• Material Changes to Privacy Policies May Require Adequate Notice and Opt-In Consent Under Proposed Gateway Settlement With FTC
  • August 4, 2004 | Authors: Albert Gidari; Barry J. Reingold; Ann M. Nagele; Suchon Tuly
  • Law Firms: Perkins Coie LLP - Seattle Office; Perkins Coie LLP - Washington Office; Perkins Coie LLP - Seattle Office; Perkins Coie LLP - San Francisco Office
  • Gateway Learning Corporation ("Gateway"), seller of the "Hooked on Phonics" brand of products, has reached a proposed settlement of charges brought against it by the Federal Trade Commission ("FTC") about its privacy practices. The FTC alleged that Gateway misrepresented how it would use personal information collected from customers through its Web site, www.hop.com. The agency also claimed that, because Gateway made material changes to its privacy policy without satisfactory notice and applied them retroactively without opt-in consent, Gateway had engaged in unfair and deceptive acts and practices in violation of Section 5(a) of the FTC Act.

    The proposed Gateway settlement affects any company that materially changes its privacy policies in ways that contradict promises made to consumers at the time their information was collected. For example, if the old policy told consumers that the company would not share personal information with third parties, the company cannot do so under the new policy unless the company obtains from consumers opt-in consent for the continuing use of information collected under the old policy. Also, companies that have promised in their privacy policies to "notify" customers of material changes in the policy must do more than simply post the new policy to their Web sites and provide an opt-out period. Instead, they must also provide an explanation of the changes.

    Background

    Gateway collected personal information from its customers through its Web site, typically from parents buying products for their children. This information included the customer's name, address, phone number, e-mail address, purchase history, and the children's age ranges and gender. Various versions of Gateway's posted privacy policy promised that it: (a) would not sell, rent, or loan to third parties customers' personal information without first obtaining their explicit consent; (b) would not provide to third parties any personal information about children under the age of 13 for any purpose; and (c) would notify customers of material changes to the privacy policy on its Web site. Alternatively, the company could send them an e-mail providing an opportunity to opt-out of any new uses of their information.

    Contrary to these statements, in April 2003, Gateway began renting its customers' personal information to third parties without first obtaining consent. These third parties then used the information to send direct mail and make telemarketing calls. On June 20, 2003, Gateway posted a revised privacy policy stating that it would disclose its customers' personal information to other "reputable companies." It also informed customers that they could opt-out of such use of their personal information by notifying Gateway. The revised policy was posted to Gateway's Web site with no special flagging or indication that the policy was new and no description of the actual changes made to the policy. No contact was made with customers who had given their personal information under the old policy to obtain their consent. The revised privacy policy continued to state that Gateway would not share children's personal information, despite the fact that it now rented information regarding children's age ranges and gender to third parties. On July 17, 2003, Gateway added "(updated July 17, 2003)" to its privacy policy link and revised the language regarding privacy of children's information and sharing of personal information collected through the Web site.

    Gateway then applied its new policy retroactively to the personal information that customers had provided under Gateway's old policy.

    The FTC charged that Gateway had engaged in false and misleading advertising by renting personal information to third parties without obtaining consent, renting children's information, and materially changing its privacy policy without providing adequate notice, all contrary to the explicit statements in its privacy policy. The FTC also charged that Gateway's retroactive application of its new privacy policy containing material changes inconsistent with its original promise to customers was an unfair act or practice that had caused those customers substantial injury by subjecting them to unwanted marketing solicitations.

    Gateway has reached a proposed settlement with the FTC that provides, among other things, that Gateway will: (a) not misrepresent its policy about the collection, use, and disclosure of personal information or its procedure for notifying customers of changes to the policy; (b) not disclose to third parties personal information that it received before it posted its new privacy policy in June 2003 unless such customers give their explicit opt-in consent; (c) not apply future material changes in its privacy policy to customers retroactively without first getting their explicit opt-in consent; and (d) surrender the money it earned from renting personal information of customers that provided such information under the old policy. This proposed settlement agreement is subject to a public comment period ending on August 6, 2004, after which the FTC will decide whether to make it final. The FTC's complaint, the settlement agreement, and related documents can be found on the FTC's site at the following link: http://www.ftc.gov/os/caselist/0423047/0423047.htm.

    Implications for Your Business

    At first blush, the settlement is unremarkable. Gateway plainly did the opposite of what it promised in its privacy policy and the FTC called Gateway on it. But the terms of the settlement about retroactive application of privacy policy changes may be more significant for a company making material changes to its privacy policy, depending on what promises it made in the old policy.

    First, companies that make material changes in ways that contradict promises made to consumers at the time their personal information was collected may not treat that information in a different manner without first obtaining the consumers' express opt-in consent. What constitutes a material change may be open to debate. At a minimum, however, a change is material if it results in the disclosure of personal information to third parties. It is unclear, however, whether terms in the new policy that were not present in any form in the old policy (therefore, arguably, not contradictory) would require such opt-in consent before retroactive application. For example, it is possible that a policy that was silent about the use of certain types of personal information could be amended to explicitly permit the sale of that data. This would turn on the exact language in the old and new policies.

    Second, if the old policy promises to notify consumers of material changes, it may not be enough to simply affix a "new" icon to the privacy policy link. Adequate notice of material changes also requires an explanation of those changes. It is doubtful that a "redlined" version or highlighted clauses in a privacy policy are enough under this new standard. Some explanation of the changes is required.

    Third, companies that have promised in their policy not to share consumer information with any third party should amend their privacy policies to permit disclosure of personal information in the event of a bankruptcy, insolvency, merger or acquisition. Otherwise, they may find that their customer list -- which may be their most valuable asset -- cannot be transferred to a successor in interest without obtaining the customers' opt-in consent. This can delay the due diligence process and impose unanticipated transaction costs.

    Fourth, companies that collect personal information may need to segregate data previously collected from data collected under a new privacy policy. Gateway permits a company that changes its policy to use, consistent with those changes, data collected under that new policy. But data collected under the old policy may not be used in ways that contradict promises made to consumers under such old policy without their express opt-in consent. This means, as a practical matter, that some form of segregation of data will likely be necessary, which may or may not be technically feasible or cost-effective.