Trending publication
Are You Using AI to Process Consumer Information? Revisit Your Privacy Policy First!
Print PDFWhat is a Privacy Policy?
A company’s privacy policy details its commitments regarding the handling and use of consumer data. The policy must explicitly define the company’s practices for collecting, storing, processing, and disclosing personal information. Significant deviations from the commitments outlined in the policy may be considered deceptive trade practices, which can result in serious consequences.
Who Regulates Privacy Policy Compliance?
For several decades, the Federal Trade Commission (the “FTC”) has been tasked with regulating privacy issues and enforcing privacy policies at the national level. The FTC is responsible for overseeing various aspects of consumer protection, including privacy and data security, and possesses the authority to take action against companies engaged in unfair or deceptive practices related to privacy. Specifically, the FTC can initiate enforcement actions against companies that fail to adhere to the commitments outlined in their privacy policies. With the ever-increasing significance of data privacy, particularly regarding sensitive personal information, the FTC is committed to safeguarding and preserving the trust between consumers and companies to support the seamless operation of commerce.
Recently, the FTC has undertaken enforcement actions against companies that modified their privacy practices permitting more extensive use and sharing of consumers’ personal information. These actions target companies that failed to either provide adequate notice to consumers of changes to their privacy policies or obtain consent from consumers who had previously agreed to, or had been informed of, prior and more restrictive privacy policies.
For example, in June 2023, the FTC took formal action against the genetic testing company 1Health.io Inc. (“1Health.io”), formerly known as Vitagene, Inc. The FTC’s complaint alleged that unlawful consumer deception occurred where 1Health.io retroactively and surreptitiously changed its privacy policy leaving sensitive genetic and health data unsecured. Specifically, upon comparing the old policy with the new one, the FTC found that 1Health.io reduced consumer protections by broadening the range of third parties with whom consumer information could be shared and by expanding the purposes for which the information could be disclosed. The FTC complaint alleged that 1Health.io revised its privacy and data protection policies without notifying consumers or obtaining their consent, despite these consumers having provided their information under a previous, materially more restrictive policy. The parties reached a settlement agreement, requiring 1Health.io to pay a $75,000 fine and to ensure that third-party recipients of personal data disclosed under the new policy delete the information.
Companies intending to materially amend their privacy policies are required to either obtain explicit consent from consumers or provide clear and conspicuous notice prior to the implementation of such changes. The notice must be presented in a manner that is both prominent and understandable, allowing a reasonable person to understand the nature of the changes and their implications for personal data. Additionally, companies must ensure that their privacy policies comply with applicable state and federal regulations, as well as relevant international privacy laws.
How Does AI Affect Privacy Policies?
In February 2024, the FTC issued a statement addressing the implications of AI technology amid companies’ persistent competitive pressures related to the collection, handling and dissemination of consumer data. The FTC’s statement served as a warning against surreptitious and retroactive modification of companies’ privacy policies for financial gain, which could result in formal investigations and proceedings. Additionally, the FTC emphasized that its enforcement authority, as outlined above, applies equally to AI-related practices, concluding glibly, “Ultimately, there’s nothing intelligent about obtaining artificial consent.”
How Can Companies Avoid Privacy Policy Missteps?
Drafting a privacy policy necessitates a thorough assessment of a company’s practices regarding information collection, storage, processing, and disclosure. Ideally, this involves an “information mapping” exercise to assess the intake and flow of all data types within the organization, including data classified as personal information under applicable privacy laws.
The above-described diligence effort should produce an accurate document that a company can confidently use as a foundational basis for its privacy policy. A privacy policy developed from a thorough diligence process will establish a baseline that should not require reinvention going forward. However, it is not a “set it and forget it” proposition. As a company’s business evolves such that changes the type of data it collects and its processing and dissemination of data, the privacy policy should be updated accordingly, and consumers should be informed of its evolving practices.
The processing of consumer data using third-party AI technology likely constitutes a material change to privacy practices that warrants an update to the privacy policy. Before dismissing the notion that the consumer data your company analyzes using AI tools is not “personal information,” consider that the legal definitions of personal information are continually expanding. These definitions now include consumer data types that even indirectly or potentially identify individuals, such as Internet Protocol addresses. For example, California, a leader in privacy legislation, now considers inferences drawn from personal information used to create consumer profiles reflecting their preferences as personal information.
Conclusion
The bottom line is that companies need to consider both potential legal liabilities and reputational harm that could arise from practices perceived as “bait and switch” in their privacy policies. The usage of AI technology is an inflection point for companies to consider reviewing or instituting a privacy policy. The evolving landscape of AI, coupled with increasing FTC action, underscore the need for regular, thoughtful review of privacy practices and their alignment with consumer-facing privacy statements.
This advisory was prepared by Portia Keady and Francesca Oliveira in Nutter’s Corporate Department, and Patrick Concannon in Nutter's Intellectual Property Department. For more information, please contact the authors or your Nutter attorney at 617.439.2000.
This advisory is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.