The Federal Trade Commission’s settlement with Facebook – as well as those with Twitter and Google – strongly signals that the FTC will use its broad authority regarding “unfair and deceptive trade practices” to police the privacy beat.

Our friends at the Data Privacy Monitor put together a pretty good summary of the FTC’s complaint against, and settlement with, Facebook.  This should be required reading for those wanting to see how the FTC applies its standards.  But those looking to familiarize themselves with what the standards are should check out the blog post from FTC staff attorney Leslie Fair – Lessons from the Facebook Settlement (even if you are not Facebook).  We summarize her “practical pointers” as follows:

  1. Like any other advertising claim, what you say about how you handle people’s data has to be truthful.  That means your statements (or promises) should be backed up with substance.
  2. Privacy policies should be like the rest of your website – clear, direct, easy to understand, and (brace for it) possibly even eye-catching.  Just because your lawyer is happy with the privacy policy doesn’t mean that it satisfies these criteria.
  3. Privacy policies are living documents.  When implementing new technology, make sure the policy gets updated to address any changes.  And when you need to materially change the privacy policy, make sure that the change is disclosed conspicuously and that customers have a chance to affirmatively consent.