FTC warns that quietly changing privacy policies could be deceptive

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

FTC warns quietly changing privacy policies could be deceptive

A blog post from the FTC reminded companies that simply changing the terms of a privacy policy to allow for expanded use of personal data, including to train AI models or to share with third parties, may be unfair or deceptive if the change is made retroactively without notifying consumers or getting their consent. In essence, “a business that collects user data based on one set of privacy commitments cannot then unilaterally renege on those commitments after collecting users’ data.”

The FTC said it would continue to bring actions against companies that surreptitiously re-write their privacy policies or terms of use in such a manner.

TAKEAWAY

The concept that changing a privacy policy and applying it retroactively without notice or consent may be deceptive isn’t new and hopefully doesn’t come as a surprise to many companies. However, this is the second post from the FTC in less than two months reminding companies to uphold their privacy commitments in the context of AI, the first focusing on promises made by “model-as-a-service companies” regarding use of data. We can probably expect, therefore, that the FTC will have its eye on companies that use data for AI and their transparency about such use to their consumer and business customers. 

EUROPE

Bavaria conducts enforcement sweep of non-compliant cookie banners

The Bavarian Data Protection Authority checked the cookie banners of around 1,000 websites and found around 350 violations of its requirements, including that a “Reject All” option is present and not hidden, worded differently, or otherwise less prominent. The DPA has contacted the violating website providers to correct the violations.

TAKEAWAY

Bavaria isn’t the only DPA to emphasize the need for an equally prominent “reject all” option on cookie banners. The ICO recently sent warning letters to the UK’s top websites requiring that they make it as easy for users to “reject all” advertising cookies as it is to “accept all” and warned that they plan to steadily make their way through the list of websites offering services to UK users. DPAs in other jurisdictions, including Greece, France and Hamburg, have conducted similar enforcement. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.