Article Detail

News & Knowledge

Fail to Enforce Your Privacy Policy at Your Own Peril

August 22, 2018

By: Brian Lawrence & Drew Sorrell

Most companies have a privacy policy in place for the protection of consumer data (or should), but merely adopting a reasonable privacy policy is by itself not enough.  Rather, a company must also actively ensure compliance with the policy it adopts. Though there can be hesitation in expending resources in adopting, implementing, maintaining and supporting a privacy policy governing a company’s consumer protection practices, such expense pales in comparison to the amounts that may be paid to resolve a levied Federal Trade Commission (FTC) fine.  

Consider the case of VTech, a Hong Kong based company which sells tablets, other electronics and software as educational tools for children. In November, 2015, VTech learned that its Learning Lodge Navigator online platform had been compromised. The Learning Lodge Navigator platform contained names, gender, and birthdates of children. In total, as of the time of the breach, about 2.25 million parents registered and created accounts with Learning Lodge for approximately 3 million children. The issue was that in collecting such consumer data, VTech failed to link parents to VTech’s privacy policy when personal information was collected, and therefore, VTech violated the Children’s Online Privacy Protection Act of 1998 (COPPA), which prohibits online services from knowingly collecting data from children under the age of 13 without obtaining informed parental consent. Such protected child data includes names, addresses, email addresses, telephone numbers, and photo, video or audio recordings. After an investigation of the data breach, the FTC filed a complaint against VTech, alleging that VTech did not obtain verifiable informed parental consent as required under COPPA. A significant area of concern for the FTC was that VTech falsely claimed in its privacy policy that personal information submitted by users through the Learning Lodge Navigator platform would be encrypted, despite never actually encrypting such data.

VTech settled with the FTC in January of this year, and agreed to pay $650,000 to take reasonable steps to secure the data collected. Moreover, the final order required VTech to refrain from misrepresenting its security and privacy practices and to implement a comprehensive data security program, which is subject to independent audits for the next 20 years. VTech is far from the first company which has misrepresented its consumer data protection practices by way of a privacy policy. That said, companies of all sizes which collect consumer data must not just implement a reasonable data security plan, but must actually ensure that nothing contained in such adopted privacy plans is inaccurate. Moreover, as the FTC stresses, data security is a “living” process, and companies should revisit their data security practices periodically as the business and cybersecurity landscapes continue to evolve.


Brian Lawrence concentrates his practice on complex litigation arising from commercial transactions, partnership disputes, trust and probate disputes and intellectual property matters.

Brian regularly advises national and local clients on matters pertaining to restrictive covenants, trademarks, copyrights and trade secrets. He has successfully defended and prosecuted lawsuits on behalf of national and local corporations and limited liability companies, sports teams, athletes and other public figures.

A member of the firm's Cybersecurity, Privacy & eDiscovery Group, Brian has significant experience evaluating complex security incidents and advising clients of their obligations under federal and state data security and privacy regulations. He has handled cybersecurity incident responses and data privacy matters impacting all 50 states and internationally.

Brian is as committed to serving the Central Florida community as he is to his practice. He is actively involved in Big Brothers Big Sisters of Central Florida, as both a big brother and a member of the executive board. He also serves as a guardian ad litem and provides pro bono services to professional guardianship organizations in Central Florida. Additionally, Brian is on the board of the Young Lawyers Section of the Orange County Bar Association, which supports local charitable endeavors and serves underprivileged youth.


Drew Sorrell's practice focuses on complex commercial issues, relating to both litigation and contract/policy drafting.

Drew has years of experience litigating business matters, intellectual property/patent infringement disputes, data breach/privacy issues, wire fraud (spoofing/spear phishing), business torts/disputes, insurance coverage, personal injury and employment litigation. Likewise, he has significant experience drafting and negotiating software licenses (SaaS), Internet service provider agreements, data privacy/breach policies and procedures, employment/services agreements as well as the indemnity and insurance coverage related to those agreements.

Initially, Drew began his legal career as a judicial clerk to Senior United States District Judge John H. Moore II, in Jacksonville, Florida, and then practiced with an AmLaw top 10 firm in Manhattan primarily in their litigation department. After spending some time as an assistant county attorney responsible for litigation, he joined Lowndes and is currently chair of the firm’s multi-discipline Cybersecurity, Privacy & eDiscovery Group.

A founding member of the Sedona Conference Group 11 (Privacy/Data Security), Drew is frequently asked to speak and write on legal and ethical issues arising from technology, including unfair and deceptive trade practices, data breach, privacy, data governance, and technology contract drafting. He is also currently serving as chair of the Orange County Bar Association Intellectual Property Committee.

Drew has argued to the United States Court of Appeal for the Eleventh Circuit, at the federal level, and the Fifth District Court of Appeal at the state level. He is admitted to The United States Supreme Court Bar, as well as the Florida, New York and District of Columbia Bars. He is admitted to practice before all federal district courts in Florida as well as the Southern District of New York.

Born in Florida, Drew roots for his adopted football team—the FSU Seminoles (because neither Rollins nor George Washington has a football team). He is a proud father of two sons who play basketball and soccer, make great grades and generally keep him very busy in his spare time.

Meritas Law Firms Worldwide logo
Do Your Part Logo