Website Privacy Policies: Beware Of Encumbrances On Use Of Customer Information

Over the last few years, the concept of privacy, particularly with respect to the Internet, has evolved rapidly. Federal and state laws, such as the Gramm-Leach-Bliley Act[1] and the California Online Privacy Protection Act of 2003,[2] require certain companies to post or otherwise disclose their privacy practices. To no real surprise, the Federal Trade Commission (FTC) has recommended increased disclosure to consumers of how companies collect and handle customer information obtained through websites.[3] Identity theft is on the rise, and many states have adopted laws mandating notification of consumers in the event of a security breach involving certain personal information.[4] Privacy law is front and center.

In response to new laws, heightened consumer awareness and general media buzz concerning privacy, including some highly publicized privacy cases, some companies may rush to say what they believe customers want to hear: "We will never share or sell your information and will not change our privacy practices without your consent." Is this what customers want to hear? Perhaps, but many of them never hear this message, because only a small percentage of customers read and pay close attention to website privacy policies.[5] The end result is that this kind of statement may generate little customer goodwill while leading to a costly and potentially disastrous encumbrance of valuable customer information. Even if the encumbrance can later be removed, doing so may have serious legal and financial implications for the company.

One of the first cases to deal with the transfer of consumer information in contravention of express promises to the contrary in a privacy policy was the Toysmart.com case.[6] In May 2000, Toysmart.com, struggling to remain solvent, attempted to sell all of its assets, including its customer information. Upon learning of the proposed sale, the FTC brought an action under section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce."[7] The FTC argued that Toysmart.com could not complete the sale because doing so would breach Toysmart.com's privacy promise to its customers, which would amount to an unfair or deceptive business practice. Toysmart.com, in its privacy policy, had promised customers, "When you register with Toysmart.com, you can rest assured that your information will never be shared." The FTC and Toysmart.com reached a settlement under which Toysmart.com was permitted to sell the customer information only to a "qualified buyer" who would agree to abide by Toysmart.com's privacy policy. The practical effect was that the value of the information was diminished, because the buyer had to agree to be bound by the same encumbrances. For example, the buyer could not rent the customer information to third parties, a practice that might otherwise have been permitted and profitable.

Building on the Toysmart.com case, FTC enforcement has continued and has resulted in successful actions against several other companies that have attempted to unilaterally change, or simply chosen not to comply with, privacy policy promises.[8] Since disgorgement is one of the FTC's remedies, the risk cannot be taken lightly.

In the Gateway Learning Corp. case,[9] the FTC again alleged a violation of section 5 of the FTC Act. According to the FTC, Gateway Learning Corp., in its privacy policy, promised, "We do not sell, rent or loan any personally identifiable information regarding our consumers with any third party unless we receive customer's explicit consent." The FTC alleged that Gateway Learning Corp. subsequently modified its privacy policy to allow it to share information with "reputable companies," that it did not notify customers that its privacy policy had changed, and that retroactive application of a materially changed privacy policy was unfair. Under the terms of a settlement agreement, Gateway Learning Corp. was prohibited from sharing any of its customer information unless it first obtained express affirmative "opt-in" consent from customers, and could not retroactively apply future material changes to its privacy policy unless it first obtained customer consent. Additionally, Gateway Learning Corp. was required to surrender the $4,608 it had earned from renting customer information.

Similarly, in The National Research Center for College and University Admissions, Inc. case,[10] the FTC alleged that the defendants violated section 5 of the FTC Act by collecting personal information from high school students, claiming that they would share the information only with colleges, universities and others providing education-related services, and then selling the information to commercial entities for marketing purposes. Under a consent agreement, the defendants were barred from using the previously collected information for non-education-related marketing purposes.

Companies that promise too much and then change their privacy policies also open themselves up to direct actions by aggrieved consumers. Consumers may have standing to sue for breach of contract or for violation of state consumer protection laws, some of which allow for the recovery of damages and attorneys' fees.[11] In the event of a class action lawsuit, a company's exposure could be quite substantial.

One such case involved Sears, Roebuck & Co.[12] In September 1999, a group of Sears customers sued Sears, alleging that it had inappropriately disclosed customer information to its affiliates and third parties and had misrepresented the scope and nature of its customer privacy policy. Plaintiffs alleged that such disclosures violated Sears' privacy policy and California law. The parties reached a settlement agreement under which Sears agreed to modify its privacy policy and to provide each member of the class a choice of either (i) a $10 certificate and a 15% discount voucher, or (ii) a $15 certificate.

Adding greater complexity to this issue is the fact that most companies receive customer information through multiple channels: telephone, e-mail, mail, web and in-store purchases. A company therefore needs to decide whether information received through means other than the website should be covered by the website privacy policy. If the policy says it applies to all information the company gathers from customers, a court may find that it applies to all such information, whether or not that was intended. A privacy policy that promises too much and extends to all corners of the company may be inconsistent with the company's overall business goals, particularly long-term goals such as a merger, acquisition or other strategic affiliation that requires sharing customer data for co-branding or cross-marketing. A blanket policy may also not allow sufficient flexibility if the company wants to make distinctions among divisions or product lines concerning how customer information will be used.

For a company that desires to remove a website privacy policy encumbrance, the removal should be done in a coordinated manner involving the company's technical, business and legal functions. The first step is to prevent the encumbrance from attaching to new customers: a new privacy policy for new customers should be introduced, and it should be clearly explained to new customers that they are subject to the new policy and not the old one.

With respect to the customer data associated with the old privacy policy, the steps to be taken depend on the language of the old policy. The old privacy policy should remain on the website, because it still applies to customers who became customers under it. If the old privacy policy requires customer consent to any changes involving the use or disclosure of customer information, then the prudent approach is to obtain express, affirmative consent from each customer. Simply giving customers the right to opt out of a new policy is insufficient under recent FTC cases.[13] Obvious methods include sending an e-mail and asking for consent; to encourage customers to consent, a coupon or other product discount could be offered. In the alternative, the company could wait until the customer returns to make a new purchase, at which time the customer could be notified (before completing the purchase) that the company has updated its privacy policy and is requesting the customer's consent to the change. A more aggressive approach would be to inform the customer of the new policy at the time of a new purchase and explain that completing the purchase will signify consent to the new privacy policy with respect to all information (past and present).

The more aggressive of these two approaches may be called into question, but given the quid pro quo context, and provided that the changes to the privacy policy have been described to the customer, reasonable arguments could be made that the process was fair (i.e., the customer had the option not to proceed with the purchase and in effect not be bound by the new privacy policy).

Obviously, in any transaction involving a company that holds consumer information, the other party needs to be diligent and determine whether any such encumbrance exists or existed. While a company's current website privacy policy may not create such encumbrances, a previous website privacy policy (or a separate privacy policy mailed to customers) may have created an encumbrance that was never properly removed. Due diligence should therefore include a review of the company's entire history of customer information privacy practices, both online and offline. Of course, appropriate representations and warranties concerning privacy laws and customer information should also be sought.

Is there a practical approach to avoiding unnecessary encumbrances in the first instance? The website privacy promise is a double-edged sword. Promising too much may result in overly burdensome encumbrances; promising too little may result in fewer customers and unwanted FTC scrutiny. Compromise is the practical solution. For example, promising not to disclose highly sensitive information, such as credit card numbers, bank account numbers, Social Security numbers or other similarly sensitive information, makes good business and legal sense. However, reserving the right to disclose other information, such as name, address and the goods or services purchased, may also make good business sense. Also, regardless of what is promised, reserving the right to transfer the information in connection with a sale of the company or substantially all of its assets is of vital importance.

In sum, a company can avoid creating a website privacy policy that places undesired encumbrances on customer information by carefully considering the types of customer data that are collected and taking into account both short-term and long-term legal and business goals.

[1] 15 U.S.C.A. 6801-6809 (imposing affirmative and continuing obligations on financial institutions to respect the privacy of customers and to protect the security and confidentiality of customers' nonpublic personal information).
[2] California Business and Professions Code, 22575 et seq. (imposing affirmative and continuing obligations on an operator of a commercial website or online service that collects information concerning California consumers to, among other obligations, post, or make available, its privacy policy on its website).
[3] The Federal Trade Commission Act (15 U.S.C.A. 41 et seq.), among other things, prohibits unfair and deceptive practices in and affecting commerce. See Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress (May 2000), www.ftc.gov/reports/privacy2000/privacy2000.pdf.
[4] Pennsylvania is one of the most recent states to adopt such a law. See Pennsylvania's Breach of Personal Information Notification Act, 73 P.S. 2301 (2005), which went into effect on June 20, 2006.
[5] Harris Interactive, Inc., Privacy Leadership Initiative: Privacy Notices Research Final Results, November 2001 (survey showed that only 3% read privacy policies carefully, and 66% only glanced at, or never read, privacy policies). See also M. J. Culnan and G. R. Milne, The Culnan-Milne Survey of Consumers and Online Privacy Notices, Dec. 2001 (survey showed only 18% read privacy policies frequently or always, 31% read them sometimes, and 50% rarely or never read privacy policies).
[6] F.T.C. v. Toysmart.com, LLC, 2000 WL 1523287 (D. Mass. 2000).
[7] 15 U.S.C.A. 45(a).
[8] See http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html for FTC cases involving the privacy of consumer information under section 5 of the FTC Act.
[9] In the Matter of Gateway Learning Corp., Docket No. C-4120.
[10] In the Matter of The National Research Center for College and University Admissions, Inc., Docket No. C-4071.
[11] See, e.g., N.Y. Gen. Bus. Law 349(h), which allows for actual damages or $50 (whichever is greater) and permits the court to increase the award to up to three times actual damages, not exceeding $1,000, if the defendant acted willfully or knowingly. The court may award attorneys' fees if the plaintiff prevails.
[12] Utility Consumers' Action Network v. Sears, Roebuck & Co., Cal. Super. Ct., No. 306232 (Order Approving Settlement entered August 18, 2004).
[13] See, e.g., In the Matter of Gateway Learning Corp., Docket No. C-4120.
