Privacy, Technology and Perspective
Data Accuracy Disclaimers – A “Yellow-Flag” Contracting Issue. Many companies acquire data by buying it. When those companies buy personal information, however, privacy issues arise and the contracts underlying those purchases need a closer look. In particular, lately, we’ve been seeing a lot more disclaimers related to data accuracy. In this post, we’ll highlight why that raises a “yellow-flag” under which parties should proceed with caution.
Accuracy Disclaimers. As a basic contracting issue, a disclaimer is a contract clause that limits the responsibility of the party providing the disclaimer. In the context of a deal sourcing data, when a disclaimer relates to the accuracy of information, the provider is relieved of the obligation of making sure that information being provided – especially the personal information – is actually correct. Instead, the information is provided on an “as-is” basis, with-all-faults, and with no warranty as to whether it’s correct or not. Therefore, the counter-party receiving such information accepts the “as-is” disclaimer, along with the liability that comes from passing along or using the data, if it turns out to be inaccurate. This can be a dangerous deal for the receiving party. And strikingly, many businesses don’t even realize they’ve signed “as-is” waivers, because they’ve just “clicked through” a provider’s contract terms for what seemed like fairly routine purchases.
Accuracy under Privacy Laws Around the World: Data accuracy is a vital issue under privacy laws around the world, and under the Fair Credit Reporting Act (“FCRA”) in the U.S. One of the foundational principles of data privacy and governance around the world is the principle that data — specifically personal information – must be accurate. An illustrative, but non-exhaustive list follows:
United States – FTC’s Fair Information Practice Principles (“FIPPs”):
(2) The Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
A link to the FTC’s FIPPs follows:
European Economic Union – Article 5 (1) (d) of the General Data Protection Regulation (“GDPR”):
personal data shall be…accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
A link to Article 5 of the GDPR follows:
Canada – Personal Information Protection and Electronic Documents Act (“PIPEDA”) Fair Information Principle 6 – Accuracy
Minimize the possibility of using incorrect information when making a decision about an individual or when disclosing information to third parties.
How to fulfill this responsibility
Keep personal information as accurate, complete and up to date as necessary, taking into account its use and the interests of the individual.
Establish policies that govern what types of information need to be updated.
One way to determine whether information needs to be updated is to ask yourself whether using or disclosing out-of-date or incomplete information could potentially have an adverse impact on the individual.
Apply the following checklist for accuracy:
o List the specific items of personal information you need to provide a service.
o List where all related personal information can be found.
o Record the date when the personal information was obtained or updated.
o Record the steps taken to verify the accuracy, completeness and timeliness of the information. This may require reviewing your records or communicating with your customer.
A link to PIPEDA’s Principle 6 follows:
Australia – Australian Privacy Principle (“APP”) 10 – quality of personal information:
10.1 An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity collects is accurate, up-to-date and complete.
A link to APP Principle 10 follows:
Asia-Pacific Economic Cooperation (“APEC”) Privacy Framework, Principle 27:
Personal information should be accurate, complete and kept up-to-date to the extent necessary for the purposes of use.
A link to APEC’s Principle 27 follows:
While enforcement of privacy laws based on violations related to the use of inaccurate personal information hasn’t yet become a regularly recurring source of liability, accepting and using presumptively inaccurate personal information certainly flies in the face of numerous privacy laws and frameworks. Moreover, regulators, particularly in the EEA, have authority under the GDPR to assess fines for violation of up to 4% of annual revenue, so the exposure is there. The wise take note, and act accordingly.
Fair Credit Reporting Act of 1970 (“FCRA”), 15 U.S.C. § 1681 et seq.: In the United States, the FCRA is probably the main source of liability where inaccurate personal information is at issue.
The FCRA is something of a “niche” area, well known to credit specialists but often not well enough, and hardly known at all by most average consumers. But it is of sweeping, fundamental importance to both.
You can read the FCRA by clicking on the following link:
The FCRA imposes duties on consumer reporting agencies (“CRAs”) and “furnishers” to “get it right.” Furnishers who regularly provide consumer data to CRAs must make sure the consumer data they’re providing is accurate. “Accuracy” for furnishers means information that “correctly [r]eflects… liability for the account.” 12 C.F.R. § 1022.41(a). And when CRAs prepare a consumer report, they must “follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates.” 15 U.S.C. § 1681e(b) (emphasis added).
(Think for a moment about just how high a standard “accurate” is, and what an extraordinary emphasis the phrase “maximum possible accuracy” provides. This is a lot harder to achieve than you might imagine, especially at the extremes of common names or very unusual names. You might readily see how many people could have your same name, or one that’s often misspelled or mistaken. You might be astonished to know how many people have your same name and your same date of birth.)
Further, the FCRA has a huge wingspan, extending for a remarkable reach:
· “Consumer reporting agencies” aren’t only the Big 3 (TransUnion, Equifax, and Experian). CRAs also include credit bureaus, tenant screening companies, check verification services, and even medical information services;
· Banks, credit lenders, and collection agencies or anyone else who regularly provides data to CRAs are “furnishers.” See id. at § 1681a(f);
· And most startling of all, the FCRA also defines “consumer report” far more broadly than just reports on credit worthiness, standing, or capacity. It also includes reports on “character, general reputation, personal characteristics, or mode of living” which may be used or be factors in determining a consumer’s eligibility for insurance, employment, or other purposes. See id. at § 1681a(d)(1).
The FCRA further creates a strong, private right of action against CRAs or Furnishers for willful or negligent noncompliance with its requirements. 15 U.S.C. § 1681n (willful noncompliance); § 1681o (negligent noncompliance). And, as distinct from privacy law violations, violations of the FCRA have been a target for savvy plaintiffs’ lawyers, who are able to collect actual and punitive damages as well as attorneys’ fees under the FCRA.
Commercial Realities: As technology evolves, background checks become more automated, systems become more complex, volumes of data skyrocket, and data-input accuracy controls (especially in wildly scattered, local businesses and government agencies which furnishers must depend on) fall further behind, accuracy risks are bound to rise. Seen in this light, it’s small wonder that businesses everywhere rely on disclaimers – they want to pass the hot potato as quickly and completely as they can.
But there are additional considerations when data is processed under “as-is” contracts, and these require thought. We suggest that in such cases, the parties to the contract double their efforts to understand exactly what data is being processed and where it is sourced, so as to evaluate the likely risks that it will be inaccurate. At minimum, the parties should have procedures in place to assure the maximum possible accuracy of the data and the ability promptly to correct mistakes. The parties should also consider their obligations to notify and cooperate with each other if data sourced under the contract is found to be inaccurate. In addition, if a party opts to accept a disclaimer, it should evaluate other means for mitigating its risks—which may include other contractual terms, insurance, and internal mechanisms and processes for allowing individuals themselves to access and correct inaccurate personal information about themselves.
A Prediction and a Closing Thought: The penalties associated with FCRA arose, in part, because Congress recognized the toll that inaccurate information could take on a credit- and trust-based economy. In tomorrow’s Big Data-AI World, we see substantive inaccuracy – separate and apart from wrongful use and disclosure – claiming even more of the spotlight.
Meanwhile, be careful. Watch out for and think through “as-is” disclaimers before your company agrees to them, and if it must agree to them, then protect your business and your customers accordingly.
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠