This article is the first in a series of three to discuss the importance of, and recent developments affecting, privacy and data security, and the issues corporate counsel need to consider in these areas.
Long gone are the days when privacy and data security issues were the responsibility of an organization’s information technology department. In fact, many companies now have internal working groups and task forces to tackle these issues. These groups include representatives from IT, human resources, finance, marketing, sales and, of course, legal. While all participants play an important role in these initiatives, it is often the lawyer’s role to keep abreast of, and counsel clients on, the laws and developments affecting these areas. Even seasoned privacy lawyers that have mastered the laws applicable to their specific industries need to follow developments in these areas, as technology continues to change and data collection, use and storage capabilities, such as the cloud, evolve.
Privacy is not a unidimensional discipline. In fact, it is quite multidimensional, nuanced, highly regulated, and at times difficult to master. While there are several state and federal laws that govern the collection, use and protection of consumer and employee information, some areas remain unregulated, such as lead generation and data brokers. Further, as technology continues to develop at a breakneck pace, laws quickly become outdated and fall behind, leaving an unwelcome void for employers, consumers, legislators and regulators. The only group that appears to benefit from these unintended consequences is the class action bar, which seeks to exploit ambiguities in how decades-old laws might apply to today’s technology in hopes of exacting high-dollar settlements.
In-house counsel responsible for particular areas of law, such as labor and employment, or that work in regulated industries, such as the financial and health sectors, are well versed in the particular laws governing their business. However, they must keep abreast of privacy developments beyond their defined walls in order to best serve their clients’ needs. Most privacy developments are not occurring within existing regulatory regimes but, rather, in the vacuum that is created by developing technologies and consumer behavior, most notably in the social media arena.
In addition to the FTC, state regulators have begun to enter the fray. Most notably, California Attorney General Kamala Harris made news in early 2012 when she announced that her office had reached agreements with the major mobile platforms to force app developers to create and make privacy policies accessible to consumers prior to download, in order to comply with the state’s Online Privacy Protection Act. Later in the year, her office sued Delta Airlines for failing to comply with this law, announcing the establishment of a Privacy Enforcement and Protection Unit, and issuing a report on mobile privacy titled “Privacy On the Go: Recommendations for the Mobile Ecosystem.”