Know your Privacy Policy and Practices: An Important Reminder Illustrated by Recent FTC Actions

The Federal Trade Commission’s (“FTC”) announcement last week of settlements with 13 separate companies for charges of falsely advertising certification with the U.S.-EU and/or U.S.-Swiss Safe Harbor Frameworks (“Safe Harbors”) – some of which never existed but several of which had simply lapsed – serves as a reminder that businesses should periodically and often review their online privacy policies (“PP”). During this review, businesses should ensure that: (i) they are following all of the stated provisions of the PP; (ii) the PP accurately reflects current business practices, technologies used on the applications, websites or other online services (“Online Services”), and business arrangements with third parties; and (iii) the PP remains current with regard to applicable laws, regulations and self-regulatory programs for which the Online Services are subject. A look at recent FTC actions illustrate the importance of this review.

1. Follow Provisions in the PP

The 13 settlements related to Safe Harbors show the significance of following all of the stated provisions in a company’s PP. The FTC accused these companies of misleading consumers by claiming certification as members of Safe Harbors when certifications had not been renewed or the companies never applied for membership in the programs. The U.S.-EU and U.S.-Swiss Safe Harbor Frameworks are international privacy frameworks that enable U.S. companies to transfer consumer data from the European Union and Switzerland to the United States in compliance with EU and Swiss laws. This is part of the FTC’s continuing effort to crack down on these matters. Earlier this year, two companies settled FTC charges that the companies falsely claimed they were abiding by the Safe Harbors.

On the same day as the latest Safe Harbor settlement announcement, the FTC posted an article on its business blog entitled U.S.-EU Safe Harbor compliance: Don’t run aground. Among the advice in the post, the FTC says that companies should not “just cut ‘n’ paste” from templates. This is a key reminder that PP drafters need to understand what clauses mean and whether the language accurately reflects the company’s business practices. Obviously, this is not only important when dealing with the Safe Harbors. Drafters must understand the meaning behind each and every clause to ensure that the company is following stated provisions. Truly understanding all of the provisions is a good first step. A necessary second step is to truly understand the company’s current business practices and the functionality of its Online Services, especially the collection, storage, use and sharing of users’ information.

2. Accurately Reflect Current Business Practices, Technologies Used on Online Services, and Business Arrangements with Third Parties

Just as companies should follow the provisions of the PP, companies should update their posted PP to correctly state and reveal their company’s actual business practices. Accordingly, the PP must accurately reflect current business practices, technologies used on Online Services, and business arrangements with third parties. Again, examining recent FTC actions illustrate the importance of reviewing privacy practices.

Last year, the FTC approved a final order settling charges against Goldenshores Technologies, LLC, and its owner, Erik Geidl. The complaint alleged that the company’s privacy policy for its Brightest Flashlight App failed to disclose, or adequately disclose, that the application transmitted users’ precise location and unique device identifier to third parties, including advertising networks.

Also last year, Snapchat, Inc. settled FTC charges that Snapchat’s statements that messages disappeared were false. The FTC’s complaint alleged that Snapchat made misrepresentations to consumers about its product that were in contrast to how the app actually worked. Among the FTC’s allegations was that Snapchat transmitted geolocation information from its Android app users, despite its privacy policy stating that it did not track or access such information. In a press release, the FTC quoted Chairwoman Edith Ramirez as saying, “If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises . . . Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”

These FTC actions show that a company’s PP must include and accurately reflect all material aspects of information collection, use, and sharing. The PP should communicate to the end user what they would want to know about how the company uses their information. In order to do this, an attorney reviewing the PP will need some technical prowess to understand how these Online Services actually function, and must consult with the business and technical teams that run the Online Services to see how all platforms operate. Note that the business teams are particularly good to knowing future plans, and the technical teams tend to be the best resource for current business practices. A company’s advertising team will most likely hold crucial information about business arrangements with third party advertising networks. These advertising arrangements may affect the PP, particularly given the proliferation of behavioral/targeted advertising. Third party agreements related to advertising are not the only third-party relationships that should be reflected in a PP. Vendors, platforms, analytics companies and promotional partners are among the many third-party relationships that should be considered. Legal should review contracts with third parties, and check in with internal teams regularly, to know of any important changes that would affect or be affected by the posted PP.

3. Ensure PP Remains Current with Applicable Laws, Regulations and Self-Regulatory Programs

Another issue that should be considered when reviewing a company’s PP is whether the PP remains current with regard to applicable laws, regulations and self-regulatory programs for which the Online Services are subject. Yelp Inc. found itself in hot water with the FTC last year when the FTC accused Yelp of improperly collecting children’s information in violation of the Children’s Online Privacy Protection Act (COPPA). According to the FTC complaint, Yelp collected personal information from children through the company’s mobile apps without first notifying parents and obtaining the parent’s consent.

Privacy law in the U.S. is a patchwork of laws, provisions, and regulatory bodies; and ensuring that a company’s Online Services operate in accordance with the law is no easy task. Not only must federal laws and regulations be considered, but state laws and attorneys general, court cases, regulatory bodies and self-regulatory programs must also be taken into account. On top of that, these are subject to various interpretations and seemingly constant changes. The Yelp complaint serves as a reminder of how certain functionalities, even if unintentional, may violate the law. It is essential that the person reviewing Online Services’ functionality understands the interplay between the Online Services technologies and the latest rules, regulations, laws, industry best practices, and regulatory actions.