Acronis Reports Ransomware Damages Will Exceed $30B by 2023

In its Mid-Year Cyberthreat Report published on August 24, 2022, cybersecurity firm Acronis reports that ransomware continues to plague businesses and governmental agencies, primarily through phishing campaigns.

According to the report over 600 malicious email campaigns were launched in the first half of 2022, with the goal of stealing credentials to launch ransomware attacks. Other attack vectors included vulnerabilities to cloud-based networks, targeting unpatched or software vulnerabilities, and cryptocurrency and decentralized finance systems.

According to Acronis, “ransomware is worsening, even more so than we predicted.” It estimates that global damages related to ransomware attacks will top $30 billion by 2023.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Judge Approves $92 Million TikTok Settlement

On July 28, 2022, a federal judge approved TikTok’s $92 million class action settlement of various privacy claims made under state and federal law. The agreement will resolve litigation that began in 2019 and involved claims that TikTok, owned by the Chinese company ByteDance, violated the Illinois Biometric Information Privacy Act (“BIPA”) and the federal Video Privacy Protection Act (“VPPA”) by improperly harvesting users’ personal data. U.S. District Court Judge John Lee of the Northern District of Illinois also awarded approximately $29 million in fees to class counsel.

The class action claimants alleged that TikTok violated BIPA by collecting users’ faceprints without their consent and violated the VPPA by disclosing personally identifiable information about the videos people watched. The settlement agreement also provides for several forms of injunctive relief, including:

  • Refraining from collecting and storing biometric information, collecting geolocation data and collecting information from users’ clipboards, unless this is expressly disclosed in TikTok’s privacy policy and done in accordance with all applicable laws;
  • Not transmitting or storing U.S. user data outside of the U.S., unless this is expressly disclosed in TikTok’s privacy policy and done in accordance with all applicable laws;
  • No longer pre-uploading U.S. user generated content, unless this is expressly disclosed in TikTok’s privacy policy and done in accordance with all applicable laws;
  • Deleting all pre-uploaded user generated content from users who did not save or post the content; and
  • Training all employees and contractors on compliance with data privacy laws and company procedures.
Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Are You Ready for 2023? New Privacy Laws To Take Effect Next Year

Five new state omnibus privacy laws have been passed and will go into effect in 2023. Organizations should review their privacy practices and prepare for compliance with these new privacy laws.

What’s Happening?

While the US currently does not have a federal omnibus privacy law, states are beginning to pass privacy laws to address the processing of personal data. While California is the first state with an omnibus privacy law, it has now updated its law, and four additional states have joined in passing privacy legislation: Colorado, Connecticut, Utah, and Virginia. Read below to find out if the respective new laws will apply to your organization.

Which Organizations Must Comply?

The respective privacy laws will apply to organizations that meet particular thresholds. Notably, while most of the laws apply to for-profit businesses, we note that the Colorado Privacy Act also applies to non-profits. There are additional scope and exemptions to consider, but we provide a list of the applicable thresholds below.

The California Privacy Rights Act (CPRA) – Effective January 1, 2023

The CPRA applies to for-profit businesses that do business in California and meet any of the following:

  1. Have a gross annual revenue of over $25 million;
  2. Buy, receive, or sell the personal data of 100,000 or more California residents or households; or
  3. Derive 50% or more of their annual revenue from selling or sharing California residents’ personal data.

Virginia Consumer Data Protection Act (CDPA) – Effective January 1, 2023

The CDPA applies to businesses in Virginia, or businesses that produce products or services that are targeted to residents of Virginia, and that:

  1. During a calendar year, control or process the personal data of at least 100,000 Virginia residents, or
  2. Control or process personal data of at least 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data.

Colorado Privacy Act (CPA) – Effective July 1, 2023

The CPA applies to organizations that conduct business in Colorado or produce or deliver commercial products or services targeted to residents of Colorado and satisfy one of the following thresholds:

  1. Control or process the personal data of 100,000 Colorado residents or more during a calendar year, or
  2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 Colorado residents or more.

Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTPDA) – Effective July 1, 2023

The CTPDA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, and meets one of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 or more Connecticut residents, or
  2. Derives over 25% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Connecticut residents.

Utah Consumer Privacy Act (UCPA) – Effective December 31, 2023

The UCPA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, has annual revenue of $25,000,000 or more, and meets one of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 or more Utah residents, or
  2. Derives over 50% of the gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Utah residents.

The Takeaway 

Organizations that fall under the scope of these respective new privacy laws should review and prepare their privacy programs. The list of updates may involve:

  • Making updates to privacy policies,
  • Implementing data subject request procedures,
  • How your business is handling AdTech, marketing, and cookies,
  • Reviewing and updating data processing agreements,
  • Reviewing data security standards, and
  • Providing training for employees.
© 2022 ArentFox Schiff LLP

Federal Bill Would Broaden FTC’s Role in Cybersecurity and Data Breach Disclosures

Last week, the House Energy and Commerce Committee advanced H.R. 4551, the “Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies Act” (“RANSOMWARE Act”).  H.R. 4551 was introduced by Consumer Protection and Commerce Ranking Member Gus Bilirakis (R-FL).

If it becomes law, H.R. 4551 would amend Section 14 of the U.S. SAFE WEB Act of 2006 to require not later than one year after its enactment, and every two years thereafter, the Federal Trade Commission (“FTC”) to transmit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report (the “FTC Report”).  The FTC Report would be focused on cross-border complaints received that involve ransomware or other cyber-related attacks committed by (i) Russia, China, North Korea, or Iran; or (ii) individuals or companies that are located in or have ties (direct or indirect) to those countries (collectively, the “Specified Entities”).

Among other matters, the FTC Report would include:

  • The number and details of cross-border complaints received by the FTC (including which such complaints were acted upon and which such complaints were not acted upon) that involve ransomware or other cyber-related attacks that were committed by the Specified Entities;
  • A description of trends in the number of cross-border complaints received by the FTC that relate to incidents that were committed by the Specified Entities;
  • Identification and details of foreign agencies, including foreign law enforcement agencies, located in Russia, China, North Korea, or Iran with which the FTC has cooperated and the results of such cooperation, including any foreign agency enforcement action or lack thereof;
  • A description of FTC litigation, in relation to cross-border complaints, brought in foreign courts and the results of such litigation;
  • Any recommendations for legislation that may advance the security of the United States and United States companies against ransomware and other cyber-related attacks; and
  • Any recommendations for United States citizens and United States businesses to implement best practices on mitigating ransomware and other cyber-related attacks

Cybersecurity is an area of recent federal government focus, with other measures recently taken by President Bidenthe Securities and Exchange Commissionthe Food and Drug Administration, and other stakeholders.

Additionally, H.R. 4551 is also consistent with the FTC’s focus on data privacy and cybersecurity.  The FTC has increasingly taken enforcement action against entities that failed to timely notify consumers and other relevant parties after data breaches and warned that it would continue to apply heightened scrutiny to unfair data security practices.

In May 2022, in a blog post titled “Security Beyond Prevention: The Importance of Effective Breach Disclosures,” the FTC’s Division of Privacy and Identity Protection had cautioned that “[t]he FTC has long stressed the importance of good incident response and breach disclosure as part of a reasonable information security program, and that, “[i]n some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.”

As readers of CPW know, state breach notification laws and sector-specific federal breach notification laws may require disclosure of some breaches.  However, as of May 2022 it is now expressly the position of the FTC that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.”  This is a significant development, as notwithstanding the absence of a uniform federal data breach statute, the FTC is anticipated to continue exercise its enforcement discretion under Section 5 concerning unfair and deceptive practices in the cybersecurity context.

© Copyright 2022 Squire Patton Boggs (US) LLP

Three Ways to Use LinkedIn’s Notifications Tab to Build Your Network and Business

Here’s an easy and effective way to leverage LinkedIn for business development and networking – use information and updates about your connections from the Notifications tab to build stronger relationships.

LinkedIn gives you many reasons to reach out to people in your professional network through the Notifications tab

These reasons range from new business, networking, jobs, referrals and branding opportunities.

Prompts from the LinkedIn Notifications tab about your connections’ birthdays, work anniversaries and new jobs can serve as powerful catalysts to get back in touch with your connections.

I have seen these prompts lead to new business and reignited relationships many times.

I call these notifications “low hanging fruit” because they require very little effort on your part and they’re easy to do, and can yield major benefits.

Marketing strategies don’t have to be complicated to be successful. We often overlook them when it’s so basic.

So how do you leverage them?

  1. For a work anniversary notification, you could say, “Hey Jim, I can’t believe it’s been X years since you joined your company! Time sure flies. How are you?” Then take it a step further, suggest an off-line conversation either in person, over the phone or via zoom.

  2. For a new job announcement try, “Congratulations on the new role – how is it going so far?” again offer to take the conversation off-line and have a separate conversation either in-person or virtually.  (Many people don’t send an email when they get a new job anymore – it’s up to us to do the due diligence to find out where they landed and then take the initiative to congratulate them on their job move).

  3. Wish your connections a happy birthday.  Just saying a simple “Happy birthday – I hope you’re having a great day – would love to take you for lunch or a drink to celebrate” is a great way to make someone’s day. Adding your birthday into LinkedIn works – I had about 200 LinkedIn birthday well wishes and one of them actually led to a new client.

Sometimes the basic actions that take just minutes are the most impactful.

Having reasons to reach out to your connections is powerful versus the dreaded “just checking in” email.

LinkedIn has made it even easier now to stay updated on others’ notifications by enabling us to follow certain individuals by clicking the bell on their profile.

No one knows who you are following, so use it strategically and follow your clients, referrals, VIP connections and even your competitors. You should also follow content creators whose information you find useful.

I’d love to hear how the Notifications section has worked for you.

Copyright © 2022, Stefanie M. Marrone. All Rights Reserved.

Wegmans Settles With NYAG for $400,000 Over Data Incident

The New York Attorney General recently announced a data security-related settlement with Wegmans Food Markets. The issue arose in April 2021 regarding a cloud-based incident. At that time a security researcher notified Wegmans that the company had an Azure cloud storage container that was unsecured. Upon investigation, the company determined that the container had been misconfigured and that three million customer records had been publicly accessible since 2018. The records included email addresses and account passwords.

Of concern for the AG, among other things, were that the passwords were salted and hashed using SHA-1 hashing, rather than PBKDF2. Similarly, the AG found concerning the fact that the company did not have an asset inventory of what it maintained in the cloud. As a result, no security assessments were conducted of its cloud-based databases. The NYAG also took issue with the company’s lack of long-term logging: logs for its Azure assets were kept for only 30 days. Finally, the company kept checksums derived from customer driver’s license information, something for which the NYAG did not feel the company had a “reasonable business purpose” to collect or maintain.

The NYAG argued that these practices were both deceptive and unlawful in light of the promises Wegman’s made in its privacy policy. It also felt that the practices were a violation of the state’s data security law. As part of the settlement, Wegmans agreed to pay $400,000. It also agreed to implement a written information security program that addresses, among other things:

  1. asset management that covers cloud assets and identifies several items about the asset, including its owner, version, location, and criticality;
  1. access controls for all cloud assets;
  1. penetration testing that takes into account cloud assets, and includes at least one annual test of the cloud environment;
  1. central logging and monitoring for cloud assets, including keeping cloud logs readily accessible for 90 days (and further stored for a year from logged activity);
  1. customer password management that includes hashing algorithms and a salting policy that is at least commensurate with NIST standards and “reasonably anticipated security risks;” and
  1. policies and procedures around data collection and deletion.

Wegmans agreed to have the program assessed within a year of the settlement, with a written report by the third-party assessor provided to the NYAG. It will also conduct at-least-annual reviews of the program. As part of that review it will determine if any changes are needed to better protect and secure personal data.

Putting It Into Practice: This case is a reminder for companies to think not only about assets on its network, but its cloud assets, when designing a security program. Part of these efforts include clearly identifying locations that house personal information (as defined under security and breach laws) and evaluating the security practices and controls in place to protect that information. The security program elements the NYAG has asked for in this settlement signal its expectations of what constitutes a reasonable information security program.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

Are You Being Served? Court Authorizes Service of Process Via Airdrop

In what may be the first of its kind, a New York state court has authorized service via token airdrop in a case regarding allegedly stolen cryptocurrency assets. This form of alternative service is novel but could become a more routine practice in an industry where the identities of potential parties to litigation may be difficult to ascertain using blockchain data alone.

Background on the Dispute

According to the Complaint in the case, the plaintiff LCX AG (“LCX”) is a Liechtenstein based virtual currency exchange. As alleged in the Complaint, on or about January 8, 2022, the unknown defendants (named in the Complaint as John Does 1-25) illegitimately gained access to LCX’s cryptocurrency wallet and transferred $7.94 million worth of digital assets out of LCX’s control. Cryptocurrency wallets are similar in many ways to bank accounts, in that they can be used to hold and transfer assets. In the same way a thief can transfer funds from a bank account if they gain access to that account, thieves can also transfer cryptocurrency assets if they gain access to the keys to the wallet holding digital assets.

Following the alleged theft, LCX and its third-party consulting firm determined that the suspected thieves used “Tornado Cash,” which is a “mixing” service designed to hide transactions on an otherwise publicly available blockchain ledger by using complicated transfers between unrelated wallets. While Tornado Cash and other mixing services have legal purposes such as preserving the anonymity of parties to legitimate transactions, they are also utilized by criminals to launder digital funds in an illicit manner.

Even the use of these mixing services, however, can often also be unwound. This is especially true in transactions of large amounts of cryptocurrency, similar to how transactions utilizing complex money laundering schemes in the international banking system can be unwound. According to the blockchain data platform Chainalysis, although Illicit crypto transactions reached an all-time high of $14 billion in 2021, these suspected nefarious transactions accounted for 0.15% of crypto volume last year, down from 0.62% in 2020.

While the Complaint alleges the suspected thieves used Tornado Cash, LCX believes its hired consultants were able to unwind those mixing services to identify a wallet which is alleged to still hold $1.274 million of the allegedly stolen assets.

Unlike bank accounts which have associated identifying information, there are often no registered addresses or other identifying information connected to digital wallets. This makes it difficult to provide the actual proof of service required to institute an action or obtain a judgement against an individual where the only known information is their digital wallet addresses. Service via token airdrop into those wallet addresses solves that issue.

Service Via Airdrop

Service of lawsuits is traditionally made on the defendant personally at a home or business address via special process servers. In cases where service on the individual is not possible for some reason, many states authorize alternative means of service if the plaintiff can show that the alternative means of service likely to provide actual notice of the litigation to the defendant. For example, courts have historically allowed notice via newspaper publication as an alternative means of service where the defendant cannot be serviced personally.

Here, the Court permitted service via “airdrop” in which a digital token is placed in a specific cryptocurrency wallet, similar to how a direct deposit can place funds in a traditional bank account. This particular token contained a hyperlink to the associated court filings in the case, and a mechanism which allowed the data of any individual who clicked on the hyperlink to be tracked. While this is a novel way to serve notice of a lawsuit, similar airdrops have been used to communicate with the owners of otherwise anonymous cryptocurrency wallet owners. Such was the case recently when actor Seth Green had his Bored Ape non-fungible token (“NFT”) stolen and the unknowing buyer of the stolen NFT was otherwise difficult to locate.

While this type of digital service is new, it could be implemented in many disputes in the future regarding digital assets. Similar to the authorization of service that was seen recently in the Facebook Biometric Information Privacy Act litigation (where notice was served on potential class members via email and directly on the Facebook platform), service via airdrop may be the most efficient way to inform potential lawsuit participants of the pending dispute and how they can protect their rights in that dispute.

This type of airdropped service is not without issues, though. First, transactions on the blockchain are largely publicly available, meaning any individual with the wallet address would also be able to see service of the lawsuit notice. Additionally, many users are hesitant to click on unknown links (such as the one in the airdropped LCX) due to legitimate cybersecurity concerns.

While service via airdropped token is unlikely to replace traditional methods of service, it may be a useful means of serving process on unknown persons where there is a digital wallet linked to the acts which the applicable lawsuit relates.

© Polsinelli PC, Polsinelli LLP in California

Italian Garante Bans Google Analytics

On June 23, 2022, Italy’s data protection authority (the “Garante”) determined that a website’s use of the audience measurement tool Google Analytics is not compliant with the EU General Data Protection Regulation (“GDPR”), as the tool transfers personal data to the United States, which does not offer an adequate level of data protection. In making this determination, the Garante joins other EU data protection authorities, including the French and Austrian regulators, that also have found use of the tool to be unlawful.

The Garante determined that websites using Google Analytics collected via cookies personal data including user interactions with the website, pages visited, browser information, operating system, screen resolution, selected language, date and time of page views and user device IP address. This information was transferred to the United States without the additional safeguards for personal data required under the GDPR following the Schrems II determination, and therefore faced the possibility of governmental access. In the Garante’s ruling, website operator Caffeina Media S.r.l. was ordered to bring its processing into compliance with the GDPR within 90 days, but the ruling has wider implications as the Garante commented that it had received many “alerts and queries” relating to Google Analytics. It also stated that it called upon “all controllers to verify that the use of cookies and other tracking tools on their websites is compliant with data protection law; this applies in particular to Google Analytics and similar services.”

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

3 Benefits of Cloud-Based Law Firms

Any law firm that’s evaluating practice management software has seen “cloud-based” options. Cloud technology has been around for a while, but some law firms are hesitant to switch to the cloud due to security concerns, lack of control, or downtime. The cloud has numerous benefits for a law firm, however. Instead of relying on filing cabinets and in-office servers, law firms can embrace the cloud and maximize their time and profits.

Why Should My Firm Use Cloud-Based Software?

Traditionally, law firms have relied on in-office software that is installed on a local computer or server within the office space. These servers are only accessible from computers in the same space but limit any remote access or capability. This setup quickly became an issue for law firms looking to sustain business continuity during the pandemic.

A cloud-based solution isn’t installed locally on the office server but is fully hosted on the internet. It uses a remote server maintained by the software provider, and access occurs through the internet. More recently, cloud-based legal practice management software has become the gold standard for law firms to manage and operate their business from anywhere. LPMs have slowly started to replace traditional servers and become the backbone for law firms to handle client management, calendaring, tasks, billing, and document storage.

Even post-pandemic, law firms are still learning to embrace legal technology and leverage the advantages of shifting their practice to the cloud. When done correctly and with the right resources, cloud-based law firms can improve aspects of their business from accessibility, security, client support, and even hiring and retention.

If you’re still on the fence about moving your firm to the cloud, here are 5 benefits that may change your mind:

Person checking phone for security code

1. Improved Security

Legal technology has come a long way in recent years with a strong emphasis on compliance and security. Law firms may be concerned about security, but some are realizing the cloud is more secure and cost-efficient than an on-premise solution. This is mostly because on-premise solutions typically require specialized support staff to perform lucrative updates to the system. These updates can cause severe downtime and even cost money calling in support.

With a cloud-based legal practice management software like PracticePanther, the all-in-one platform automatically updates and comes with the security and support your firm needs. The platform comes equipped with ABA and IOLTA compliant features and 256-bit military-grade encryption to ensure confidential information is safeguarded. It also offers two-factor authentication and customized security settings, which allow law firms to limit access to certain aspects of the software for some staff members.

Person communicating via video call

2. Supports Remote and Hybrid Work

Though many law firms are still working out the kinks — remote and hybrid working environments are a mainstay in the legal industry. Many lawyers are enjoying the productivity benefits and work-life balance of remote or hybrid schedules, allowing them to put in the hours they need for casework while also balancing their responsibilities at home.

On-premise legal software limits lawyers with remote work in many ways. Cloud-based legal software enables law firms to work securely within a centralized platform from anywhere. This allows staff to continue their responsibilities without risking accessibility or tasks falling through the cracks when staff are in different locations. For example, PracticePanther can create workflows with triggered tasks for staff to complete a new client onboarding, send documents for electronic signature, and even process payments. This process can be done from anywhere and lives in one system where the appropriate staff can easily access the case or client matter.

3. Streamlined Billing and Online Payments

Clients’ expectations have shifted and they want more convenient processes, especially with legal billing and how they conduct business with law firms. These clients are already using online services for virtually everything, from grocery shopping to accessing medical bills, and they want the same digital experience from their lawyers.

Cloud-based software makes this simple, especially when billing and online payments are built natively. This means firms can track time, create invoices, and send them for payment with easy-to-use payment links embedded. Platforms like PracticePanther also include exclusive reporting functions so firms can gain better insight into where and how their cash flow is generated to make more informed business decisions.

Outlook on Cloud-Based Firms

Cloud-based software offers law firms a unique opportunity to manage their practice and staff while growing their business from virtually anywhere. This structure has proved sustainable for many law firms and will continue to be the standard in the legal industry for firms that want to remain competitive and most importantly, profitable.

© Copyright 2022 PracticePanther

Throwing Out the Privacy Policy is a Bad Idea

The public internet has been around for about thirty years and consumers’ browser-based graphic-heavy experience has existed for about twenty-five years. In the early days, commercial websites operated without privacy policies.

Eventually, people started to realize that they were leaving trails of information online, and in the early ‘aughts the methods for business capturing and profiting from these trails became clear, although the actual uses of the data on individual sites was not clear. People asked for greater transparency from the sites they visited online, and in response received the privacy policy.

A deeply-flawed instrument, the website privacy policy purports to explain how information is gathered and used by a website owner, but most such policies are strangely both imprecise and too long, losing the average reader in a fog of legalese language and marginally relevant facts. Some privacy policies are intentionally obtuse because it doesn’t profit the website operator to make its methods obvious. Many are overly general, in part because the website company doesn’t want to change its policy every time it shifts business practices or vendor alliances. Many are just messy and poorly written.

Part of the reason that privacy policies are confusing is that data privacy is not a precise concept. The definition of data is context dependent. Data can mean the information about a transaction, information gathered from your browser visit (include where you were before and after the visit), information about you or your equipment, or even information derived by analysis of the other information. And we know that de-identified data can be re-identified in many cases, and that even a collection a generic data can lead to one of many ways to identify a person.

The definition of data is context dependent.

The definition of privacy is also untidy. An ecommerce company must capture certain information to fulfill an online order. In this era of connected objects, the company may continue to take information from the item while the consumer is using it. This is true for equipment from televisions to dishwashers to sex toys. The company likely uses this information internally to develop its products. It may use the data to market more goods or services to the consumer. It may transfer the information to other companies so they can market their products more effectively. The company may provide the information to the government. This week’s New Yorker devotes several pages to how the word “privacy” conflates major concepts in US law, including secrecy and autonomy,1 and is thus confusing to courts and public alike.

All of this is difficult to reflect in a privacy policy, even if the company has incentive to provide useful information to its customers.

Last month the Washington Post ran an article by Geoffrey Fowler that was subtitled “Let’s abolish reading privacy policies.” The article notes a 2019 Pew survey claiming that only 9 percent of Americans say they always read privacy policies. I would suggest that more than half of those Americans are lying. Almost no one always reads privacy policies upon first entering a website or downloading an app. That’s not even really what privacy policies are for.

Fowler shows why people do not read these policies. He writes, “As an experiment, I tallied up all of the privacy policies just for the apps on my phone. It totaled nearly 1 million words. “War and Peace” is about half as long. And that’s just my phone. Back in 2008, Lorrie Cranor, a professor of engineering and public policy at Carnegie Mellon University, and a colleague estimated that reading and consenting to all the privacy policies on websites Americans visit would take 244 hours per year.”

The length, complexity and opacity of online privacy policies are concerning. The best alleviation for this concern would not be to eliminate privacy policies, but to make them less instrumental in the most important decisions about descriptive data.

Limit companies’ use of data and we won’t need to fight through their privacy options.

Website owners should not be expected to write out privacy policies that are both sufficiently detailed and succinctly readable so that consumers can make meaningful choices about use of the data that describes them. This type of system forces a person to be responsible for her own data protection and takes the onus off of the company to limit its use of the data. It is like our current system of waste recycling – both ineffective and supported by polluters, because rather than forcing manufacturers to use more environmentally friendly packaging, it pushes consumers to deal with the problem at home, shifting the burden from industry to us.  Similarly, if the legislatures provided a set of simple rules for website operators – here is what you are allowed to do with personal data, and here is what you are not allowed to do with it – then no one would read privacy policies to make sure data about our transactions was spared the worst treatment. The worst treatment would be illegal.

State laws are moving in this direction, providing simpler rules restricting certain uses and transfers of personal data and sensitive data. We are early in the process, but if the trend continues regarding omnibus state privacy laws in the same manner that all states eventually passed data breach disclosure laws, then we can be optimistic and expect full coverage of online privacy rules for all Americans within a decade or so. But we shouldn’t need to wait for all states to comply.

Unlike the data breach disclosure laws which encourage companies to comply only with the laws relevant to their particular loss of data, omnibus privacy laws affect the way companies conduct the normal course of everyday business, so it will only take requirements in a few states before big companies start building their privacy rights recognition functions around the lowest common denominator. It will simply make economic sense for businesses to give every US customer the same rights as most protective state provides its residents. Why build 50 sets of rules when you don’t need to do so? The cost savings of maintaining only one privacy rights-recognition system will offset the cost of providing privacy rights to people in states who haven’t passed omnibus laws yet.

This won’t make privacy policies any easier to read, but it will become less important to read them. Then privacy policies can return to their core function, providing a record of how a company treats data. In other words, a reference document, rather than a set of choices inset into a pillow of legal terms.

We shouldn’t eliminate the privacy policy. We should reduce the importance of such polices, and limit their functions, reducing customer frustration with the privacy policy’s role in our current process. Limit companies’ use of data and we won’t need to fight through their privacy options.


ENDNOTES

1 Privacy law also conflates these meanings with obscurity in a crowd or in public.


Article By Theodore F. Claypoole of Womble Bond Dickinson (US) LLP

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.