The Summer of Privacy: With the Government Under Fire, Retailers May Overlook New Rules and Risks

This may one day be known as the Summer of Privacy. From claims that the NSA surreptitiously obtains cellphone (and GPS) information from at least 100,000,000 Americans to the Supreme Court blessing routine collection of DNA evidence from arrestees, it is impossible to avoid almost daily stories on governmental privacy issues. But, don’t be fooled by the focus on governmental activity. From advances on the “do not track” front to a vastly expanded federal children’s privacy rule going into effect on July 1, 2013, the privacy temperature is rising not just for the government, but for online and multichannel retailers as well.

For someone who has worked in the field of privacy for many years, this summer has involved a much welcome return of focus to the substantial harm that can result from a governmental violations of privacy rights, as opposed to the alleged harms caused by retailers. Unlike the recent privacy case against Michaels Stores in Massachusetts, where the alleged “harm” was the mere receipt of unwanted catalogs, government collection and misuse of private information can lead to dire consequences, ranging from Internal Revenue Service audits to profiling and criminal charges.  Moreover, the privacy issue as it relates to the government is one of constitutional dimensions.  As Justice Brandeis famously (and presciently) said in his dissenting opinion in Olmstead v. U.S., 277 U.S. 438, 478 (1928), the very first wiretapping case heard by the Court, each citizen has “the right to be let alone — the most comprehensive of rights and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment.” Olmstead was ultimately overturned, and Justice Brandeis’ famous standard adopted, in Katz v. U.S., 389 U.S. 347 (1967), where the Court found a constitutional “right to be let alone” where a “reasonable expectation of privacy” existed.

Don’t Be Fooled.  Even though the media is dominated by stories involving governmental intrusions into our private lives, the government itself remains fixated on pushing “do not track” requirements, with even a Republican FTC Commissioner giving industry what may amount to one last chance to come up with meaningful self-regulation rather than face the “static legislative solution” championed by Democratic FTC Chairwoman Edith Ramirez.  Ramirez recently vowed “to more aggressively regulate Internet companies like Facebook and Google and has called on Congress to pass privacy legislation.” Ironically, the most publicized “do not track” bills of the last few years impacted mostly on smaller online companies, and included gaping loopholes for the likes of Google, Facebook, and Apple.  As a result, every online seller needs to look closely at proposed “do not track” schemes — whether legislative or under voluntary industry standards — and decide whether proactive measures are appropriate, including involvement in industry groups and lobbying.  In all of their various iterations, “do no track” rules could have a considerable negative impact on online and multichannel retailers.

New Children’s Privacy Rules.  There are also the new children’s privacy rules that go into effect on July 1, 2013, and which are creating significant compliance issues for many companies. Among other things, the new rule expands the definition of “personal information” to include “persistent identifiers” which can include online user names, cookies, and IP addresses, and the number of web sites that could fall under its requirements may be far larger than under prior law.

Privacy Litigation In Full Bloom.  Finally, litigation over privacy issues continues apace, not only including the now infamous zip code collection class actions, but also actions brought by privacy rights groups against companies like Snapchat.  Snapchat is accused of misleading users by claiming that its messages self-destruct after a fixed period of time.  However, according the Electronic Privacy Information Center, they do not.  This kind of litigation underscores the risks that can result if a company does not accurately describe its privacy-related practices, and reinforces the need to keep a close watch on your business activities to make sure that your privacy policy and other statements to consumers remain accurate.

We will continue to follow developments in privacy as it relates to both merchants and consumers and continue to update our readers in this space.

UPDATE:  The National Journal published a thoughtful and detailed article on June 13, 2013 about what Americans think about privacy, and which institutions they trust most. As the author, Ronald Brownstein explains: “Asked what would do the most to protect people’s personal information on the Internet, just 8 percent picked more government oversight. The biggest group (48 percent) said the key was ‘more commitment by companies to not share users’ information with other businesses or government.'”

Posted by David Bertoni