Will Self-Regulation Bring Tort Liability for Privacy Standards?For many years, antitrust law stood as an obstacle to privacy self-regulation. At least, that is what some trade associations, like the Direct Marketing Association, contended. The traditional view was that an association could not impose requirements on its members without facing liability under antitrust laws. A member who did not follow the guidelines could claim that the association's enforcement injured their ability to compete.
In some instances, it's easy to understand how association activities could violate antitrust laws. Suppose that an association decided that all members must raise prices for shipping and handling by 10 percent. The antitrust implications of concerted price fixing should be apparent. If you don't understand this point, you definitely need to spend a few hours with your lawyers. Whether rational privacy guidelines developed and applied fairly and impartially by an association would also violate antitrust laws was always far from clear.
Still, fear of litigation was the stated reason the DMA never adopted mandatory privacy guidelines in the past. That barrier disappeared when Robert Pitofsky, chairman of the Federal Trade Commission, said that the FTC would not take action against a trade association that wanted to adopt enforceable privacy guidelines. The real fear of privacy legislation and increasing public pressure also helped to turn the DMA around.
Now that we have weak but mandatory privacy guidelines from DMA, can the guidelines create a different type of liability? I recently attended a conference that considered the liability implications of clinical practice guidelines for physicians. It turns out that practice guidelines and privacy guidelines have some similarities and both raise the specter of tort liability.
Can an association be liable to consumers for adopting inadequate guidelines? To be more specific, if a trade association acts negligently in setting standards and a customer is injured by a member company that relied on the association's standards, can the trade association be sued by the customer for its negligence?
One immediate reaction might be that the association has no duty to the customer and cannot be liable. Whatever the company did is the company's problem, and it's either liable or not for its actions.
That was the defense in a 1996 New Jersey case called Snyder vs. American Association of Blood Banks. The New Jersey Supreme Court held that the blood bank association had a duty of care to persons receiving blood transfusions from its members. When the association failed to recommend that its members undertake HIV testing for donated blood, it breached that duty and was found to be liable to an individual who was infected as a result of a transfusion from a blood bank that was a member of the association.
Lawyers can suggest ways to distinguish privacy guidelines from blood screening guidelines and to differentiate the DMA from an association of blood banks. Even if a customer could demonstrate that a privacy guideline adopted by an association was negligent, the customer would still have to prove that it was the DMA member's reliance on the guidelines caused the injury.
Nevertheless, even a cursory look at some of DMA's privacy materials reveals language recognizing a duty to protect the privacy of customers. A DMA privacy management top 10 list tells companies to "recognize and respond to consumer privacy expectations." Another item tells companies to "protect your customers." Other guidance tells marketers to ensure that "safeguards are built into their systems to protect health and medical data from abuse, theft, or misappropriation." DMA's privacy rhetoric might help a consumer make the case that the guidelines fail to live up to the goal of protecting consumer privacy.
I do not want to get carried away with the argument here. At best, it is an open question whether a trade association could be found negligent for failing to tell its members to provide better privacy protections for consumers. Of course, lawyers told the blood bank that it wasn't negligent either, and they were wrong.
Proving damages in privacy cases is usually difficult and sometimes impossible. Showing a chain of causation for an invasion of privacy can be hard too. It's not the same as showing that a patient who received blood from a blood bank developed AIDS. Lawsuits involving AIDS have sometimes produced surprising and unexpected results.
But who knows whether someone selling a list of AIDS or HIV sufferers might not provoke a similar lawsuit on the grounds of inadequate notice, insufficient opportunity to opt out, or another failure to comply with fair information practices. The facts might be just as compelling with other medical conditions. The sale of telephone numbers to telemarketers or of other personal information to police or bill collectors might also be actionable. Any trade association for an industry that trafficks in personal information could be vulnerable if it has incomplete privacy guidelines.
I came away from the medical conference with the feeling that medical associations may be in the wonderful position of being damned if they have clinical practice guidelines and damned if they don't. In the case of privacy, failure to have good guidelines increases the chance of legislation. But weak guidelines could produce litigation.
If consumers ever find a way to use tort law to force trade associations and their members to adopt meaningful privacy standards or to pay damages for their failure, legislation would suddenly look a lot more attractive.
Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House of Representatives' subcommittee on information, justice, transportation and agriculture. His e-mail address is firstname.lastname@example.org.