Any time your company collects data, including combining data obtained from third parties, those practices should be clearly disclosed. The Federal Trade Commission (FTC) has taken an increasingly aggressive enforcement stance against companies that fail to clearly disclose the scope of their data collection and use practices. FTC privacy litigation can be divided into two general areas of prosecution: deception and unfairness.
- Broken promises to maintain confidentiality or to refrain from disclosing information to third parties
- Broken promises to provide adequate notice regarding how data is being used
Surprisingly, deception cases can include violation of implied promises. In the case of In re Google Inc., the FTC alleged that Google breached its implicit promise that previously established privacy settings such as "blocked" emails and visibility settings would be respected in the future. In that case, the FTC also alleged that Google had violated an explicit promise.
Google had informed users, "When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use." Despite that pledge, when Google launched its social media contact service, Google Buzz, it used that same registration information to share data for social networking purposes without first providing sufficient notice and choice. Among other things, Google failed to disclose that consumers' frequent email contacts would become public by default. Finally, although Google purported to give consumers a choice about joining Google Buzz, even when users opted out, those consumers were enrolled in certain features of Buzz.
In addition to bringing lawsuits based on allegations of deception, the FTC has also brought cases under a theory of unfairness. Examples of "unfairness" cases include retroactive policy changes, undisclosed collection of data and inadequate data security practices.
An example of a case where it was alleged that the failure to disclose data collection practices constituted an unfair data practice is the case of In re Aspen Way, in which the FTC held that installing spyware and gathering data without notice was an unfair practice.
Take away tips
The take away tips that can be gleaned from these recent FTC cases include the following:
- Confirm with your marketing department (and your IT and any other relevant departments) what data is being collected, including from third parties, and how that data is being used
- Stay up to date with industry standard data security protocols and implement those practices
- Repeat steps 1 through 4 on a periodic basis, which, depending on how dynamic your marketing department is, may require quarterly or even monthly review