PAUL, WEISS, RIFKIND, WHARTON & GARRISON

REVISING PRIVACY POLICIES ON THE INTERNET

LESLEY SZANTO FRIEDMAN - CLAUDINE MEREDITH-GOUJON

PUBLISHED IN STATE BAR NEWS JULY/AUGUST 2001

Concerns about online privacy can cause clients to promise broad protection of consumer information obtained over the Internet. A change in business practice, the launching of a new service or a change in the legal landscape may prompt clients to revisit existing privacy policies. The negative publicity some companies have received when amending privacy policies demonstrates the need to manage such revisions wisely in order to avoid jeopardizing consumer confidence. After summarizing the experiences of some companies that have recently amended their privacy policies, this article will provide some suggestions on how to revise privacy policies without incurring negative publicity or running afoul of regulatory requirements.

Recently Revised Privacy Policies

Amazon.com and eBay recently amended language in their existing privacy policies that stated they would not share customer information with third parties. had retained the right to share such information in the future, but allowed its customers to preclude a transfer of personal information by e-mailing never@amazon.com. In their revised policies, both companies qualified their representation, stating that they would share personal information with another party if they merged with, or were acquired by, another corporate entity.

Toysmart

The changes made by Amazon and eBay were adopted in the wake of the Federal Trade Commission’s (FTC) suit against Toysmart.com. When Toysmart entered bankruptcy proceedings in June 2000, Toysmart tried to sell its customer lists as a stand-alone asset, despite the representation in Toysmart’s privacy policy that it would never transfer customer information to third parties. The FTC brought suit to block the sale of the customer information. The FTC and Toysmart settled the case by agreeing that the customer lists could be sold to a buyer who would abide by the same privacy policy and was in a similar business. No such buyer was found. Walt Disney, a majority owner, ultimately agreed to pay Toysmart $50,000 to destroy the customer lists.1

eBay

Prior to changing its privacy policy, eBay notified its users of the changes. As a member of the TRUSTe privacy seal-of-approval program, eBay also consulted with TRUSTe. The new policy stated that eBay or its subsidiaries “could merge with or be acquired by another business entity. Should such a combination occur, you should expect that eBay would share some or all of your information.” eBay expressly permitted users to cancel their eBay registrations if they found the changes unacceptable. TRUSTe supported eBay’s revision, stating that “eBay actually checked with us before making the change; and we gave them the OK because they are not taking the control away from the consumer.”2 Privacy watchdog organizations like the Electronic Privacy Information Center (EPIC) and Junkbusters Corp. did not censure eBay’s revised policy.

This article is reprinted with permission from the July/August 2001 edition of State Bar News.

Amazon.com

By contrast, Amazon received negative attention for the revisions to its policy. Amazon’s new policy stated that “in the unlikely event that Amazon.com, Inc. or substantially all of its assets are acquired, customer information will of course be one of the transferred assets.” Unlike eBay, Amazon did not consult with a privacy organization. Amazon is not a part of the TRUSTe privacy seal-of-approval program, and if it were, it could not have changed its policy on its own.3 Amazon did not provide users with prior notice of the change, and the new policy did not allow customers to opt-out of third-party data sharing.4 EPIC and Junkbusters called for FTC action claiming that the changes were a deceptive trade practice under Section 5(a) of the FTC Act. They claimed that customers who had e-mailed never@amazon.com gave personal information with the expectation that Amazon would never release it, yet ambiguous language in the new policy could permit Amazon to share that information.

Amazon again found itself a target of negative attention due to privacy concerns involving Alexa, Amazon’s Internet unit. Alexa developed a comparison shopping service called zBubbles, and the Alexa privacy policy stated that the service did not collect personally identifiable information. In fact zBubbles did involve the collection of some personal information. After investigation, the FTC declined to pursue any enforcement action in spite of its conclusion that “Amazon.com’s and Alexa Internet’s practices likely were deceptive in violation of Section 5 of the FTC Act.”5 The FTC stated that it based its decision on the fact that zBubbles was no longer operational and that Alexa had revised its representations “to more accurately reflect its information practices.” The FTC also noted that pursuant to a preliminarily approved settlement in a class action against Amazon and Alexa regarding information collection, Alexa would be required to delete some of the collected personally identifiable information. If the settlement is approved, Amazon and Alexa would also pay up to $3.8 million in damages and legal fees.

Microsoft

Microsoft has been the target of attention from privacy groups regarding Passport, Microsoft’s “single-sign-in” service. Microsoft’s announcement of a new software initiative, Hailstorm, that would incorporate the Passport service, drew attention to Passport’s existing terms of use. In those terms, Microsoft had claimed broad rights to all communications with or through Passport. Although Microsoft claimed that the privacy policy on the Passport site would control in the case of conflicting language with the terms of use, Microsoft rewrote the Passport terms due to the privacy controversy.6

Although most companies are not scrutinized like Amazon or Microsoft, there are at least three steps companies can take when revising their privacy policies to avoid negative attention and possible FTC action.


Step 1: Revise Privacy Policies to Reflect Business Practices Accurately

As business grows, clients may find that broad statements made in their initial privacy policy that they would not share personally identifiable information with any third parties are simply unworkable. For example, a sweeping statement that no third party will receive customer information could be read to limit a company’s ability to provide necessary information to shippers. Additionally, many clients will need to share some information with third parties in order to outsource services such as marketing and promotions or data mining. Clients should therefore revise their privacy policies with counsel in order to make accurate representations in those policies. A carefully crafted revision of broadly protective language in an existing privacy policy can help dispel concerns that the company is trying to expand its use of consumer information and clarify that the sharing of certain personal information is necessary for the company to deliver a high quality product to the consumer.

Step 2: Avoid Possible Investigation for Unfair Trade Practices

Failure to comply with the terms of a stated privacy policy can amount to a deceptive trade practice under either the FTC Act7 or state law. The Toysmart settlement indicates that the FTC is monitoring companies’ compliance with stated privacy policies.

In addition to reviewing Amazon’s practices in connection with Alexa, the FTC investigated Amazon for the revisions to its privacy policy at the behest of EPIC and Junkbusters. The FTC ultimately declined to pursue Amazon despite ambiguous language in Amazon’s revised policy that would have allowed Amazon to act in violation of its previous policy. The FTC justified its non-action based on Amazon’s assurances that the company had not actually acted to contravene its previous policy such that the different representations in the old and revised policies were immaterial.8 Amazon maintained to the FTC’s satisfaction that it had not actually transferred the information of customers who had requested that their information never be shared, and that it would continue to respect these customers’ requests that Amazon not share the information with a third party.

State attorneys general are also monitoring compliance with privacy policies, and may pursue actions under state laws prohibiting trade practices. In January 2000, settled a suit brought against InfoBeat, an e-mail service provider, alleging deceptive business acts or practices pursuant to N.Y. Gen. Bus. Law §§ 349-50. New York alleged that the company had violated its privacy policy by inadvertently revealing confidential information about its customers to advertisers. The privacy policy stated that the company would “NEVER release, sell or give a subscriber’s name or e-mail address to any other party or organization, without the subscriber’s explicit permission.”9

Counsel should monitor future actions by the FTC and the states in order to understand which practices are likely to be considered deceptive trade practices.

Step 3: Manage Public Relations

Although Amazon and eBay made similar changes to their privacy policies, the reactions from privacy groups differed greatly. eBay not only consulted with TRUSTe and notified its customers in advance of the change, it also allowed customers to cancel their eBay account if they found the new policy unacceptable. By contrast, Junkbusters and EPIC severed ties to Amazon and called for FTC action against Amazon for its revisions. They claimed that Amazon’s unilateral denial of customers’ rights to control their personal information constituted a “massive bait and switch tactic.”10 TRUSTe stated it would not have approved Amazon’s changes had Amazon participated in TRUSTe’s privacy seal program because the revisions did not give consumers who had provided personal information under the assumption that Amazon would never transfer their information the choice to prevent their information from being transferred to a third party.11

TRUSTe’s proposed guidelines on the use of personally identifiable information in mergers, acquisitions and bankruptcies are a useful model for revising privacy policies in an open and cooperative manner.12 The guidelines recommend third-party oversight during any transfer of personally identifiable information. They also recommend giving consumers notice of the change and providing an opt-in provision when the company promised never to share personal information.

TRUSTe also emphasizes the need to honor the promises contained in a privacy policy at the time of a bankruptcy, acquisition or dissolution. TRUSTe licensees must obtain TRUSTe approval prior to making any material changes to their privacy policy, but even companies that are not TRUSTe licensees would be well-advised to contact privacy watchdog groups, such as EPIC, before changing their policies. Companies should also follow TRUSTe’s recommendation to give consumers advance notice of the changes. If the company had promised never to share customer information with a third party, TRUSTe’s recommendation that customers opt-in to the new policy is the strongest protection the company can provide. At a minimum, the company should provide an opt-out provision so that consumers can decide whether or not they want their information to be shared.

DoubleClick, Inc. is trying a cooperative approach by asking for public comment on its proposed new privacy policy. While EPIC has stated that it has concerns regarding DoubleClick’s practices, EPIC did acknowledge that DoubleClick is “making an effort to be more responsive to public concerns about privacy.”13 Seeking public comment and approaching the privacy watchdogs prior to adopting a new privacy policy not only evinces goodwill, it also underscores a company’s commitment to consumer privacy.

Most clients are unlikely to face the same level of scrutiny as eBay, Amazon or Microsoft. Nevertheless, no company wants to find itself investigated for an unfair trade practice or accused of violating its customers’ privacy. By informing customers in advance and by taking a cooperative approach with privacy groups, companies can use revised privacy policies as an opportunity to emphasize their commitment to protecting customer information obtained online.

* * *

Lesley Szanto Friedman is a senior associate and Claudine Meredith-Goujon is an associate in the New York office of Paul, Weiss, Rifkind, Wharton & Garrison.

Footnotes

1 The Bankruptcy Reform Act recently passed by the U.S. Senate contains provisions that would allow a bankruptcy court to prohibit the sale of personally identifiable information as an asset in bankruptcy upon consideration of the facts, circumstances, and conditions surrounding sale of nonpublic personal information. The Bankruptcy Reform Act of 2001, S. 420, 107th Cong. (1st Sess. 2001).

2 Jennifer DiSabatino, “eBay Amends Its Privacy Policy,” COMPUTERWORLD, Apr. 9, 2001, LEXIS, News Source.

3 See D. Ian Hopper, “Consumer Groups Criticize Amazon’s New Privacy Policy,” , Sept. 1, 2000, LEXIS, News Source.

4 Amazon made its amendments shortly after the Toysmart settlement, whereas eBay made its revisions in April 2001. eBay may have learned from Amazon’s experience in order to avoid the same problems.

5 Letter from C. Lee Peeler, associate director, Division of Advertising Practices, Bureau of Consumer Protection, FTC, to David A. Zapolsky, associate general counsel, Litigation, Amazon.com, and Barry J. Reingold, Perkins Coie, LLP (May 25, 2001), available at www.ftc.gov/os/closings/staff/amazonalexa.pdf.

6 Tom Mainelli, “Microsoft Amends Passport Policy Amid Complaints,” PC WORLD (April 6, 2001), at www.pcworld.com.

7 Section 5(a) prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45 (2001).

8 See letter from Jodie Bernstein, director, Bureau of Consumer Protection, FTC, to Jason Catlett, president, Junkbusters, and Marc Rotenberg, executive director, EPIC (May 24, 2001), available at http://www.ftc.gov/os/closings/staff/amazonletter.htm.

9 See Infobeat Settlement, Office of the New York State Attorney General Eliot Spitzer (Jan. 2000), at www.oag.state.ny.us/internet/litigation/infobeat.pdf; press release, Office of New York State Attorney General Eliot Spitzer, “Infobeat Settlement Resolves Web site Privacy Violation” (Jan. 25, 2000), available at www.oag.state.ny.us/press/2000/jan/jan25c_00.html.

10 Letter from Jason Catlett, president, Junkbusters, and Marc Rotenberg, executive director, EPIC, to Jodie Bernstein, director, Bureau of Consumer Protection, FTC (Dec. 4, 2000), at www.junkbusters.com/ht/en/amazon.html.


11 D. Ian Hopper, “Consumer Groups Criticize Amazon’s New Privacy Policy,” ASSOCIATED PRESS, Sept. 1, 2000, LEXIS, News Source.

12 TRUSTe, The TRUSTe Guidelines on Personally Identifiable Information Uses in Mergers, Acquisitions, Bankruptcies, Closures and Dissolutions of Web Sites, at www.truste.org/programs/mabs.doc (submitted for public comment on Apr. 11, 2001).

13 David McGuire, “DoubleClick Asks For Feedback on New Privacy Policy,” NEWSBYTES, June 1, 2001, LEXIS, News Library.
