CAMBRIDGE, MA — Adopting a privacy policy is only the first part of the battle as far as Martin Eisenstein, a senior partner at Brann & Isaacson, Lewiston, ME, is concerned.
Eisenstein told a group at the New England Mail Order Association's spring conference yesterday that “a lot of companies believe, 'We've adopted a privacy policy — we're OK now,' [but] that is a real, real mistake.”
Forethought is key to a workable privacy strategy, Eisenstein said.
“The place where companies go bad is to simply adopt a lock, stock and barrel privacy policy without thinking about it, without determining how it's going to be implemented in practice,” he said.
He discussed several “danger areas.” The first is adoption of a policy that does not clearly describe how personal information is collected and what is done with that information. Another is not implementing the policy.
“Your privacy policy … is in effect a contract … and it's your promise,” he said. “It's both enforceable as a matter of goodwill but, more importantly, for purposes of lawyers, it's enforceable by contract law, it's enforceable by federal and state law and it's enforceable by these class-action vultures.”
The third issue is a Web site that uses an undisclosed technology, since some states view that as a violation of privacy policy.
“The state of Michigan says that if you don't disclose that, that is an unfair practice and we're going to take action against you,” he said.
Another pitfall Eisenstein described as “a real emerging issue” is state spam laws. He told the audience that 26 states have laws dealing with this issue.
“Most of us think that the e-mail laws are designed to deal with what they first were designed to deal with — [spam],” he said. “What they were originally designed to deal with were these e-mailers that were clogging up the ISPs … with bulk e-mails and oftentimes fraudulent e-mails.
“More recently, states such as Utah have adopted spam laws that apply over and above … to any e-mail that you send that is unsolicited unless the e-mail is sent to an existing customer. If there is any prospect out there for which you do not have an existing business relationship … you're potentially responsible under that state's law.”
And not being located in Utah provides no protection, Eisenstein said.
“[The Utah statute] says that if you violate the law, each e-mail for which you violate the law with is a statutory penalty of $10, regardless of what the damage is,” he said. “[You are also] talking about attorney's fees.”
Eisenstein said that a law firm in Utah has filed 200 lawsuits against companies accused of violating the law.
“Two of our clients have received a 'nice' letter from the law firm that says, in effect, 'We are prepared to file this lawsuit, but we'll go away for the mere sum of $10,000,'” he said.
A fifth problem is the failure to honor customer requests, including removal from a mailing or e-mail list, Eisenstein said.
