Blog
FTC warns that quietly changing privacy policies could be deceptive
February 19, 2024
Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.
USA
FTC warns quietly changing privacy policies could be deceptive
A blog post from the FTC reminded companies that simply changing the terms of a privacy policy to allow for expanded use of personal data, including to train AI models or to share with third parties, may be unfair or deceptive if the change is made retroactively without notifying consumers or getting their consent. In essence, “a business that collects user data based on one set of privacy commitments cannot then unilaterally renege on those commitments after collecting users’ data.”
The FTC said it would continue to bring actions against companies that surreptitiously re-write their privacy policies or terms of use in such a manner.
TAKEAWAY
The concept that changing a privacy policy and applying it retroactively without notice or consent may be deceptive isn’t new and hopefully doesn’t come as a surprise to many companies. However, this is the second post from the FTC in less than two months reminding companies to uphold their privacy commitments in the context of AI, the first focusing on promises made by “model-as-a-service companies” regarding use of data. We can probably expect, therefore, that the FTC will have its eye on companies that use data for AI and their transparency about such use to their consumer and business customers.
EUROPE
Bavaria conducts enforcement sweep of non-compliant cookie banners
The Bavarian Data Protection Authority checked the cookie banners of around 1,000 websites and found around 350 violations of its requirements, including that a “Reject All” option is present and not hidden, worded differently, or otherwise less prominent. The DPA has contacted the violating website providers to correct the violations.
TAKEAWAY
Bavaria isn’t the only DPA to emphasize the need for an equally prominent “reject all” option on cookie banners. The ICO recently sent warning letters to the UK’s top websites requiring that they make it as easy for users to “reject all” advertising cookies as it is to “accept all” and warned that they plan to steadily make their way through the list of websites offering services to UK users. DPAs in other jurisdictions, including Greece, France and Hamburg, have conducted similar enforcement.
Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Latest Blog Posts
FTC and Sensitive Location Data; New Pen Register Class Actions
December 9, 2024FTC takes action against the sale of sensitive data...
California CPPA Issues Notice of Proposed Rulemaking
November 25, 2024News out of California this week. The CPPA moved...
Mitigating risk under the Video Privacy Protection Act (VPPA)
November 23, 2024Because VPPA is just one of many tools being...
Latest White Papers
E-book: Enterprise Guide To Cookie management & Tracker List Curation
July 1, 2024How to review the tracking tech on your websites...
Benchmark Report: US Privacy Compliance
August 19, 2022The current state of publisher compliance with CCPA, and...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.