Continued Use Of Site Means Consent to Privacy Policy Changes?

I speak with many folks about the importance of published website privacy policies, along with the issues of obtaining consent…not implied but explicit/express…to change the terms of privacy policies.
I also participate in LinkedIn, and I have found it to be a great and valuable tool to network and communicate with other information security and privacy practicitioners.
So, today when I logged in I was quite interested to see the following banner posted on the home page…

“We’ve updated! On November 14, 2008, LinkedIn published revised versions of our Privacy Policy and our User Agreement. Using LinkedIn means you consent to these policies, so please take a few minutes to read and understand them.”

And I was interested to see that once I navigated away from the page, then returned, the policy change notice was not re-posted.
Trying to use this type of implied consent has had significant troubles in the past for several other organizations and businesses, and the FTC does not look too kindly upon making changes to privacy policies in this way and telling the users that just by using the site they are giving consent. Most individuals using the site don’t like this kind of situation, either.
As just one example, here is an excerpt from the FTC’s “Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles” report regarding getting explicit, or “affirmative express,” consent for material changes in privacy policies…

“:3. Affirmative express consent for material changes to existing privacy promises
• Industry and consumer representatives alike state that the privacy policy – a set of commitments about how information is handled – not only is an important tool for providing information to consumers, but also serves to promote accountability among businesses. It is widely recognized, however, that businesses may have a legitimate need to change their privacy policies from time to time.
Proposed Principle:
• As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers.
This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.”

I haven’t read the actual LinkedIn privacy policy changes yet, but it will be interesting to see if the changes made could be considered as material changes, and if the brief, one-time notice given about the change could even be enforceable as a valid type of consent by site users to agree to the policy change.

Tags: , , , , , , , , , , , ,

Leave a Reply