Website operators may need to update their privacy policies when they make changes to their respective personal information collection, storage, sharing and usage practices. Depending on the nature of the privacy policy changes, businesses may also need to provide notice to, and obtain consent from, consumers in order to comply with applicable privacy laws.
The Federal Trade Commission (“FTC”) recently charged 1Health.io with making privacy policy changes without adequately notifying and obtaining consent from consumers whose data the company had already collected. This should serve as a cautionary tale to businesses in all industries.
Which Privacy Policy Changes Require Consumer Notice and Consent?
All privacy policy changes should be accompanied by a prominent consumer notice posted on the website home page (including, if desired, via a pop-up on that web page). Such notice should include the date that the subject privacy policy was or will be updated.
However, if there are material changes to the types of personal information collected, how that information is used and/or how that information will be shared/sold, then notice and consent are required. For such material changes, an email should be distributed to consumers, where possible. Further, consumers must also provide affirmative consent by checking an unchecked box on a web page in order to authorize changes that affect the use of their data.
In the 1Health.io matter, the FTC alleges that the company changed its privacy policy by retroactively expanding the categories of third parties that it could share consumer data with. However, 1Health.io allegedly failed to: (1) adequately notify consumers who had previously shared personal data with the company of this change; and (2) obtain their consent to share their information in such expanded ways.
Privacy Policy Changes Should Comply with Applicable Privacy Laws
Most online businesses will need to change their privacy policies at various times in order to reflect changes to their data collection, use and sharing practices, as well as to comply with evolving privacy laws. It is essential, however, that businesses provide the requisite notice, and obtain valid consent, from their existing users in order to use data in materially different ways. Given the significant liability that exists for failing to comply with notice and consent requirements, businesses must consult with experienced counsel to ensure that they comply with applicable consumer privacy regulations.
If you require assistance in connection with consumer privacy law compliance for your business, including compliant privacy policy change procedures, please e-mail us at info@kleinmoynihan.com, or call us at (212) 246-0900.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Attorney Advertising