Two related recent developments emphasize the need to carefully draft and frequently review data privacy policies. The first arises from a term in the privacy policy of a national mortgage corporation, a subsidiary of a national bank, which is posted on its website and states that while it may share information with unaffiliated companies to offer products or services, it provides "the minimum amount of information necessary for that company to offer its product or service." Based on that phrase, the Minnesota Attorney General sued the corporation in federal court alleging that a company telemarketing program violates various state and federal statutes, including the Minnesota False Statements in Advertising Act, Consumer Fraud Act, Deceptive Trade Practices Act, and the federal Telemarketing and Consumer Fraud and Abuse Prevention Act.
On June 19, 2001, a U.S. district judge denied the company's Motion to Dismiss, permitting the suit to proceed to discovery and at least tacitly suggesting that the company's data privacy creates a contractual obligation to its customers. At the same time, speakers at the American Bar Association's annual convention warned this week about just such dangers, especially as more businesses are required to adopt privacy notices under the Gramm-Leach-Bliley Act. Pointing to data privacy policies stating that information will only be shared "as required by law" or that "we adhere to the highest standards of privacy protection," the speakers expressed concern that many courts might treat such policies as implied contracts. To avoid such an outcome these speakers recommend ensuring that privacy policies contain disclaimer language to make clear that privacy notices are not contracts, or scrupulously limiting privacy commitments to those the company can realistically satisfy.
"Traditional brick-and-mortar businesses, such as banks, are continually seeking to improve the ways they use the Internet as a consumer point of contact," notes André Brunel, a partner in Hughes & Luce's Outsourcing & Technology Section. "What often gets very difficult very quickly is complying with self-imposed or mandated consumer privacy policies. These two recent developments once again remind us that real care needs to be exercised in establishing consumer data privacy standards while continually trying to create new revenue streams from the mountains of consumer data being generated. The privacy side, the operational side, and the new revenue side need to be in constant communication. PR and legal problems develop if they are not. "
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.