Regulatory: In-house counsel must become actively involved in privacy matters—Part 2

A privacy report from the FTC outlines how companies should incorporate privacy into their regular business practices

This article is the second in a series of three to discuss the importance of, and recent developments affecting, privacy and data security, and the issues that corporate counsel need to consider in these areas.

The first article in this series emphasized the importance of in-house counsel being involved with and taking a lead in corporate information and data security matters. This suggestion is not about finding extra work for in-house counsel or securing their jobs. Rather, it follows Federal Trade Commission (FTC) guidance for companies to incorporate privacy and security into their cultures. Commonly referred to as “privacy by design,” the FTC’s guidance encourages companies to build privacy and data security into all aspects of corporate decision making so that such issues are “baked” into companywide initiatives and marketing plans and remain front of mind.

Second, the FTC encourages companies to collect only the types and amount of data necessary to accomplish a specific purpose, and no more. By limiting its data collection practices in this way, a company will only possess the information it needs to perform or deliver a requested service or product, and thus limit its exposure in the event of a breach. Obviously, companies should disclose these data collection practices, as well as intended uses of such information, in a privacy policy. If a company desires to collect more information than necessary to perform the intended purpose, or use the collected information in a manner that is inconsistent with the originally intended use, the FTC recommends that companies inform consumers of such other practices at the time they intend to collect the additional information, or implement such other use, a practice commonly known as “just in time” disclosure.

Third, the FTC calls upon companies to implement reasonable data retention and disposal policies. Similar to the collection and use limitations above, the FTC suggests that companies only keep data for as long as it is useful for its intended purpose and thereafter dispose of such data in a manner that renders the information inaccessible. Again recognizing that there is no one set approach for all information, the FTC recommends that these restrictions “be tailored to the nature of the company’s business and the data at issue,” and that a company “should develop clear standards and train its employees to follow them.”

Contributing Author

Marc Roth

Marc Roth is a partner in the Advertising, Marketing and Media division of Manatt, Phelps & Phillips, LLP, in New York, where he advises clients...
