The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Thursday, July 05, 2007
I was just browsing Google Inc.'s Form 10-K for 2006 and happend upon this little tidbit under "Risk Factors":
Google Form 10-K for 2006
Privacy concerns relating to our technology could damage our reputation and deter current and potential users from using our products and services.
From time to time, concerns have been expressed about whether our products and services compromise the privacy of users and others. Concerns about our practices with regard to the collection, use, disclosure or security of personal information or other privacy-related matters, even if unfounded, could damage our reputation and operating results. While we strive to comply with all applicable data protection laws and regulations, as well as our own posted privacy policies, any failure or perceived failure to comply may result in proceedings or actions against us by government entities or others, which could potentially have an adverse affect on our business.
In addition, as nearly all of our products and services are web based, the amount of data we store for our users on our servers (including personal information) has been increasing. Any systems failure or compromise of our security that results in the release of our users’ data could seriously limit the adoption of our products and services as well as harm our reputation and brand and, therefore, our business. We may also need to expend significant resources to protect against security breaches. The risk that these types of events could seriously harm our business is likely to increase as we expand the number of web based products and services we offer as well as increase the number of countries where we operate.
A large number of legislative proposals pending before the United States Congress, various state legislative bodies and foreign governments concern data protection. In addition, the interpretation and application of data protection laws in Europe and elsewhere are still uncertain and in flux. It is possible that these laws may be interpreted and applied in a manner that is inconsistent with our data practices. If so, in addition to the possibility of fines, this could result in an order requiring that we change our data practices, which could have a material effect on our business. Complying with these various laws could cause us to incur substantial costs or require us to change our business practices in a manner adverse to our business.
Just for fun, I thought I'd check out the 10-K's for Yahoo and DoubleClick.
Yahoo Inc. Form 10-K for 2006
Changes in regulations or user concerns regarding privacy and protection of user data could adversely affect our business.
Federal, state, foreign and international laws and regulations may govern the collection, use, retention, sharing and security of data that we receive from our users and partners. In addition, we have and post on our website our own privacy policies and practices concerning the collection, use and disclosure of user data. Any failure, or perceived failure, by us to comply with our posted privacy policies or with any data-related consent orders, Federal Trade Commission requirements or other federal, state or international privacy-related laws and regulations could result in proceedings or actions against us by governmental entities or others, which could potentially have an adverse effect on our business.
Further, failure or perceived failure to comply with our policies or applicable requirements related to the collection, use, sharing or security of personal information or other privacy-related matters could result in a loss of user confidence in us, damage to the Yahoo! brands, and ultimately in a loss of users, partners or advertisers, which could adversely affect our business.
A large number of legislative proposals pending before the United States Congress, various state legislative bodies and foreign governments concern data privacy and retention issues related to our business. It is not possible to predict whether or when such legislation may be adopted. Certain proposals, if adopted, could impose requirements that may result in a decrease in our user registrations and revenues. In addition, the interpretation and application of user data protection laws are in a state of flux. These laws may be interpreted and applied inconsistently from country to country and inconsistently with our current data protection policies and practices. Complying with these varying international requirements could cause us to incur substantial costs or require us to change our business practices in a manner adverse to our business.
Doubleclick Form 10-K for 2006
Privacy and Data Protection
We continue to be a leader in promoting consumers’ privacy and understanding the technologies that our clients, marketers, advertising agencies and data companies use to communicate with their existing customers and to acquire new customers. Our Chief Privacy Officer leads our privacy and data protection efforts. Our privacy team focuses on ensuring that we are effectively implementing our privacy policies and procedures and works with our clients to institute and improve their privacy procedures, while helping them to educate their customers about the privacy issues applicable to them. In addition, our privacy team actively participates in a number of industry privacy organizations.
Our business may be materially adversely affected by lawsuits related to privacy, data protection and our business practices.
We have been a defendant in several lawsuits and governmental inquiries by the Federal Trade Commission and the attorneys general of several states alleging, among other things, that we unlawfully obtain and use Internet users’ personal information and that our use of ad serving “cookies” violates various laws. Cookies are small pieces of data that are recorded on the computers of Internet users. Although the last of these particular matters was resolved in 2002, we may in the future be subject to additional claims or regulatory inquiries with respect to our business practices. Class action litigation and regulatory inquiries of these types are often expensive and time consuming and their outcome may be uncertain.
Any additional claims or regulatory inquiries, whether successful or not, could require us to devote significant amounts of monetary or human resources to defend ourselves and could harm our reputation. We may need to spend significant amounts on our legal defense, senior management may be required to divert their attention from other portions of our business, new product launches may be deferred or canceled as a result of any proceedings, and we may be required to make changes to our present and planned products or services, any of which could materially and adversely affect our business, financial condition and results of operations. If, as a result of any proceedings, a judgment is rendered or a decree is entered against us, it may materially and adversely affect our business, financial condition and results of operations and harm our reputation.
All three seem relatively boilerplate-ish, but what's interesting is that none of the 10-Ks go to any length to discuss how privacy and customer trust might be a real driver for their brands. Privacy and trust are taken for granted. Some dicussion elsewhere in each document includes privacy as part of their brands, but it is mainly in the context of risks to those brands.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.