Plaxo's Personal Card: Are Privacy Policies Unenforceable and Meaningless?

[08.30.04] Are Privacy Policies Unenforceable and Meaningless?

From the desk of the Privacy Officer...

David Coursey recently wrote an article titled, "Beware of 'Free' Services". In the article, he voices concerns over "What might these companies do, especially with personal information, when they become desperate for money? Or when the new owner arrives on the scene? "

As the Privacy Officer here at Plaxo responsible for addressing Privacy, Security, and Trust issues pertaining to the usage of Plaxo, I wanted to address some of the privacy concerns that David touches on.

I believe David voices a common concern many people have regarding privacy policies. Many people believe that promises made within an organization's privacy policy are unenforceable and meaningless. After all, who really has jurisdiction over privacy policies and even if there did exist an oversite agency, couldn't an organization simply change their policy at any time to suit their needs?

At Plaxo, we certainly believe that Privacy Policies are enforeable and meaningful.

The fact is promises made within privacy policies are enforceable, specifically by the FTC. People may be familiar with Section 5 of the FTC Act, which declares "unfair or deceptive acts" are declared unlawful. The FTC has demonstrated in the past that an organization's failure to live up to published privacy practices are considered "unfair or deceptive" and the FTC has taken corrective action to protect consumers in these cases.

In the case of Plaxo, our Plaxo Privacy Policy sums up our privacy practices within the following principles:

Your Information is your own and you decide who will have access to it.
You maintain ownership rights to Your Information, even if there is a business transition or policy change.
You may add, delete, or modify Your Information at any time.
Plaxo will not update or modify Your Information without your permission.
Plaxo will not sell, exchange, or otherwise share Your Information with third parties, unless required by law or in accordance with your instructions.
Plaxo does not send spam, maintain spam mailing lists, or support the activities of spammers.

But the question remains, can't an organization simply change their privacy policy at any time?

The answer is yes, but the FTC Act also covers material changes to privacy policies. In speaking with an FTC official at a recent IAPP/TRUSTe Privacy Symposium, I was told the FTC operates under the concept that "a privacy policy walks with the information". In the recent case between the FTC and Gateway Learning, Howard Beales, Director of the FTC's Bureau of Consumer Protection, summed it up by stating, "You can change the rules but not after the game has been played." I direct you to the FTC site for more information: http://www.ftc.gov/opa/2004/07/gateway.htm

As you know, privacy law is a new area of the law and therefore very much still in a state of flux -- in state and federal statutes, court rulings, and enforcement by government agencies. We are committed to monitoring the evolution of privacy law and making appropriate changes to our Privacy Policy, consistent with our goal of providing optimal protection of the privacy rights of our members.

But these issues aside, trust is essential to our business. Any violation of the provisions in our privacy policy would undermine the trust we have established with users of our service. We realize in order to be successful we must continually earn that trust from both members as well as non-members. We strive to operate in an open and public fashion and allow people to judge for themselves. Our Plaxo Privacy Policy is one such example of our public statement.

I hope this helps. People can feel free to comment on our Plaxo Customer Forum, or contact me directly.

Stacy Martin
Plaxo Privacy Officer
privacy @t plaxo.com

Posted by Stacy Martin at August 30, 2004 @ 11:35 AM | permalink

From the desk of the Privacy Officer... David Coursey recently wrote an article titled, "Beware of 'Free' Services". In the article, he voices concerns over "What might these companies do, especially with personal information, when they become desperate for money? Or when the new owner arrives on the scene? " As the Privacy Officer here at Plaxo responsible for addressing Privacy, Security, and Trust issues pertaining to the usage of Plaxo, I wanted to address some of the privacy concerns that David touches on. I believe David voices a common concern many people have regarding privacy policies. Many people believe that promises made within an organization's privacy policy are unenforceable and meaningless. After all, who really has jurisdiction over privacy policies and even if there did exist an oversite agency, couldn't an organization simply change their policy at any time to suit their needs? At Plaxo, we certainly believe that Privacy Policies are enforeable and meaningful. The fact is promises made within privacy policies are enforceable, specifically by the FTC. People may be familiar with Section 5 of the FTC Act, which declares "unfair or deceptive acts" are declared unlawful. The FTC has demonstrated in the past that an organization's failure to live up to published privacy practices are considered "unfair or deceptive" and the FTC has taken corrective action to protect consumers in these cases. In the case of Plaxo, our Plaxo Privacy Policy sums up our privacy practices within the following principles:

Your Information is your own and you decide who will have access to it.
You maintain ownership rights to Your Information, even if there is a business transition or policy change.
You may add, delete, or modify Your Information at any time.
Plaxo will not update or modify Your Information without your permission.
Plaxo will not sell, exchange, or otherwise share Your Information with third parties, unless required by law or in accordance with your instructions.
Plaxo does not send spam, maintain spam mailing lists, or support the activities of spammers.

We feel this is one of the most stringent privacy policies around. Plaxo has committed not to sell, rent, exchange or otherwise share information about its members with any third party, unless required by law or in accordance with the member's instructions. Even ZiffDavis's own privacy policy, that people agree to in order to post to that free service, does not makes such a promise. You can also compare Plaxo to many other popular services. But the question remains, can't an organization simply change their privacy policy at any time? The answer is yes, but the FTC Act also covers material changes to privacy policies. In speaking with an FTC official at a recent IAPP/TRUSTe Privacy Symposium, I was told the FTC operates under the concept that "a privacy policy walks with the information". In the recent case between the FTC and Gateway Learning, Howard Beales, Director of the FTC's Bureau of Consumer Protection, summed it up by stating, "You can change the rules but not after the game has been played." I direct you to the FTC site for more information: http://www.ftc.gov/opa/2004/07/gateway.htm As you know, privacy law is a new area of the law and therefore very much still in a state of flux -- in state and federal statutes, court rulings, and enforcement by government agencies. We are committed to monitoring the evolution of privacy law and making appropriate changes to our Privacy Policy, consistent with our goal of providing optimal protection of the privacy rights of our members. But these issues aside, trust is essential to our business. Any violation of the provisions in our privacy policy would undermine the trust we have established with users of our service. We realize in order to be successful we must continually earn that trust from both members as well as non-members. We strive to operate in an open and public fashion and allow people to judge for themselves. Our Plaxo Privacy Policy is one such example of our public statement. I hope this helps. People can feel free to comment on our Plaxo Customer Forum, or contact me directly. Stacy Martin Plaxo Privacy Officer privacy @t plaxo.com