Virginia Hammerle

“He doesn’t know anything except facts.”

— James Thurber, cartoon caption, The New Yorker, 1937

The well-known facts about consumer business and privacy laws are wrong.

Most privacy laws don’t apply to consumer businesses.

The Gramm-Leach-Bliley Act (GLBA) restricts the transfer of customers’ personal information, but applies only to financial institutions and companies significantly engaged in financial transactions.

That doesn’t include most consumer businesses that deal in goods and services.

The Federal Trade Commission has declared that a failure of any business to take efforts to protect the information it collects is an unfair business practice in violation of Section 5 of the FTC Act. 15. It strongly suggests that all business use the “Safeguard Rule” found in the GLBA as a guideline for reasonable steps to protect consumer information.

The FTC has gone after at least two big companies — Cardsystems and GSW Inc. — on this theory and reached consent agreements.

The second major federal privacy law — HIPAA — doesn’t apply to a consumer business that is not a health plan, a health care provider or a health care clearinghouse.

There are a few state laws out there that require some sort of privacy of consumer information. Texas requires that Social Security numbers and driver’s license numbers be protected.

Credit card associations sometimes have requirements in their contracts that customer’s information is confidential — specifically the card number.

A few courts have found an invasion of privacy when a business discloses a credit card or Social Security number.

The real legal liability to most consumer businesses comes at their own hand — their online privacy policy.

The FTC and the state attorney generals will enforce an online privacy policy against the consumer business.

What makes this quixotic is that consumer businesses aren’t required by law to post an online privacy policy, except for California customers.

Some consumers have tried to bring a private lawsuit against a consumer business based on the online policy.

These cases are usually framed as breach of contract or fraudulent inducement claims, and have had mixed results.

California aside, there is no all-encompassing federal law or consistent state law trend governing online privacy policies or their amendments.

The FTC acknowledges that it does not have the authority to require firms to adopt privacy policies or to include certain elements in their privacy policies; they may only take action when they deem a corporation’s practices to be unfair or deceptive.

Regardless of whether or not a consumer business formally posts a privacy policy, it should have internal safeguards in place to protect private information.

These include collecting only the information necessary to sell the goods or render the service, ensuring the information is password protected with limited access, and not selling or conveying any information to a third party without getting an updated report on applicable federal and state laws.

VIRGINIA HAMMERLE, an attorney with Hammerle Finley Law Firm (www.hammerle.com), is board certified in civil trial law by the Texas Board of Legal Specialization. She has been writing legal columns for 25 years. The information contained in this column is general information only and does not constitute legal advice. She can be reached at vnh@hammerle.com or 940-383-9300.