Why Have a Privacy Policy?

Privacy has been a hot legal issue for years, and the temperature is moving even higher.  Companies with websites and mobile applications are now targets for privacy compliance investigations.  Governmental enforcement actions and class action suits have become ever more common.  One common trigger is a data privacy or security breach.  Surprisingly, in 2013, another common trigger is the lack of a privacy policy.  Yes, there are some companies that create online services or Internet applications collecting personal information from consumers in 2013 and yet have no privacy policies.

California’s Online Privacy Protection Act (OPPA) of 2003 requires commercial websites or online services that obtain personally identifiable information about California consumers to post their privacy policies.  “Personally identifiable information” includes a first and last name, address, email address, telephone number, social security number, or any other identifier that permits physical or online contacting of a specific individual.  Accordingly, the definition of “personally identifiable information” is quite broad, and beyond the scope of the security breach notification laws in California and other states.  Violations of the law can occur even if the website operator or online service provider did not knowingly or willfully fail to comply.

OPPA not only says that operators of online services must have privacy policies, it also says that these privacy policies must cover certain topics.  A privacy policy must identify the categories of information collected by the operator, the categories of others with whom the operator may share the information, any means for the consumer to review and request changes to the information, the process to notify consumers of changes to the policy, and the effective date of the policy.

None of these requirements is new.  They are standard fare for privacy policies.  For instance, the Federal Trade Commission has long published information about these topics in its guide to fair information practice principles.

In sum, online services that collect personally identifiable information from California consumers and have no privacy policy are violating OPPA and are risking lawsuits and governmental enforcement actions.  Even if a service has a privacy policy, if it is inaccurate, the service may be violating laws against unfair and deceptive trade practices.  Areas of greater risk include companies that collect certain kinds of information, such as geolocation information, without notifying the user first.  Also, companies that share information with third parties, but do not warn the user, are at risk.  The bottom line is that online services should review their privacy practices, write a privacy policy if they don’t already have one, update their privacy policies to match changes in law and their circumstances, and make sure their policies match their information practices.


Attorney Stephen Wu is a partner in the law firm of Cooke Kobrick & Wu LLP in downtown Los Altos.  He can be reached at (650) 917-8045 or at swu@ckwlaw.com.

Can an Employer Ask for Your Facebook Profile?

We have all seen stories about how social media accounts are treasure troves of information.  In past years, legal experts have discussed the issue of whether employers should view social media information of prospective employees. Some employers are tempted by the amount of information available on these services to vet employees and obtain a much more candid view of what makes job applicants tick.

Some employers are taking the next step and asking job applicants to provide user name and password login information to see the most private information on applicants’ social media accounts.  Others want the applicant to log in at an interview so that they can “shoulder surf” and review what the information looks like.

I recently heard a story on National Public Radio about Robert Collins, who was reapplying for his old job as a corrections officer with the Maryland Department of Public Safety and Correctional Services.  The Department wanted his password to see his Facebook information, and he felt uncomfortable with the request.  This story and others like it are generating a significant amount of outrage in the media.  Even Facebook disapproves of the practice and is threatening to sue employers who demand Facebook passwords.

Recently, California Senator Leland Yee introduced legislation (SB 1349) that would prohibit employers from asking for social media user names or account information, or any content from social media accounts.  The bill also covers postsecondary educational institutions.

Setting aside the California legislation and bills in other states, here is the message for employers:  asking job applicants for social media login information is risky.  Doing so threatens to cause the user to violate social media services’ terms of service and may trigger a suit from the social network, at least in the case of Facebook.  Job applicants or employees may use such practices as the basis for a breach of privacy suit.  Moreover, if an employer reviews social media information in an inconsistent way, the employer may be opening itself up to claims of discrimination.  Asking for login information just doesn’t seem worth it.

Attorney Stephen Wu is a partner in the law firm of Cooke Kobrick & Wu LLP in downtown Los Altos.  He can be reached at (650) 917-8045 or via email at swu@ckwlaw.com.
