Lawsuits Are A Bigger Concern Than Fines

James Chiodo, Certified Information Privacy Professional CIPP/US

The argument goes like this: A potential customer thinks spending $29.95 on an attorney-drafted privacy policy is not worth it. They usually say something like: “the chances of me getting fined because my privacy policy is not up-to-date are very unlikely.”

For now, this is probably true, especially if you are not a big company. Although being in violation of the law could subject you to a $2,500 fine per incident, it is likely (for now) that you will receive a warning notice to comply within 30 days before being fined.

However, one state, California, has formed a Privacy Enforcement and Protection Unit. This raises the question of how long they will send out warnings for noncompliance before taking the easier and more profitable road and simply fining you. BTW – California’s new privacy policy law essentially affects website and blog owners in all states.

Ok, for the sake of argument, let’s forget there are any laws that could subject you to a fine because of your privacy policy.

The far more serious problem with a poorly drafted privacy policy is the potential for lawsuits from customers, users and the FTC.

The Federal Trade Commission takes legal action against online operators who do not live up to the promises in their privacy policies. They also take enforcement action against businesses that make sweeping declarations in their privacy statement, but then do not reveal the extent to which they collect and share information with other parties. Of course, you are always open to lawsuits from users and customers if you violate the provisions in your online privacy policy.

Your website privacy policy will either help protect you, or get you into legal trouble depending on how well it is written.

Here is just one example of a typical provision you see in privacy policies that could cause serious legal problems:

We use correct data-gathering  measures, storage and very strict security procedures to protect your personal information against unauthorized access, change, disclosure or destruction of including your username, password, transaction information and data stored on our website.

Under the law, you have to take reasonable steps to keep important information secure.  At the minimum, you have to comply with the privacy assurances you make to your visitors or customers.  However, making statements or implying that a visitor or customer’s information will be secure significantly increases your risk for a lawsuit should someone hack your site.

As of the writing of this blog post, LinkedIn is facing a class-action lawsuit for making a statement in their privacy policy that their customers’ information “will be protected with industry-standard protocols and technology.” After their customers’ data was breached by hackers who stole customers’ passwords, usernames, etc., LinkedIn is now in the position of trying to defend that promise.

This type of lawsuit has become more common because so many websites that were hacked had previously made some type of statement in their privacy policy that their customers’ information would remain secure, or claimed they were using security measures which, in fact, they were not using.

What many online operators forget is that your privacy policy and terms and conditions are contracts with your users, and you can be held accountable for the statements and promises contained within them.

If you are not going to use an attorney-drafted privacy policy for your website or blog, you are probably better off not using one at all rather than using a poorly drafted and outdated one.

See our other blog post on free privacy policies

