Buried in a recent Federal Trade Commission (FTC) report are some juicy tidbits about how the FTC expects online businesses to disclose and get consumer consent to material changes in their data collection practices. If this sounds less than riveting, take note. In my experience, many smaller companies and startups doing business on the Internet either don’t have the privacy regimes in place that they need or choose to ignore the issue entirely. This is a perilous course in a time of aggressive government regulation in the name of consumer protection. Therefore, in addition to discussing the latest FTC oracle on privacy, I’ll give some basic advice on how e-commerce businesses should think about this vital issue. (To make it simple, this post deals with only generally applicable online privacy principles and not with special regulatory regimes like Gramm-Leach-Bliley, the Children’s Online Privacy Protection Act or HIPAA that apply only to certain types of businesses, like financial institutions, or certain types of information, like health-related information or information collected from children. For businesses operating in these areas – whether you know it or not! – you have to comply with multiple privacy rules.)
For a decade the FTC has taken the position that companies must collect, use and share information from consumers online in ways that are consistent with their posted privacy policies, which the FTC considers to be legally binding promises just as advertising is. For a long time, practically this meant that companies collecting data from website users, especially personally identifiable information like name, address, e-mail address, credit card number or Social Security number, had to have online privacy policies (because if you used and shared consumer information but said nothing about it, this was considered deceptive), and whatever the policies disclosed about the companies’ use and sharing practices, this had to be what was actually done, i.e., companies couldn’t go beyond what was stated in the policies. Violations of these principles were held to be “unfair or deceptive acts or practices” contrary to Section 5 of the FTC Act, and the FTC has brought many costly legal and administrative proceedings against non-compliant companies seeking fines and damages, in addition to reformed behavior. More recently, after numerous highly-publicized breaches of data security at retailers, data aggregators and financial institutions exposed millions of consumers to potential fraud risk, the FTC has modified its approach also to require companies to implement reasonable security measures to safeguard consumer data held by them against unauthorized access or use. Furthermore, the FTC’s assessment of what is “reasonable” covers not only the technical security infrastructure protecting databases, but also whether companies unnecessarily increase risk to consumers by retaining data after any legitimate business need ends or by failing to take adequate precautions when destroying consumer data. (HINT: Do NOT toss records containing credit card numbers, Social Security numbers or other sensitive information into the dumpster behind your building. Burn them or shred them.)
Given this FTC approach to online privacy, a broad, flexible privacy policy may be desirable; this would list all of the various possible types of information a business may collect, all of the various possible types of third parties it may share information with, and all of the various possible uses to which the information may be put. In other words, think of everything the business may conceivably want to do in the future (whether or not there is any interest in doing it now) and cover it in the privacy policy. That way you’re never acting outside the scope of your privacy policy and don’t need to keep amending it as business needs change. Some companies, however, prefer a restrictive privacy policy (i.e., consumer information is never disclosed to third parties except in certain limited cases, which are carefully spelled out) because it reassures consumers and helps with obtaining coveted website privacy certifications.
Now the FTC has come forth with guidelines for the process of making material changes to a company’s data practices (“material” changes being those that might impact a consumer’s decision to buy products or services from the company, such as different uses for data collected or different types of sharing with third parties). The FTC has been looking at the issue of online behavioral advertising (i.e., targeting online advertisements to certain consumers based on data collected about their web activity, such as websites browsed) for over a year and on February 12, 2009, after a public comment period, issued a staff report updating the agency’s “self-regulatory” principles regarding the collection of data for use in online behavioral advertising. (“Self-regulatory” is in quotes because at the end of the 49-page report the FTC states that in the next year it will conduct investigations of industry practices and darkly hints that it may bring enforcement actions against companies for unfair or deceptive acts or practices and violations of other laws.)
This report has significant implications for all players in the booming online advertising market and will be the topic of a separate blog post shortly. However, about 40 pages into the report (as my eyes were beginning to glaze over), the FTC staff broadens the discussion into a general commentary on how material changes to online data practices cannot be made retroactive – that is, they cannot be applied to previously collected data – unless there is a notice and opt-in for the consumer. The consumer must give “affirmative express consent” for a material privacy policy change to be applied to his or her previously collected data. Moreover, the FTC has some very specific ideas about what does and does not constitute valid “affirmative express consent.”
To begin with, the commonly used approach of including in the privacy policy a blanket consent to any changes going forward (“This privacy policy may change from time to time, and any such changes will be posted on our site. Your use of this site following the posting of changes will constitute your acceptance of and consent to such changes.”) clearly will NOT work to bring previously collected data under the new privacy practices. Consumers must receive some actual notification of material changes, and there must be a real “choice mechanism” (or opt-in). This is bad news for those businesses who are hypersensitive about rubbing website users’ noses in legal disclosures because they believe that requiring one extra click in the flow means death from a usability standpoint. Still, there is a range of options for complying with the guidelines. One extremely conservative option is to send an e-mail to all registered users informing them of the changes and asking for their consent. However, this approach may be highly unpalatable from a marketing and customer experience perspective. A less heavy-handed strategy is to separate the pool of user information into two buckets, information collected before the new privacy policy was posted and information collected after. Information collected after the new policy was posted can be used and shared under this policy. Information collected prior to the changes should be handled under the old policy, but in any promotion or other communication sent to the users who provided this information, or when they next attempt to conduct a transaction through the website, they should be prompted to consent to the new privacy policy (and once they do, ALL of their information can be used and shared under this policy). 
If it is too difficult to separate user information based on date of collection, then you can separate users based on date of site registration, with users who registered under the old privacy policy being covered by this policy until they agree to the new policy in response to a prompt generated by a promotion or attempted transaction. NOTE, HOWEVER, that the users must be required to take some action to consent. The FTC specifically points out that use of a pre-checked box indicating consent to the privacy changes is not valid consent, nor is some sort of choice mechanism “buried deep” in a lengthy privacy policy or uniform licensing agreement. So, yes, an extra click really is required.
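The two bucketing strategies and the consent rules described above can be enforced in the data layer rather than left to policy text. The following sketch is an added example, not code from the FTC report or from any particular site; the cutoff date, the `"old"`/`"new"` labels and the mechanism names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed value: the moment the revised policy was posted on the site.
NEW_POLICY_POSTED = datetime(2009, 3, 1)

# How a consent was captured. Only an action the user actually took counts;
# "prechecked_box" and "continued_use" (blanket consent) are recorded but rejected.
VALID_MECHANISMS = {"explicit_click"}

@dataclass
class Consent:
    policy: str       # hypothetical version label, "new" in this example
    mechanism: str    # "explicit_click", "prechecked_box" or "continued_use"
    at: datetime

@dataclass
class User:
    registered_at: datetime
    consents: list = field(default_factory=list)

def opted_in(user: User) -> bool:
    """True only if the user affirmatively accepted the new policy after it was posted."""
    return any(
        c.policy == "new"
        and c.mechanism in VALID_MECHANISMS
        and c.at >= NEW_POLICY_POSTED
        for c in user.consents
    )

def policy_for_record(user: User, collected_at: datetime) -> str:
    """Bucket by date of collection: older data stays under the old policy until opt-in."""
    if collected_at >= NEW_POLICY_POSTED or opted_in(user):
        return "new"
    return "old"

def policy_for_user(user: User) -> str:
    """Fallback: bucket by date of registration when records cannot be dated."""
    if user.registered_at >= NEW_POLICY_POSTED or opted_in(user):
        return "new"
    return "old"

def should_prompt(user: User) -> bool:
    """Show the consent prompt at the next promotion or attempted transaction."""
    return user.registered_at < NEW_POLICY_POSTED and not opted_in(user)
```

Storing the capture mechanism with each consent record also gives you evidence of how consent was obtained if the practice is ever questioned.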
Prospective changes to a privacy policy (applying to information collected after the new policy is posted) are not covered by the affirmative express consent requirement, although the FTC does mention a need to alert repeat site visitors to the changes, such as by a prominent notice on a landing page. Minor changes to data practices also are not covered (keep in mind, though, that the FTC will zero in on any changes in how data is used or shared and is unlikely to consider these minor).
With the evolving principles and multiplying layers of nuance in the FTC’s policing of the privacy arena, online businesses now, more than ever, must think carefully about their website privacy policies and ensure that those policies are tailored to their actual practices and needs. Privacy is NOT something to check off your list by posting a template you found on the Internet.