Privacy Policies and FTC Enforcement Actions


Various large website privacy policies have been scrutinized in the media lately, including those from Google, Reddit, and Facebook. No court has addressed at length whether a privacy policy constitutes an enforceable contract, but, under existing precedent related to clickwrap and browsewrap agreements, it is safe to presume that some privacy policies may be considered to be enforceable contracts and, consequently, serve as evidence of the legal relationship between the website and the end user.

Further, under US law, privacy policies are not required unless a website targets children and falls under the mandates of the Children’s Online Privacy Protection Act. Even though US law does not require privacy policies, the Federal Trade Commission recommends them and views failure to comply with a privacy policy as a deceptive trade practice. Implementing a privacy policy also reduces potential liability for trade deception-based claims by disclosing to end users how the website collects and uses personal or personally identifiable information.

For example, the FTC has penalized websites that do not transparently disclose their use of personal or personally identifiable information. In In re GeoCities, GeoCities collected personal information from visitors to its website, including education and income level information, which it claimed would not be shared with third parties. GeoCities then shared this information with third-party advertisers. The FTC filed suit against GeoCities for its practices. The Court ultimately found that GeoCities had misrepresented to consumers that it would not share personal or personally identifiable information with third parties.

The terms of a privacy policy may also help protect against deceptive competitive trade practices. In FTC v. ReverseAuction.com, ReverseAuction scraped email addresses, user IDs, and feedback ratings of eBay users by logging into the eBay website to obtain this data. After mining this data, ReverseAuction sent emails to eBay users claiming that their account would soon expire and, therefore, they should sign up for ReverseAuction’s services. The FTC found that ReverseAuction deceptively sent its emails to third parties after wrongfully obtaining their information from eBay in violation of eBay’s privacy policy.

The FTC’s Authority to Enforce Privacy Policies

The FTC’s enforcement authority in the privacy policy context derives primarily from Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, which prohibits unfair or deceptive acts or practices in commerce. A company that publishes a privacy policy and then acts contrary to it commits a deceptive practice regardless of whether the privacy policy is technically an enforceable contract. The FTC’s theory is straightforward: you told your users you would protect their data; you did not; that is deception.

The FTC has consistently pursued this theory across more than two decades of enforcement actions. The consequences of an FTC enforcement action are serious. Companies that settle FTC privacy complaints typically enter into consent decrees that require comprehensive privacy programs, biennial third-party privacy audits for periods of up to 20 years, and often substantial civil penalties. Under the FTC Improvements Act, the FTC can also seek civil penalties of up to $50,120 per day per violation for knowing violations of FTC orders, giving the agency significant leverage in enforcement.

Key FTC Enforcement Actions That Shaped Privacy Law

Facebook (Meta) — $5 Billion Penalty

The FTC’s 2019 settlement with Facebook — a $5 billion civil penalty and sweeping structural requirements for Facebook’s privacy governance — remains the largest privacy penalty in FTC history. The settlement resolved allegations that Facebook had violated a 2012 FTC consent order by, among other things, misrepresenting users’ ability to control the privacy of their data in connection with the Cambridge Analytica scandal. The magnitude of the penalty reflects both the severity of the violations and the enormous scale of Facebook’s user data practices.

Google and YouTube — COPPA Violations

In 2019, Google and YouTube agreed to pay $170 million to settle FTC and New York Attorney General allegations that YouTube had violated the Children’s Online Privacy Protection Act by collecting personal information from children under 13 without parental consent. The settlement also required YouTube to develop a system for channel operators to identify child-directed content and to obtain parental consent for data collection from users of that content. This case illustrates the intersection of privacy policy obligations and COPPA compliance — a combination that carries substantial regulatory risk for platforms serving mixed-age audiences.

Zoom — Security Representations

In 2020, the FTC settled with Zoom over allegations that the company had misrepresented its encryption practices in its privacy policy and marketing materials. Zoom had claimed to offer end-to-end encryption but actually implemented a lower standard. The settlement required Zoom to implement a comprehensive security program and submit to regular third-party assessments. The case is a reminder that privacy and security representations are not merely a marketing issue — they are legal commitments enforceable by the FTC.

What Your Privacy Policy Must Include

While the FTC does not mandate specific privacy policy language for most commercial websites (COPPA and certain sector-specific statutes impose more specific requirements), the FTC’s guidance and enforcement history suggest that an adequate privacy policy should address the following:

  • What personal information is collected and how it is collected
  • How the collected information is used
  • Whether and to whom the information is disclosed or shared
  • What choices users have regarding collection and use of their information
  • How users can access and correct their information
  • What security measures are used to protect the information
  • How users will be notified of material changes to the policy

A privacy policy that is accurate, complete, and clearly written is not a guarantee against regulatory scrutiny — but it is a substantial defense. A privacy policy that is inaccurate, incomplete, or contradicted by the company’s actual practices is an invitation to FTC enforcement.

State Privacy Laws Add Additional Requirements

Federal FTC enforcement is only part of the privacy compliance picture. State privacy laws impose additional obligations that vary by jurisdiction and audience. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), requires businesses that meet certain thresholds to provide California residents with specific rights regarding their personal information and to disclose those rights in their privacy policies. Virginia, Colorado, Connecticut, Texas, and many other states have enacted similar comprehensive privacy statutes. Michigan has its own internet privacy protection statutes governing specific categories of data.

A privacy policy that is adequate for federal FTC purposes may nonetheless expose a business to state regulatory action if it fails to address the specific rights and disclosures required by applicable state laws. Businesses with national customer bases must ensure their privacy policies address the requirements of the most demanding state laws to which they are subject.

Contact Revision Legal for Privacy Policy Drafting and Compliance

Revision Legal’s internet and privacy attorneys draft privacy policies that accurately reflect your data practices, satisfy FTC guidance, and comply with applicable state and federal statutes. We also advise on FTC enforcement defense and data privacy compliance programs. Contact us today to ensure your privacy practices withstand regulatory scrutiny.

The Bottom Line on Privacy Policy Compliance

A privacy policy that accurately describes your data practices, is prominently displayed on your website, and is written in plain language that users can understand is one of the most cost-effective legal risk management tools available to any online business. It does not require expensive technology or complex compliance infrastructure. It requires honest, clear communication about how you use the data your users share with you. The FTC enforcement actions in this space are almost uniformly cases where companies said one thing and did another. Don’t be that company. Contact Revision Legal to ensure your privacy policy is accurate, complete, and legally sound.
