Published by Al Saikali

November 2012

It can be easy in the data privacy and security sphere to focus significantly on best practices, changing statutes, new administrative investigations, and evolving industry standards.  It is important, however, not to lose the forest for the trees by ignoring larger issues like “what criteria should we use to determine whether information is in fact ‘private’ information?”  The issue was recently addressed by Brad Smith, General Counsel of Microsoft, in a recent InsideCounsel article .

When many of us think of what it means for information to be “private”, we assume the information must be kept secret.  Instinctively, it would seem to make sense that publicly known information cannot also be “private” information.  But can information be private if the owner of the information purposefully provides it to certain individuals and not others?  That issue was recently addressed by the U.S. Supreme Court and discussed in Smith’s article.

Smith’s article argues that legal change may be coming to the definition of privacy, and he cites by way of example Justice Sotomayor’s concurring opinion in the recent U.S. Supreme Court decision in U.S. v. Jones.  In Jones, the court held that the government was required to obtain a warrant where it installed a tracking device on a suspect’s vehicle, as this conduct was a search under the Fourth Amendment.

In her concurring opinion, Justice Sotomayor began with the general principle that “a Fourth Amendment search occurs when the government violates a subjective expectation of privacy that society recognizes as reasonable.”  Does this expectation of privacy extend to information shared with some individuals and not others?  Justice Sotomayor posited that:

it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.  This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.  People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medication they purchase to online retailers. . . . I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year.  But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy.  I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.

Justice Sotomayor also quoted Justice Marshall’s dissent in the 1979 case of Smith v. Maryland – “Privacy is not a discrete commodity, possessed absolutely or not at all.  Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes.”

Ultimately, the Jones Court did not decide whether a reasonable expectation of privacy exists in information voluntarily disclosed to third parties, but as Mr. Smith observes, “the Fourth Amendment will likely evolve and influence the future of privacy rules and practices with implications for inside counsel across the country.”

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Regulators increasingly want to know what companies are telling consumers about how the companies are using information about their consumers.  Companies that do not properly explain how they collect, store, and use their customers’ information are facing increased scrutiny.  Nowhere is this increased scrutiny move evident than in the $22.5 million civil penalty that the FTC levied against Google, or the FTC’s complaint and decision against Facebook.

Now, the Office of the Attorney General for the State of California has weighed in by cracking down on companies that do not include privacy policies in their mobile apps.  In a recent press release, California Attorney General Kamala Harris announced that her office has begun formally notifying up to 100 mobile application developers and companies that they are not in compliance with California privacy law.  According to Bloomberg, some of these companies receiving letters include United-Continental, Delta Air Lines, and Open Table.

The law that the Attorney General is referring to is the California Online Privacy Protection Act, which requires commercial operators of online services who collect personally identifiable information from California residents to conspicuously post a privacy policy.  Companies that violate this law face fines of up to $2,500 each time the non-compliant app is downloaded.

Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft, and Research in Motion, as platforms for mobile applications, all agreed to privacy principles earlier this year that allow consumers to review an app’s privacy policy before they download the app rather than after.  The companies also agreed to offer consumers a consistent location for an app’s privacy policy on the application-download screen in the platform store.

So what is the takeaway?  If you collect information about individuals, make sure you have a clear privacy policy.  Make sure the policy is placed in a location that makes it easy to find.  If you offer a mobile app, try to work with your mobile app platform to provide the privacy policy to consumers before they download the app.  It’s also a good idea to update your privacy policy periodically to ensure it remains current with your company’s information collection practices.

When was the last time your company took a fresh look at its privacy policy?

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.