Companies are required to accurately disclose their material consumer data practices in clear, conspicuous and understandable privacy notices. As 2016 came to a close, the Federal Trade Commission (FTC) reminded companies of this in an enforcement action settlement concerning a privacy notice that did not accurately describe interest-based advertising practices and related consumer choice options, which we blog about here, and in an FTC staff report summarizing a Q4 FTC public workshop, Putting Disclosures to the Test (Disclosure Report), that examined academic and research approaches and findings on the effectiveness of disclosures and ways to evaluate disclosure effectiveness, including privacy notices. Two lessons can be learned from what the FTC had to say: (1) privacy notices are potentially deceptive if they are not complete and accurate, and (2) even a complete and accurate privacy notice is potentially deceptive if its disclosures are not made in ways that ensure that “consumers will see or hear and understand them.”
As to completeness and accuracy, companies should:
- At least annually conduct a reassessment of their data practices and ensure that privacy notices are complete and accurate descriptions of the material data practices, and comply with ever-changing legal and self-regulatory requirements (e.g., specific California privacy disclosure obligations).
- Use privacy impact assessments to evaluate all new practices and services, as well as changes to existing practices and services, that include data collection, use, processing, revision, sharing, transfer or deletion, and adjust practices and/or privacy notices accordingly.
- In conducting and applying such assessments, include the data practices of third parties that interact with company sites, apps, data, systems and services, including third-party ad servers, analytics providers, social media plug-ins, service providers, marketing partners and others.
To ensure that a privacy notice is effective, companies should, as reflected in the Disclosure Report:
- Use “simple, unambiguous language wherever possible, and an organized structure.”
- Disclose “the most important and unexpected information first,” potentially through layered notices that “show the most essential information on a top layer with links to more detailed information.”
- Consider even simple and small-scale user testing to gauge consumer comprehension and develop more effective disclosure language and methods.
For more information on FTC recommendations on effective privacy notice disclosures, and suggested language and methodologies, see its guidance on effective digital disclosures and mobile privacy notices, both highlighted in the Disclosure Report. For more information on accessing privacy practices and updating privacy notices, contact the author.