- Material Changes to Privacy Policies May Require Adequate Notice and Opt-In Consent Under Proposed Gateway Settlement With FTC
- August 4, 2004 | Authors: Albert Gidari; Barry J. Reingold; Ann M. Nagele; Suchon Tuly
- Law Firms: Perkins Coie LLP - Seattle Office; Perkins Coie LLP - Washington Office; Perkins Coie LLP - Seattle Office; Perkins Coie LLP - San Francisco Office
The proposed Gateway settlement affects any company that materially changes its privacy policies in ways that contradict promises made to consumers at the time their information was collected. For example, if the old policy told consumers that the company would not share personal information with third parties, the company cannot do so under the new policy unless the company obtains from consumers opt-in consent for the continuing use of information collected under the old policy. Also, companies that have promised in their privacy policies to "notify" customers of material changes in the policy must do more than simply post the new policy to their Web site and provide an opt-out period. Instead, they must also provide an explanation of the changes.
Gateway then applied its new policy retroactively to the personal information that customers had provided under Gateway's old policy.
Implications for Your Business
First, companies that make material changes in ways that contradict promises made to consumers at the time their personal information was collected may not treat that information in a different manner without first obtaining the consumers' express opt-in consent. What constitutes a material change may be open to debate. At a minimum, however, a change is material if it results in the disclosure of personal information to third parties. It is unclear, however, whether terms in the new policy that were not present in any form in the old policy (therefore, arguably, not contradictory) would require such opt-in consent before retroactive application. For example, it is possible that a policy that was silent about the use of certain types of personal information could be amended to explicitly permit the sale of that data. This would turn on the exact language in the old and new policies.
Third, companies that have promised in their policy not to share consumer information with any third party should amend their privacy policies to permit disclosure of personal information in the event of a bankruptcy, insolvency, merger or acquisition. Otherwise, they may find that their customer list -- which may be their most valuable asset -- cannot be transferred to a successor in interest without obtaining the customers' opt-in consent. This can delay the due diligence process and impose unanticipated transaction costs.