While we often talk about data privacy at the Law Office of S.Grynwajc, PLLC, we notice that most companies and entrepreneurs in the United States are woefully unaware of the consequences of not properly handling the data they collect.
While other countries have national data privacy laws, like Europe’s General Data Protection Regulation (GDPR), such work in the United States has happened for the most part at the state level, such as in California following the entry into force of the California Consumer Privacy Act of 2018.
While there is sector-based federal privacy legislation in place in the United States, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, or the Children’s Online Privacy Protection Act of 1998 (COPPA), each of which has its own assigned federal regulator for enforcement purposes, there has historically been no federal regulator officially in charge of regulating and enforcing data privacy in sectors that are not otherwise federally regulated. Enter the Federal Trade Commission (FTC).
What does the FTC do and why?
The Federal Trade Commission exists to protect American consumers. Section 5 of the FTC Act expressly prohibits “unfair or deceptive acts or practices in or affecting commerce.” This is the section the FTC used to handle a high-profile case involving Wyndham Hotels, in which hundreds of thousands of customer payment details were leaked.
Wyndham Hotels: a high-profile case
In 2008 and 2009, Wyndham Hotels suffered three separate data breaches, in which the payment card information of hundreds of thousands of its customers was leaked online. While investigating how the breaches could have happened, the FTC discovered that Wyndham Hotels had a very thorough Privacy Policy posted on its website – and was not following through on any of it.
The Federal Trade Commission (FTC) established itself as the federal regulator of privacy
Since there is no federal agency in charge of policing data privacy in sectors that are not otherwise federally regulated, the FTC has used this opportunity to establish itself as the federal regulator of privacy.
Since data breaches are harmful to consumers and failing to do the data privacy work you claim to do is a deceptive practice, the FTC claimed data privacy as its jurisdiction in America.
Every year since the Wyndham fallout, there have been data breaches that the FTC has handled and fined. So, what do American companies and entrepreneurs need to do to protect themselves when it comes to data privacy?
How do companies protect themselves when it comes to data privacy?
Well, if you make promises online through your website’s Privacy Policy, Terms of Use, Terms of Sale, or the like, you need to actually follow through on them. The golden rule is to say what you do and do what you say. Most companies say they are doing more than they actually are, and even when they are doing it, they are not documenting it for preservation. If something were to happen and you could not corroborate what is in your Privacy Policy, you are in big trouble with the FTC.
Do you legally need a Privacy Policy?
So, could you get away with just not having a Privacy Policy? Unless you work in a regulated industry like healthcare or banking, there is no law or any legal obligation to have one. However, beyond making your customers and clients nervous, the FTC will question you for lack of transparency. The best practice is to tell your customers what you are doing and document that you are actually doing it.
International data protection
You also have to consider any foreign users your website may have. The Federal Trade Commission (FTC) has jurisdiction over all United States companies, and it works to protect international data, often in close cooperation with foreign data protection authorities. That means complying with international privacy laws and regulations that protect the personal information of foreign users. You have to look at your data privacy comprehensively and globally, because that is how federal prosecutors will look at it.
Many companies believe that because there is no federal privacy legislation in the United States, they do not need to care about it. However, you can still be prosecuted by the FTC at a federal level, and hundreds of companies are every year. No matter what you say you are doing, you need to do the backend work to document that you are actually doing it.
For help with data privacy of all kinds, domestic or international, contact the Law Office of S. Grynwajc, PLLC. We believe in thinking globally and acting locally.