Wednesday 19 September 2012

Learning From Facebook's Mistakes

Observers of Internet trends often pronounce that privacy is a fiction and
that it is futile to try to reclaim it. Whether that perspective is correct
or not does not matter when faced with a Complaint issued by the Federal
Trade Commission (FTC). The Facebook Complaint and Consent Order recently
issued by the FTC provides valuable lessons for how to stay out of the FTC's
crosshairs. Internet attorneys, businesses, consultants and advisors should
study what the FTC views as deceptive in order to make necessary adjustments
to business plans and operations.

In the U.S., there is no federal law that requires a website to have a
privacy policy. However, California requires any website that collects
personally identifiable information from California residents to have a
privacy policy. Therefore, in practice, based upon the California law, most
websites would be required to have a privacy policy. As far as the FTC is
concerned (which operates on the federal level), there is no absolute
requirement to have a privacy policy, but if a website does have a privacy
policy, failure to comply with the policy will be considered a deceptive
practice in violation of the FTC Act. As will be explored below, the FTC is
not shy about splitting hairs in search of deceptive practice claims.

Below is a discussion of some of the more significant and relevant claims of
deceptive practices alleged by the FTC Complaint. It should be noted that in
the FTC Consent, Facebook denied all allegations.

1. Facebook privacy pages offered options to restrict profile information to
"Only Friends" or "Friends of Friends". However, even when such options were
selected, Facebook often still provided profile information to an
application that a Friend was using on their Facebook page. Such information
included a user's birthday, hometown, activities, interests, status updates,
marital status, education (e.g., schools attended), place of employment,
photos, and videos. Even though Facebook allowed users to restrict this
access through other pages, Facebook nevertheless represented, according to
the FTC, either expressly or by implication, that access could be limited to
"Friends" or "Friends of Friends" on the Profile Privacy Page, and did not
indicate that further actions would be required to restrict access to
applications of friends.

LESSON: As seen by the above claim, a disconnect between the Privacy Policy
and the technical personnel implementing strategies can result in a claim by
the FTC for deceptive practices. Furthermore, statements in a Privacy Policy
must be vetted to verify that they do not claim, or appear to claim, a
higher level of privacy than is actually provided.

2. In November 2009, Facebook changed its privacy policy to designate
certain user information as "publicly available," a change that applied
retroactively to information provided by users prior to the change. For
instance, many users selected privacy settings to (i) restrict profile
information from applications used by a Friend, (ii) restrict their Friends
List, and (iii) restrict access to profile pictures and pages from users
using the "search" function. To implement the privacy changes, Facebook
required each user to click through a multi-page notice, known as the
"Privacy Wizard." According to the FTC, the Privacy Wizard did not disclose
adequately that users no longer could restrict access to the
newly-designated publicly available information via their profile privacy
settings or that their existing choices to restrict access to such
information via these settings would be overridden.

The FTC alleged that the Privacy Wizard, either explicitly or by
implication, indicated that users would have "more control" over their
privacy settings than under the prior settings, which the FTC claimed was
not the case. Facebook did not adequately explain that the new changes overrode
prior settings as to name, profile picture, gender, friend list, pages, or
networks. The FTC claimed that Facebook's failure to adequately disclose
these facts, in light of the representations made, constituted a deceptive
act or practice.

LESSON: Changes made retroactively to prior privacy settings without
informed consent amount to an unfair act or practice. The FTC requires
that (i) material changes to a Privacy Policy be conspicuously disclosed,
(ii) users affirmatively opt-in to material changes that affect personally
identifiable information previously collected, and (iii) material changes to
Privacy Policies be explained clearly and truthfully. As a note, the
simplest way to obtain affirmative consent is to direct the user, the next
time he or she comes to the website, to an explanatory process that gives
the option to consent to the new changes.

3. The FTC Complaint cites numerous statements from Facebook that, even
though non-identifiable information is shared with advertisers so that they
can provide advertisements targeted to the particular user,
personally identifying information is never provided to an advertiser
without prior consent of the user. However, the FTC noted that if ads were
clicked, then Facebook would provide to the advertiser a unique ID that
Facebook assigns to each user. Apparently, advertisers could use the ID to
identify the person. Then they could match the criteria that they had
selected for serving ads to that person (e.g., if the ad targeted
23-year-old men who were "Interested In" men and "liked" a prescription
drug, the advertiser could ascribe these traits to a specific user), plus
the date, time and ad visited. Over time, additional traits could be
identified.

LESSON: This Claim is the easiest to understand and comply with. Personally
identifiable information can only be disclosed as set forth in a Privacy
Policy or in a manner otherwise consented to by the user.

BOTTOM LINE: Privacy Policies must be carefully drafted, and be clear and
accurate. Management and technical personnel should review and confirm the
contents of the Privacy Policy. Privacy Policies should be regularly
reviewed to verify that procedural or technical changes are reflected in the
Privacy Policy. Material changes to a Privacy Policy that affect previously
collected personal user information require affirmative consent from the
users. As a result of the FTC Consent, Facebook is now subject to detailed
scrutiny and reporting for the next 20 years. It's important to keep up with
changing Internet laws.

If you have any questions or comments please contact me.

Regards, Gerald

Website: http://www.webcraft.ws
E-mail: gerald@webcraft.ws
Twitter: WebcraftGuru
Facebook: Webcraft Guru

