Paying Lip Service to Privacy
Attorney Details Steps for Organizations to Fill Privacy Gaps

News of Google's $22.5 million settlement with the Federal Trade Commission has come and gone, yet privacy issues reflected in the case remain a concern. Where are the gaps and how can companies fill them? Attorney Francoise Gilbert offers details.
"Many companies just pay lip service to privacy," says Gilbert of the IT Law Group in an interview with Information Security Media Group's Tom Field [transcript below]. "They have a privacy policy on their website because that's what's expected from them, but they don't go beyond that."
Two aspects of the Google case that fascinate Gilbert are that Google misrepresented its practices in its privacy policy, and the company misrepresented its compliance with the Self-Regulatory Code of Conduct of the Network Advertising Initiative.
"Companies have to look not only at whether they comply with their privacy policy as published on their website, but they also have to make sure that they comply with other promises they make otherwise," Gilbert says.
A privacy policy is just the first step, she emphasizes, and, as the Google case shows, companies need to place more effort into their privacy programs. Instead of cutting and pasting a policy and posting it to their website, companies need to take the initiative, "determining what [they're] doing and having a privacy statement that reflects what the actual practices of the company are."
In an interview about the legal ramifications of the Google case, Gilbert discusses:
- The FTC's message in cracking down on Google;
- How organizations need to respond to this case;
- The important takeaways for privacy professionals.
Gilbert has extensive experience with data privacy and security issues as well as Internet, e-business and information technology law. Her clients include Fortune 500 and other global corporations, as well as emerging technology start-ups. She advises companies on how to strategically manage their privacy, security, electronic workplace and e-business risks; develop and implement information privacy and security strategies and compliance programs; and integrate privacy and security in mergers and acquisitions, outsourcing, marketing and other relations.
She regularly addresses a wide range of privacy and security issues, including compliance with HIPAA, COPPA, CAN SPAM and security breach disclosure laws; implementation of FTC or HIPAA security safeguards; U.S. Department of Commerce Safe Harbor self-certification; compliance with foreign data protection laws (Western Europe, North America and Asia Pacific); and cross-border data flow issues.
FTC Google Action
TOM FIELD: I would like to hear your immediate reaction to the news of this assessment, and I know you've got a particularly unique angle that you're concerned about.
FRANCOISE GILBERT: Not really concerned about, but I think it opens new ways for us to think about compliance with privacy. Very frequently, we look at privacy as something that's expressed in the official privacy statement that's published on a website. And with this case, one of the aspects of the FTC complaint touches on something else, another aspect of privacy, and I think that this is something very interesting to look at. Beyond the hype of the fine and the fact that Google was fined for repeated violations - which is more or less a Google matter - I think that we as lawyers need to read beyond that and see the aspects of this case that apply directly to our clients. Beyond the fact that if you're a repeat offender you may be facing a huge fine, what should you be doing for not being in trouble?
In the complaint that the FTC filed in connection with this second case, there were two aspects. One had to do with the fact that Google misrepresented its practices in its privacy policy, which is what many commentators are focusing on. But the other aspect was that the FTC also looked at the representations that Google made about its compliance with the Self-Regulatory Code of Conduct of the Network Advertising Initiative, which is known as the NAI. On its website, or in its publications, Google had indicated that it was a member of the NAI and that it would comply with the Self-Regulatory Code of Conduct of the NAI. Actually, according to the Federal Trade Commission, it didn't do that. That failure to comply with the code of conduct of the NAI became one of the counts in the complaint that the FTC filed in this Google case.
So what does it mean in practice? That means that companies have to look not only at whether they comply with their privacy policy as published on their website, but they also have to make sure that they comply with other promises they make otherwise. So in Google-one, we had the notion that Google was not complying with its representation of its compliance with the Safe Harbor principles, and now in Google-two we have the same notion again, but this time focusing on the fact that Google did not comply with the regulatory code of conduct of the NAI. That's a very important angle. Look at a company's privacy representations beyond the actual privacy policy, in other things that the company is doing and other representations that the company is making.
Why Google?
FIELD: That's a great point. I would like to talk with you about it some more. Let's take a step back for a moment. Help put this in context for us. The FTC has made significant news that this is the biggest assessment ever against an organization. Why this case?
GILBERT: Because Google is a very important company. Whatever Google's doing is something that represents ... the voice of America, if you want. So if the FTC wants to show to the world that it's serious about privacy, if the U.S. government wants to show to the world that it's serious about privacy, it has to have important cases. It has to penalize the well-known companies and definitely Google is one of the flashy companies throughout the world. If you go in the middle of Zimbabwe, I'm sure that they've heard of Google. And so, Google represents America. America has to show that if something happens, there's going to be a stick and that companies who don't comply with the rulings will be prosecuted. So I think it's a message to the world.
Now, beyond that, it's also another message: if you have gone through one consent decree with the FTC, you had better behave. In Google's case, it obviously did not, according to the observations and the investigation, and so that's also important because it gives teeth to the original enforcement order. How good is it to go through an enforcement action and to have companies make promises if, as soon as you turn around, the company just disregards these requirements and does what it pleases?
Legal Ramifications
FIELD: As an attorney, what do you see as potential legal ramifications for guarding privacy by the FTC putting a stake in the ground here?
GILBERT: I think companies should be taking privacy even more seriously than before because the FTC is showing the lead. If a company makes promises about its privacy practices, if it makes representations, it has to abide by them. Many companies just pay lip service to privacy. They have a privacy policy on their website because that's what's expected from them, but they don't go beyond that. They don't look internally at what their practices are and this is a reminder that a privacy policy has value and has meaning only if it reflects the actual practices of a company. I see too many times companies posting a privacy policy on their website and when you dig into it and you ask them what they do, there's nothing behind that, those representations. It's important for all of us that the government prosecutes companies who disregard and don't comply with their promises.
Message to Privacy Professionals
FIELD: That's the message to organizations. What's the message to privacy professionals? What should they be taking away from this and thinking about as they go forward professionally?
GILBERT: For us that confirms what we've been saying to our clients all the way. We've told them - again and again and again - that a privacy policy is just the first step and that what is important are the actual practices. We're going back to step one. Very often companies - in particular the smaller ones but even bigger ones - cut and paste a privacy policy and put that on their website and then move on without paying attention to what it is, and this is not the way it should be. It should be the other way around, determining what the company is doing and having a privacy statement that reflects what the actual practices of the company are.
So for us as professionals, we applaud the verdict here because it shows that we were right when we were telling our clients that privacy's important and that they should compare the representations they've made with their actual practices. As we say in our business, "Say what you do and do what you say you do."