Consistent with the growing public awareness of online privacy issues, the Federal Trade Commission (FTC), the Better Business Bureau and the Mobile Marketing Association have issued guidelines for companies that are drafting privacy policies. Collectively, these guidelines suggest that privacy policies be written in easy-to-understand English (not “legalese”) and address, at a minimum, these five topics:
- What information does the company collect and how does it do so?
- How does the company protect the information it collects?
- How does the company use the information it collects?
- Does the company share the information it collects with others, and if so, what is shared and with whom is the information shared?
- Do customers have control over their personal data, and if so, what control do they have?
Even companies that are taking steps to protect customer information are potentially subject to claims arising from employee mistakes or intrusions by hackers. For example, in Resnick v. AvMed, Inc., the class action complaint alleged that the plaintiffs had provided private information to AvMed, a health-care services provider that had promised in its service contract “to ensure the confidentiality of information about members’ medical health condition being maintained by the Plan and the right to approve or refuse the release of member specific information including medical records, by AvMed, except when the release is required by law.” The plaintiffs further alleged that, despite AvMed’s assurances of confidentiality, unsecured laptop computers containing unencrypted, sensitive information of approximately 1.2 million current and former AvMed members were stolen from an AvMed office—thereby subjecting the class to a risk of identity theft, and allegedly resulting in unauthorized financial accounts being opened in both of the plaintiffs’ names, among other alleged wrongdoing. The 11th Circuit reversed the district court’s dismissal of the action, holding that the plaintiffs’ allegations were sufficient to state a claim for breach of contract, among other claims.