FTC Says It's Now Going After A Lot More Than Just Violated Privacy Policies

In another sign the FTC is putting some teeth in its enforcement, the commission followed up the announcement of its $22.5 million privacy settlement against Google on August 9 with a list of ways companies may be turning themselves into FTC targets.

In a blog post on Monday (Aug. 13), FTC Senior Attorney Lesley Fair said that following a published privacy policy isn't enough. The FTC could go after businesses that misrepresent privacy protections in their opt-out and customization instructions—or even just those that join an industry self-regulation group but then don't follow its code of conduct.

Historically, the FTC's privacy enforcement actions have been slaps on the wrist. Part of the reason is that the commission can't go after privacy breaches, only cases where a business doesn't live up to the privacy protection it promises (whether there's a breach or not).

But with the FTC's first-ever attempt to actually take a chain with major privacy problems to court (Wyndham Hotels, announced in June) and its largest-ever civil penalty against Google last week, it's increasingly clear that the FTC intends to push that one basis for enforcement as aggressively as the commission can.

How far will the FTC push it? Way beyond examining privacy policies. "Chances are you're conveying claims not just in your privacy policy, but also where you talk about choice mechanisms, opt-outs, and other ways users can customize their experience," FTC Attorney Fair wrote in her explanation. Prudent companies "know where they make privacy promises, maintain an inventory of the cookies they use, and don't launch new ones without thinking through the implications."

Another potential source of blindsiding: Industry self-regulatory programs that your chain joins. If the program or group has a code of conduct for privacy-related behavior and disclosure, and your chain doesn't fulfill the requirements of that code, the FTC could go after you for misrepresentation even if the program itself doesn't take disciplinary action. "Once you advertise your adherence to an industry code, live up to its terms," Fair wrote.

And if there's evidence that technical tricks are being used to work around privacy settings, despite what a privacy policy or other "privacy promises" say, that "can lead to costly legal missteps," according to Fair.

Fair touches on one other element, but it's worth underlining: A firm commitment to following your privacy policy needs to come from the top of your organization—but that's not enough. Your CEO isn't going to write code that works around a browser's anti-cookie code. That's something a programmer will do at the request of a marketing manager, usually to solve a CRM data-collection problem, in a way that neither of them thinks is really breaking the privacy rules, just bending them.

That type of bending isn't something the FTC will accept any longer—in fact, the commission will specifically be looking for red flags like that. That means IT, and especially E-Commerce and M-Commerce developers, need to be watching for anything that bends the rules from the bottom up.

A $22.5 million settlement is pocket change to Google, and it may not even be a big deal for your chain. But if you end up as a target, the numbers are just going to get bigger.