At the IAPP Global Summit in Washington, D.C. which just ended, I didn’t get a chance to ask my question of newly appointed FTC Chair Edith Ramirez. She had only been in office 5 days and privacy is at the top of her agenda. She had previously been scheduled for a Q&A but because of her new appointment, the questions were posed by a moderator and the audience was not allowed to participate.
Had I been given the opportunity, I would have asked the following question. Would the FTC consider action against a company for violating the unfair and deceptive practices act if it turned over information to a government agency in violation with the company’s stated privacy policy? Or is such an enforcement action verboten.
I suspect I know the answer.
To date, to my knowledge, the FTC has never made such a complaint against a company. However, the potential is there.
I would like to examine two different clauses from privacy statements and their particular risks to users of those services. Here is one common clause I’ve found in many privacy statements.
We may disclose any subscriber information to law enforcement agencies without further consent or notification to the subscriber upon lawful request from such agencies. We will cooperate fully with law enforcement agencies.
Notice the phrase “lawful request.” Such a policy does not preclude the scenario where a law enforcement agency simply asks for the information, no subpoena, warrant or national security letter. The request is lawful. No law prohibits the agent from making the request and no law prevents the company from disclosing the information to anybody (except the FTC’s enforcement of the company’s own privacy statement). Could such a policy be deceptive? To the average consumer, the term lawful request seems to imply that the company will respond to legal requests such as the aforementioned court recognized documents. However, to a lawyer, arguing before the FTC, the phrase could be read as I’ve described above, nothing unlawful, therefore the request was lawful. The clause could be a result of sloppy draftsmanship or crafty lawyering.
Contrast that to the pertinent section of Facebook Data Use Policy:
We may access, preserve and share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so. This may include responding to legal requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law in that jurisdiction, affects users in that jurisdiction, and is consistent with internationally recognized standards.
Notice they include the requirement that they must have good faith belief that the law requires them to comply. Not that it allows them to comply, but requires them. This is a significant difference in function. Under the previous construction, they will comply with a request if the law allows them but under the Facebook policy, they will only comply if the law requires them. I also appreciate the out they provide themselves for international requests that it must be consistent with internationally recognized standards, possibly providing them a legal out to not enforce some dictator’s decree. However, it would be nice if it was stronger still.