Over the last few years, the concept of privacy, particularly with respect to the Internet, has evolved rapidly. Federal and state laws, such as the Gramm-Leach-Bliley Act[1] and the California Online Privacy Protection Act of 2003,[2] require the posting or other disclosure of privacy practices for certain companies. To no real surprise, the Federal Trade Commission (FTC) has recommended increased disclosure to consumers of how companies collect and handle customer information obtained through websites.[3] Identity theft is on the rise, and many states have adopted mandatory consumer notification laws in the event of a security breach involving certain personal information.[4] Privacy law is front and center.
In response to new laws, heightened consumer awareness and general media buzz concerning privacy, including some highly publicized privacy cases, some companies may rush to say what they believe customers want to hear: "We will never share or sell your information and will not change our privacy practices without your consent." Is this what customers want to hear? Perhaps, but many of them never hear this message, because only a small percentage of customers read and pay close attention to website privacy policies.[5] The end result is that this kind of statement may generate little customer goodwill while also leading to a costly and potentially disastrous encumbrance of valuable customer information. Even if the encumbrance can be removed, it may have serious legal and financial implications for the company.
Similarly, in The National Research Center for College and University Admissions, Inc.,[10] the FTC alleged that the defendants violated Section 5 of the FTC Act by collecting personal information from high school students, claiming that they would share the information only with colleges, universities and others providing education-related services, and then selling the information to commercial entities for marketing purposes. Under a consent agreement, the defendants were barred from using the previously collected information for non-educational-related marketing purposes.
Companies that promise too much and then change their privacy policies also open themselves up to direct actions by aggrieved consumers. Consumers may have standing to sue for breach of contract or violation of state consumer protection laws. Some state laws allow for the recovery of damages and attorneys' fees.[11] In the event of a class action lawsuit, a company's exposure could be quite substantial.
Is there a practical approach to avoiding unnecessary encumbrances in the first instance? The website privacy promise is a double-edged sword. Promising too much may result in overly burdensome encumbrances; promising too little may result in fewer customers and undesired FTC scrutiny. Compromise is the practical solution. For example, promising to not disclose information that is highly sensitive, such as credit card numbers, bank account numbers and social security numbers or other similarly sensitive information, makes good business and legal sense. However, reserving the right to disclose other information such as name, address and the goods or services purchased may also make good business sense. Also, regardless of what is promised, reserving the right to transfer the information in connection with a sale of the company or substantially all of its assets is of vital importance.
[3] The Federal Trade Commission Act (15 U.S.C.A. § 41 et seq.), among other things, prohibits unfair and deceptive practices in and affecting commerce. See report to Congress, Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress (May 2000), www.ftc.gov/reports/privacy2000/privacy2000.pdf.
[4] Pennsylvania is one of the most recent states to adopt such a law. See Pennsylvania's Breach of Personal Information Notification Act, 73 P.S. § 2301 (2005), which went into effect on June 20, 2006.
[5] Harris Interactive, Inc., Privacy Leadership Initiative: Privacy Notices Research Final Results, November 2001 (survey showed that only 3% read privacy policies carefully, and 66% only glanced at, or never read, privacy policies). Also see M. J. Culnan and G. R. Milne, The Culnan-Milne Survey of Consumers and Online Privacy Notices, Dec. 2001 (survey showed only 18% read privacy policies frequently or always, 31% read them sometimes, and 50% rarely or never read privacy policies).
[6] F.T.C. v. Toysmart.com, LLC, 2000 WL 1523287 (D. Mass. 2000).
[7] 15 U.S.C.A. § 45(a).
[8] See http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html for FTC cases involving the privacy of consumer information under Section 5 of the FTC Act.
[9] In re Matter of Gateway Learning Corp., Docket No. C-4120.
[10] In the Matter of The National Research Center for College and University Admissions, Inc., Docket No. C-4071.
[11] See, e.g., N.Y. Gen. Bus. Law § 349(h), which allows for actual damages or $50 (whichever is greater) and treble damages or up to $1,000 (whichever is greater) if the defendant acted willfully or knowingly. The court may award attorney fees if the plaintiff prevails.
[12] Utility Consumers' Action Network v. Sears, Roebuck & Co., Cal. Super. Ct., No. 306232 (Order Approving Settlement was entered on August 18, 2004).
[13] See, for example, In re Matter of Gateway Learning Corp., Docket No. C-4120.
Published October 1, 2006.