“War is too important to be left to the generals.” – Georges Clemenceau
Imagine going out on a date and having to bring along your little brother or sister. It’s not that their presence is overbearing (unlike, say, your father’s). It’s that they’re eager, interested and generally clueless.
So it often is with company privacy programs and lawyers.
The Rise of the Privacy Function and Privacy Rules
Privacy as a corporate discipline arose because electronic databases and the internet made data incredibly accessible. Access, in turn, created a market for the data. It was one thing for the owner of the friendly corner store to know what kind of toys you liked, beer your father drank or magazines your mother read. It’s another thing when that information can be sold instantly and globally to thousands of marketers or posted on social media. What’s worse, a global black market in data has made hacking not just fun, but highly profitable.
The prospect of a data free-for-all served nobody’s commercial interests. One hundred years before the internet, even a world-class cynic like Mark Twain observed that “a business cannot thrive where the parties to it cannot trust each other.”
The modern response involved associations like the Internet Advertising Bureau (IAB) and Network Advertising Initiative (NAI) adopting privacy codes and guidelines. Of course, many people – and not just Bernie Sanders supporters – take a dim view of such efforts. They think private businesses amoral, rapacious predators eager to use and abuse consumers for short-term gain.
There are bad apples, to be sure. But, except for Don Rickles, few people can make a living out of offending their customers. The IAB and NAI guidelines represented a sincere attempt to strike a balance between consumers’ privacy concerns and fast-growing and ever-changing online business models.
And, of course, governments also got into the act. State governments passed data breach notification laws. The federal government enacted a patchwork of laws focused on financial data (Gramm Leach Bliley), health care (HIPAA, HITECH), spam, etc. Canada and the EU passed comprehensive privacy laws/directives. The Federal Trade Commission (FTC) has no direct statutory authority to regulate internet privacy, except with respect to children (COPPA). To gets its bureaucratic nose under the tent, the FTC has encouraged companies to post their privacy policies, then hammered them for deceptive trade practices when these policies are violated. The FTC has also issued a breach-disclosure rule regarding health data. In short, in the United States and abroad, proposing and adopting new privacy laws, regulations and rules represents a growth industry.
Which brings us back to lawyers.
What Role for Lawyers
Generally, the first Chief Privacy Officers (CPOs) were not only lawyers, but reported to the General Counsel. Over time, however, many CPOs – and the privacy function they led – shifted to the CIO or COO.
This shift has occurred because at root, privacy is an operational and marketing issue. Privacy rules are typically straightforward, if occasionally asinine. Citing them is easy; implementing them is hard. This is because the rules require companies to do things like implement “reasonable and appropriate security” (HIPAA), or “a comprehensive written information security program…appropriate to [the] complexity of the institution” (Gramm Leach Bliley). Such rules ultimately depend on technical and operational, rather than legal, analysis.
On the back end, privacy rules concern architecture, firewalls, access protocols, password requirements, etc. Operationally, companies need to treat sensitive data like hazardous chemicals, at once both useful and potentially deadly. Best practices involve avoiding accepting such information, deleting it as soon as possible, obfuscating sensitive elements, etc.
On the customer-facing side, businesses need to consider their “social compacts” with customers. This means managing the privacy and commercial expectations customers have when interacting with the business and its website. It also means managing change in a way customers will understand and accept. By analogy, a nightclub, at differing times on differing nights, might leverage differing “social compacts” with customers. For example, the club might impose a cover charge, require a drink minimum, insist that those sitting at a table buy a bottle of liquor or champagne, etc. In the right social context, the nightclub might even get customers to accept and reward the club for overt discrimination – e.g., Ladies’ Night. What matters is that the social compact is made clear to customers and matches a paradigm customers recognize and accept.
Businesses thrive when they please their customers. In the online world, establishing and evolving social compacts with customers represents a critical marketing function.
Deciding Who Drives
The technical/operational back end and the marketing front end are areas where business leaders have to lead. Systems and social compacts need to evolve with changing technology, rules and consumer expectations.
The lawyers have a role to play to be sure, but it should be a supporting and enabling one. The company must follow the law. The company needs to keep its privacy promises. But the lawyers also have to bear in mind that the only business with perfect privacy is one that has shut down.
So, by all means, bring the lawyers along. But, as with your kid brother/sister, don’t let them drive.