Sections
INTA Bulletin


January 15, 2018 Vol. 73 No. 1 Back to Bulletin Main Page

Privacy’s Goodwill Implications



INTA and IAPP’s Strategic Partnership

INTA is pleased to feature the International Association of Privacy Professionals (IAPP) as a guest contributor to this edition of the INTA Bulletin. INTA and IAPP are collaborating on a number of initiatives to explore the ways that trademark and privacy laws intersect in brand protection. This strategic partnership is the result of the hard work of INTA’s Data Protection Committee and INTA staff.


Trademark and privacy law today may be governed by unique regulatory regimes and government agencies, but they share at least one major common concern: the company’s relationship with its customers.

Trademark and privacy laws work to protect consumers when they purchase goods and services. While trademark law ensures authenticity and consumer choice, privacy law looks to protect customers’ expectations when they share their personal data in exchange for goods and services. It also turns out that can hurt the brand if a company doesn’t take care of its customers’ data.

A recent study by the International Association of Privacy Professionals (IAPP) underscores the importance of privacy in protecting trademark goodwill.

For each of the past two years, the IAPP has studied mandatory reports (Form 10-K) filed annually by the largest U.S. corporations with the Securities and Exchange Commission. These reports warn investors about the biggest risks to the companies’ financial success. This year, the companies unanimously cited cyber security risks as a top concern. Although the loss of computing infrastructure, or loss of IP, are some negative byproducts of a hacking incident, U.S. companies are most concerned about losing the personally identifying information (PII) of their customers; 87 percent of companies named losing PII as a risk.

Why? Because customers will lose faith and trust in the company’s brand. Of all the named pitfalls to losing PII, the top concern by far—reported by 95 percent of surveyed companies—is harm to reputation and brand, outweighing system downtime and operational disruptions (89 percent), general financial losses (82 percent), and even concerns about regulatory enforcement actions (63 percent) or class action litigation (52 percent).

Privacy as a brand concern is sure to get the Board of Directors’ attention. This can only help privacy and IP lawyers who are now working with their employers and clients on a major piece of privacy legislation affecting companies around the world—the EU’s looming General Data Protection Regulation (GDPR). More than 100 pages in length and the product of more than five years of legislative deliberations, the GDPR stands to redefine the way that privacy is done globally. It introduces and codifies new rights that allow people a great deal more access to, and control of, their personal data as it’s collected and used by organizations.


Rita Heimes is the Research Director of the International Association of Privacy Professionals (IAPP) and serves as the organization’s Data Protection Officer. She has also worked in IP and trademark law, is an INTA member, and taught at the University of Maine School of Law. The IAPP is the world’s largest privacy association, providing conferences, events, networking opportunities, and a large library of privacy resources and content for over 34,000 privacy professionals worldwide. 


Coming into force in May 2018, the GDPR protects the personal data of all natural persons in the EU—even non-citizens who happen to be within the territory of the EU when their data is collected. Further, its jurisdictional reach is such that any organization that is marketing to EU citizens, or processing the data of EU citizens, falls under its scope, regardless of where in the world that organization is located.

While the media and some compliance managers might be focusing on the potential penalties for GDPR infringement—up to 20 million euros or 4 percent of annual turnover—savvy privacy and IP professionals are likely more focused on the brand damage that an enforcement action might cause. Another perspective, however, is that the GDPR simply states in legal form what companies have known all along: the responsibility companies face when handling their customers’ personal data is significant, and it speaks directly to the company’s relationship with its customers and their trust in the company’s brand.

In short, getting privacy right enhances that goodwill and deepens customer loyalty. Getting privacy wrong is not only a regulatory compliance problem, but a brand problem as well.

Although every effort has been made to verify the accuracy of items in the INTA Bulletin, readers are urged to check independently on matters of specific concern or interest.

© 2018 International Trademark Association