Policing Privacy

The murkiest part of Internet law right now is how to make material changes to Web site privacy policies.

While no federal or state laws expressly regulate the process, the Federal Trade Commission and state attorneys general have all the authority they need — and the willingness to use it — to take legal action against Web site operators who engage in deceptive and unfair practices in the collection, use, and disclosure of personal data.

Several companies, including Yahoo and eBay, have recently imposed new privacy policies retroactively — that is, on information gathered under previous versions of their privacy policies — without getting opt-in consent from users. Regulators haven’t taken action — a surprise, given consumer groups’ vigorous, well-publicized petitions and the FTC’s own tough guidelines. An FTC report to Congress in 2000 endorsed principles proposed by a trade association of Internet advertising agencies, including a requirement that changes in information practices not be applied to previously collected information collected without opt-in consent.

The fact that the FTC hasn’t enforced it suggests that site owners can simply notify consumers of a policy change in a clear and conspicuous manner and give them the chance to opt out.

At first, it looked like regulators would be aggressive when bankruptcy proceedings prompted site owners to sell their customer databases despite privacy policies that promised not to disclose information to third parties. Regulators objected to Toysmart.com’s attempt to sell its database, for instance, arguing that the move would breach the promise the company made not to share information with third parties. The case was resolved when one of Toysmart.com’s investors purchased the database and destroyed it.

In May 2002, the New York attorney general settled allegations that Internet service provider Juno changed the terms of its service agreement without giving consumers adequate notice and a chance to opt out. This case is significant even though it involved changes to a service agreement, not a privacy policy, because it gives the first detailed picture of regulators’ expectations.

The AG alleged that Juno violated New York law by requiring subscribers to participate in a project designed to make the unused processing power of their computers available to third parties. That went against Juno’s past representations that it would not do so. The company posted the changes on its Web site and sent members an e-mail stating that the agreement had been modified, but the attorney general found this notice insufficient.

Under the settlement, Juno agreed to provide subscribers with notice of any material changes to the service agreement at least 30 days before the effective date, either by e-mail, a “pop-up” screen, or U.S. mail. Juno also agreed to clearly and conspicuously post the notice on its Web site and to identify the nature of any material change, state the effective date, and provide a comparison to the prior agreement.

It seems that conspicuous, detailed notice and a meaningful opportunity to opt-out is likely to pass regulatory muster. Use the Juno system as a template:

• Provide notice by e-mail, pop-up screen, or U.S. mail.

• Post a clear and conspicuous notice on the Web site stating the nature of the change, the effective date, and a link to a document listing the changes.

• Give users a clear and conspicuous opportunity to opt out of the changes.

That approach seems to meet regulators’ expectations — at least for now.

Reed Freeman is a partner and Elisa Nemiroff an associate at Collier Shannon Scott, Washington, DC. Reach them at [email protected] and [email protected].