It would be nice if we could create laws before the situations they address present themselves, but the law rarely works that way. Here is how to provide digital policy guidance in an ever-changing landscape
Throughout history, new laws and regulations have always been developed in response to new, “disruptive,” situations that weren’t covered by existing laws. Laws prohibiting stealing, for example, weren’t needed until civilization developed the concept of property ownership.
That’s where we find ourselves today when it comes to digital media. Technology is developing at lightning speed, and courts around the globe are trying to keep up. But it will take years for law schools and even CLE classes to catch up -- and, by then, things will probably have changed even more.
Unfortunately, your clients and employers are facing serious digital risks now. They need your help and guidance today -- not after you’ve had a year or two to see how this all plays out.
So whether you’re a corporate attorney trying to counsel your employer on their digital policies, a member of a legal firm seeking to add value by advising your clients on digital, or an independent attorney hoping to take advantage of a golden opportunity to specialize, the question is the same: How?
That’s no small order. The first step is to understand that changes in the digital landscape affect everybody, not just big brands or global corporations. If an organization has a digital presence -- B2Bs included -- it’s at risk. Your job is to understand what some of those risks are so you can offer your client the right counsel.
So let’s look at some of the biggest areas of digital risk and the steps you should advise your clients to take to minimize that risk.
When everybody was talking about Big Data, many companies started collecting as much data on their customers as they could, even if they didn’t use it -- after all, it might come in handy someday.
Many countries are enacting regulations that turn this data into a liability. The EU’s General Data Privacy Regulation (GDPR) has attracted most of the attention, but other countries -- even some states, like California -- have enacted their own legislation.
Businesses with customers who are EU residents -- regardless of where the company is located -- have to comply with strict privacy rules, and the fees for non-compliance are no laughing matter.
For example, it’s been common practice to offer things like ebooks in exchange for email addresses -- addresses that were then added to the company’s promotional email list. Under the GDPR, however, you can no longer do that. You can’t collect an email address for one purpose and use it for another -- you have to get separate consent for each use.
Many businesses around the world are already following GDPR guidelines under the assumption that the world in general is embracing the concept that personal data belongs to the individual, not the company.
And customers are paying attention. Even if your clients aren’t legally obligated to post privacy statements, consumers are starting to realize that their data is valuable, and they’re going to become less and less willing to give it away for free.
Advise your clients to develop privacy statements for all of their digital properties (apps, for example), not just the website. The statements should assure consumers that the organization is committed to customer privacy and is actively focused on improving performance. Don’t let your clients say they’re 100% there if they’re not; instead, stress the importance of making a good-faith effort.
GDPR Resources and information
GDPR’s Legal Reach: The Long Arm of EU Regulations
How to Get on the Road to GDPR Compliance
Brazil's New General Data Privacy Law Follows GDPR Provisions
Data breaches are constantly in the headlines. Even the biggest organizations aren’t immune, and small companies often can’t survive a data breach: 60% shut their doors within six months. Even the largest companies can suffer a serious financial hit, and the PR backlash can last for years.
Payment Card Industry Data Security Standards (PCI-DSS) are the GDPR of the payment world, setting the standards for organizations that store, process, or transmit cardholder data.
Your clients are responsible for the security of their customer’s payment data at every stage in the process: from the register to the payment processor, from the processor to the merchant bank, etc. Your client is only as strong as the weakest link in the chain, so your advice should include triple-checking not only their own security protocols, but also those of everyone above and below them in the supply chain.
But security extends beyond transmitting payment data. It also addresses things like who has physical access to your servers, long-forgotten files stashed in closets, emails between employees, etc.
Stress the importance of data security. If your client doesn’t have the right talent in-house, urge them to bring in outside experts to do a thorough analysis of their security and to address any weaknesses. It’s also critical for your client to develop policies for mitigating and reporting a data breach (most jurisdictions have legislation addressing how to report a breach).
The Practical Tech Lawyer: Advising a Company on Data Security Compliance
What Lawyers Should Know About Data Security
Is Your Small Business Ready for a Data Breach?
Data Security and Data Breaches: What’s a Lawyer to Do?
Data Security: Advice from the Federal Trade Commission
Website accessibility is both one of the most neglected areas of digital policy and one of the easiest to fix.
Courts have ruled that the Americans with Disabilities Act applies to digital spaces as well as to physical ones. Other countries, such as the UK, Australia, and Canada, have similar laws. What that means for websites is that people with visual, hearing, and motor skill challenges must be able to use them.
It’s also important to know that, while accessibility may be an easy issue to overlook, it can be a costly one to ignore. In addition to potential lost sales from a market with considerable disposable income, lawsuits regarding website accessibility are skyrocketing, with defendants including such well-known organizations as H&R Block, Dominos, Winn-Dixie, Nike, Burger King, Hershey, Lord & Taylor, and Pandora.
The first step is to advise your clients to start an accessibility effort within the organization by adding an accessibility statement to their website, stressing their commitment to making it accessible to everyone. The statement shouldn’t be a pat on the back (unless, of course, your organization has already achieved full compliance), but, instead, a good-faith commitment to meeting consumers’ needs.
There are many components to website accessibility, but there are a few that are relatively easy to do and support your good-faith efforts at compliance:
Those steps are just the low-hanging fruit. For more information on how your clients can make their websites accessible, please refer to the recommendations put forth by the World Wide Web Consortium (W3C).
10 Ways to Make Your Website Accessible
10 Tips for Making Your Website Accessible
Many organizations rely heavily on user-generated content (UGC). For one thing, it’s free advertising. For another, it scores high on authenticity, which is extremely important to today’s consumers.
Unfortunately, it doesn’t come without risks.
These are a few of the risks associated with UGC:
Talk to your clients about whether and how they use UGC. For those who do, examine their processes and plug any immediate holes (like requiring users to confirm that do indeed own the content they’re submitting). Another immediate step should be to have someone review all user content before it’s posted publicly -- and that person should have a list of criteria to help them to decide whether or not to approve the content.
How to Mitigate the Risks of User-Generated Content
What You Need to Know About the Risks of User-Generated Content
6 Critical Pros and Cons of User-Generated Content
Let me stress that this is not an exhaustive list. There are many other areas of digital risk, from legal and financial risk to loss of customer support. If you touch base with all of your clients on the things we’ve discussed here, you can feel confident that you’ve added tremendous value and helped them avoid potentially devastating consequences. But the ship is still headed toward the iceberg; you’ve just slowed it down a little.
The next step -- and a very necessary one -- is to encourage your clients to develop a comprehensive digital policy program that covers everything we’ve discussed here and much more. What that looks like depends on who you are and how you work.
If you’re in-house counsel for a large corporation, I’d recommend kicking off a digital policy development program by appointing a digital policy steward to lead the initiative. If you work for a law firm, you can carve out a nice little digital niche for yourself -- one that is certain to grow. If you’re an independent lawyer still building your client base, you can increase your value proposition exponentially by becoming an expert on all things digital.
At the end of the day, though, it comes down to what’s best for your client or employer. The world of digital policies is like a giant hairball that’s getting bigger by the day, and it’s almost impossible to keep up unless that’s the only thing you do. That’s why a lot of people who have other responsibilities as their “day job” choose to work with an external consultant whose job it is to keep track of the hairball and help their clients manage it.
I relish my role as hairball tamer. So much so that I’ve decided to write a book on digital policy. The Power of Digital Policy: A Practical Guide to Minimizing Risk and Maximizing Opportunity for Your Organization will be out in March 2019 and you can sign up now to be the first to hear about the release.