Online Privacy Policies–Don’t Believe the Hype

The FTC just announced its agenda for its upcoming privacy-related conference, aptly named, PrivacyCon. The FTC hails the event as a first-of-its-kind conference “regarding important consumer privacy and security issues by leading academics from universities and think tanks from around the world.”

But despite the FTC’s examination of the issue, online privacy is still a highly misunderstood (and highly abused) concept in online transactions. Having counseled hundreds of clients on privacy-related issues for the past fifteen years, I can tell you this: The laws (or lack of laws) related to online privacy aren’t going to change anytime soon.  Before I tell you why nothing is going to change, consider the following:

Consumers have a poor understanding of privacy policies—usually because they don’t read them.
When was the last time you actually read a site’s privacy policy? I know, you can’t remember. Don’t feel bad—I write them, and I don’t read them either. I think there are three reasons why we don’t read privacy policies: First, we often believe that if a website’s owner is reputable and well-known, then our private information will be secure. (This, of course, is not based on anything in reality; however, research shows that reputation is a strong motivating factor for consumers who readily give up their private information.) Second, we sufficiently crave whatever it is that the site is selling, such that giving up our private information is merely a speed bump on our way to getting what we want. (And after all, who slows up for speed bumps?) Third, we rationalize giving up our private information under the theory that the site will do whatever it wants with our private information anyway, so there’s really no reason to give much thought to privacy concerns. Unfortunately, this last reason is grounded in reality. More on that in a moment…

Privacy seals don’t mean as much as consumers (and companies) think they mean.
Privacy seals purport to certify that the owner of a website complies with certain minimum levels of online privacy and security. But how much do you really know about what it takes to get a “privacy seal”? For that matter, how do you know whether a website displaying a privacy seal actually complies with the seal’s minimum requirements? Here’s a scary (but true) revelation: Some site owners display privacy seals without taking any steps whatsoever to comply with any required privacy procedures. (Yes, it’s trademark infringement, but unfortunately, it happens.)

On the flip side, consumers don’t usually make decisions to divulge their personal information based solely on the presence or absence of a privacy seal. Case in point: Think about the websites from which you regularly buy things. Do those sites even have privacy seals? (Don’t look until you venture a guess). In my case, the first three sites I thought of did NOT have privacy seals—but I buy stuff from those sites all the time, and will continue to do so.  My point is this: If companies think that the presence of a privacy seal will be a game-changer for their online sales, then they are sorely misguided. Reputation-building activities, like improved customer service and support, will always pay higher dividends than privacy seals.

Government agencies can enforce an existing privacy policy, but can’t require a company to have one.
Contrary to popular thought, most companies aren’t required to post, or even have, a privacy policy. In fact, the few states that require companies to post privacy policies online simply require the impacted companies to disclose what information they collect and how they use it.  Notably, there are virtually no restrictions on what a company may do with information it obtains. (For example, see California’s law here.  It describes the circumstances under which a privacy policy must be posted, but doesn’t restrict the use of the information obtained.)

Certain government agencies, such as the Federal Trade Commission or each state’s Attorney General, are empowered to sue companies that post privacy policies and then fail to follow them; however, those lawsuits are few and far between.  In any event, those agencies cannot force a company to create or post a privacy policy if the company isn’t legally required to do so.

It wouldn’t be hard to require companies to post a privacy policy; California does it now, and a similar law, on a federal level, would probably enjoy bipartisan support. But no law will (or even could) prohibit companies from doing what they want with the information they collect—there are simply too many types of commercial transactions to consider, and they can’t all be covered under a single statute. Even the most stringent law would likely give an escape clause to companies that disclose how they use consumer information—even if that use is ambiguous or vague.

For example, a privacy policy stating, “We reserve the right to divulge your information to our affiliates if we believe that such disclosure would be in your best interests, but before doing so, we will require our affiliates to keep your information confidential” likely complies with California’s current law. (That’s not legal advice, only an observation. Consult your attorney if you’re planning on doing business in California.)  However, this type of provision would allow a company to transfer your information to practically any third party as long as that party “promised” to keep the information confidential.  But what good are promises if you don’t know whether the promises are enforceable or monitored? You see the point, right?

Online privacy-related laws will always have exceptions enabling sufficiently initiated companies to circumvent the spirit and purpose of the law. So while I applaud the government’s efforts in confronting the pervasive online privacy problem, I don’t expect to see too many changes any time soon. Indeed, changes won’t come until we stop looking at the privacy problem from a (mostly) intellectual perspective, and start addressing the issue from a business-oriented perspective.

Until then, assume nothing is private.