Privacy Policies and Consumer Protection: Are You Keeping Your Promise(s)?

Companies that promise to protect the personal information of their customers but then fail to do so should take particular note of two recent lawsuits. Law firm Loeb & Loeb:

“In Szpyrka v. LinkedIn Corporation, in the Northern District of California, hackers allegedly compromised the company’s security system, accessing the passwords of approximately 6.5 million users, and uploading them to a hacking forum. Adding potential liability to reputational injury, the California plaintiff filed a federal class action lawsuit against the company in June seeking damages in excess of $5 million. Among other things, the complaint alleges that LinkedIn ‘deceived consumers by providing in its Privacy Policy that its users would be “protected with industry standards protocols and technology.”’ …

Similarly, in Federal Trade Commission v. Wyndham Hotels, the FTC filed a civil enforcement action in Arizona federal court, charging that the hotelier violated Section 5 of the FTC Act by failing to comply with the terms of its privacy policy. The FTC’s complaint asserts that the company failed to meet its promise to ‘safeguard our Customers’ personally identifiable information using standard industry practices’ and to ‘take commercially reasonable efforts to create and maintain ‘fire walls’ and other appropriate safeguards’ to protect consumer information.”

In a similar case, the FTC recently reached a settlement with Myspace over charges that the social networking site provided advertisers with access to the personal information of its users. From law firm Sheppard Mullin:

“The FTC alleged that Myspace allowed advertisers to access personally identifiable information despite previous assurances to its users that it would keep such information private. The settlement requires Myspace to implement a comprehensive privacy program, and calls for regular, independent privacy assessments for the next 20 years.”

State governments, too, are getting in on the action. The new president of the National Association of State Attorneys General is spearheading an initiative focused on consumer privacy in the digital age. From law firm BuckleySandler:

“The Initiative will explore the best ways to manage consumer privacy risks in light of ‘emerging technologies and business models’ that are challenging consumers’ ability to control their personal information.”

The moral of the story? Loeb & Loeb again:

“To avoid such claims, companies should periodically review their internal and external privacy and security policies for at least two distinct purposes: first, to confirm that public-facing privacy policies accurately reflect their use, sharing and protection of data; and second, to evaluate whether internal security policies and measures comply with applicable laws and current industry standards in the event of a cyberattack.

Otherwise, privacy policies intended to describe measures taken to protect consumers may be used as weapons against the company by plaintiffs and regulators.”
