INFOTECH AND THE LAW

When Federal Trade Commission Chairman Timothy Muris was asked during his confirmation hearings whether he believed additional legislation was needed to protect privacy in consumer business and financial transactions, he gave the routine, cautious answer: The question needed more study. He answered the question recently in a speech on privacy: No new legislation is needed at this time.Muris voiced three objections to new congressional activity in this area. First, privacy notices are a wasteful and ineffective way to obtain better privacy protection. This was an acknowledgment of the accuracy of criticism leveled at financial information privacy disclosures contained in earlier legislative efforts.Second, the focus on privacy has to extend beyond Internet transactions because offline information collection is potentially as harmful as online data collection.And, third, imposing additional costs on a slowing Internet economy is unwise.Rather, Chairman Muris argued, the FTC will be more effective if it emphasizes use of its current statutory authorities. He promised more aggressive privacy enforcement under existing laws.So a revitalized FTC privacy enforcement program comprises an agenda that includes the following measures:? Amending telemarketing sales rules to establish a one-stop, national "do not call" list. All marketers would be required to sanitize their call lists to conform.? Protections against misuse of pre-acquired credit card account information. Procedures to insure against unauthorized charges against pre-acquired account numbers will have to be implemented by telephone and Internet marketers.? Taking steps to act on e-mail spam distributors based upon the FTC's spam database that already receives over 10,000 pieces of spam daily.? Expanding Fair Credit Reporting Act enforcement, but the specifics of this expansion are as yet undisclosed.? Expanded enforcement, including an increase in the number of cases brought of violations of privacy policies on Internet Web sites. This will include increased attention to the transfer of consumer information when companies or their assets are acquired by another entity.? Close attention to the validity of claims made about the effectiveness of privacy and security features of software products, with aggressive enforcement actions under deceptive trade practices laws when the software fails to provide the promised privacy in actual use.? Additional civil actions to protect privacy of children under the Children's Online Privacy Protection Act of 1998. The FTC acknowledges that failure to seek and support additional privacy legislation may encourage states to take their own legislative measures, thereby adding to a patchwork of privacy laws nationwide. The FTC's approach may also encourage state consumer law enforcement officers to enforce more aggressive steps in their own deceptive trade practice statues over online transactions in their jurisdictions. From the perspective of companies that collect or manage personal information, this laundry list of new enforcement priorities means extra care is needed in a various areas. Companies will need to ensure the accuracy and clarity of statements about their privacy policies, the uses to which personal data may be put, the identities and circumstances under which the data may be shared, and the limitations on the protections to which it may be subjected.All companies that collect or retain personal information for business purposes must be alert to the consequences of privacy enforcement efforts. Government contractors that collect and manage personal information obtained online or offline, or that track users to their Web sites in an effort to capture customer information, are just as vulnerable to enhanced enforcement of existing privacy rules as are companies that deal solely in the commercial marketplace.There is no material difference between collecting and maintaining information about an individual government buyer and an individual commercial buyer of a company's goods or services from an FTC enforcement perspective. Be particularly careful about the accuracy of statements made with respect to cookies and other passive tracking technologies. The increased availability of tools to detect such techniques also heightens the likelihood of complaints by users that could stimulate an enforcement investigation. Privacy and data security product claims will be scrutinized and, particularly in the mass market consumer product field, should be conservative. If statements about uses of data are not absolutely true, they should not be made. Pay particular attention to statements about the conditions under which data may be released to law enforcement authorities. If anything should be clear from recent congressional debate, it is that law enforcement will have and intends to exercise wider powers of data surveillance.Consider whether any statement at all should be made about data privacy. In cases where no statement is required by law or regulation, it simply creates another risk of future liability that may or may not be worth its value to customer relations.