- November 21, 2010
- Posted by: Seth Heyman
- Category: Business Law
The Federal Trade Commission (FTC) has taken a number of enforcement actions against various companies alleging that specific statements in their privacy policies were “deceptive.” Most companies that have a significant web presence post their privacy policies online (and many that do not, most certainly should). There are several laws that may require companies to provide a privacy notice, and posting one online remains an easy and inexpensive way to disseminate it. A few of the laws that require a privacy notice include the Children’s Online Privacy Protection Act, the California Online Privacy Protection Act, the Gramm-Leach-Bliley Act, HIPAA, and the Fair Credit Reporting Act.
As an illustration, one recent enforcement action against Twitter highlighted a statement in the privacy notice saying, “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.” The FTC alleged that this statement was deceptive; however, many websites use similar language. What is it about this statement that triggered FTC action? Apparently, although the statement implied otherwise, Twitter in fact failed to implement a “reasonable” security program to back up its promise of privacy protection, suffered a breach that made headlines, and thus attracted the FTC’s attention.
The FTC took issue with Twitter’s failure to keep its system secure when contrasted with the company’s public statement of concern for users’ privacy and charged it with a violation of the FTC Act. So if Twitter hadn’t made that statement, the fact that it suffered a breach most likely would not have resulted in the FTC action.
Past FTC enforcement has tended to focus on overly broad and unrealistic promises (e.g., “We will never disclose your personal information to a third party without your consent.”). The problem is that statements such as these are virtually impossible to enforce in an environment in which disgruntled ex-employees, consultants, third-party service providers, and hackers might access data.