FTC warns that quietly changing privacy policies could be deceptive

Julie Rubash, General Counsel and Chief Privacy Officer
February 19, 2024
FTC privacy policies

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.


FTC warns quietly changing privacy policies could be deceptive

blog post from the FTC reminded companies that simply changing the terms of a privacy policy to allow for expanded use of personal data, including to train AI models or to share with third parties, may be unfair or deceptive if the change is made retroactively without notifying consumers or getting their consent. In essence, “a business that collects user data based on one set of privacy commitments cannot then unilaterally renege on those commitments after collecting users’ data.”

The FTC said it would continue to bring actions against companies that surreptitiously re-write their privacy policies or terms of use in such a manner.


The concept that changing a privacy policy and applying it retroactively without notice or consent may be deceptive isn’t new and hopefully doesn’t come as a surprise to many companies. However, this is the second post from the FTC in less than two months reminding companies to uphold their privacy commitments in the context of AI, the first focusing on promises made by “model-as-a-service companies” regarding use of data. We can probably expect, therefore, that the FTC will have its eye on companies that use data for AI and their transparency about such use to their consumer and business customers. 


Bavaria conducts enforcement sweep of non-compliant cookie banners

The Bavarian Data Protection Authority checked the cookie banners of around 1,000 websites and found around 350 violations of its requirements, including that a “Reject All” option is present and not hidden, worded differently, or otherwise less prominent. The DPA has contacted the violating website providers to correct the violations.


Bavaria isn’t the only DPA to emphasize the need for an equally prominent “reject all” option on cookie banners. The ICO recently sent warning letters to the UK’s top websites requiring that they make it as easy for users to “reject all” advertising cookies as it is to “accept all” and warned that they plan to steadily make their way through the list of websites offering services to UK users. DPAs in other jurisdictions, including Greece, France and Hamburg, have conducted similar enforcement. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Bicameral, bipartisan discussion draft of federal privacy bill announced

April 15, 2024

If passed, the American Privacy Rights Act, a comprehensive...

CPPA issues an enforcement advisory on data minimization

April 9, 2024

Their first "enforcement advisory", reminds companies of their data...

Kentucky sends comprehensive privacy bill to governor

April 1, 2024

Kentucky's privacy bill mirrors Virginia's, is set for 2026....

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]