Do I really have to obtain consent from all my customers to make a change to my privacy policy?

"Do I really have to obtain consent from all my customers to make a change to my privacy policy?  No one else seems to be following that rule."

We get this question all the time.  It is understandable, given that we often watch Web-based companies expand their usage of consumer data without the affirmative consent of their users.  (In other words, they add a new offering to their service that expands their use or sharing of consumer data, and they default their users into the new offering.) Sometimes they back off temporarily when faced with media backlash or Congressional or regulatory scrutiny, but the pattern nonetheless persists in the long term.  Sometimes we scratch our heads in wonder, since the FTC has taken the position in countless actions for over a decade that if you make a material, adverse, retroactive change to your privacy policy, you need to obtain consent from consumers to apply your new policy to the data you collected under your old policy.

Last week, the FTC gave us their latest message.  This time, it took the form of a settlement with Facebook in an action alleging that Facebook engaged in unfair and deceptive trade practices by, among other things, altering or enhancing their service in a manner that expanded their sharing of user data, without obtaining the consent of their users.  (See our recent blog post detailing the settlement in full.)

In Facebook’s defense, they actually did, at least in some instances, take steps to obtain the consent of their users by requiring users to click through a multipage Privacy Wizard that walked users through the revised privacy settings.  However, the FTC alleged that the Privacy Wizard process was in itself deceptive, since the explanatory wording used on the Wizard spun the changes as affording more control on the part of users, when in fact, according to the FTC, the changes reduced user control over how their data would be shared with third parties and overrode users’ existing privacy settings.  

Under the terms of Facebook’s settlement with the FTC, Facebook denied all the FTC’s legal and factual allegations (with the exception of those regarding jurisdiction), so an outsider’s only way of knowing the facts at hand is through his experience as an observant user of Facebook over the course of years, or, alternatively, trust in the accuracy of media coverage of Facebook’s privacy changes over the last several years.

It is worth noting that Facebook is not required to pay a fine under the settlement.  However, as part of the settlement, Facebook is required to suffer the scrutiny of the FTC for the next twenty years. For example, as is characteristic of the FTC’s privacy settlements, Facebook must retain an independent third party to assess and report on its privacy practices biennially.  It also must implement a privacy program that entails taking a “privacy-by-design” approach to its product development going forward, and it must retain for the FTC’s review: (i) all widely disseminated materials relating to its privacy practices and changes thereto, including any backup materials, for the next three years; (ii) all consumer complaints for six months after receipt; (iii) all documents prepared by or on behalf of Facebook that contradict, qualify or call into question its compliance with the settlement terms for five years from receipt thereof; (iv) documentation of changes that Facebook makes to its privacy policies along with documentation of users’ consent and their settings prior to consent for three years from the date of such documents’ preparation or dissemination; and (v) all backup materials of its biennial privacy assessments for three years after each such assessment.

What is the takeaway for other businesses?  One, the FTC wants businesses to disclose important changes in their privacy practices (such as how they share data with third parties) conspicuously, and not merely in their privacy policies and other legal boilerplate.  Two, the FTC wants businesses to obtain affirmative consent from their customers when they make material adverse retroactive changes to their privacy policies. (They can obtain user consent the next time the user interacts with the business, such as when the user returns to the business’s Web site.) Three, the FTC wants businesses to be upfront and straight with their customers when they solicit their consent to new uses they want to make of user data – not to “spin” changes that expand the business’s usage rights as if they are enhancing user privacy.  

It is worth noting that the statute that the FTC invokes to set these standards (the FTC Act) does not contain any of these requirements.  It simply prohibits unfair and deceptive trade practices.  Yet, each time we see an example of the FTC’s enforcement of this law in the privacy space, we learn something about the FTC’s interpretation of the law.  (It is not often challenged, although it could be by a defendant so inclined.) And anything new and interesting we learn from these settlements is what we at Proskauer impart to you.
 

Flash Cookies -- Back on the Radar

 

When Flash cookies (also known as “Local Shared Objects”) were first flagged as a privacy issue back in 2005, a few savvy companies added a disclosure about Flash cookies into their web site privacy policies. Since then, we have not heard the issue raised again. Now this sleeper issue seems to have been awakened by a recent report by researchers at the University of California, Berkeley, entitled Flash Cookies and Privacy.

Flash cookies, which utilize a little-known capability of Adobe’s Flash plug-in, are a method to store information about a user’s preferences. (Estimates suggest that Adobe’s Flash software is installed on some 98 percent of personal computers.) Flash cookies may be used to provide better functionality to the user by, for example, storing the user’s preferences about sound volume or caching a music file for smoother play-back over an unreliable network connection. Flash cookies may also be used as unique identifiers that enable advertisers to track user preferences and circumvent deletion of HTTP cookies. Because Flash cookies are stored in a different location than HTTP cookies on one’s personal computer, simply erasing HTTP cookies, clearing browser history, or deleting the cache does not remove Flash cookies.

The Flash Cookies and Privacy report found that 54 of the top 100 websites utilized Flash cookies. Some of the Flash cookies found by the researchers were used for function-improving purposes, while others were found to store unique identifiers, which could be used to track the user. Moreover, some of the Flash cookies that stored unique identifiers were used to recreate an HTTP cookie after its affirmative removal by the user (so-called “respawning”). Research also revealed that privacy policies of the top 100 websites surveyed generally did not mention the use of Flash as a tracking mechanism – indeed, only 4 policies reviewed by the study included such a disclosure.
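
For a website operator or auditor who wants to check whether a site exhibits the respawning behavior described above, the test reduces to comparing three snapshots of browser state: before the user clears HTTP cookies, right after clearing, and after the next visit. The following is an added example, not code from the report or from this post; the snapshot structure, site names and identifier values are constructed, and the minimum-length threshold is an assumption.

```python
# Added example: flag HTTP cookies that were respawned from Flash LSO data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    """Browser state at one point in time; dict keys are (domain, name)."""
    http_cookies: dict
    flash_lsos: dict

def find_respawned(before, after_clear, after_revisit, min_len=8):
    """Return (cookie_domain, cookie_name, value, lso_domain, lso_key) tuples.

    A cookie is reported when it held an identifier before the user cleared
    HTTP cookies, was gone right after clearing, came back on the next visit
    with the same value, and that value sits in an LSO that survived clearing.
    """
    findings = []
    for (domain, name), value in sorted(after_revisit.http_cookies.items()):
        if len(value) < min_len:
            continue  # short values such as "1" or "70" collide by chance
        if before.http_cookies.get((domain, name)) != value:
            continue  # a fresh identifier, not a restored one
        if (domain, name) in after_clear.http_cookies:
            continue  # the cookie was never actually deleted
        for (lso_domain, key), lso_value in sorted(after_clear.flash_lsos.items()):
            if lso_value == value:
                findings.append((domain, name, value, lso_domain, key))
    return findings

# Constructed sample data: two hypothetical sites, three snapshots.
LSOS = {
    ("tracker.example", "uid_backup"): "a81f3c9e27d04b65",  # identifier copy
    ("player.example", "volume"): "70",                      # plain preference
}
BEFORE = Snapshot(
    {("tracker.example", "uid"): "a81f3c9e27d04b65",
     ("player.example", "session"): "5d2e90b17c3a4f08"},
    LSOS,
)
AFTER_CLEAR = Snapshot({}, LSOS)  # HTTP cookies erased, Flash storage untouched
AFTER_REVISIT = Snapshot(
    {("tracker.example", "uid"): "a81f3c9e27d04b65",      # same value is back
     ("player.example", "session"): "91c4b7720e6d4a3f"},  # new value issued
    LSOS,
)

if __name__ == "__main__":
    for finding in find_respawned(BEFORE, AFTER_CLEAR, AFTER_REVISIT):
        print("respawned:", finding)
```

The function-improving Flash cookie (the stored volume preference) and the freshly issued session cookie are not flagged; only the identifier that returns unchanged and is mirrored in Flash storage is reported.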

The report is already making some waves: QuantCast, a company that measures web destinations and internet use, has said that it stopped its practice of using Flash cookies to respawn HTTP cookies after the report, which specifically named QuantCast, was released. And the timing of the report coincides with Congress and federal regulators examining behavioral advertising. 

Computer users should be aware of the presence of Flash cookies and, if desired, visit Adobe’s website to learn how to disable Flash cookies. Website operators should, as a best practice, disclose their use of Flash cookies in their privacy policies, including information about how Flash cookies are used and how users can opt out or remove them. 
