Website Privacy Policies: Beware of Changes

If you operate a web site, you should take note of a recent Federal Trade Commission ("FTC") consent order, In re Gateway Learning Corp., which is the first FTC case to challenge deceptive and unfair practices in connection with material changes to an online privacy policy.

FTC's Complaint

Specifically, the FTC's complaint charged Gateway Learning Corporation ("Gateway Learning") deceived consumers by materially changing its already established privacy practices, revising its privacy policy to reflect these revisions, and retroactively applying the materially different privacy terms to personal information that was collected from consumers under the original privacy policy.

According to the FTC, prior to June 2003, Gateway Learning stated in its "Hooked on Phonics" online privacy policy that it would not sell, rent, or loan customer identifying information without consent; that it would not provide information about children under 13 for any purpose; and that consumers would be given the chance to opt-out of any changes to Gateway Learning's information sharing policy. Beginning in April 2003, however, Gateway Learning began renting consumer information, including information about children, to specific marketers. In June 2003, Gateway Learning revised its privacy policy to state that it would from time to time provide customer information to "reputable companies" but neither contacted existing customers about the material change nor highlighted this change on the web site. On July 1, 2003 Gateway Learning stopped renting consumer information.

Settlement Agreement

In the settlement agreement, Gateway Learning is barred from: (1) making misrepresentations about how it will use consumer data, (2) sharing any personal information it collected under the earlier privacy policy without express consent from consumers, and (3) applying future material changes to its privacy policy retroactively without consumer consent. Gateway Learning was also required to give up the money earned from the rental of consumers' information.

Lessons Learned

The lessons learned are that a web site must take steps to ensure that it fully complies with each promise set forth in its posted policy privacy and elsewhere on the web site, and that a web site cannot change its privacy practices without consumer consent. A mere statement in a privacy policy that the web site may change its policies and post those changes on the web site does not give the web site the right to retroactively apply the changes to data previously collected. Web sites should also evaluate how they notify consumers when a privacy policy is revised.

As Howard Beales, Director of the Bureau of Consumer Protection, said in the FTC press release: "It's simple-if you collect information and promise not to share, you can't share unless the consumer agrees .... You can change the rules but not after the game has been played."

Accordingly, owners of web sites would be wise to contact counsel before revising its posted privacy policy or changing its practices with regard to the use of information collected from consumers.

Courtesy of Justine Young Gotshall. Copyright 2004 Wildman, Harrold, Allen & Dixon LLP.