The Perils of Privacy Policy Changes

Let us consider the following hypothetical. You have spent time implementing your Web site privacy policy and have ensured that it reflects the actual practices conducted at your site.

Now, owing to changed circumstances in how your company collects, stores and discloses your customers’ data, you think it is time to update your policy. As diligent as your company has been in drafting its initial privacy policy, you have recognized the business reality that a company’s consumer data usage practices evolve over time.

Accordingly, you wish to heed the admonitions that if a company fails to update its policy to reflect its new practices, it may expose itself to lawsuits and regulatory actions.

What you might not be aware of, however, is a new dilemma in the privacy policy arena: Choosing to update a policy to reflect new practices could expose you to the same legal actions you were seeking to avoid.

Amazon, the 800-pound gorilla of e-tailers, very publicly changed its privacy policy Aug. 31 by classifying customer information as a “business asset,” thus making the data of Amazon’s users transferable to third parties if Amazon or one of its business units were acquired.

Amazon’s new policy also permitted it to share user data with its growing list of partners and affiliates while providing its users with little control over such data sharing. Amazon posted conspicuous notices of the policy change on the Amazon site and went so far as to e-mail each registered user about the policy changes.

Amazon, more than likely, was responding to a Federal Trade Commission lawsuit against earlier this year when the failed site attempted to sell its users’ names, personal data and usage patterns as business assets in its bankruptcy case. While Amazon may have expected some approval for taking the proactive step of modifying its policy to accord with the evolution of its business model and for making such change public, it instead was excoriated for its actions.

Two privacy watchdog groups, the Electronic Privacy Information Center and Junkbusters, have recently taken Amazon to task for not allowing its users to expressly consent to or opt out of its new policy and for reneging on its original promise that it would never sell, trade or rent personally identifiable consumer data.

They further chastised Amazon for removing the option previously provided to users to bar prospective transfers of their data to third parties.

EPIC and Junkbusters have requested that the FTC, and some international enforcement agencies, investigate Amazon for what they claim is tantamount to a massive bait-and-switch tactic.

The prospect and outcome of any legal action against Amazon for changing its privacy policy are far from certain. There is simply little guiding precedent in this area. Any formal investigation of Amazon by the FTC likely would provide the first legal standards for what may and may not be done without risking legal liability. That said, there are already lessons that can be learned from Amazon’s missteps:

• Consider whether modifying your privacy policy is necessary at all, and if so, whether notifying your customers of such change is appropriate.

Existing law provides some guidance. The Children’s Online Privacy Protection Act requires Web site and online service operators to provide notice of a material change to their privacy policy to parents of children about whom personally identifiable information was previously provided. Generally, a material change is one that a person would reasonably wish to be advised of before continuing to disclose personal data or allowing you to reveal usage patterns.

In Amazon’s case, the policy change clearly was necessary to reflect its radical change in how it would use the data. In other cases, the changes may be so immaterial that drafting a new privacy policy may not be justified and may even risk needlessly upsetting or confusing your users or unnecessarily attracting the attention of privacy watchdogs.

• Consider doing what Amazon did not. Allow your users to expressly agree to the new policy and to opt out of any change. One of the main industry guidelines for the fair use of consumer information is to provide consumers with choice. Notifying customers of a material change in your privacy policy will do little to insulate you from their wrath (or that of the courts) if you do not give them the option to remain users under the original terms pursuant to which they first came to you.

This may create technological nightmares; you no longer will be able to treat all of your user data the same, but considering the alternative, it may be a small price to pay.

• Segregate your user data. Unless you provide notice of a material change to your customers and allow them to either opt out of or opt in to such changes, you may not presume they have agreed to such changes. This will require maintaining a “two-bucket” system: The first bucket will contain all the user data collected prior to the change in your privacy policy, and the second will contain only data collected after the policy change.

Letting user data slosh from one bucket to another may expose you to risk; keeping the contents of the buckets separate will help ensure that you use your customers’ personal data only in the manner consented to.
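The two-bucket segregation described above, sketched as an added example that is not part of the original article: each record is stamped with the policy version governing that user at collection time, and a use is permitted only if that version, or a later one the user expressly extended to earlier data, allows it. The policy catalogue, purpose names, users and the `covers_prior_data` flag are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed catalogue (assumption): the uses each policy version permits.
POLICY_PURPOSES = {
    1: {"order_fulfilment"},                      # original policy
    2: {"order_fulfilment", "partner_sharing"},   # revised policy
}

@dataclass(frozen=True)
class Record:
    user_id: str
    name: str
    value: str
    collected_under: int  # bucket: policy version governing the user at collection

@dataclass
class ConsentLedger:
    current: dict = field(default_factory=dict)      # version applied to new collection
    retroactive: dict = field(default_factory=dict)  # version expressly extended to old data

    def enroll(self, user_id, version):
        self.current[user_id] = version

    def opt_in(self, user_id, version, covers_prior_data=False):
        self.current[user_id] = version
        if covers_prior_data:
            self.retroactive[user_id] = version

def collect(ledger, user_id, name, value):
    # Stamp the bucket at write time; an unknown user raises KeyError (fail closed).
    return Record(user_id, name, value, ledger.current[user_id])

def may_use(ledger, record, purpose):
    # Old-bucket data changes bucket only on express consent covering prior data.
    governing = max(record.collected_under, ledger.retroactive.get(record.user_id, 0))
    return purpose in POLICY_PURPOSES.get(governing, set())

def demo():
    ledger = ConsentLedger()
    early = ("alice", "carol", "dave")             # signed up under the original policy
    for user in early:
        ledger.enroll(user, 1)
    records = [collect(ledger, u, "email", f"{u}@example.test") for u in early]
    ledger.enroll("bob", 2)                        # new user after the policy change
    ledger.opt_in("carol", 2, covers_prior_data=True)
    ledger.opt_in("dave", 2)                       # agrees going forward only
    records.append(collect(ledger, "bob", "email", "bob@example.test"))
    records.append(collect(ledger, "dave", "phone", "555-0100"))
    return [(r.user_id, r.name) for r in records if may_use(ledger, r, "partner_sharing")]
```

Alice, who never responded to the notice, stays entirely in the first bucket, and Dave's earlier e-mail address stays there too even though data he supplies after opting in lands in the second.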

• Maintain consistency in the use of your customers’ data. When Amazon changed its policy to allow its user information to be deemed a business asset, one could argue that it was only clarifying what is regarded as acceptable general business practice — that in the unlikely event it were to be acquired, Amazon, like any other business, would have to transfer whatever could be deemed an asset.

However, when Amazon also changed its policy to allow for transfer of user data to its “trusted partners,” all semblance of from the old policy to the new policy disappeared. Without overwhelming reasons to make such an about-face, it may be best to stick with the policies to which your company initially committed.

Business realities may require certain changes in the use of your customers’ data, but undoing the trust that has built up between your customers and you may require more modest and incremental changes than initially desired. Where reputation is everything online, it is best to balance the benefits of information flow and user personalization against users’ very real expectations of privacy.

• Marc Roth is an attorney at Brown Raysman Millstein Felder & Steiner LLP. Jonas Kant, an associate at the firm, assisted in the preparation of this article.
