A client recently asked me to identify the next wave of data privacy litigation. I said that with so much attention on lawsuits arising from data breaches, particularly in light of some recent successes for the plaintiffs in those lawsuits, the way in which companies collect information and disclose what they are collecting is flying under the radar. This “failure to match” what is actually being collected with what companies are saying they’re collecting and doing with that information could lead to the next wave of data privacy class action litigation.
What can companies do to minimize this risk? To minimize the risks, companies should begin by evaluating whether their privacy policies match their collection, use, and sharing practices. This process starts with the formation of a task force under the direction of counsel that is comprised of representatives from legal, compliance, IT, and marketing and that is dedicated to identifying: (1) all company statements about what information is collected (on company websites, in mobile apps, in written documents, etc.); (2) what information is actually being collected by the company’s website, mobile app, and other information collection processes; and (3) how the information is being used and shared. The second part requires a really deep dive, perhaps even an independent forensic analysis, to ensure that the company’s statements about what information is being collected are correct. It’s important that the “tech guys” (the individuals responsible for developing the app/ website) understand the significance of full disclosure. Companies should also ask, “do we really need everything we’re collecting?” If not, why are you taking on the additional risk? Also remember that this is not a static process. Companies should regularly evaluate their privacy policies and monitor the information they collect. A system must be in place to quickly identify when these collection, use, and sharing practices change, so the policies can be updated promptly where necessary.