|
FTC Takes Action Against “Hooked on Phonics” for Sharing
Their Users’ Personal Information with Marketers
In the first enforcement case dealing with material changes
to a website privacy policy, the FTC announced the settlement of its claims
against Gateway Learning Company (that owns “Hooked on Phonics”) under Section 5
of the FTC Act for misrepresenting their data collection and sharing policies.
(Section 5 of the FTC Act covers unfair and deceptive practices, as well as
consumer fraud, misrepresentation and false claims. Gateway was required to
disgorge, $4600, the proceeds it received from sharing its users’ personal
information with marketers. The information shared included personal information
about children under the age of 13.
Gateway had a privacy policies in effect at their
www.hop.com website from 2000 until June 2003
(the “Earlier Privacy Policies”). The Earlier Privacy Policies provided under
the title of a “Promise of Privacy” (among other provisions):
As to the use of personal information collected about or
from their users:
As to the use of children’s personal information:
And as to changes in the privacy policy:
(These provisions of the text of the privacy policy in
effect at the website on December 6, 2001 were taken from Exhibit A to the FTC’s
complaint against Gateway, as it appears at the FTC website at http://www.ftc.gov/os/caselist/0423047/0423047cmpexhac0423047.pdf.)
In April, 2003 Gateway began sharing the name, address,
telephone number and purchasing history, as well as the ages and genders of the
users’ children, with marketers for direct mail and telephone telemarketing
purposes.
Two months later, on June 20, 2003 a new privacy policy was
posted at the website (the “Later Privacy Policy”). It contained the same
provisions about sharing children’s information and about notices of changes to
the policy itself.
The provision regarding sharing of personal information
with third parties was changed, however, to provide in its entirety:
(See Exhibit B to the FTC’s complaint against Gateway,
found at
http://www.ftc.gov/os/caselist/0423047/0423047cmpexhac0423047.pdf)
Notwithstanding their promise to notify their users of any
material changes in their information practices either at the website or via
e-mail, no special notations or notices were provided either at the website or
via e-mail of the change. A few weeks later, Gateway ceased sharing this
information with marketers. On July 17, 2003 Gateway once again changed its
privacy policy, this time to include an “updated date” and slightly revised
personal information use provisions and a new provision omitting any promises as
to the use of children’s personal information.
The revised personal information use provision is included
below:
The new provision relating to children’s information
excluded their previous representations about not sharing personal information
about children under 13 years of age and, as revised now read:
(See Exhibit C to the FTC’s complaint against Gateway,
found at
http://www.ftc.gov/os/caselist/0423047/0423047cmpexhac0423047.pdf
Specifically the FTC charged Gateway with:
(1)
making false claims when it promised in its website privacy policy not to
sell, rent, or loan to third parties consumers’ personal information unless it
received the consumers’ consent, and that it would never share information about
children;
(2)
committing an unfair practice when it attempted retroactively make
material changes to an existing privacy policy to now permit sharing of personal
information; and
(3)
for committing a deceptive practice by failing to notify its users (as
promised in their privacy policy) of these changes.
The full FTC release can be accessed at:
http://www.ftc.gov/opa/2004/07/gateway.htm
According to Howard Beales, Director of the FTC’s Bureau of
Consumer Protection, the issue is simple. “If you collect information and
promise not to share, you can't share unless the consumer agrees. You can change
the rules but not after the game has been played.”
As part of the consent order, Gateway will have to obtain
the express consent of its users to sharing of any personally identifiable
information collected prior to June 20, 2003 (the date of the Later Privacy
Policy) and
for any future changes to
their privacy policies.
What
does the decision tell us about changes to privacy policies and terms of service
at websites?
1. All privacy policies
should have dates of the last revision and a page setting for the dates of
earlier revision and the terms of those revisions.
2. Companies should
consider that all information collected at their websites will always be
governed by the privacy policy and terms of service in effect at the time the
information is collected, and if applicable, modified. All data should be
electronically tagged with the conditions of use applicable to that data, no
matter where or how stored or used.
3. Companies need to
know what promises they are making in their privacy policies and terms of
service. Flowery
promises have serious legal ramifications. Lawyers who are expert in privacy law
should be reviewing all privacy policies and all changes.
Even if all these are
adhered to, there is no guarantee that a "browser-wrap" consent will be upheld.
To read more about this, read Parry's Browser-Wrap article.
To
look at the issue from a legal enforceability standpoint, visit Parry Aftab’s
blog,
http://theprivacylawyer.blogspot.com
| 
Parry
Aftab, Esq., 
Marvel and
all character names and the distinctive likenesses thereof are trademarks of
Marvel Characters, Inc., and are used with permission. TM & © 2004 Marvel
Characters, Inc. All rights reserved. “Super Heroes” is a Co-owned registered
Trademark.