The recent settlement between Apple and the Federal Trade Commission (“FTC”) highlights (yet again) why accounting for information privacy and security compliance as part of your company’s comprehensive legal strategy is so important. Quite frankly, it really is no longer a recommended best practice, but a requirement. Well, unless your company has $32 million lying around to refund to customers because it allegedly ran afoul of proper practices for customer notice and consent.
Rather than litigate, Apple chose to settle this case involving in-application purchases made by consumers on its iPhones and iPads. The FTC alleged that Apple violated Section 5 of the FTC Act for “unfair acts or practices” when the company did not inform its device owners that entering their password once would then open a fifteen‑minute period during which individuals, particularly children, could download applications without requiring authorization for the charges. As a result, children were able to download thousands of applications without their parents’ knowledge. Well, not until the charges showed up on their iTunes accounts. FTC representatives claimed Apple’s in-app purchases violated the Act when failing to tell customers that entering a password to authorize the buy would incur these additional charges. As a result of the settlement, Apple will pay back a minimum $32.5 million to affected customers and must change billing practices to ensure that express, informed consent is received prior to such transactions taking place.
Now, the FTC only alleged violations of the FTC Act, but this issue could have easily involved the Child Online Privacy Protection Act (“COPPA”), as well as issues with both federal and state guidance on the need for clear notice, choice and consent options in the newly- developed mobile applications. And these are but a few areas. The truth of the matter is that data moves through products and companies much like water. If you do not have a clear plan for it, you could have issues throughout your enterprise. These issues may appear quickly, such as a data breach as a result of a hacker exposing a vulnerability in your firewall or the security of your new mobile app. Or, the issue may materialize over years, such as failing to have (and follow) a data retention and destruction schedule resulting in your company having exponentially more information subject to data breach, or maybe even discovery in litigation, years later. A company must take a comprehensive approach to its information privacy and security as part of any responsible information management program. Failing to do so exposes a company not only to litigation risk, but brand damage as a result of customer dissatisfaction and relentless media exposure.