Be careful marketing doesn't also drive one of your company's biggest risks: Online privacy litigation

The FTC has taken an increasingly aggressive enforcement stance against companies that fail to clearly disclose the scope of their data collection and use practices

Your company's marketing department is always interested in gathering data about your customers and potential customers — the more data, the better. The Internet allowed companies to track online activity for the first time to gain a direct understanding of what content was most interesting to customers. Tracking that data is great for getting to know your customers, driving product development and new features, but if you don’t know exactly what your marketing company is doing — particularly as it relates to data collection and use — you need to find out, and then make sure to update your privacy policy to disclose those practices.

Any time your company collects data, including combining data obtained from third parties, those practices should be clearly disclosed. The Federal Trade Commission (FTC) has taken an increasingly aggressive enforcement stance against companies that fail to clearly disclose the scope of their data collection and use practices. FTC privacy litigation can be divided into two general areas of prosecution: deception and unfairness.


Deception is the most common theory the FTC relies upon when prosecuting privacy violations. These cases are commonly known as "broken promise" cases. A "broken promise" case involves a representation in a privacy policy and then a breach of that representation or promise. Examples of "broken promise" cases include:

  • Broken promises to maintain confidentiality or to refrain from disclosing information to third parties
  • Broken promises to only collect data consistent with the company's privacy policy
  • Broken promises to provide adequate notice regarding how data is being used

Surprisingly, deception cases can include violations of implied promises. In the case of In re Google Inc., the FTC alleged that Google breached its implicit promise that previously established privacy settings such as "blocked" emails and visibility settings would be respected in the future. In that case, the FTC also alleged that Google had violated an explicit promise.

Google had informed users, "When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use." Despite that pledge, when Google launched its social media contact service, Google Buzz, it used that same registration information to share data for social networking purposes without first providing sufficient notice and choice. Among other things, Google failed to disclose that consumers' frequent email contacts would become public by default. Finally, although Google purported to give consumers a choice about joining Google Buzz, even when users opted out, those consumers were enrolled in certain features of Buzz.

In addition to cases alleging a "broken promise" theory of deception, other cases allege deception based on the failure to provide adequate "notice." In FTC v. Echometrix, Inc., the FTC alleged that the broad statement contained in the defendant's privacy policy — "[Sentry] uses information for the following general purposes: to customize the advertising and content you see[,] . . . improve our services[,] . . . conduct research, and provide anonymous reporting for internal and external clients" — was too vague to adequately disclose that information monitored and collected by the defendant’s computer-monitoring software program would be shared with third parties. Ironically, the information collected by the monitoring software, which was sold to parents seeking to monitor their children's online activity, was also being disclosed to third-party advertisers.







In addition to bringing lawsuits based on allegations of deception, the FTC has also brought cases under a theory of unfairness. Examples of "unfairness" cases include retroactive policy changes, undisclosed collection of data and inadequate data security practices.

Retroactive policy changes involve a company changing privacy policies without providing notice or the ability to opt out. In the case of In re Gateway Learning Corp., the company changed its privacy policy to allow the renting of personal data to third parties when previously it had promised that it would not do so. The FTC stated that if a company makes material changes to its privacy policy, it cannot use previously collected data without first obtaining consent to the new uses.

The failure to disclose data collection practices has also been alleged to constitute an unfair data practice. In the case of In re Aspen Way, the FTC held that installing spyware and gathering data without notice was an unfair practice.

Lastly, the FTC has taken the fairly counterintuitive position that failing to take reasonable steps to protect data constitutes an "unfair" practice even if a company does not represent that it has taken steps to secure data. In United States v. Rental Research Services, Inc., the FTC alleged that the defendant failed to take reasonable security measures to secure personal information, such as verifying the identities of prospective subscribers who would have access to sensitive data. Although the company's privacy policy did not represent that the company had taken any security measures, the FTC deemed the defendant's lack of adequate security measures itself to be an unfair practice.

Takeaway tips

The takeaway tips that can be gleaned from these recent FTC cases include the following:

  1. Confirm with your marketing department (and your IT and any other relevant departments) what data is being collected, including from third parties, and how that data is being used
  2. Review your privacy policy to ensure that your actual data collection and use practices are consistent with the representations in your privacy policy. If they are not, either change your practices (and confirm that data was not used in a manner that was inconsistent with the existing privacy policy), or update your privacy policy
  3. Stay up to date with industry standard data security protocols and implement those practices
  4. If you materially change the terms of your privacy policy, only use data that is collected after those changes are posted online or obtain consent for new uses
  5. Repeat steps 1 through 4 on a periodic basis, which, depending on how dynamic your marketing department is, may require quarterly or even monthly review



Deanna Conn

Deanna Conn, a partner at Quarles & Brady, practices in commercial litigation and in all areas of intellectual property litigation, including patent and troll defense,...
