On the eve of the release of its long awaited Privacy Report (“Report”), the FTC fired a warning shot signaling its intent by concluding an enforcement action against EchoMetrix, who failed to provide adequate notice of its privacy practices. Last week, we summarized the FTC’s new Report which outlines a new framework for online and offline privacy, and emphasizes the inadequacy of the current approach to privacy policies. The Report goes into considerable detail about the need for greater transparency, and suggests a new approach that companies should adopt in their privacy policies. The enforcement action against EchoMetrix underlines the FTC’s position outlined in its Report that disclosure to consumers relating to data collection and use cannot be buried in lengthy privacy policies or user agreements. It is clearly time to re-examine privacy disclosures and re-evaluate information handling practices.
Enforcement Actions
In the most recent enforcement action last week, the FTC charged that EchoMetrix violated federal law by failing to adequately disclose to parents that it would share the information it gathered from their children with third-party marketers. The only disclosure made to parents about this practice was a vague statement approximately 30 paragraphs into a multi-page end user license agreement.
In a previous settlement, the FTC alleged that Sears’s privacy notice was inadequate because the company disclosed the full extent of the information collected only in a lengthy user license agreement which was available to consumers at the end of a multi-step registration process.
These actions, together with the FTC’s Report, illustrate that the FTC expects to see companies provide privacy policies that are easy to find and easy to understand, that provide an easy-to-use mechanism for exercising choice, and that provide consumers with access to data about them in certain situations.
Privacy Policies, Consumer Access to Data, and Choice
In its Report, the FTC stated that privacy policies have become longer, more complex, and, “in too many instances, incomprehensible to consumers.” Too often, the FTC said, privacy policies appear designed more to limit companies’ liability than to inform consumers about how their information will be used. Because of this trend, “consumers face considerable burdens in understanding lengthy privacy policies and effectively exercising any available choices based on those policies.” Instead, the FTC wants to see companies provide privacy policies that are “clearer, shorter, and more standardized.”
The FTC Report also proposes providing consumers with reasonable access to the data that companies maintain about them. Recognizing the significant costs associated with providing access, the Report supports a sliding scale approach so that the extent of access is proportionate to the sensitivity of the data and the nature of its use. For example, where a company maintains data to be used for authentication or decision-making purposes, erroneous data could lead to significant consumer harm. In this circumstance, the FTC says that it may be appropriate to provide the actual data about the consumer, along with the ability to correct or delete the data. On the other hand, companies that maintain marketing data might disclose the categories of consumer data they possess and provide a suppression right that allows consumers the ability to have their name removed from marketing lists. While data subject access and correction rights have been prevalent in Europe for the last decade, they have been largely absent from most company privacy policies in the U.S., and the FTC’s position on these issues is yet another sign of an approach that mirrors the European privacy framework.
For data practices that are not “commonly accepted,” the FTC expects to see changes in how companies provide choice. To ensure that choice is meaningful and accessible to consumers, companies should provide easy-to-use choice mechanisms at a time and in a context in which the consumer is making a decision about his or her data. The FTC provided specific guidance on how choice may be presented.
- Where a company has a relationship with a consumer, the choice mechanism should be offered at the point when the consumer is providing data or otherwise engaging with the company. In the context of an online retailer, the disclosure and control mechanism should appear clearly and conspicuously on the page on which the consumer types in his or her personal information. For an offline retailer, the disclosure and consumer control should take place at the point of sale by, for example, having the cashier ask the customer whether he or she would like to receive marketing offers from other companies.
- With respect to social media services, if consumer information will be conveyed to a third-party application developer, the notice-and-choice mechanism should appear at the time the consumer is deciding whether to use the application and, in any event, before the application obtains the consumer’s information.
- Where the information sharing occurs automatically, through a default setting, that fact should be disclosed clearly and conspicuously at the time the consumer becomes a member of the service, not merely buried in the privacy policy.
This client alert is a publication of Loeb & Loeb LLP and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations. For more information, please contact a member of Loeb & Loeb's Advanced Media and Technology Group.
Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.