FTC v. Myspace Part II -- The Takeaways
The FTC has again provided us with a road map to compliance through the Myspace consent order. Here are the takeaways that should concern every company with an online presence.
Keeping the FTC Out of Your Space -- The Takeaways
Much can be learned from how the FTC has evaluated the adequacy of Myspace’s privacy policy when compared to its actual day-to-day procedures. The most important thing to take away from the FTC Order and its allegations in the complaint is that companies must practice what they promise. Superficially complying with your privacy policy will not pass the FTC’s strict standards when it comes to accurate and adequate privacy policy disclosure. Companies must evaluate how their current practices may even indirectly provide customer PII to third parties and violate the company’s privacy policy. The following are a few important steps you should take to keep the FTC out of your space:
Review your privacy policy, and then review it again. When is the last time that your company undertook a review of its privacy policy and data collection activities? Two years ago? Longer? No idea? Although this seems obvious, many companies fail to continually update and review their privacy policies to ensure that they are still complying with the terms they have established. You should particularly focus on what you have promised your customers or users with regard to what PII you will disclose to third parties, and how you will disclose it. Then look at your actual practices with regard to how you manage and disclose customer PII to third parties and make sure you truly practice what you promise. If your privacy policy states that you comply with the U.S.-E.U. Safe Harbor Framework ensure that your data use and collection practices comply with all seven of the Safe Harbor Privacy Principles: Notice, Choice, Onward Transfer (transfer to third parties), Access, Security, Data Integrity, and Enforcement. You cannot pick and choose and still be Safe Harbor-compliant.
Don’t Let Default Be Your Fault. Much of the FTC’s complaint focused on Myspace’s default settings which displayed a user’s full name on their profile page. When advertisers obtained the FriendID from Myspace, they were almost certainly then given access to the user’s full name because of the default setting. You should examine your default settings to ensure that your users are not disclosing PII to third parties unless they have expressly agreed to do so, and unless it is absolutely necessary. Ensuring that you maintain a high level of privacy protection under your default settings may prevent third parties from indirectly accessing users’ PII. Default settings should be reviewed each time that new functionality is added, technical solutions or plug-ins are changed, and at least annually.
Indirect Access Can Still Mean Direct Liability. Aside from understanding the direct implications of how you share customer information with third parties, you should perform your own assessment regarding how third parties could use the limited information that you provide them as a stepping stone to greater access to customer PII. As Myspace now knows, the FTC will closely scrutinize even the indirect implications of how you handle customer PII compared to what you promise customers in your privacy policy.
Best Practices. Why wait until the FTC files a complaint against you to implement procedures and designate staff to handle privacy and PII concerns? The best way to prevent your company from falling asleep at the wheel is to implement formal privacy practices and procedures. The first step in doing so is to designate at least one person, either in-house or a friendly neighborhood Mintz Levin privacy attorney, to be in charge of all things privacy related. Going forward that person should regularly evaluate your company’s privacy policy and compliance with that policy, and prepare a report concerning his or her evaluation. This process will ensure that your privacy policy talks the talk, and your procedures walk the walk.