This article is the last in a series of three to discuss the importance of, and recent developments affecting, privacy and data security, and the issues that corporate counsel need to consider in these areas. Read parts one and two.
The first two articles in this series focused on the need for companies to think about and incorporate privacy into their corporate culture. With almost daily news reports of data breaches, hacking intrusions and companies collecting and using information contrary to their stated policies, privacy has become a front-burner issue for C-suite executives, which means it becomes an issue for in-house counsel. Therefore, counsel are well-advised to review their company’s existing policy (or, if one does not exist, to develop one), as well as corporate data security practices. This applies to apps as much as websites.
The policy should also indicate what security measures, if any, the company uses to protect the data. On that point, a company should accurately describe, and not overstate, its data security policies and procedures. Unfortunately, unless the IT department or those responsible for hosting the website or app are involved, lawyers have virtually no idea how data is maintained and protected. Therefore, it is absolutely necessary to engage these groups in this process.
Once the above issues have been addressed, the policy should include provisions that may not be so obvious. It is incumbent upon counsel to anticipate events that may impact how the company may use data in the future. For example, in the event the company is sold or goes into bankruptcy, the policy needs to make clear that data collected on the website or through the app is an asset of the company and, as such, will be subject to transfer in a sale to another entity.
Two lessons came out of the Toysmart case. First, be careful not to make a promise in a policy that may limit your ability to use and share user information in the future. While you and your business clients may feel compelled to promise consumers that their information will not be used or shared for any purpose other than for the specific purpose for which the information may have been collected, your ability to change that position in the future will be severely, if not absolutely, hampered, and any such change will apply only to information collected going forward.
Second, be sure to include a provision that specifically identifies user data (both volunteered by consumers and passively collected about them) as a corporate asset, which may be subject to transfer in the event of a sale or liquidation. Without such a provision, your or your successor’s ability to transfer a customer database may be challenged and, if so, the value of the assets intended to be transferred may be significantly impacted.
The “Toysmart” provision is but one example of a unique privacy issue that arose from a company’s initial good intentions, but which later stymied its ability to enter into a business transaction. Many similar situations have occurred since then that have given rise to other provisions that are now commonplace in today’s privacy policies. It is therefore incumbent upon in-house counsel to closely follow privacy developments in order to competently advise clients in this area.