FTC to DMers: 'Keep Your Privacy Promises'Direct marketers collecting data both online and offline had better be sure to keep any promises made in privacy policies. That's the word from a Federal Trade Commission official.
The agency's privacy agenda was the topic in a luncheon speech given by Howard Beales, director of the bureau of consumer protection at the FTC, which he made at the annual meeting of the Promotion Marketing Society in Washington on Dec. 5.
In October, FTC chairman Timothy J. Muris said the enforcement of existing privacy laws and posted privacy policies would be a focus of the agency under his privacy agenda. Muris, a Republican, was sworn in as the 55th FTC chairman June 4, replacing Clinton appointee Robert Pitofsky and giving Republicans a 3-2 majority on the commission.
Until now, privacy policies have applied to online activities only, whereas offline privacy has been considered almost entirely unregulated.
Marc Roth, an Internet marketing attorney at New York's Brown Raysman Millstein Felder & Steiner LLP, who attended the speech said Beales' remarks hinted that the FTC believed offline practices were unfair.
"Someone at the luncheon asked if the FTC had any intention to take any action against companies for their offline privacy practices," said Roth, who is also a former FTC staffer, who "His comments to me suggested that the FTC might view offline data practices to be unfair or deceptive in some way."
Though marketers are not required by law to post online or offline privacy policies, it seemed to Roth that marketers potentially face liabilities for omissions, based on Beales' comments.
In a clarification of his remarks, Beales told DM News, "The message here is keep your promises. If the promise is we won't share information, then I don't care where they got that information. If they shared it, they broke the promise. If the promise is we don't share information collected on this Web site, then that's the promise they have to honor. The starting point is what did the company promise."
Though many companies specify that privacy policies posted on their Web sites apply to online practices only, Pat Faley, vice president for ethics and consumer affairs at the Direct Marketing Association, recommended that DMA members review their policies to be sure.
"What I would say to members is make sure that when you state your online policy that it's clear that it applies only to the online segment of your market," she said.
This does not necessarily mean that offline data practices are completely off the hook.
"The focus of our privacy agenda is the consequences of information misuse, and the consequences are the same however you got the information," Beales said.
In other words, data collected offline by unfair or deceptive means will be under scrutiny. Still, the majority of traditional direct marketers have nothing to fear in that arena.
"There are a whole lot of lists that trade every day in the list business that there really aren't any of those issues with," Beales said.
DMA members might even be one step ahead in regard to their offline data practices. Under the DMA's Privacy Promise, by which members must abide, direct marketers are required to provide an annual notice to customers about data sharing with third-party firms.
"The FTC is being very thoughtful about this whole issue," Faley said, "and I don't expect we'll see rapid changes or changes without consultation."