Words Matter, Even in Privacy Policies.

Words matter; but what you actually do matters more. When the words and actions don’t line up – trouble is brewing. This post is about Privacy Policies and why, just like other contracts, copying and pasting one from the Internet may not be the best idea. Read on for more information.

Privacy Policies are notoriously copied; everyone knows it. Fortune 500 companies with an army of in-house lawyers copy them from each other, so you can imagine how many small\medium\”regular” sized companies are out there rolling with “hot” Policies….

On the one hand, I understand a little copying. As a firm that works with startups (and as a startup ourselves) we totally get bootstrapping and cost control – why re-create the wheel? On the other hand, wholesale copying is never a good idea…especially if the actual business processes don’t line up with what the Privacy Policy says. More specifically, if my Policy says I’m doing something better than the way that I’m actually doing it in reality, that’s a wide avenue for increased risk and liability.

How about an example? Sure, the Federal Trade Commission’s (FTC) civil suit against Wyndham Hotels provides a good one. (Remember, the FTC is the government agency that regulates “unfair” and “deceptive” trade practices.)

Privacy Policies, just like Wyndham’s, will often say something like:

We safeguard our Customers’ personally identifiable information by using industry standard practices. Although “guaranteed security” does not exist either on or off the Internet, we make commercially reasonable efforts to make our collection of such [i]nformation consistent with all applicable laws and regulations. Currently, our Web sites utilize a variety of different security measures designed to protect personally identifiable information from unauthorized access by users both inside and outside of our company, including the use of 128-bit encryption….We take commercially reasonable efforts to create and maintain “fire walls”and other appropriate safeguards .

Seems innocuous, right? I think if we Google “Privacy Policy Template” most, if not all, will have similar language somewhere. But, what if the company isn’t using “industry standard practices” or “commercially reasonable efforts” or “firewalls and other appropriate safeguards?” Is it open to more risk? Spoiler: Yes.

In 2008 and 2009 Wyndham fell “victim” to three data breaches that exposed customer credit card numbers and other personal information. After the third breach, the FTC brought a civil enforcement suit against Wyndham based on unfair and deceptive trade practices. In their complaint the FTC specifically cited Wyndham’s overstating of its security practices in the Privacy Policy as “deceptive” (it was not using commercially reasonable efforts or firewalls) and its overall treatment of customer personal data in an insecure way as “unfair” conduct (financial information must be kept secure). The outcome? An embarrassing ordeal for Wyndham, fines, and ongoing government oversight of its actual security policies.

So, what are the takeaways? 1) The FTC regulates data security in the U.S. and if your company is housing large amounts of customer data (esp. financial) you should be aware; 2) What your Privacy Policy says matters. If you’re overstating what you actually do in the Policy, it can be the basis of a deception claim; 3) What your company actually does with customer data matters. If your treat it without due care, that conduct can be the basis for an “unfairness” claim, regardless of what your Privacy Policy says; and 4) Actions will trump words. Most likely in this scenario, after 3 data breaches in less than 3 years, the FTC was coming for Wyndham regardless of what their Privacy Policy said. But, since it was sloppily drafted, it provided the easy “low hanging fruit” the government often looks for.