by Eric D. Morton
You a launch a website for ecommerce. Your web developer posts a standard (i.e. generic) privacy policy. Your customers use the site and its a success. You make changes, particularly as to how your site processes customer information, and you hire a company to help process that information. Everything is fine until you are served with a class action lawsuit that accuses you of violating a criminal anti-wiretapping statute! Your privacy policy was out of date. Your company has violated the criminal statute and a number of privacy laws.
Commercial websites need constant maintenance of their systems, graphics, background systems, and their privacy policies. Not only are new privacy laws going into effect throughout the United States and the world, but old laws are being used against owners of commercial websites.
Cyber Wiretapping
California and most other states have laws that prohibit wiretapping or electronic eavesdropping. These laws were written some time ago and were concerned with classic wiretapping of telephones lines and eavesdropping on conversations. California Penal Code Section 631 (a) of the California Invasion of Privacy Act (“CIPA”) prohibits anyone from learning the contents of a communication without the consent of all the parties. Violation of this law is a crime but the victims of a violation of the law can also pursue civil action.
These anti-wiretapping laws are now being used against companies operating ecommerce websites and do not reveal that third parties are monitoring or accessing information of website visitors. In a recent Federal case in California, a consumer visited the website of an insurance company and filled out an application. Unknown to the consumer, a third party, contracted by the insurance company, was monitoring the consumer’s interaction with the website and created a video recording of the interaction. The consumer sued under the CIPA both the insurance company and the third party monitoring the site on the grounds that the insurance company did not obtain the consumer’s consent before monitoring the consumer’s interactions on the website. A Federal appellate court held that consent must be given in advance of monitoring or recording by a third party.
Disclosure and Consent
Two guiding principles of all privacy laws are accurate disclosure and informed consent.
Websites must 1) accurately describe how visitors’ information (data) will be used and 2) obtain consent from visitors before collecting their data. Furthermore, the website must inform consumers if their data will be collected by, and/or shared with, third parties.
Too many websites have generic privacy policies that do not reflect all of what they do with their visitors’ data. If those privacy policies are incorrect, then consumers cannot give legal consent to the collection and use of their data. The companies operating those websites are violating a number of privacy laws, including potentially anti-wiretapping law mentioned above.
Companies should periodically review their online marketing practices, website operations, privacy disclosures, and visitor consent processes, and update their privacy policies accordingly. If they are uncertain of how to comply, they should consult with an attorney.
Eric D. Morton is the principal attorney of Clear Sky Law Group, P.C. He can be reached at 760-722-6582, 510-556-0367, and emorton@clearskylaw.com.