Preparing Your Company If Consumers Demand Stronger Privacy Protection

By David F. Katz, Esq.

Mr. Katz is a partner in Nelson Mullins Riley & Scarborough’s Atlanta office, where he leads the Privacy and Information Security Practice Group. He counsels clients on the development, management, and oversight of privacy and compliance programs. He also assists them in developing policies and procedures, education strategies, implementation of auditing and monitoring controls, reviews of disciplinary and enforcement activities, and risk assessments. He speaks and writes on matters relating to technology, privacy and data security. His tweets can be followed on Twitter @KatzFDavid. He can be contacted at david.katz@nelsonmullins.com.

The explosion of news about the top-secret PRISM program, reported by the Guardian and the Washington Post, has raised privacy and national security matters to the forefront of the national consciousness. The revelation that a massive NSA surveillance grid collects data on the communications of millions of Americans has placed privacy, big data and national security on the front pages of every major publication and news website in the world. It is accelerating a long-standing tension, in a free society, between intelligence gathering, national security, freedom of speech, secrecy, the role of journalists, proper oversight and the right to be secure in one’s person and papers.

In light of the recent scandals involving the Department of Justice seeking warrants for journalists, the IRS scandal involving the targeting of political groups and now the revelations regarding the PRISM program, many American citizens may be unwilling to trust the government’s response, which essentially amounts to, “Trust us.”

As the details are revealed, there appears to be confusion about what level of participation, if any, some Fortune 500 companies had in this program. The companies alleged to have been participating, like Facebook, Apple, Yahoo and others, have disclaimed any knowledge of the program. As the news continues to break and more details emerge about the scope and nature of these programs, one wonders whether the public will become more vigilant about sharing personally identifiable information with corporations.

The question presented is what effect these events will have on consumer attitudes regarding privacy and the disclosure of personally identifiable information. Could the behavior of the government create a backlash among consumers and cause the American people to examine more deeply their willingness to unknowingly or indifferently turn over their personal information to corporations? Do these events present an opportunity for clever marketing executives to suggest that consumer privacy should be a central focus of consumer engagement in the future? Is there a benefit to corporations differentiating their brand in the marketplace as a transparent “protector” of consumer data?

If ever there were a time for corporations to embrace transparency with respect to how consumer data is shared, collected and processed, it is now. Recent events may help fuel a cultural shift that causes the American consumer to begin reading corporate privacy policies. This may be the event that begins to align American consumer attitudes about personal information more closely with those of the population in Europe. European attitudes on personal privacy tend to be more conservative, primarily because Europeans witnessed the terrible abuses of tyrannical governments that used gathered data for political purposes. This may be the cultural shift that causes the American consumer to begin to question whether it is better to receive a free coupon for an extra cup of coffee, or not to have their shopping habits data-mined and stored forever by companies seeking to learn more about their buying habits. Whatever the outcome, a new consumer market may be emerging that will demand greater transparency and disclosure about the ways in which personal information is shared, collected and stored by corporations. This market may arise rapidly as a direct result of disclosures concerning the government’s massive efforts to surreptitiously collect data.

Even if no groundswell materializes, how should companies be thinking about consumer privacy? Should they be planning for consumers to demand more accountability from corporations? Should they get ahead of the curve and begin to market sensitivity to consumer privacy as a value-add? Is there an ethical component to responsible data collection and use?

To date, the regulatory environment and enforcement have primarily driven corporations to think carefully about the representations they make with respect to privacy and the handling of consumer data. The real question is whether the market and consumer demand for these protections will develop to the point of forcing corporations to be even more thoughtful about how they approach consumer privacy and the handling of consumer data. For corporations to assume that the recent news won’t create some demand for more accountability could be short-sighted and potentially catastrophic in cases where there is no transparency and no accountability for the handling of consumers’ personal information. Should companies begin to actively sell transparency and accountability in the consumer privacy space? There could be large rewards in store, to the extent that consumers come to terms with the implications raised by the disclosures involving massive government surveillance. It is a reasonably safe conclusion that the most recent scandals will impact attitudes toward the sharing of personal information. Businesses wanting to get ahead of the curve should make preparations to be seen as companies that collect and use consumer data responsibly.

Here are the top ten things corporations should consider in light of the massive attention being placed on privacy and collection of big data:

1. Corporations should consider a careful review of their existing privacy policies with an emphasis on transparency and full disclosure. To the extent the changes to a privacy policy are material, corporations will want to consult qualified counsel to assist in determining a notification strategy for their consumers.

2. Corporations should consider, if they have not already done so, establishing a Chief Privacy Officer, whose full-time job will be to provide assurances to consumers that privacy and protection of consumer data is a priority.

3. Corporations should carefully scrutinize any corporate initiatives that involve the use of consumer data and carefully think through any privacy issues that may be implicated by the use.

4. Corporations should consider adopting a long-term strategy to differentiate themselves in the market from a privacy perspective and be willing to embrace a culture where a consumer’s data is respected.

5. Corporations should work to build privacy governance programs that have the support of the senior leadership and the board of directors to embrace a culture where consumer privacy is respected, transparent and a corporate value.

6. Corporations should train employees to respect, protect, secure and carefully manage consumer data under their care, custody and control.

7. Corporations should develop audit and information management teams to continuously evaluate the effectiveness of information governance programs in order to ensure best practices are maintained and consumer data is appropriately managed from an information governance perspective.

8. Corporations should emphasize a commitment to consumer privacy protection as a brand differentiator.

9. Corporations should zealously guard customer data and only share it with the proper assurances that third parties share the corporation’s “privacy values.”

10. Finally, corporations should consider adopting the Generally Accepted Privacy Principles (GAPP). These principles were established by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA), primarily to help corporations establish good governance and accountability around privacy practices. GAPP provides a framework for institutionalizing good privacy practices.

GAPP consists of ten components:

1. Management. The corporation defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

2. Notice. The corporation provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

3. Choice and Consent. The corporation describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

4. Collection. The corporation collects personal information only for the purposes identified in the notice.

5. Use, Retention and Disposal. The corporation limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The corporation retains personal information for only as long as necessary to fulfill the stated purposes, or as required by law or regulations and thereafter appropriately disposes of such information.

6. Access. The corporation provides individuals with access to their personal information for review and update.

7. Disclosure to Third Parties. The corporation discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

8. Security for Privacy. The corporation protects personal information against unauthorized access (both physical and logical).

9. Quality. The corporation maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

10. Monitoring and Enforcement. The corporation monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

Corporations that differentiate themselves with respect to consumer privacy will be viewed as transparent, honest, accountable, trustworthy and decent. Corporations that commit themselves to the fundamental outline of the Generally Accepted Privacy Principles will be well positioned to establish the kind of trust that will translate to long-term customer loyalty.