I see a growing trend in organizations trying to gut the promises made in their website privacy policies through sneaky wording they place in their rarely read “Terms of Use” statements.
Over the past few months I have heard from some CISOs and CPOs who are concerned about the wording their legal counsels are suggesting they put on their web sites. And rightly so. Why? Because the proposed “Terms of Use” statements seem to be 1) trying to eliminate all liability to the organization for anything bad that happens to the personally identifiable information (PII) submitted to or accessed from the site; 2) effectively nullifying the posted privacy policy; and 3) trying to bind the website user to these terms simply by using the site, with no active acknowledgment or agreement required.
Here is a composite of around half a dozen of these worrisome passages from the draft Terms of Use statements I’ve seen…
- “By accessing or using any of the Company X websites you agree that you will comply with, and that your access/use will be governed by, the following Terms of Use.”
This is a form of an “implied consent” contract. Using these types of statements is not typically looked upon favorably by regulatory oversight agencies, such as the U.S. Federal Trade Commission (FTC).
- “You are permitted to access and make personal use of the Company X Sites. This use, however, does not include the use of data mining or similar data gathering and extraction tools.”
The term “data mining” is not defined anywhere in the documents I’ve reviewed, and so is open to widely subjective interpretation. The phrase “similar data gathering and extraction tools” is also undefined. Many of your customers would reasonably read downloading or retrieving their own account information as use of a “data extraction tool,” so as written the clause could be taken to forbid them from accessing their own data.
- “Although Company X has used reasonable precautions to safeguard the confidentiality of information received and sent over the Internet or by electronic mail (e-mail), Company X cannot guarantee the confidentiality of such information. If you correspond with us via the Internet or by electronic mail (e-mail) you agree to waive claims against Company X and its suppliers regarding any third party’s access to or use of information that you provide to Company X or information that you receive from Company X.”
Whoa!
Some of the content of this “Terms of Use” document is very worrisome. Quite frankly, I think the FTC would use passages from these documents as examples of what organizations should NOT post on their websites!
Organizations cannot remove their liability and responsibility for security incidents or privacy breaches through these types of implied consent statements. This is especially true for the e-mail clause: many people who correspond with you by e-mail may never have visited your website at all, so they cannot have “agreed” to anything posted there. The FTC has been very clear about this issue in numerous statements over the years. For example, as Ellen Finn, an attorney in the FTC’s Bureau of Consumer Protection, stated on April 6, 2004, when discussing website privacy policies: “What you promise in the headline you cannot take away in the fine print.”
It is pretty common, and a good thing, to put a “Terms of Use” statement on a web site, but only if it is worded appropriately. It must support, and not conflict with, the privacy and/or security policies posted elsewhere on the site.
Posting these composite excerpted passages, as worded, would be a very dangerous thing to do, along with being a red flag to regulatory oversight groups. The only context in which I have typically seen wording like this quoted is FTC discussions of unfair and deceptive business practices involving such “implied consent” contracts. Those cases have often led to significant fines and long-term obligations under the FTC Act (consent orders commonly run 20 years).
The core problem is that your site would be forcing website visitors/users into an agreement without obtaining their active and clearly expressed consent, and often without their knowledge.
Remember, privacy promises can be, and often are, made in many different locations on a website, not just in the website privacy policy.
Compare your privacy policy to what you say in your…
- Legal notice
- Terms of use
- FAQs
- Information collection points
- Any other areas where you might discuss information collection, use, maintenance, security, or disclosure
What did you find? Conflicting promises? Those are legal problems waiting to hatch.
Now, and on an ongoing basis, review the privacy and security promises you are making throughout your website and resolve any conflicts. For example, don’t tell your website users in the privacy policy that you have implemented strong security measures to protect their PII, and then state in your terms of use that your organization is not responsible for any security incident involving that PII.
Also consider and carefully plan:
- How to correctly make changes to the privacy promises on your site; you cannot simply change a legally binding contract on the fly.
- How to address third-party issues when your organization acquires other organizations that operate websites, or acquires websites outright.
- How to address purchasing customer (PII) databases from other companies that collected the PII via their websites; what privacy promises did they make to those individuals?
Schedule a time to speak with your legal counsel about these issues.
Tags: awareness and training, FTC, FTC Act, implied consent, Information Security, IT compliance, policies and procedures, privacy, risk management, security awareness, security training, terms of use, website privacy policies