Day-to-day business counseling can feel a bit like a visit to a Vegas buffet – you never know exactly what’s on the menu but you know you’ll be full by the end of the day. One of the entrées that always seems to come back to my plate is the review of new projects against a company’s online privacy notice.
Drafting an initial notice is a balancing act. Say too little and you’re being vague. Say too much and you’re tying your own hands. All the same, regulators expect that your privacy notice will be both easy to read (i.e., free of legalese) and meet all regulatory requirements. Sure, and for my next trick I will be pulling this rabbit out of my hat! ;)
After the initial notice is drafted, it usually takes about six months for the business to decide that they want to (a) acquire a new kind of vendor tool, (b) undertake a new kind of social media ad campaign, (c) collect a new kind of personal data, (d) use existing personal data in a new way, or (e) some combination of the foregoing.
In those situations, the first step is to check the initial privacy notice and see if the current language addresses what the business wants to do now. If it does, you’re in the clear and can move forward. If it doesn’t, you’ll need to amend your policy.
The question then becomes whether it’s OK to simply make the edit and post the revised version in place of the current one, or whether you need to take some further step, such as emailing the revised version to consumers or, in the most extreme case, having users opt in to the new policy.
Half of this answer comes from the original policy itself. If you’ve already promised that you’ll notify users of any changes via email, then so you must. The other half comes courtesy of our friends at the U.S. Federal Trade Commission.
Their 2001 Toysmart action established the standard of opt-in for retroactive material changes to one’s privacy notice. Under this standard, a mere website posting, or even email notice, is not sufficient if the change will materially affect users who received the prior notice.
So what constitutes a material change? First, I might be stating the obvious, but we’re talking about material degradations to privacy, so a material improvement would not require an opt-in.
Second, you need to put yourself in the consumer’s shoes and ask whether the proposed behavior would strike the average person as, for lack of a better term, icky. This is more art than science, so if your gut tells you that something is even remotely problematic, it’s better to be safe than sorry. Being cute might work for the kid with her hand in the cookie jar, but it didn’t work for Gateway Learning two years after the Toysmart action.
Of course, from a privacy perspective, abstaining from a retroactive material change altogether is even better than procuring an opt-in to the change.