By now, most have heard of Ashley Madison, an online dating site for people who are married or in a committed relationship wanting to have an affair, and its data breach. However, for South Florida business owners with an online presence, there are a few lessons to be learned from this website hack. For companies that collect customers’ information, it’s more than just cybersecurity. There are major exposure issues when a company collects and sells the personal data of its customers while marketing itself in a manner that creates a reasonable expectation of secrecy.
The public has come to understand that Ashley Madison is actually a well-organized data mining operation. Although data mining is a standard business practice of any entity with a significant online presence, all businesses must be very wary when their side businesses conflict with the reasonable expectations of their customers. In the wake of Ashley Madison, any company in South Florida that sells information collected about its customers, especially if it is an ancillary service not anticipated by customers (as in Ashley Madison’s case), may face serious civil and regulatory liability.
Business owners and entrepreneurs should pay particular attention to and be familiar with federal and Florida state laws regarding these types of practices, since they may allow the consumers themselves to sue the business, along with collecting damages and attorneys’ fees.
Although many people are aware of Ashley Madison’s cybersecurity issues, few are aware that the company was, in fact, running two businesses. The first is the well-known “extramarital dating site.” The second was collecting private information from customers seeking discretion and then selling it to the highest bidders. Ashley Madison sold its customers on discretion and privacy, then sold private consumer information for profit.
Never miss a local story.
This business model has made Ashley Madison a very large target under the Unfair and Deceptive Trade Practices Act. Under that act, unfair competition and unfair or deceptive acts or omissions are the two main types of violations. False or deceptive advertising or trade practices include making statements in connection with the sale of goods or services known to be untrue or misleading.
Ashley Madison segregates individual information into two separate categories. The first is defined as “Non-Personally Identifying Information,” vaguely identified as “aggregate and anonymous data,” such as height, weight, and sexual preference. In short, this is information that is useless without a way to tie it to a specific individual. However, this information becomes enormously valuable when combined with information that ties it to an individual, also known as “Personally Identifiable Information,” like an individual’s email address, physical billing address, name, and any other directly identifying information.
Further, the company offers a service that allows members to completely erase their profile and information for a $19 fee. However, in light of the recent online hack of the company’s data, it appears that the “full delete” feature that Ashley Madison advertises as “removal of site usage history and personally identifiable information from the site,” does not actually remove this information completely.
The problem is, in this instance, Ashley Madison was selling more than just a casual fling. The company was selling discretion, privacy and the alleged ability to disappear. By offering services like “Complete Profile Deletion,” discrete shipping, or billing under a false name, companies like Ashley Madison recognize that their customers expect, and, in many cases, are willing to pay extra, to ensure their information remain anonymous.
Local business owners should look for contradictions in how they market their products to the public and their actual business practices and stated policies. When a business intentionally markets a product or service in a particular manner to the public, it can no longer safely rely upon vaguely worded or fine-print terms of service and privacy policies as a liability shield against the reasonable expectations of a consumer. This is especially true for a business that actively markets to, and profits, from that consumer’s expectations or a breach of that consumer’s expectations.
As the public becomes wearier of data security issues, the manner in which private information is obtained by a company, and how a company uses that information for profit, will come under the increased scrutiny of litigators and consumer protection attorneys.
Adam R. Barnett is a partner with the Fort Lauderdale office of Kelley Kronenberg, focusing his practice on Institutional Consumer Law, Consumer Protection Compliance and Regulation, and Creditors Rights. He may be reached at email@example.com