NOBODY READS YOUR PRIVACY NOTICE? IT’S TIME FOR A NEW ONE!
If nobody reads your privacy notice, you’re not alone. Studies show that consumers don’t read notices of any type, including electronic contracts, mortgage documents, disclosures in magazines, video disclosures (supers), as well as privacy policies. Furthermore, studies show that the online consumer is "click-happy" in accepting online contracts and is unlikely to consider the legal consequences of his or her online behavior. This has concerned the Federal Trade Commission ("FTC") for several years, and while the FTC has been engaged in multiple efforts to explore appropriate formats for notices that consumers will read, the FTC has also signaled a commitment to increase online consumer protection efforts regarding effective disclosures in its statements and with enforcement actions like the FTC’s action against Sears.

As background, in September 2009, the FTC approved a final consent order in the matter of Sears Holdings Management Corp. ("Sears"), in which the FTC charged that Sears violated Section 5 of the FTC Act in connection with a software tracking application it offered as part of its "My SHC Community Program." When installed, the tracking application tracked participating consumers’ online and offline activities, e.g., online bank accounts and prescription drug records. In its advertising, Sears had invited customers to join its online “community” and barely mentioned the tracking application. However, Sears provided substantial details about the tracking application in a combined Privacy Statement/User License Agreement (“PSULA”) to which consumers had to agree in order to enroll in the "community," much like most of the online contracts and privacy notices that we encounter every time we place an order via the Internet. Yet, the FTC charged that Sears’ disclosures in the combined PSULA were not adequate, and that Sears had committed a deceptive act under the FTC Act.
The FTC’s enforcement action is significant for many reasons because it raises serious questions regarding what constitutes effective notice, consent, and disclosure for advertising, privacy policy, and electronic contracting purposes. In this Alert, I discuss the implications of the Sears matter for privacy notices, the fact that it may no longer be enough to obtain consumer consent only via long privacy policies and online contracts, and the kinds of privacy notices that may now be required.

Is Online Privacy Really A Concern?

As an initial matter, we might ask whether privacy notices are a legitimate concern, or if the reason consumers don’t read privacy notices is that they really don’t care about privacy. In 1999, Sun Microsystems Chairman Scott McNealy made news when he famously stated to a group of reporters “You have zero privacy anyway. Get over it.” Indeed, some people do not care about online privacy and the fact that their online postings are available for anyone to see. For example, participants in a Carnegie Mellon University study polled regarding the personal information they post on Facebook reported they “had nothing to hide” and “they don’t really care if other people see their information.” Others may care about privacy but still participate. For example, a Canadian study reported that Facebook users care about privacy, but because Facebook is where they experience their social lives, it might be too risky not to participate.

On the other hand, a 2009 study conducted by the University of Pennsylvania and University of California at Berkeley showed that about two-thirds of Americans object to online tracking across websites by advertisers, and once they learn the different ways marketers are following their online movements, that number rises to 86%. An additional 7 percent said behavioral advertising was not acceptable when they were tracked on one website and an additional 20 percent said it was not acceptable when they were tracked offline.
Most important, Jon Leibowitz, the new Chairman of the FTC, and David Vladeck, new director of the FTC's Bureau of Consumer Protection, have indicated that online privacy is one of the FTC’s priorities.

The FTC: Current Privacy Disclosures are Incomprehensible and Unacceptable

The FTC has become particularly emphatic about privacy issues since dealing with Sears. In an interview with the New York Times regarding the Sears matter and the FTC’s position on privacy in August 2009, David Vladeck stated:

"There is a sense of urgency around here. . . Consumers, I don’t think are sufficiently protected under the current regime. . . . I don’t think [privacy disclosures are] written principally to communicate information; they’re written defensively. I’m a lawyer. . . . I can’t figure out what the hell these consents mean anymore. And I don’t believe that most consumers either read them, or, if they read them, really understand it. . . . We’d prefer to persuade industry it’s in their best interests to cooperate on these sorts of things. If not, we’ll be forced to imagine the worst, and that doesn’t help anybody. . . . Maybe we’re moving into a post-disclosure environment. But there has to be greater transparency about what’s going on. Until I see evidence otherwise, we have to presume that most people don’t understand, and the burden is going to be on industry to persuade us that people really are well informed about this. . . . Our patience isn’t infinite. . . . [W]e can always bring enforcement cases, and we do set guidance through enforcement cases. We don’t like to do that — it’s not like we rub our hands with glee every time we can bring an enforcement action. But one way we can affect policy is go after the outliers, people that we think are engaged in misconduct, and use those cases to exemplify what we believe the lines are."
Therefore, it is especially important for businesses to avoid "hiding" material terms in online contracts or privacy policies but rather to ensure that material terms are presented clearly and prominently.

The FTC’s Dot Com Disclosures, issued in 2000, provides important guidelines regarding what makes advertising acceptable in an online setting, and a review is helpful in understanding the reasons the FTC took action against Sears. The primary focus of Dot Com Disclosures is that all disclosures to consumers must be both clear and conspicuous, and it provides a lengthy list of actions advertisers should take to ensure that online disclosures are clear and conspicuous. (For more information about the implications of the Sears matter for advertisers, see also my The Details Are In Your Online Contract? Think Again at http://media.ir-law.com/seg/details/).

In addition to guidance from Dot Com Disclosures regarding what kinds of privacy notices are acceptable, guidance can be found in the reports generated by the FTC and other federal agencies as a result of their multi-year studies to determine what types of notices are most effective in reaching consumers. For example, since 2001, the FTC has been engaged in an interagency project with the banking regulators to develop model privacy notices which comply with the Gramm Leach Bliley requirements and which are succinct and comprehensible to consumers. In another consumer disclosure initiative relating to effective mortgage notices, the FTC seems to have found a successful format which involves an initial short notice followed by a more detailed document for those who want more detail. The FTC has suggested a similar format for privacy notices for behavioral advertising and perhaps for other purposes. For example, in its February 2009 report to the U.S.
Congress on behavioral advertising, the FTC explained:

"[P]rivacy policies have become long and difficult to understand, and may not be an effective way to communicate information to consumers. Staff therefore encourages companies to design innovative ways – outside of the privacy policy – to provide behavioral advertising disclosures and choice options to consumers."

Further, as suggested by David Vladeck in his interview with the New York Times regarding the need for better disclosures: "[B]ubble disclosures or pop-up disclosures or anti-cookie devices, there may be all sorts of way to do this, that substitute for the lengthy, form-written privacy policy disclosures." Therefore, it is likely that the appropriateness of each privacy notice will depend on the circumstances in which consumer information is collected and used.

Enhanced Notice and Affirmative Express Consent Required for Collection and Use of “Sensitive” Personal Information and Sharing With Third Parties

For instance, the FTC has indicated particular concern regarding collection and use of sensitive data and also data which is shared with third parties. Note for example David Vladeck's indignation about the sensitive financial information which Sears was collecting:

"There’s a huge dignity interest wrapped up in having somebody looking at your financial records when they have no business doing that. . . . [Sears was] compiling everything that the consumer did on the computer."

In such circumstances, it is particularly important that all material disclosures are clear and conspicuous. Through the Sears matter and in its Self-Regulatory Principles for Online Behavioral Advertising issued in February 2009 ("2009 Behavioral Advertising Report"), the FTC has indicated that companies must also obtain "affirmative express consent" prior to collection and use in such situations.
For example, the FTC’s decision and order in the Sears matter requires that in the future, Sears must do the following in connection with the advertising, promotion, offering for sale, sale, or dissemination of any tracking application, prior to the consumer downloading or installing it:

A. Clearly and prominently, and prior to the display of, and on a separate screen from, any final “end user license agreement,” “privacy policy,” “terms of use” page, or similar document, disclose:

(1) all the types of data that the Tracking Application will monitor, record, or transmit, including but not limited to whether the data may include information from the consumer’s interactions with a specific set of websites or from a broader range of Internet interaction, whether the data may include transactions or information exchanged between the consumer and third parties in secure sessions, interactions with shopping baskets, application forms, or online accounts, and whether the information may include personal financial or health information;

(2) how the data may be used; and

(3) whether the data may be used by a third party; and

B. Obtain express consent from the consumer to the download or installation of the Tracking Application and the collection of data by having the consumer indicate assent to those processes by clicking on a button or link that is not pre-selected as the default option and that is clearly labeled or otherwise clearly represented to convey that it will initiate those processes, or by taking a substantially similar action.
(emphasis added)

Similarly, in its 2009 Behavioral Advertising Report, the FTC indicated that if sensitive data will be collected via behavioral tracking, “pre-checked boxes or disclosures that are buried in a privacy policy or a uniform licensing agreement are unlikely to be sufficiently prominent to obtain a consumer’s 'affirmative express consent.'”

Finally, both the Sears matter and the statements the FTC has made regarding behavioral tracking indicate that the FTC is likely to particularly scrutinize disclosures made in connection with behavioral advertising. In the next Alert, Perfect Storm for Behavioral Advertising, I discuss the implications of the Sears matter and some other 2009 events on behavioral tracking/advertising practices.

If you have any questions regarding this Alert or your privacy notices, please contact Susan at 303-256-7046 or sgindin@ir-law.com. Susan has been practicing in the areas of data privacy & security, advertising, electronic contracting, and intellectual property law for nearly fifteen years.

Attorney Advertising. This publication is intended to provide clients with information on recent legal developments. It

© 2009 Susan E. Gindin. Susan is Of Counsel, Intellectual Property & New Media Group, Isaacson Rosenbaum P.C., Denver, and she has concentrated on data privacy and security, electronic contracting, advertising, and intellectual property law for nearly fifteen years. She is also the author of Lost and Found in Cyberspace: Informational Privacy in the Age of the Internet, 34 San Diego L. Rev. 1153 (1997) http://www.info-law.com/lost.html; Guide to E-Mail & the Internet in the Workplace, Bureau of Nat'l Affairs, Inc. (1999) http://www.info-law.com/guide.html; Current Issues in Drafting Electronic Transaction Agreements, Colo. Bar Ass'n (2002), 8 Nw. J. Tech. & Intell. Prop. 1 (Fall 2009); The Details Are in Your Online Contract?
Think Again!; and Perfect Storm for Behavioral Advertising: Four 2009 Events That May Hasten Legislation (and What This Means for Companies That Use Behavioral Advertising).

For more detail regarding the various studies cited in this article, see Susan’s Nobody Reads Your Privacy Policy or Online Contract? Lessons Learned and Questions Raised by the FTC's Action Against Sears cited above.

Joseph Turow, Jennifer King, Chris Jay Hoofnagle, Amy Bleakley, and Michael Hennessy, Americans Reject Tailored Advertising and Three Activities that Enable It (Sept. 29, 2009) available at http://graphics8.nytimes.com/packages/pdf/business/20090929-Tailored_Advertising.pdf.

Stephanie Clifford, Fresh Views at Agency Overseeing Online Ads, N.Y. Times, Aug. 5, 2009, available at

As generally described by the FTC, sensitive data categories include information about children and adolescents, medical information, financial information and account numbers, Social Security numbers, sexual orientation information, government-issued identifiers, and precise geographic location.

Available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf.