Deena Fischer

E-Business Law Group / Just1Group - Managing Partner/ Principal and CEO
Yardley, PA

    Read this! No. Seriously. Read this... Privacy Law Changes...

    August 9, 2009

    Normally, I wouldn't do this (and I apologize to those of you who read my legal blog on a regular basis, since I just posted this there too).  But it's too important to all of you for me not to repeat it here.

    Just When You Thought That You Were Compliant With Privacy Law

    by Deena Burgess, Esq.

    You're a responsible business owner.  I know that you are.  If you weren't, you wouldn't have stopped to read this blog post. 

    You know that you have to follow certain privacy laws regarding the information that you collect on your site.  You've even read my blog post on why you shouldn't use free privacy policies and hired a great lawyer to write them for you. 

    You're all done, right?

    Sadly, no. 

    The law is an ever-changing set of requirements.  And there's just been another change that you should be aware of.

    As of September 12, 2009, a new privacy law will go into effect in the State of Maine setting requirements for collecting and using information from minors in the State of Maine. 

    And it's a doozy.

    Here's the gist of what it says.  It says that you cannot collect any personally identifiable information from a minor in Maine without "verifiable parental consent". 

    Verifiable parental consent is defined as "any reasonable effort, taking into consideration available technology, including a request for authorization for future collection, use and disclosure described in the notice, to ensure that a parent of a minor receives notice of the collection of personal information, use and disclosure practices and authorizes the collection, use and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that minor."

    And even if you collected the information properly, there are prohibitions about using that information "for the purpose of marketing a product or service to that minor or promoting any course of action for the minor relating to a product."  There are also prohibitions against the transfer or sale of such information. 

    So, basically, even if you gather the information, you won't be able to use it.

    And there's no grandfather clause.  Starting on September 12th, you're responsible for making sure that your previously gathered lists are in compliance. 

    Here's the part where it gets interesting though...

    If you violate, you can end up in a great deal of trouble with the Maine Attorney General's office and there are civil penalties of $10,000 to $20,000 for the first violation (and $20,000 per violation thereafter). 

    But that's not all.

    Maine is also allowing for a private right of action for any minor whose personally identifiable information has been gathered or who has been marketed to in violation of the law.  They can sue for up to $250 per violation (or actual damage, whichever is greater) plus attorneys' fees and court costs. And, worse yet, if it is found that it was a knowing violation, the court can increase the award to three times the statutory amount (so, $750 per violation). 

    That's nothing to sneeze at.

    So, what should you do? 

    First, you need to amend your privacy policy to comply with the law and to amend your sign up process (if you're still allowing minors from Maine on your site) to create a way to comply with the verifiable parental consent portion of the law. I'm suggesting to my clients that they add a date of birth field to the sign up process and that they specifically exclude minors from Maine in their privacy policies.

    Next, you need to figure out a way to cull your current marketing lists that you've gathered to eliminate any minors from Maine.  I'm also suggesting to my clients that they send out an email to everyone they have in their list in Maine about the new law and requesting that those people respond with verification of their date of birth.  If people don't respond, they're off of the marketing list. 

    I'm interested to see how this will be applied and whether it will extend to social media platforms like Facebook, where a business can send out an email to their fan group.  By definition, those companies have gathered personally identifiable information about their "fans" and, as far as I know, there's no ability to keep someone from being a fan of a company based on their age.  My opinion is that, in order to comply with the law, if you have a Facebook fan group (or another similar group at another networking platform), you're going to need to send an email to all of the fans who are from Maine asking them to verify their age if they want to remain fans.

    And you need to get all of this done before the 12th of September.

    If you have more questions, drop me a message or an email.  I'm happy to discuss it.
