Beware: The FTC Is Monitoring Your Online Privacy Notices & Policies

January 1, 2000 Advisory

Companies with websites should be aware that they can face liability despite the absence of specific Internet privacy policy legislation. In two recent cases, the Federal Trade Commission ("FTC") has exercised its authority by taking enforcement action against companies with websites that compromised or impeded individual rights of privacy due to inadequate privacy notices and policies.

The FTC first took action against GeoCities for allegedly engaging in deceptive practices involving the collection and dissemination of personal information of GeoCities' website visitors. The FTC charged GeoCities with using personal information for purposes other than those the company stated, falsely informing website visitors that personal information would be given to third parties only with the visitor's permission, and misrepresenting that the company retained the personal information when, in fact, a third party collected and maintained the data.

The second action brought by the FTC was against Liberty Financial Companies, Inc. The FTC charged Liberty Financial with three separate acts of misrepresentation. The FTC's complaint alleged that Liberty Financial falsely stated that questionnaire responses would be anonymous, that visitors who supplied personal information would receive newsletters, and that they possibly would win prizes.

The FTC's proposed consent orders in the GeoCities and Liberty Financial cases directed each company to change its website to include more comprehensive and responsive privacy policy notices. The FTC ordered that the privacy notices be changed to contain information including:

  • what information is being collected
  • whether personal information will be shared with third parties
  • how the collected information will be used
  • how the website visitor can obtain access to their private information
  • how the website visitor can change or delete their private information
  • the identity of the party collecting the information, or the sponsorship of any activity on its website
  • details of special parental consent programs if the company knows that the site may attract a child audience
  • hyperlinks containing the message
    "NOTICE: We collect personal information on this site. To learn more about how we use your information, click here."
    on the website's home page, as well as any page that collects information
  • a hyperlink with its privacy notice directing visitors to the FTC's website to learn more about consumer privacy on the Web

As privacy concerns gain momentum due to failed self-regulation by anxious Web-based marketers or businesses, these recent cases will act as a benchmark for determining violations in the future. Another lesson from these cases is that companies embarking into the Web arena cannot simply borrow the privacy notice from another website, because that notice will not address the unique attributes of the company's business or business strategies. Presumably, a company that is contemplating a website is doing so because it is partly motivated to demonstrate that its products and services are different. This attitude must predominate in the development of the company's privacy notice and policies as well. It is dangerous to copy the privacy notice from another site because it is unlikely that the two sites will collect the same type of information, use it in the same way, share that information internally or with third parties in the same manner, or have the same target audience.

There are websites, such as BBBOnline and TrustE, that offer membership seal programs, monitor privacy practices, and assist companies new to e-commerce in developing privacy notices and policies. These sites are useful educational and planning tools for companies looking to put their business onto a website. These sites will also give approval seals to those companies whose website privacy notices and policies meet certain standards. In addition, the approval seal provides the company with a certain degree of credibility since it demonstrates to website visitors the company's commitment to and concern for protection of private information.

Practice Pointer
Until Congress passes comprehensive privacy policy guidelines, it is important for companies with websites to assess their current policies and protocols, or implement them if they do not yet have any. Although the FTC favors self-regulation, a company contemplating putting its business, products, and services on the Internet should not attempt a self-help approach. In the current environment it is prudent to meet with counsel who understands your business, business practices, business strategies, and, most importantly, your business relationships, and who is aware of current legal decisions that may impact your online business plans.