Blog

FTC warns that quietly changing privacy policies could be deceptive

Julie Rubash, General Counsel and Chief Privacy Officer
February 19, 2024
FTC privacy policies

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

FTC warns quietly changing privacy policies could be deceptive

blog post from the FTC reminded companies that simply changing the terms of a privacy policy to allow for expanded use of personal data, including to train AI models or to share with third parties, may be unfair or deceptive if the change is made retroactively without notifying consumers or getting their consent. In essence, “a business that collects user data based on one set of privacy commitments cannot then unilaterally renege on those commitments after collecting users’ data.”

The FTC said it would continue to bring actions against companies that surreptitiously re-write their privacy policies or terms of use in such a manner.

TAKEAWAY

The concept that changing a privacy policy and applying it retroactively without notice or consent may be deceptive isn’t new and hopefully doesn’t come as a surprise to many companies. However, this is the second post from the FTC in less than two months reminding companies to uphold their privacy commitments in the context of AI, the first focusing on promises made by “model-as-a-service companies” regarding use of data. We can probably expect, therefore, that the FTC will have its eye on companies that use data for AI and their transparency about such use to their consumer and business customers. 

EUROPE

Bavaria conducts enforcement sweep of non-compliant cookie banners

The Bavarian Data Protection Authority checked the cookie banners of around 1,000 websites and found around 350 violations of its requirements, including that a “Reject All” option is present and not hidden, worded differently, or otherwise less prominent. The DPA has contacted the violating website providers to correct the violations.

TAKEAWAY

Bavaria isn’t the only DPA to emphasize the need for an equally prominent “reject all” option on cookie banners. The ICO recently sent warning letters to the UK’s top websites requiring that they make it as easy for users to “reject all” advertising cookies as it is to “accept all” and warned that they plan to steadily make their way through the list of websites offering services to UK users. DPAs in other jurisdictions, including Greece, France and Hamburg, have conducted similar enforcement. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Noyb Complaint Alleges Pinterest Personalized Advertising Violates GDPR

October 28, 2024

Noyb Complaint Alleges Pinterest Personalized Advertising Violates GDPR

Three notable developments in privacy class actions

October 21, 2024

Three notable developments in privacy class actions occurred in...

New Privacy Requirements Took Effect October 1 In Three States

October 7, 2024

New Privacy Requirements Took Effect In Montana, Maryland &...

Latest White Papers

E-book: Enterprise Guide To Cookie management & Tracker List Curation

July 1, 2024

How to review the tracking tech on your websites...

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]