This article is the first in a series of three to discuss the importance of, and recent developments affecting, privacy and data security, and the issues corporate counsel need to consider in these areas.

Long gone are the days when privacy and data security issues were the responsibility of an organization’s information technology department. In fact, many companies now have internal working groups and task forces to tackle these issues. These groups include representatives from IT, human resources, finance, marketing, sales and, of course, legal. While all participants play an important role in these initiatives, it is often the lawyer’s role to keep abreast of, and counsel clients on, the laws and developments affecting these areas. Even seasoned privacy lawyers that have mastered the laws applicable to their specific industries need to follow developments in these areas, as technology continues to change and data collection, use and storage capabilities, such as the cloud, evolve.

Privacy is not a unidimensional discipline. In fact, it is quite multidimensional, nuanced, highly regulated, and at times difficult to master. While there are several state and federal laws that govern the collection, use and protection of consumer and employee information, some areas remain unregulated, such as lead generation and data brokers. Further, as technology continues to develop at a breakneck pace, laws quickly become outdated and fall behind, leaving an unwelcome void for employers, consumers, legislators and regulators. The only group that appears to benefit from these unintended consequences is the class action bar, which seeks to exploit ambiguities in how decades-old laws might apply to today’s technology in hopes of exacting high-dollar settlements.

In-house counsel responsible for particular areas of law, such as labor and employment, or that work in regulated industries, such as the financial and health sectors, are well versed in the particular laws governing their business. However, they must keep abreast of privacy developments beyond their defined walls in order to best serve their clients’ needs. Most privacy developments are not occurring within existing regulatory regimes but, rather, in the vacuum that is created by developing technologies and consumer behavior, most notably in the social media arena.

At the forefront of privacy regulation in these areas is the Federal Trade Commission (FTC). While the FTC has limited statutory jurisdiction over particular areas of privacy, such as the recently revised Children’s Online Privacy Protection Act, it uses its more general authority under Section 5 of the FTC Act to pursue investigations of deceptive and unfair acts and practices. The FTC has primarily used this authority to investigate companies that have engaged in activity contrary to their stated privacy policy (a deceptive act), but has also pursued companies for failing to establish appropriate and meaningful safeguards for consumer information. Further, as social media sites search for new ways to monetize the massive amounts of information and images so willingly shared by consumers, the challenges faced by in-house counsel in balancing aggressive client business needs with legal risks becomes somewhat daunting.

In addition to the FTC, state regulators have begun to enter the fray. Most notably, California Attorney General Kamala Harris made news in early 2012 when she announced that her office had reached agreements with the major mobile platforms to force app developers to create and make privacy policies accessible to consumers prior to download, in order to comply with the state’s Online Privacy Protection Act. Later in the year, her office sued Delta Airlines for failing to comply with this law, announcing the establishment of a Privacy Enforcement and Protection Unit, and issuing a report on mobile privacy titled “Privacy On the Go: Recommendations for the Mobile Ecosystem.”

Earlier this year, Maryland Attorney General (and NAAG President) Douglas Gansler also announced the formation of an Internet Privacy Unit. Interestingly, and somewhat concerning, was a statement in the press release introducing this unit, noting that one of its goals will be to “examine weaknesses in online privacy policies.” No additional information was provided, and since virtually all privacy cases brought by regulators to date have involved some type of misrepresentation, privacy practitioners will anxiously await the meaning of a “privacy policy weakness.”