Privacy Advisor

Five considerations before publicizing privacy policy updates

March 1, 2012

By Mehmet Munur, CIPP/US, Sarah Branam and Matt Mrkobrad, CIPP/US, CIPP/G

Changes in the law, in the practices of your industry, or in your business’s or a vendor’s data collection or use practices may trigger a need to update your privacy policy. We recommend that you think about the following five considerations when making changes to your privacy policy. These considerations should help you educate your users, be transparent and accurate in disclosing your practices, and steer clear of regulatory scrutiny.

Abide by your own privacy policy terms

It is crucial that any entity revising its privacy policy abide by the provisions in its own privacy policy for revisions. For example, if the current privacy policy states that users will be e-mailed about the revisions to the privacy policy, then users should be e-mailed about the revisions to the privacy policy.

Some courts have concluded that privacy policies are, in fact, contracts and must, therefore, be revised according to their terms. If your privacy policy is incorporated into your website’s terms of use, there may be an even greater likelihood that it will be considered a contract. However, other courts have disagreed with this conclusion. Nevertheless, this distinction may be irrelevant, as the Federal Trade Commission (FTC) believes that privacy policies represent “privacy promises,” and you must abide by them or face enforcement actions from the FTC for deceptive or unfair trade practices under Section 5 of the FTC Act. Therefore, failure to abide by the terms of the privacy policy in revising the policy could result in arguments for breach of contract or enforcement actions for deceptive or unfair trade practices. In particular, the FTC has focused extensively on retroactive applicability of privacy policy changes, as will be discussed in greater detail below.

Note that you can significantly mitigate the challenges presented by revising a privacy policy through proper and thoughtful initial drafting of a privacy policy. For example, if you currently do not share data with affiliates for marketing purposes, but anticipate that you may in the future, it would be shortsighted to state in the initial policy that you will not share with affiliates for marketing purposes. It is best to consider all potential data uses and transfers and accommodate for those rather than continuously revise your policy.

Privacy policy effective date

All privacy policies should have an “effective date” or “last revised date” legend that is easily identifiable. Users may easily identify revisions to a privacy policy if the effective date of the privacy policy has been changed. So, be sure to revise the effective date to reflect the effective date of the new policy.

Moreover, providing advance notice of upcoming revisions to the privacy policy before they become effective for already existing users may increase the enforceability of those revisions. During this period, users who are dissatisfied with the revisions will have the opportunity to cease the use of the website or service without being bound by the new revisions. If users continue using the website or service at the end of such a grace period, that use may increase the likelihood that the revisions will be upheld in a court of law.

Notice of changes to users

If there are material changes to the policy, there may be additional considerations with respect to notice. As discussed below, based on FTC investigations and orders, you should not use data previously collected for new purposes unless you obtain express consent to do so. With respect to ways companies have provided notice of revised privacy policies, some companies have used the privacy policy link on their website to draw the user’s attention to the revised privacy policy. For example, Yahoo and Google websites often indicate that the privacy policy has been updated by using a “Privacy Policy (Updated)” label instead of the “Privacy Policy” link to draw attention to the updates. While the use of this technique is rather new, it is a very effective method of alerting users that the privacy policy has been updated. Such a method uses only a small amount of resources, but the impact on users is significant.

Further, sending e-mails to registered users alerting them to the revisions is also an option. Doing so should increase the perceived adequacy of notice. However, this method may not be applicable to services that do not require user registration. In those circumstances, posting on a blog regarding the revisions may prove more helpful. This may also allow notice to be provided to individuals who have not received an e-mail update. For example, Dropbox, Google, LinkedIn and Yahoo often include these updates on their blogs.

If feasible, you could also publish previous versions of your privacy policy. Doing so may increase transparency to consumers by providing an easily identifiable method for an individual to ascertain what was previously covered in a privacy policy and what is currently covered. Google, IBM and eBay provide the previous versions of their privacy policies on their websites. This provides the user another opportunity to review and understand the differences between the policies. Even if you are unable to publish previous versions of the policy, you should always keep the previous versions archived as business records for consumer, business, regulatory or governmental inquiries.

A final possibility for notice is publishing a summary of the revisions to the privacy policy. This allows users to identify the revisions to the privacy policy without doing a line-by-line comparison of the previous version with the new version. For example, Google, Dell and LinkedIn provide a summary or a comparison version of their privacy policies to enable users to understand the differences between the previous and the new privacy policy. However, you should ensure that any summary is accurate; an inaccurate summary may itself be a deceptive or unfair trade practice. In fact, in its recent enforcement action against Facebook, the FTC cited Facebook’s Privacy Wizard for misrepresenting the summary of revisions to its privacy policy.

Express consent for retroactive applicability

If you would like the privacy policy to apply retroactively to data previously collected, you must obtain express consent from users. The FTC’s guidance on the issue of retroactive revisions to privacy policies is clear that “companies may not unilaterally alter their policies and use previously collected data in a manner that materially differs from the terms under which the data was originally collected.” Therefore, material revisions to a privacy policy that are also retroactive in application require that you obtain the explicit consent of the user in order to avoid enforcement actions by the FTC. You may do this through click-through boxes with provisions stating, “I have read and agree to the revisions to the Privacy Policy” at login screens. Note that continued use of the service after a grace period, discussed above, may support enforceability of the revised terms going forward, but it is not express consent to new uses of data collected under the old terms; the affirmative click is what you should record, together with the policy version it refers to.
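The consent gate described above, as an added example that is not from the article or from any of the companies it names: data records are tagged with the effective date of the policy in force when they were collected, express consent is recorded per user and per policy version, and a use of data for a purpose is allowed only if the original policy already permitted it or the user has expressly accepted the version that introduced it. The policy versions, purposes and user records are constructed for illustration, and the function and class names are assumptions.

```python
"""Gate reuse of previously collected data on express consent to the
policy version that introduced the new purpose.

Added example, not from the original article. Policy versions, purposes
and user data below are constructed; all names are illustrative.
"""
from dataclasses import dataclass, field

# Constructed policy history: effective date -> purposes that version permits.
# The 2012 version adds affiliate marketing, a material, retroactive change.
POLICY_VERSIONS = {
    "2011-06-01": {"service_delivery", "security"},
    "2012-03-01": {"service_delivery", "security", "affiliate_marketing"},
}


@dataclass(frozen=True)
class DataRecord:
    user_id: str
    field_name: str
    collected_under: str  # effective date of the policy in force at collection


@dataclass
class ConsentLedger:
    """Express (click-through) acceptances, keyed by user and policy version.

    Continued use after a grace period is deliberately NOT recorded here:
    only an affirmative acceptance counts as express consent.
    """
    accepted: dict = field(default_factory=dict)

    def record_express_consent(self, user_id: str, policy_version: str) -> None:
        if policy_version not in POLICY_VERSIONS:
            raise ValueError(f"unknown policy version {policy_version!r}")
        self.accepted.setdefault(user_id, set()).add(policy_version)

    def has_express_consent(self, user_id: str, policy_version: str) -> bool:
        return policy_version in self.accepted.get(user_id, set())


def may_use(record: DataRecord, purpose: str, current_version: str,
            ledger: ConsentLedger) -> bool:
    """Return True if `record` may be used for `purpose` under `current_version`.

    Allowed when the policy the data was collected under already permitted
    the purpose (no retroactive change), or when the user has expressly
    accepted the current version, which permits it. Anything else is denied.
    """
    if purpose not in POLICY_VERSIONS[current_version]:
        return False  # not permitted even under the newest policy
    if purpose in POLICY_VERSIONS[record.collected_under]:
        return True  # same terms the data was collected under
    return ledger.has_express_consent(record.user_id, current_version)


def usable_records(records, purpose: str, current_version: str,
                   ledger: ConsentLedger):
    """Filter a dataset down to the records a new purpose may lawfully touch."""
    return [r for r in records if may_use(r, purpose, current_version, ledger)]


if __name__ == "__main__":
    # Constructed sample: alice's data predates the 2012 policy, bob's does not.
    records = [
        DataRecord("alice", "email", "2011-06-01"),
        DataRecord("bob", "email", "2012-03-01"),
    ]
    ledger = ConsentLedger()
    print([r.user_id for r in usable_records(records, "affiliate_marketing",
                                             "2012-03-01", ledger)])
    ledger.record_express_consent("alice", "2012-03-01")
    print([r.user_id for r in usable_records(records, "affiliate_marketing",
                                             "2012-03-01", ledger)])
```

The ledger key is the policy version, not a boolean "consented" flag: a user who accepted the 2012 version has not accepted whatever a 2013 revision adds, so each material revision needs its own recorded acceptance before old data is used for its new purposes.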

Consider implications of controversial changes to your privacy policy

Finally, you should reconsider any controversial revisions to the privacy policy. GM’s reversal of the revisions to its privacy policy regarding the tracking of users of its OnStar service is one example of the kind of revision that may require reconsideration. GM revised its privacy policy so that it would continue to track users who no longer used its service and could sell anonymized data relating to those users. However, the public uproar and congressional attention resulted in a course change regarding these privacy policy revisions. Therefore, before revising how you collect and use personal information, you should reconsider any revisions that may be too controversial or result in negative publicity. You should also be prepared to justify your revisions where necessary.

In conclusion, taking these five considerations into account when updating your privacy policy should ease the concerns that users may have when you publish the updates to your privacy policy and allow your organization to transition smoothly. The time and resources spent will be well worth it.

Mehmet Munur is an attorney at Tsibouris & Associates, LLC; Sarah Branam is the privacy manager for Epsilon, and Matt Mrkobrad, CIPP/US, CIPP/G, is an associate at Vorys, Sater, Seymour and Pease LLP.