FTC Says It’s Now Going After A Lot More Than Just Violated Privacy Policies

Written by Frank Hayes
August 15th, 2012

In another sign the FTC is putting some teeth in its enforcement, the commission followed up the announcement of its $22.5 million privacy settlement against Google on August 9 with a list of ways companies may be turning themselves into FTC targets.

In a blog post on Monday (Aug. 13), FTC Senior Attorney Lesley Fair said that following a published privacy policy isn’t enough. The FTC could go after businesses that misrepresent privacy protections in their opt-out and customization instructions—or even just those that join an industry self-regulation group but then don’t follow its code of conduct.

Historically, the FTC’s privacy enforcement actions have been slaps on the wrist. Part of the reason is that the commission can’t go after privacy breaches, only cases where a business doesn’t live up to the privacy protection it promises (whether there’s a breach or not).

But with the FTC’s first-ever attempt to actually take a chain with major privacy problems to court (Wyndham Hotels, announced in June) and its largest-ever civil penalty against Google last week, it’s increasingly clear that the FTC intends to push that one basis for enforcement as aggressively as the commission can.

How far will the FTC push it? Way beyond examining privacy policies. “Chances are you’re conveying claims not just in your privacy policy, but also where you talk about choice mechanisms, opt-outs, and other ways users can customize their experience,” FTC Attorney Fair wrote in her explanation. Prudent companies “know where they make privacy promises, maintain an inventory of the cookies they use, and don’t launch new ones without thinking through the implications.”

Another potential source of blindsiding: Industry self-regulatory programs that your chain joins. If the program or group has a code of conduct for privacy-related behavior and disclosure, and your chain doesn’t fulfill the requirements of that code, the FTC could go after you for misrepresentation even if the program itself doesn’t take disciplinary action. “Once you advertise your adherence to an industry code, live up to its terms,” Fair wrote.

And if there’s evidence that technical tricks are being used to work around privacy settings, despite what a privacy policy or other “privacy promises” say, that “can lead to costly legal missteps,” according to Fair.

Fair touches on one other element, but it’s worth underlining: A firm commitment to following privacy policy needs to come from the top of your organization—but that’s not enough. Your CEO isn’t going to write code that works around a browser’s anti-cookie code. That’s something a programmer will do at the request of a marketing manager, usually to solve a problem collecting CRM data that neither figures is really breaking the privacy rules, just bending them.

That type of bending isn’t something the FTC will accept any longer—in fact, the commission will specifically be looking for red flags like that. That means IT, and especially E-Commerce and M-Commerce developers, need to be watching for anything that bends the rules from the bottom up.

A $22.5 million settlement is pocket change to Google, and it may not even be a big deal for your chain. But if you end up as a target, the numbers are just going to get bigger.

