ZwillGen Presents at National Law Journal Regulatory Summit on 2013 Privacy Regulation
Yesterday, ZwillGen lawyers Marc Zwillinger and Jon Frankel, along with Anne Toth, Founder and CEO of Privacyworks, and Josh Galper, Chief Policy Officer and General Counsel for Personal, spoke at the National Law Journal 2013 Regulatory Summit concerning some of the legal, regulatory and business privacy issues facing companies today.
The panelists engaged in a lively discussion about a variety of the privacy regulatory topics that ZwillGen attorneys regularly advise on and blog about, including the amendment to the Children’s Online Privacy Protection Rule (COPPA) and new privacy laws in California, including the amendment to California’s data breach notification law and the Do-Not-Track law.
While the panelists discussed some of the specific changes to these new laws and how they influence companies’ privacy and data security practices, one common theme raised by Zwillinger emerged during the panel – the absence of federal privacy legislative action in contrast to the significant uptick in new state privacy and data security laws, FTC enforcement proceedings and class action privacy lawsuits.
The panelists all observed that these developments have created a patchwork of laws, regulations, and guidance, as well as litigation risks that are extremely challenging to navigate. Toth specifically noted that many of her clients, including technology start-ups, entrepreneurs and mobile application developers, are nervous about breaking these laws or otherwise finding themselves in the cross-hairs of a regulatory investigation or class action lawsuit. Hence, Toth noted, an “ounce of prevention is worth a pound of cure” when it comes to complying with laws like COPPA and the new privacy laws in California.
Galper echoed those sentiments, and his experiences at Personal, a company that allows consumers to take control of and manage their valuable personal data in a virtual data vault, demonstrate how to use pro-consumer privacy and security practices as a differentiator in the market and unlock the value of personal data for the individual. Looking down the road, Galper sounded an optimistic note that a race to the top is starting to take shape, where companies will compete on the amount of value, convenience and innovation they can deliver by engaging their customers in new, permission-based data models. To be credible and win the trust of consumers, privacy- and security-by-design principles will have to be built into the technology, products and business practices of such companies, Galper said.
Frankel noted, however, that companies face significant challenges when faced with a data security breach due to all of the different state data breach notification laws, the lack of a single federal breach notification law and various state data security laws such as those in Massachusetts and Nevada. In response to such concerns, Galper advised that companies collecting, using, storing and sharing consumer data should, as a starting point, have a written information security plan; train their employees; and be nimble enough to revise their practices as security threats change and new technologies emerge. Galper further added that the definition of personally identifiable information is consistently changing and broadening, and companies must be cognizant of these changes and the expectations of their customers, whether such definitions are legally recognized or not. For example, Galper explained how Personal encrypts the data field in which users store alarm codes in their digital vault because such information is quite sensitive, even though no existing laws deem an alarm code to be personal information.
The panelists also considered whether privacy laws really are protecting consumers. Both Toth and Frankel noted that most companies focus on how to avoid the burden of laws like COPPA because of compliance expenses, as well as ambiguous language and guidance. Indeed, Frankel explained that mobile app developers building games and other services that may appeal to children under 13, among other audiences, are getting conflicting signals from the FTC and the application platforms on how to provide the required alternative experience, commonly referred to as a sandbox, for those users who self-identify as being under 13. The ambiguity of some privacy laws, however, can be helpful to companies that are willing to tolerate more potential risk, Frankel noted. When the law is not clear or there is no law, but only guidance from a regulator, a company has the opportunity, if desired, to operate in a legal gray area that can make it more competitive in the market and increase profits. However, Frankel noted, a company facing an FTC investigation runs the risk that the regulator will find its practices unreasonable, notwithstanding the ambiguous legal regime.
The panelists all agreed that the privacy legal and regulatory environment is filled with many compliance hurdles for companies big and small. Marc Zwillinger provided important overall context to these challenges, noting the importance of not only complying with all of the applicable privacy and data security laws, which often include providing notice of company privacy practices, but also ensuring that any promises made in privacy policies and elsewhere are accurate. If a company makes a privacy promise that is not true, it opens the door to a potential FTC investigation and/or enforcement action for a deceptive trade practice, Zwillinger advised – a predicament that all companies would be wise to avoid.