Privacy Policies and FTC Enforcement Actions

Various large website privacy policies have been scrutinized in the media lately, including those from Google, Reddit, and Facebook. No court has addressed at length whether a privacy policy constitutes an enforceable contract, but, under existing precedent related to clickwrap and browsewrap agreements, it is safe to presume that some privacy policies may be considered to be enforceable contracts and, consequently, serve as evidence of the legal relationship between the website and the end user.

Further, under US law, privacy policies are not required unless a website targets children and falls under the mandates of the Children’s Online Privacy Protect Act. Even though US law does not require privacy policies, the Federal Trade Commission recommends them and views failure to comply with a privacy policy a deceptive trade practice. Implementing a privacy policy also reduces potential liability for trade deception-based claims by disclosing to end-users how the website collects and uses personal or personally identifiable information.

For example, the FTC has penalized websites that do not transparently disclose their use of personal or personally identifiable information. In In re GeoCities, GeoCities collected personal information from visitors to its website, including education and income level information, which it claimed would not be shared with third parties. GeoCities then shared this information with third party advertisers.

The FTC filed suit against GeoCities for its practices. The Court ultimately ordered that GeoCities had misrepresented to consumers that it would not share personal or personally identifiable information with third parties. Further, the Court ordered GeoCities to clearly display an accurate privacy policy on each page of its website and provide members with an opportunity to have their information deleted from GeoCities’ website and third party databases.

The terms of a privacy policy may also help protect against deceptive competitive trade practices. In FTC v. ReverseAuction.com, ReverseAuction scraped email addresses, user IDs, and feedback ratings of eBay users by logging into the eBay website to obtain this data. After mining this data, ReverseAuction sent emails to eBay users claiming that their account would soon expire and, therefore, they should sign up for ReverseAuction’s services.

Subsequent to these actions, the FTC took action against ReverseAuction. The FTC found that ReverseAuction deceptively sent its emails to third parties after wrongfully obtaining their information from eBay in violation of eBay’s privacy policy. In short, the FTC used ReverseAuction’s violation of eBay’s privacy policy as justification (in part) for its enforcement action.

These actions evidence that, though law in the United States, except in limited cases, does not require privacy policies, they are incredibly useful and help companies avoid liability. Consequently, it is important to implement a well drafted and custom privacy policy tailored to your business’s needs.