All Rights Reserved.
