Virtually every company collects data about its customers. This ensures that almost every company is subject to some privacy law or another. Most likely, a company's activities fall under a combination of state and federal laws and regulations, which can make keeping track of legal requirements - and any changes to those requirements that may occur - a difficult job for the company's legal department.
To help alleviate this dilemma for in-house counsel, Matthew Savare, Mary J. Hildebrand and Robert D. Chesler have written an article in The Metropolitan Corporate Counsel outlining the various privacy concerns most commonly faced by companies. While the article doesn't go into every privacy law and regulation, it does give a good introductory outline of the types of things companies should watch out for. Specifically, the authors point to the following concepts that confront almost every company:
Nearly every state has some form of a data breach law that requires companies to notify consumers if data is lost or someone gains access to the company's databases.
Protection of Social Security Numbers. Some states have passed laws requiring companies to protect the Social Security numbers of their customers and employees.
Adherence to Privacy Policies.
its terms. Otherwise the Federal Trade Commission could come after you for committing an unfair or deceptive act or practice, just like it did to Toysmart.com when that company tried to sell off its user data in
Many companies attempt to tailor ads to their website users based on their past browsing history. So far, the FTC allows the advertising industry to self-regulate the practice. The real danger might be in customer anger at the practice and not the threat of any kind of legal action, although at least one class action has arisen because of a company's behavioral advertising practices.
The article also discusses various ways that companies can protect themselves from potential liability as a result of a privacy violation. The authors suggest that legal departments consider the following principles when creating their overall privacy strategy:
Companies should minimize the amount of data they collect.
Security - both physical and electronic - should be a priority.
Old records should be destroyed completely.
Companies should put strict policies into place concerning data breaches and follow them.
vendors' privacy and security policies must meet the company's standards, and the company should clearly state and monitor the
Companies should take out a cyber-insurance policy to help offset any possible identity theft and/or data privacy claims.