
September 23, 2009

By Dennis Dayman


Privacy policy isn't enough anymore

This is a little late in posting, but I'm glad that it was, because I have been able to sit down and think about this at great length.

Is simply posting a privacy policy good enough anymore? Is simply saying what you will and will NOT do in a privacy policy enough? It may not be.

As you may have heard by now, the Federal Trade Commission (FTC) charged in its complaint that Sears, Roebuck and Company and Kmart Management Corporation failed to disclose adequately the scope of consumers’ personal information collected via a downloadable software application.

Users could download Sears' tracking software, which monitors web activity, and each user was paid $10.00 (which is a lot) if they kept it for a minimum of one month... oh, and all one had to do to secure this plentiful bounty was turn over to the company every single bit of information about one's Web browsing.

Now you're probably saying, so? No worries about them tracking their customers on their site. Not so fast. Sears and its data collection partner also gained access to the "contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails," said the FTC. They also collected non-Web information about the user's personal computer.

Did Sears hide the fact that they were collecting all this personal information? NOPE... They posted every juicy detail of what they were doing in their privacy policy and in a fifty-four (54) page license agreement for users to read in GREAT detail at their convenience. Yeah, right! Who reads that stuff? (CYA note: I do as the Chief Privacy Officer) ;)

So, of course, a few researchers noted this problem to the FTC, which then charged that Sears did not "adequately disclose the scope of the tracking software's data collection."

Now, when you look at all the details involved here, Sears wasn't trying to hide the fact they were monitoring you, they weren't hijacking browsers, secretly doing drive-by installations, or anything illegal or anything unfair. The FTC was concerned that Sears would be tracking people online for marketing purposes but hadn't clearly disclosed what they were doing. Up until now, Sears's disclosures were both legally valid and commonplace. However, in the past the FTC has said in two (2) other cases that companies couldn't bury critical disclosures about the nature of adware in fine print (Zango and Direct Revenue). The Sears case here is NOT adware, mind you. This is a case where the user would/should have known they were sharing personally identifiable information (PII) when they read those documents. They were ASKED to share their information if they downloaded this program.

So what's the lesson learned here? What's the big deal to your business? Will it REALLY impact you? The simple answer in my eyes this beautiful fall morning in Texas is YES!

This settlement with the FTC shows that the FTC is watching and waiting for those who might be trying to confuse the average consumer. This means that you will need to be "hyper transparent" when you're collecting, transferring, and processing PII. You can NO longer just think that posting in your privacy policy what you're doing with a person's information is sufficient. You need to become "hyper transparent".

This could mean that in certain sign-up forms or marketing processes you should break out the relevant impact points of how you're collecting this information and what you're planning on doing with it once you collect it, upfront and not buried in some linked legal document. This means that if you plan on doing more with transference of data, you warn the users more upfront about it. This means that if you want to use their information for more than just normal out-of-band use, you need to be up front about it.

You get the point here? A PRIVACY POLICY IS NOT A GET OUT OF JAIL FREE CARD FOR YOUR MARKETING PROGRAMS AND PROCESSES. Never has been, to be honest.

In this settlement:

  • Sears has agreed to destroy all data gained from the experiment and stop collecting data from any software still running in the public domain.
  • If it wants to do any tracking in the future, the company has committed to "clearly and prominently disclose the types of data the software will monitor, record, or transmit.
  • Any disclosure must be made prior to installation and separate from any user license agreement.
  • Sears must also disclose whether any of the data will be used by a third party."

Here are the relevant links to the FTC announcements if you want to read further.

Sears Settles FTC Charges Regarding Tracking Software

FTC Approves Final Consent Order Requiring Sears to Disclose the Installation of Tracking Software Placed on Consumers’ Computers; FTC Approves Final Consent Order in Matter Concerning Enhanced Vision Systems, Inc.

-Dennis
Eloqua

Don't Just Send, Deliver!
