ARTICLE
23 August 2018

Fail To Enforce Your Privacy Policy At Your Own Peril

Lowndes, Drosdick, Doster, Kantor & Reed, P.A.
Contributor
The firm’s original four partners were engaged primarily in a burgeoning real estate practice. While our real estate practice and deep-rooted involvement in that industry remains an integral component of the firm, we have grown alongside the dynamic needs of our clients and community at large. Today, the firm’s lawyers advise clients on almost every aspect of business: from copyrights and trademarks to high-stakes, high-profile litigation; from complex commercial and residential real estate issues to wealth management; from labor and employment law to healthcare; from capital raising and entity formation to corporate growth and expansion locally, nationally and internationally.
United States Privacy

Most companies have (or should have) a privacy policy in place for the protection of consumer data, but merely adopting a reasonable privacy policy is not enough by itself. Rather, a company must also actively ensure compliance with the policy it adopts. Though companies may hesitate to expend resources on adopting, implementing, maintaining and supporting a privacy policy governing their consumer protection practices, such expense pales in comparison to the amounts that may be paid to resolve a Federal Trade Commission (FTC) fine.

Consider the case of VTech, a Hong Kong-based company that sells tablets, other electronics and software as educational tools for children. In November 2015, VTech learned that its Learning Lodge Navigator online platform had been compromised. The Learning Lodge Navigator platform contained names, gender, and birthdates of children. In total, as of the time of the breach, about 2.25 million parents had registered and created accounts with Learning Lodge for approximately 3 million children. The issue was that in collecting such consumer data, VTech failed to link parents to VTech's privacy policy when personal information was collected, and therefore, VTech violated the Children's Online Privacy Protection Act of 1998 (COPPA), which prohibits online services from knowingly collecting data from children under the age of 13 without obtaining informed parental consent. Such protected child data includes names, addresses, email addresses, telephone numbers, and photo, video or audio recordings. After an investigation of the data breach, the FTC filed a complaint against VTech, alleging that VTech did not obtain verifiable informed parental consent as required under COPPA. A significant area of concern for the FTC was that VTech falsely claimed in its privacy policy that personal information submitted by users through the Learning Lodge Navigator platform would be encrypted, despite never actually encrypting such data.

VTech settled with the FTC in January of this year, and agreed to pay $650,000 and to take reasonable steps to secure the data collected. Moreover, the final order required VTech to refrain from misrepresenting its security and privacy practices and to implement a comprehensive data security program, which is subject to independent audits for the next 20 years. VTech is far from the first company that has misrepresented its consumer data protection practices by way of a privacy policy. That said, companies of all sizes that collect consumer data must not just implement a reasonable data security plan, but must also ensure that nothing contained in such adopted privacy plans is inaccurate. Moreover, as the FTC stresses, data security is a "living" process, and companies should revisit their data security practices periodically as the business and cybersecurity landscapes continue to evolve.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
