I see privacy policies going the same route as the Federal CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act, which became effective January 1, 2004. The idea of the CAN-SPAM Act, which spells out penalties for spammers, originated in California. Other states began issuing similar laws, and dealing with these Internet laws that vary slightly from state to state was a nightmarish proposition for companies that conducted business on the Web. The Federal CAN-SPAM Act preempted all the state laws.
We are seeing a similar scenario with privacy policies. Right now, there are 22 states that have a breach-of-security law on their books, which essentially means that a company needs to inform customers if any information (i.e., first name, last name, credit card or Social Security number) has been digitally stolen. Like the state spam laws that existed before the Federal CAN-SPAM Act, the state laws are not identical, which makes it extremely difficult to comply if you have a national business.
Will there be a future federal privacy-policy act?
If the CAN-SPAM Act is any indication of the wave of the future, you can bet that there will soon be a federal privacy-policy law. So it would be wise for companies doing business on the Web to start thinking about their privacy policies.
One caveat: once you write one, the Federal Trade Commission considers it binding, so you can be exposed to FTC legal action if you mislead your customers about what you do with their information. So make sure you run it by your attorney first.
Benita A. Kahn is a certified privacy professional and an attorney whose practice areas include privacy, telecommunications and energy law. She is a partner at Vorys, Sater, Seymour and Pease LLP, one of the largest law firms in the United States with offices in Columbus, Akron, Cincinnati and Cleveland, Ohio, as well as in Alexandria, Va., and Washington, D.C. Reach Kahn at (614) 464-6487 or firstname.lastname@example.org.