NOBODY READS YOUR PRIVACY NOTICE? IT’S TIME FOR A NEW ONE!
If nobody reads your privacy notice, you’re not alone. Studies show that consumers don’t read notices of any type, including electronic contracts, mortgage documents, disclosures in magazines, video disclosures (supers), as well as privacy policies. Furthermore, studies show that the online consumer is "click-happy" in accepting online contracts and is unlikely to consider the legal consequences of his or her online behavior. This has concerned the Federal Trade Commission ("FTC") for several years, and while the FTC has been engaged in multiple efforts to explore appropriate formats for notices that consumers will read, the FTC has also signaled commitment to increase online consumer protection efforts regarding effective disclosures in its statements and with enforcement actions like the FTC’s action against Sears.
As background, in September 2009, the FTC approved a final consent order in the matter of Sears Holdings Management Corp. ("Sears"), in which the FTC charged that Sears violated Section 5 of the FTC Act in connection with a software tracking application it offered as part of its "My SHC Community Program." When installed, the tracking application, tracked participating consumers’ online and offline activities, e.g. online bank accounts and prescription drug records.
In its advertising, Sears had invited customers to join its online “community” and barely mentioned the tracking application. However, Sears provided substantial details about the tracking application in a combined Privacy Statement/User License Agreement (“PSULA”) with which consumers had to agree to in order to enroll in the "community," much like most of the online contracts and privacy notices that we encounter every time we place an order via the Internet. Yet, the FTC charged that Sears’ disclosures in the combined PSULA were not adequate, and that Sears had committed a deceptive act under the FTC Act.
Is Online Privacy Really A Concern?
As an initial matter, we might ask whether privacy notices are a legitimate concern, or if the reason consumers don’t read privacy notices is that they really don’t care about privacy. In 1999, Sun Microsystems Chairman Scott McNealy made news when he famously stated to a group of reporters “You have zero privacy anyway. Get over it." Indeed, some people do not care about online privacy and the fact that their online postings are available for anyone to see. For example, participants in a Carnegie Mellon University study polled regarding the personal information they post on Facebook reported they “had nothing to hide” and “they don’t really care if other people see their information.” Others may care about privacy but still participate. For example, a Canadian study reported that Facebook users care about privacy, but because Facebook is where they experience their social lives, it might be too risky not to participate.
On the other hand, a 2009 study conducted by the University of Pennsylvania and University of California at Berkeley showed that about two-thirds of Americans object to online tracking across websites by advertisers, and once they learn the different ways marketers are following their online movements, that number rises to 86%. An additional 7 percent said behavioral advertising was not acceptable when they were tracked on one website and an additional 20 percent said it was not acceptable when they were tracked offline.
Most important, Jon Leibowitz, the new Chairman of the FTC, and David Vladeck, new director of the FTC's Bureau of Consumer Protection, have indicated that online privacy is one of the FTC’s priorities.
The FTC: Current Privacy Disclosures are Incomprehensible and Unacceptable
The FTC has become particularly emphatic about privacy issues since dealing with Sears. In an interview with the New York Times regarding the Sears matter and the FTC’s position on privacy in August 2009, David Vladeck, stated:
There is a sense of urgency around here. . . Consumers, I don’t think are sufficiently protected under the current regime. . . . I don’t think [privacy disclosures are] written principally to communicate information; they’re written defensively. I’m a lawyer. . . . I can’t figure out what the hell these consents mean anymore. And I don’t believe that most consumers either read them, or, if they read them, really understand it. . . . We’d prefer to persuade industry it’s in their best interests to cooperate on these sorts of things. If not, we’ll be forced to imagine the worst, and that doesn’t help anybody. . . . Maybe we’re moving into a post-disclosure environment. But there has to be greater transparency about what’s going on. Until I see evidence otherwise, we have to presume that most people don’t understand, and the burden is going to be on industry to persuade us that people really are well informed about this. . . . Our patience isn’t infinite. . . . [W]e can always bring enforcement cases, and we do set guidance through enforcement cases. We don’t like to do that — it’s not like we rub our hands with glee every time we can bring an enforcement action. But one way we can affect policy is go after the outliers, people that we think are engaged in misconduct, and use those cases to exemplify what we believe the lines are.
Therefore, it is especially important for businesses to avoid "hiding" material terms in online contracts or privacy policies but rather to ensure that material terms are presented clearly and prominently. The FTC’s Dot Com Disclosures, issued in 2000, provides important guidelines regarding what makes advertising acceptable in an online setting, and a review is helpful in understanding the reasons the FTC took action against Sears. The primary focus of Dot Com Disclosures is that all disclosures to consumers must be both clear and conspicuous, and it provides a lengthy list of actions advertisers should take to ensure that online disclosures are clear and conspicuous. (For more information about the implications of the Sears matter for advertisers, see also my The Details Are In Your Online Contract? Think Again at http://media.ir-law.com/seg/details/).
In addition to guidance from Dot Com Disclosures regarding what kinds of privacy notices are acceptable, guidance can be found in the reports generated by the FTC and other federal agencies as a result of their multi-year studies to determine what types of notices are most effective in reaching consumers. For example, since 2001, the FTC has been engaged in an interagency project with the banking regulators to develop model privacy notices which comply with the Gramm Leach Bliley requirements and which are succinct and comprehensible to consumers. In another consumer disclosure initiative relating to effective mortgage notices, the FTC seems to have found a successful format which involves an initial short notice followed by a more detailed document for those who want more detail. The FTC has suggested a similar format for privacy notices for behavioral advertising and perhaps for other purposes. For example, in its February 2009 report to the U.S. Congress on behavioral advertising, the FTC explained:
Therefore, it is likely that the appropriateness of each privacy notice will depend on the circumstances in which consumer information is collected and used.
Enhanced Notice and Affirmative Express Consent Required for Collection and Use of “Sensitive” Personal Information and Sharing With Third Parties
For instance, the FTC has indicated particular concern regarding collection and use of sensitive data and also data which is shared with third parties. Note for example David Vladeck's indignation about the sensitive financial information which Sears was collecting:
There’s a huge dignity interest wrapped up in having somebody looking at your financial records when they have no business doing that. . . .[Sears was] compiling everything that the consumer did on the computer.
In such circumstances, it is particularly important that all material disclosures are clear and conspicuous. Through the Sears matter and in its Self-Regulatory Principles for Online Behavioral Advertising issued in February 2009 ("2009 Behavioral Advertising Report"), the FTC has indicated that companies must also obtain "affirmative express consent" prior to collection and use in such situations.
For example, the FTC’s decision and order in the Sears matter requires that in the future, Sears must do the following in connection with the advertising, promotion, offering for sale, sale, or dissemination of any tracking application, prior to the consumer downloading or installing it:
B. Obtain express consent from the consumer to the download or installation of the Tracking Application and the collection of data by having the consumer indicate assent to those processes by clicking on a button or link that is not pre-selected as the default option and that is clearly labeled or otherwise clearly represented to convey that it will initiate those processes, or by taking a substantially similar action. (emphasis added)
Finally, both the Sears matter and the statements the FTC has made regarding behavioral tracking indicate that the FTC is likely to particularly scrutinize disclosures made in connection with behavioral advertising. In the next Alert, Perfect Storm for Behavioral Advertising, I discuss the implications of the Sears matter and some other 2009 events on behavioral tracking/advertising practices.
If you have any questions regarding this Alert or your privacy notices, please contact Susan at 303-256-7046 or firstname.lastname@example.org. Susan has been practicing in the areas of data privacy & security, advertising, electronic contracting, and intellectual property law for nearly fifteen years.
Attorney Advertising. This publication is intended to provide clients with information on recent legal developments. It
© 2009 Susan E. Gindin. Susan is Of Counsel, Intellectual Property & New Media Group, Isaacson Rosenbaum P.C., Denver, and she has concentrated on data privacy and security, electronic contracting, advertising, and intellectual property law for nearly fifteen years. She is also the author of Lost and Found in Cyberspace: Informational Privacy in the Age of the Internet, 34 San Diego L. Rev.1153 (1997) http://www.info-law.com/lost.html; Guide to E-Mail & the Internet in the Workplace, Bureau of Nat'l Affairs, Inc. (1999) http://www.info-law.com/guide.html; Current Issues in Drafting Electronic Transaction Agreements, Colo. Bar Ass'n (2002), 8 Nw. J. Tech. & Intell. Prop. 1 (Fall 2009); The Details Are in Your Online Contract? Think Again!; and Perfect Storm for Behavioral Advertising: Four 2009 Events That May Hasten Legislation (and What This Means for Companies That Use Behavioral Advertising).
Joseph Turow, Jennifer King, Chris Jay Hoofnagle, Amy Bleakley, and Michael Hennessy, Americans Reject Tailored Advertising and Three Activities that Enable It (Sept. 29, 2009) available at http://graphics8.nytimes.com/packages/pdf/business/20090929-Tailored_Advertising.pdf.
Stephanie Clifford, Fresh Views at Agency Overseeing Online Ads, N.Y. Times, Aug. 5, 2009, available at
As generally described by the FTC, sensitive data categories include information about children and adolescents, medical information, financial information and account numbers, Social Security numbers, sexual orientation information, government-issued identifiers, and precise geographic location.
Available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf.