Privacy News Round-Up: Lessons Learned
Several important privacy issues were in the news in the first half of this week. Here's our take on these stories, which covered online data collection, employee privacy and legislative and regulatory debates about the future of online privacy.
On November 6, 2011, the Wall Street Journal reported that major websites are taking steps to control and limit tracking of their visitors by third parties. The sites' goal is to both mitigate the privacy risks associated with such third party tracking and to capture the revenue that could be derived from their users' data. A study cited in the article estimated that a sample of 50 popular U.S. websites is losing at least $850 million in revenue to third parties that collect and sell users' data without the sites' knowledge. The study also found that nearly a third of the tracking tools operating on the 50 sites are unauthorized. As the recent Facebook controversies demonstrate, clandestine or unauthorized use and collection of users' data may cause reputational harm to the sites, and not every company is able to withstand revelations of inappropriate data use as well as Facebook can.
There are more than a few examples of Internet ventures that were torpedoed by privacy blunders. In addition to the potential for reputational harm, Internet sites may face legal risks arising from representations they make in their online privacy policies. The Federal Trade Commission (FTC) has brought enforcement actions for privacy violations under Section 5 (which deems unfair or deceptive acts or practices unlawful), including in connection with statements in privacy policies that were inaccurate. In addition, many jurisdictions outside the U.S. impose myriad requirements with respect to privacy disclosures to consumers. Our takeaway from the story is to emphasize the importance for businesses of understanding and controlling how their websites collect, use and share personal data, and ensuring that the sites' consumer-facing privacy policies accurately reflect the company’s practices.
Our next story takes on the issue of employee privacy in the digital age. On November 8, 2010, the New York Times reported that the National Labor Relations Board (NLRB) filed an administrative complaint against an employer, alleging that the company violated an employee's federal rights by firing her for criticizing her manager on her Facebook page. The NRLB argues in the complaint that employees have a right to criticize their employers, management or working conditions, and cannot be punished for engaging in this protected activity. While the terminated employee was a union member, the NLRB asserts that this right to criticize is equally applicable to nonunion employees because it is an extension of the federal right to discuss unionization and form unions. The NRLB's complaint is set to go before an administrative judge in January of next year, but any result can be contested before an appellate board and in federal courts. Still, while this proceeding is pending, the complaint itself may serve as a rude awakening to many employers who have been implementing increasingly stringent policies regarding employees' use of social media and behavior outside of the workplace. In this case, the employer's policy was rather extreme; it barred employees from depicting the company "in any way" on Facebook or other social media sites where the employees posted their pictures or from making disparaging or discriminatory comments when discussing the employer or management. Of course the right to talk about employers on the web or outside of work is not absolute. For example, if an employee lashes out against a supervisor, but is not communicating with employees in doing so, the activity may not be protected (in this case, other employees participated in the Facebook discussion of the former employee's manager). In addition, making false, defamatory statements about the employer or disparaging remarks unrelated to work (for example, about a supervisor's family or personal life) is likely not protected by federal law. The lesson from this story is that the NRLB appears to be taking a more active role in protecting employee privacy, and employers are well-advised to carefully review and consider revising their social media and employee conduct policies to ensure consistency with federal law and NRLB guidance.
The final story is coming from the New York Times and Politico today on legislative and regulatory developments (and disagreements) regarding regulation of online privacy. The New York Times is predicting a battle among the industry, privacy advocates, legislators and the administration on how to regulate online privacy. Industry representatives are not necessarily opposed to all regulation, but argue that targeted ads and competition among advertisers is good for the economy. They do not believe that a “do not track” list that would allow Internet users a single point for opting out of being tracked online for advertising purposes is necessary for protecting web users' privacy. On the regulatory front, the FTC and the Commerce Department are set to release their independent reports on online privacy. Commerce will likely favor self-regulation, while the FTC is likely to argue for a "do not track" option. The White House has set up its own panel that will look into balancing consumer protection with making U.S. companies more competitive overseas. Not to be outdone, as Politico reports, Congress is planning to convene a hearing on online privacy in early December. The discussion will address the idea of a "do not track" list and other options for regulating online privacy. Finally, privacy advocates are concerned that the regulatory and legislative battles will produce rules that do not fully protect the interests of the consumers. We realize that business can't wait for these debates to be resolved. Our recommendation is that businesses build privacy and information security into their products and services and follow industry best practices. Privacy is good for business, and being proactive about privacy and information security helps a business control the story of how it is portrayed in the media and by regulators. There is no reason to be afraid of privacy. Privacy does not mean not using personal information; it means using the information in a fair and transparent manner.
If you would like to read our take on other privacy news, don't hesitate to let us know by posting a comment on the blog, emailing firstname.lastname@example.org or on Twitter @InfoLawGroup.