Hiring Privacy Vendors and 'Set It and Forget It' No Longer Works, Lawyers Say
Recent settlements show the vulnerability of companies that hire privacy vendors and think they're in compliance, Frankfurt Kurnit attorneys said during a webinar Thursday. In addition, they noted that states besides California are becoming more active in privacy litigation and enforcement.
Daniel Goldberg, a privacy attorney with the law firm, said recent enforcement actions against Healthline (see 2507030026), Honda (see 2503120037) and Todd Snyder (see 2505060043) involved “sales, shares and targeted advertising ... and vendor solutions that did not work.” A recurring trend is that “companies hire a vendor [and] kind of ‘set it and forget it’” and “don't do their due diligence.”
Goldberg added he's had experiences where companies had “privacy compliance in place, it just wasn't working,” and enforcers “are looking very closely at that.”
Frankfurt Kurnit litigator Caren Decter agreed. Trackers used on a website “have to actually work properly,” she said, adding that it's also critical “to revisit those terms of service, your class-action waiver and your mandatory arbitration provision; decide whether you want those things, and if you do, make sure that they comply with the various laws.”
Goldberg noted that while the Healthline settlement involved health data, it has implications for all sensitive information. Companies should look “very closely at this settlement” because “it really gives a good look into what the attorney general's office is thinking about.”
Data brokers are another area “we've seen a large focus on” recently, Goldberg said, and “we're going to see a lot more, because it's about transparency.” Texas’ lawsuit against Allstate (see 2501130047) is an example of this, he added.
States are also increasingly focused on minors’ data, exemplified by Utah’s Snap case (see 2507020037) and Michigan’s suit against Roku (see 2504290068). Goldberg said those lawsuits are particularly interesting because they were “brought in states that you don't traditionally think of as regulatory powerhouses.” For example, Michigan lacks a state privacy law.
Still, Goldberg noted, “We still see California as being the leader in regulatory enforcement.”
Decter agreed that while California is where the recent explosion of privacy litigation began, other states are joining in. Wiretapping laws specifically were “the first iteration of creative plaintiff lawyers taking antiquated rules and statutes meant to apply to having a phone call or listening in on a phone call to new technologies,” she said.
She added some lawyers are “trying to explore a legal theory that when you put a pixel on a website, or you record a chat conversation with a chatbot -- like a customer service agent -- that you are collecting data from consumers and transmitting it to third parties without both parties consenting.”
However, courts are starting to push back, because “much of what is being recorded is anonymized … and that's not akin to listening to someone's conversation.”
Decter said “consent is always a defense.” However, “the issue is whether you're actually getting the type of consent that the plaintiffs view as necessary.” In the recent bankruptcy of biotechnology company 23andMe, many states and lawmakers argued that affirmative consumer consent would be needed for any sale of the company and its genetic data to be legal (see 2506100051 and 2506110047).
Another thing courts are considering in wiretapping cases is whether there is a protectable privacy interest in the information being disclosed to a third party. Additionally, courts are finding that trap-and-trace or pen-register claims (see 2503030050) cannot be argued, as the use of those devices would expose a user's entire search history, and not just their visit to one particular company website, Decter said.
Goldberg said paying attention to all state actions, even court decisions, is the best way for companies to be proactive on privacy. “Don't say, ‘Oh, well, California is the most active, therefore, I'm not going to pay attention to some of these other states,’” he said. “Even if they don't have privacy laws, they're using other tools to bring enforcement.”
“I actually expect to see a lot more of that,” Goldberg added, “because it's a way [for] regulators with smaller departments or that have fewer resources ... to bring actions under various laws.”