FTC: It’s not just about your privacy policy

Google just agreed to pay a $22.5 million fine to resolve an FTC action over Google’s circumvention of the Safari browser’s privacy settings. While the substance of the complaint is particularly important for ad networks, there’s a critical reminder for every website and app publisher: The FTC looks well beyond your privacy policy to determine whether you have accurately disclosed privacy practices to users.

This is important because the FTC’s jurisdiction for deceptive privacy practices often depends on the existence of some kind of express statement that turns out to be inaccurate. Ironically, silence about data practices can actually limit an operator’s exposure to FTC enforcement. But while Google’s conduct in this case may not have violated any express statement in Google’s written privacy policy, the FTC found the misleading statements in two other places:

  1. A statement in Google’s help pages, to the effect that the default Safari configuration effectively prevents them from tracking users; and
  2. Google’s participation in the Network Advertising Initiative, which has a code of conduct that generally requires complete disclosure of data collection practices.

The NAI allegation is particularly important; it is as if the NAI requirements were incorporated directly into Google’s own privacy policy. By being an NAI member, Google was saying that their privacy policy was accurate and complete. For the FTC, this created a general “catch all” liability for any practices that aren’t expressly disclosed.

While expansive, this is not unfair. Companies like Google get plenty of mileage out of NAI participation as a “Good Housekeeping Seal” for privacy, so they should also be liable when they transgress those requirements. As a basis for liability, this is not unlike Rule 10b-5 in securities law, which makes public companies accountable not only for express misstatements, but also for omissions of material facts.

What this means in practical terms:

  1. Publishers must operate in accordance with all statements they make about privacy, whether those are in the privacy policy, terms of service, FAQ, customer support pages, press releases or anywhere else. If you’re in charge of privacy for your company, you need to be managing those channels as closely as you would changes to your formal privacy policy.
  2. If you participate in industry trade groups or privacy seal programs, you are responsible for their program requirements as if they are part of your privacy policy. For example, TRUSTe’s seal, appearing on thousands of websites, requires that the sealholder disclose “What type of [Personally Identifiable Information] is collected and how it will be used.” This means that even if the statements in your privacy policy are literally accurate, if they omit anything that turns out later to be important, the FTC may have additional authority for enforcement.