Advancing technologies, evolving business models, and shifting customer expectations have made the personal information of individual consumers extremely valuable commercial assets. In this environment, many different organizations collect, analyze, and share a significant volume of personal customer information. Responding to this situation, governments in the United States and other countries are placing more constraints on the collection and use of personal information. In particular, they are moving in the direction of requiring greater transparency and more forthright disclosure to end users of the collection and use of private information. The constraints now affect many organizations, including those that are not specifically participating in the commercial data aggregation or processing industries. Under the emerging framework of information privacy regulation, it is likely that your organization already faces privacy compliance obligations and should consider the following critical issues.
Government authorities recognize that the widespread use of software applications (apps) raises important information privacy issues. Apps are routinely designed to collect a range of information regarding their users and may sometimes to do in a way that is not clearly disclosed to or authorized by end users. Given the large amount of personal information that users routinely store on smartphones, and that is generated by their use, as well as the close interaction between apps and operating systems, apps have access to and are able to collect substantially more data about the users than the typical Internet browser. Thus, the state of California now requires that all apps that are made available to California residents include clear notices describing all information collected by the apps and identifying the users and uses of that information.
Following California's lead, the Federal Trade Commission (FTC) issued guidelines providing recommendations that are similar to the California apps privacy requirements. The FTC actions to date have involved guidelines instead of formal rules; however, it is likely that the guidelines may form the basis for future FTC regulations.
The privacy requirements directed toward apps are not limited solely to the software developers who create the apps but broadly include the "app ecosystem." Thus, the requirements are also applicable to the distributors and other parties associated with the apps. For example, some of the first enforcement actions initiated by California under the apps privacy rules were directed against the companies who commissioned development of the apps and distributed the apps to their customers, despite the fact that they did not actually create the apps.
Similarly, the FTC guidelines are directed toward all parties involved in the development, distribution, and use of apps. In addition to the software developers who create apps and the parties who commission them and make them available to their customers, the FTC is also interested in the actions of enterprises that offer software or services to the apps developers and distributors. For example, a variety of companies offer information collecting and processing software that can be embedded into apps. Others operate data collection, storage, and analytical services which can be used in conjunction with the apps. The FTC considers all of these different participants involved in the process of collection, analysis, and sharing of information obtained from apps to be subject to its guidelines.
The FTC also demonstrated its intention to apply its privacy requirements expansively in the context of personal information collected from children. For many years, the FTC applied special protection to personal information collected from children through websites. Recently however, it expressly indicated that those rules are also applicable to information collected through social media, mobile communications systems, and online advertising networks.
This expanded application of privacy requirements and expectations has important implications for all organizations. For example, it means that businesses will increasingly be held accountable for the security and privacy of personal information collected, stored, analyzed, or shared by third parties working on their behalf. When an organization commissions development of apps or other software that collects or processes personal information, that organization will likely be held responsible for the information, even if it did not specifically request processing of the information and it does not directly use the information.
Similarly, organizations that contract with third parties to manage website operations, social media use, or digital media advertising activities are now considered to be responsible for the information privacy practices of those third parties. In this environment, all organizations must understand the information privacy policies, practices, and procedures of all of the vendors and service providers with whom they conduct business.
Many different classes of information are now subject to their own specialized privacy protection requirements. As noted above, the FTC applies specialized privacy rules to personal information collected from children. Federal law in the United States also applies specific privacy and security requirements for personal health/medical information and personal financial information.
Another important class of information that carries special privacy protection requirements is information collected regarding individual residents of nations in the European Community. Organizations that have employees, contractors, business partners, or customers in Europe must comply with the European data protection and privacy requirements.
It is important to recognize that these specialized privacy requirements are applicable to all personal information in the protected category regardless of the technology or process used to capture it. Thus no matter whether the information is gathered through websites, cookies and other online tracking systems, social media, electronic mail, document-sharing, mobile communications, data collection/sharing networks, digital media advertising networks, or any other electronic system, the appropriate privacy obligations are in effect.
All organizations, even those that are not in the business of specifically commercializing consumer information, are already subject to a range of privacy obligations and expectations enforced by many different jurisdictions. Accordingly, they should all take at least basic steps to understand and comply with those requirements. All organizations should conduct an audit to identify all of the personally identifiable information that they collect, process, store, distribute or share. The audit should also identify all parties who have access to the personal information and describe how all of the information is currently being used.
Each organization should identify all personal information it collects, processes, stores or distributes that is subject to specific privacy or security obligations. This information includes personal health/medical and financial information. It also includes information collected from children and from residents of European countries.
Organizations should develop, implement, and update information privacy and data security policies, practices, and procedures which ensure compliance with all applicable information privacy and data security obligations, including, where applicable, the disclosure to end users of the data that is being collected, the purposes for which such data may be used, and obtaining from consumers any required consents to such uses. In addition, those policies, practices, and procedures should be monitored and updated regularly to ensure continuing compliance with the rapidly evolving privacy requirements. They should be clearly communicated to all employees and contractors, and compliance should be made a mandatory condition of employment.
In addition, businesses and other organizations should identify all of the vendors and service providers that collect, store, process, or distribute personal information on their behalf. This process is sometimes challenging as those third parties may be collecting the information even though the organization involved did not specifically request that action. All service agreements, other contracts, and relevant operational practices and procedures with the vendors and service providers should be carefully assessed to determine their information privacy implications.
All organizations that use any form of data networking operations must recognize that it is likely that they are already subject to numerous international, federal, and state information privacy requirements and expectations. They must understand and comply with those obligations even if they are not directly or deliberately gathering or processing such information. It is an operational fact of life that effective information privacy and data security policies, practices, and procedures are now essential for all organizations that make use of data networking technologies and systems.