Effective May 25, 2017, privacy statements that are “materially inconsistent” with how you handle consumer information violate a new amendment of the Oregon Unlawful Trade Practices Act (“UTPA”).[1]  A consumer may file a complaint against you based on the belief that you handle consumer information inconsistently with the terms of your privacy statements.  The Oregon Attorney General (“AG”) or a local district attorney (“DA”) has discretion to initiate an “investigative demand,” enforce a voluntary settlement, or “assurance,” that requires you to pay restitution or punitive damages to the injured consumers, or enjoin your behavior.  Granted, you have the right to defend your interests and recoup damages that you incur due to a frivolous or malicious complaint.  However, in responding to an investigative demand, you still have to review your statements and processes to demonstrate consistency between your processes and statements to the FTC, AG or DA.  The first step in the journey is to conduct an audit proactively.

The amendment reinforces that performing an annual review of privacy statements and information handling processes is a good practice.  A responsible, comprehensive review should include your online privacy policy and the privacy statements in consumer contracts, cloud-hosting agreements, registration requirements and any other documents that describe your information processes and the information you require consumers to provide to you.  You should know how you and your organization process data before an AG or DA compels a public review by way of an investigative demand.

A “material inconsistency” between what you practice and what you preach violates the amendment to the UTPA.  Privacy statements about consumer information explain how, and for what purpose, the information is:

  • Collected,
  • Used,
  • Stored,
  • Disclosed,
  • Discarded, or
  • Deleted.

If you state that you only disclose consumer information to your vendors, you should only disclose the information to vendors.  If you disclose information to third-party marketers without updating your privacy statements to identify the change in your process, you are taking action that is materially inconsistent with your privacy statement.

Your privacy statement should notify consumers of their right to control the information you collect and how you use it. Good privacy statements also explain why you need certain consumer information to meet your contractual obligations to the consumer.  Ideally, consumers will understand precisely what you will and will not do with their information after reading your privacy statements.  If consumers cannot understand your privacy statements, the probability of confusion and a resulting complaint increases.  Clarity is important in privacy statements to minimize the chance that consumers believe compliant companies use consumer information inconsistently with public privacy statements.

Now is the time to review the privacy statements in your consumer contracts, websites and publications.  Conducting a voluntary audit serves several purposes, including:  (1) avoiding a violation, (2) demonstrating your commitment to protect consumer information and (3) signaling your desire to meet the spirit of the amendment.  Additionally, if you are the subject of an investigative demand, you will benefit from already having information from your audit to formulate a defense.  Having current information immediately available to the investigating office may substantiate your commitment to comply voluntarily with the amendment.

Investigative demands may encourage voluntary compliance with the amendment. The stated purpose of an investigative demand is “to receive an assurance of voluntary compliance.” The investigative demand may require the subject, under oath or otherwise, to:

  • appear and testify,
  • answer written interrogatories,
  • produce relevant documentary material or physical evidence for examination,
  • agree or respond to an order restraining/halting the alleged unlawful practice, or
  • deliver an assurance of voluntary compliance.

O.R.S. § 646.618.

An assurance of voluntary compliance sets forth what actions, if any, the subject of the investigation intends to take with respect to the alleged unlawful trade practice.  The prosecuting attorney has discretion to reject a voluntary assurance, obtain a temporary restraining order or institute a collection or enforcement action for unpaid monies or violation of the assurance. O.R.S. § 646.632(3) and (7). The voluntary assurance may include the payment of restitution to consumers who have . O.R.S. §§ 646.632.  The court may also impose penalties up to $25,000 per violation in some circumstances and an award of reasonable attorney fees and costs at trial and on appeal.  O.R.S. § 646.642.  A “violation” includes each separate occasion on which you mishandle consumer information for each consumer, so there may be multiple violations associated with one consumer.

Investing in the review of privacy statements alongside your consumer information processes may be cheaper than responding to an investigation.  There are many “hidden” expenses associated with responding to an investigative demand:

  • Potentially harming your reputation with consumers and your business associates.
  • Responding to the investigation may distract employees and owners from doing their jobs.
  • Incurring unbudgeted legal fees to defend yourself and/or to prosecute your claim for a frivolous complaint.

Best practices:  Avoid the stress, strain and worry of an investigation by taking a few hours to audit your policies, contracts and processes at least once a year.

  • If you regularly conduct business in a state that enacts amendments and new legislation on a specific date, schedule your audit before the effective date to avoid a last minute scramble to comply.
  • Monitor the FTC’s decisions, rules and enforcement actions.  You can register through the FTC and most state attorney general websites to receive information about consumer privacy enforcement, legal updates and tips to help businesses comply with consumer protection rules: https://www.ftc.gov/stay-connected.
  • If you conduct business primarily online, see where your customers are located and familiarize yourself with the laws in those jurisdictions.[2]
  • You may want to test whether someone with a demographic profile similar to your typical customer understands your privacy statements.
  • Review the Consumer Complaint Form in the jurisdictions where you conduct business.  They generally identify specific classes of people the enforcement agency has a particular interest in protecting.  For example, the Oregon Department of Justice considers whether the complainants are veterans, over the age of 65 or speak English as a second language:  http://www.doj.state.or.us/consumer/pdf/consumer_complaint.pdf.
  • Ask someone unfamiliar with your business to read your privacy statements to test them for clarity.

Conducting a voluntary audit may be money well spent. If you do not have access to a money tree, run the numbers and make the business decision that works for you.

[1] The amendment is similar in application and remedy to the “deceptive” and “unfair practices” consumer protection regulations the Federal Trade Commission (“FTC”) enforces.  https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises.

[2] California, for example, requires entities that collect personal information from California residents to include statements regarding online privacy in privacy policies.  https://oag.ca.gov/privacy.

An earlier version of this blog indicated that consumers have a private right of action under the amendment.  At this time, enforcement actions are expressly available only to government actors.  Presumably, the legislature will determine whether there is an implied right of action.