Privacy Violation Consequences
The consequences for violating privacy policies are minimal. As mentioned in the Amazon case, no punishment was levied against Amazon. In most cases, self-regulation by the industry is the only thing that even makes companies use a privacy policy. So breaking it carries no retribution other than public outcry. Although, public advocates have forced companies and the government to take privacy policies seriously and will continue to do so in the future. Laws such as COPPA will carry penalties for non-compliance, but these laws do not strictly enforce an actual privacy policy.
The U.S. has a history of punishing companies for blatant violations of privacy rights. In the case of Boling vs. Tennessee State Bank (1994), a bank was liable to borrowers for $14,825 in compensatory damages for disclosing borrowers' personal information and business plans to a bank president who had a conflicting interest. Fraudulent misrepresentation requires either actual knowledge or at least the belief that the representation is false. Liability can also be attached to the case for negligent misrepresentation of services or intent. Whoever makes a false statement in the course of his business, profession, employment, or any transaction can be held liable “if he fails to exercise reasonable care or competence in obtaining or communicating the information.” This case was a use of information, not a collection of information judgment.
In another recent case, the Superior Court of Connecticut held that a failure by an electric utility to disclose its reporting of customer payment information to national credit agencies sustained a cause of action for misrepresentation, Brouillard vs. United Illuminating Co. The plaintiff was denied credit because the defendant reported payments not received within 30 days of the billing date as “late,” and the plaintiff was not informed of the policy. The court specifically held that “a claim for negligent misrepresentation can be based on the defendant's failure to speak when he has a duty to do so.” Fraudulent intent is not a necessary element in a cause of action for negligent misrepresentation. This type of case effects how information on what is collected and reported affects consumer personal information and privacy. Disclosing information without consent can be punished, and recent laws are making punishing such violations easier.
In the case of AmSouth Bancorporation, a class action lawsuit alleged the defendant “exploited the trust depositors placed in the Bank, by sharing confidential information regarding Bank depositors and their [consumers'] accounts” to enable a bank affiliate to sell mutual funds and other investments. This is, of course, prior to GLB. The legality of what companies have done that can compromise the privacy of consumers is not clearly defined by laws. Court cases will eventually determine what is lawful and what is not. Damages are often awarded in such cases when it is made clear that the consumer has been taken advantage of.
The litigation against Amazon and Alexa was of a similar type of action, but that was not prosecuted because Amazon and Alexa corrected the issues that brought the lawsuit. The Computer Fraud and Abuse Act was cited as using unlawful access to stored communications, and the Electronic Communications Privacy Act was cited for unlawful interception of electronic and wire communications. The unknowing collection of personal information was debated in the Amazon case. In cases such as AmSouth Bancorporation, laws could be cited that were broken. When it comes to companies collecting and sharing your information through legal means such as cookies and buying e-mail lists, as was the case with Amazon and Alexa, your legal rights are not being broken and you have no recourse to stop it until new laws are passed.
New laws and proposed laws are providing for more direct consequences to privacy violations against specific laws. The pending Online Privacy Protection Act of 2001 makes it unlawful for an operator of a Web site or online service to collect, use, or disclose personal information concerning an individual (age 13 and above) in a manner that violates regulations to be prescribed by the FTC. The operator must protect the confidentiality, security, and integrity of the personal information it collects. The FTC will be directed to provide incentives for self-regulation, and the government can bring action against a site on behalf of the public. It provides for enforcement of this act through the Federal Trade Commission Act. This is a step in enforcing protection of user information in a tangible manner because these punishments are specific to laws and not site privacy policies.