A continuing legal education program on the privacy issues in transactions including credit applications and issuance, asset purchases, mergers and acquisitions, marketing and advertising and bankruptcy, given on May 21, 2013 by Jonathan I. Ezor at Olshan Frome Wolosky in New York City.
2. Privacy and Data Protection
in Business: Laws and
Practices (LexisNexis 2012)
http://ezor.org/privacybook
3. Privacy Has Dual Meaning
In Business World
• Freedom from having behavior monitored
– In person
– Over the Internet
• Protection of “Personally Identifiable Information”
– Any fact(s) that can identify a unique individual
– Issues of use, misuse and disclosure
• PII more often subject of laws, policies
• Digital age added significant weight to privacy
issues
jezor@olshanlaw.com
4. Legal Issues Relating to
Privacy
• Constitutional/statutory/regulatory protections
• Gov’t practices
• Business collection/use of data
• Sensitive info (financial, health)
• Reputational damage
• International concerns
• Others
jezor@olshanlaw.com
5. Consumer Privacy:
Value Versus Value
• Consumers may benefit from information use
– Regular customers’ preferences known
– Sales linked to previous purchases
• Businesses benefit from collecting, using
information
– PII
– Behavior (purchases, etc.)
• Issue is balancing value to consumer against
value of consumer
jezor@olshanlaw.com
6. 2012 White House Consumer
Privacy Bill of Rights
• Individual control over what personal data organizations collect
from them and how they use it
• Transparency that allows consumers to easily understand
information about privacy and security practices
• Respect for the context in which consumers provide data
• Security and responsibility in the way companies handle personal
data
• Access to personal data in usable format and an ability to correct
errors
• Reasonable limits on the personal data that companies collect and
retain
• Accountability as to how companies handle personal data
jezor@olshanlaw.com
7. Privacy Policy:
Primary Self-Regulatory
Method
• Consumers must be informed to make proper
decisions regarding use of their information
• As with securities, information provided through
disclosure, via privacy policy
• Accuracy a requirement
• FTC, others may penalize inaccurate privacy
policies
jezor@olshanlaw.com
8. Example Transactions
Raising Privacy Concerns
• Credit checks and issuance
• Asset purchases, mergers and
acquisitions
• Advertising and marketing deals
• Bankruptcy
jezor@olshanlaw.com
9. Credit: Privacy Concerns
Before and After
• Lenders & merchants may seek to
check credit
– FCRA applies
– Adverse Action notice
– Also for employment
• Companies maintaining accounts must
comply with Red Flags Rule
jezor@olshanlaw.com
10. FTC Red Flags Rule
• Covers all businesses that maintain ongoing
billing accounts
• Requires ongoing audits of potential “red
flags”
• Enforcement repeatedly delayed, now active
• http://ezor.org/redflagsrule
jezor@olshanlaw.com
11. Asset Purchases &
Mergers/Acquisitions:
Buying Customer Data
• Customer data have significant value
• Privacy policy must have disclosed possibilitiy prior
to collection
• Consequence could be fine, loss of asset value
• Must be part of due diligence
• In M&A, employee data also a factor
• International law concerns
jezor@olshanlaw.com
15. Advertising & Marketing
• Joint ventures, list rentals, other uses
of collected personal information
• Can be difficult to verify permission for
sharing
• Good faith reliance on representations
not enough
jezor@olshanlaw.com
18. Bankruptcy
and Customer Data
• Customer information often part of
bankruptcy
– Reorganization
– Asset sale
• Privacy policy provisions remain binding
• Toysmart early FTC case
• 11 USC §§ 332 , 363 (b) and privacy
ombudsman
jezor@olshanlaw.com
19. Key Points to Consider
• Disclosure (privacy policy) binding and
enforceable
• Privacy falls under broad consumer
protection jurisdiction
• Different laws in different countries
• Reputation damage also a factor
jezor@olshanlaw.com