The Commerce Department's privacy paper setting forth a consumer privacy "bill of rights" reads like a typical policy report, but may be potent ammunition for plaintiffs attorneys. Any company doing business on the Internet—especially companies marketing and advertising to consumers—could find itself in court over privacy issues. Adweek spoke with privacy attorney Paul Bond, a partner in the data privacy, security and management practice of Reed Smith, to find out what companies can expect and what they should do to guard against a potential onslaught of class-action suits based on the Commerce Department's report.
Adweek: You're expecting that the report will increase privacy-related litigation. Why?
Bond: Prior to this report, the central organizing principle of policy was fair information principles, but now those have been converted into a privacy bill of rights. This is a proposal, but it represents a growing impatience by regulators. There's no end to this that doesn't end up in a courtroom for many, many businesses. These suits will be more dangerous and more difficult to get rid of.
How does the Commerce Department's report form the basis for a lawsuit?
Whenever there is a high-profile privacy issue because of a congressional investigation, academic papers, or a report like this, plaintiffs pick it up, forcing companies to defend something that hasn't become law or regulation. We've been seeing class-action lawsuits on a rolling basis for the past several years. These lawsuits almost never say the company violated a statute. Large portions of the report will be pasted into lawsuits. Plaintiffs will form complaints around it.
Which companies are most at risk for this expected wave of litigation?
Any company doing business or marketing on the Internet. While the report is phrased in general terms, there are areas of emphasis. It's clear that marketing and advertising is an intense interest, especially with the collection of data and with especially minors.
What should companies do to fend off privacy-related lawsuits?
Companies should comply with the report. The other problem is companies' contractual obligation[s] with third-party vendors that are performing information processing and storing information. The company may be required to do certain things with respect to data, like responding to consumers about the information the company has about them, or how the information is shared. If the information is under the custody of a third party, the contract needs to give the principal company the flexibility it needs.