Privacy Policies: Don't Promise What You Can't Deliver

The Federal Trade Commission (FTC) has taken a number of enforcement actions against companies alleging that specific statements in their privacy policies were “deceptive.”  Most companies with a significant web presence post their privacy policies online, and many that do not should. Several laws may require a company to provide a privacy notice, and posting one online remains an easy and inexpensive way to disseminate it.  Laws that require a privacy notice include the Children’s Online Privacy Protection Act, the California Online Privacy Protection Act, the Gramm-Leach-Bliley Act, HIPAA, and the Fair Credit Reporting Act.

However, simply cutting and pasting someone else’s privacy policy onto your site is unwise and can itself lead to an FTC enforcement action: you inherit every promise in that policy, whether or not your company actually has the practices and safeguards to keep it.

As an illustration, one recent enforcement action against Twitter highlighted a statement in the company’s privacy notice: “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”  The FTC alleged that this statement was deceptive, yet many websites use similar language.  What about it triggered FTC action?  Although the statement implied otherwise, Twitter had not implemented a “reasonable” security program to back up its promise of protection; it then suffered a breach that made headlines, which attracted the FTC’s attention.

The FTC took issue with Twitter’s failure to keep its systems secure when contrasted with its public statement of concern for users’ privacy, and charged the company with a violation of Section 5 of the FTC Act.  Had Twitter not made that statement, the breach alone most likely would not have supported the deception charge the FTC brought.

Past FTC enforcement has tended to focus on overly broad and unrealistic promises (e.g., “We will never disclose your personal information to a third party without your consent.”).  The problem is that promises like these are virtually impossible to keep in an environment in which disgruntled ex-employees, consultants, third-party service providers, and hackers might all gain access to the data.

Broad privacy promises create problems beyond government enforcement actions.  A series of bankruptcy cases has established that a debtor’s customer list may not be sold if that disclosure would contradict statements made in its consumer privacy notice.  Taken together with the pattern of FTC enforcement, these cases make the legal exposure from overly broad privacy policy statements significant.


Author: Seth Heyman
Seth D. Heyman is a California attorney with extensive experience in advertising and marketing law, corporate law, contracts, governmental regulations, international business, and Internet law. He has counseled numerous successful companies, both public and private, and was responsible for regulatory compliance, contract management, corporate governance, and HR best practices for multiple organizations in many diverse industries, including marketing, telecommunications, energy, and technology development. He offers insight and guidance on federal and state direct mail, TV, radio, telemarketing, and Internet marketing laws, as well as online promotions, Internet privacy, data protection regulations, and similar matters.