
Website Privacy Policies - Make sure you do what you say!


My research did not reveal any generally applicable federal statute in the United States that regulates online privacy other than the Gramm-Leach-Bliley Act (which only covers banks, insurance companies, and other “financial institutions”) and the Children’s Online Privacy Protection Act (which only applies to personal information collected from children under 13 years of age). The Federal Trade Commission (FTC) currently regulates privacy under its general authority to prohibit unfair or deceptive acts or practices in interstate commerce. There are several FTC cases relating to privacy policies.

In a number of these cases, the most common complaint made against the company is one of deceptive and unfair practices in connection with the use of data collected by the company on its website and material changes to an online privacy policy. In the most common fact pattern, the company “deceives” its consumers by materially changing its established privacy practices, revising its privacy policy to reflect these revisions, and retroactively applying the materially different privacy terms to personal information that was collected from consumers under the original policy, without contacting existing customers about the material change or highlighting the changes on the website.

Most of these cases are settled. Commentators and articles from other law firms advise that there are several lessons that must be learned from these FTC decisions on privacy policies. First, a website must take steps to ensure that it fully complies with each promise set forth in its posted privacy policy and elsewhere on the website. Second, a website cannot change its privacy practices without consumer consent. A mere statement in a privacy policy that the website may change its policies and post these changes on the website does not give the website the right to retroactively apply the changes to data previously collected. Finally, websites should also evaluate how they notify consumers when a privacy policy is revised.

Thus, the lessons from the FTC cases can be summarized as follows: (a) do what you say; anything else is unfair and deceptive; (b) it is not enough to do what you say, you must also say what you do in a clear and conspicuous manner; (c) strong privacy practices are not enough, you must also have security practices that are reasonable and appropriate to the nature of the data; (d) take appropriate steps to implement the policies; (e) if you change the policy, give consumers the right to “opt out”; and (f) don’t forget to cover transferring such information if you sell the company. The cost of noncompliance appears to be high. The FTC commonly resolves complaints by requiring a consent decree describing in detail specific steps the company must take, subject to agency oversight, typically for a 20-year period.

About: Rayan F. Coutinho is an attorney with the Business Group at Wood & Lamping LLP and can be reached at rfcoutinho@woodlamping.com or (513) 852-6030.

admin @ October 16, 2008
