or Login to submit your own content and comments.

Articles : Questionable Privacy Policy? Learn what not to do with the Federal Trade Commission

by PowerNetworkerVerified SafeNetworking [9.58:5442] on 28-Jul-10 1:16pm

Likes (0) Post this page to Twitter. Optionally highlight text before clicking this button. Post this page to LinkedIn. Optionally highlight text before clicking this button. send a message Message

Under the Federal Trade Commission Act, the FTC has the authority to take enforcement actions for the use of "unfair trade practices." In 2004, the FTC used the fairness principle to enforce privacy law for the first time by launching a case against the Gateway Learning company, owner of the popular "Hooked on Phonics" product line.

FTC and Fair Information Practices

The Federal Trade Commission developed a set of guidelines to govern the collection, use, maintenance, and disclosure of personal information in order to protect personal privacy. While the principles in themselves are not law, they have been incorporated into many privacy laws which allow the principles to be enforced. The Gateway Learning Company was found to be in violation of the first two principles, notice and consent.

The Fair Information Practice Principles require:

  • Notice to the individual regarding the privacy policies of the organization including how information is used and any disclosure to third parties. Notice must also be provided to the individual for any alteration in the privacy policies.

  • Consent from the individual regarding the use of their information for secondary uses and its disclosure to third parties.


Allegations

The FTC brought the following allegations against the Gateway Learning Company:

  • That they violated their own privacy policies by renting personally identifiable information (PII) collected from customers to third parties without the customer's consent.

  • That they violated their own privacy policies by renting personal information (age/gender) about children under the age of 13 to third parties without the customer's consent.

  • They committed unfair trade practices by retroactively applying a new privacy policy to information collected under the old privacy policy.

  • They committed unfair trade practices by failing to provide adequate notice to consumers regarding privacy policy changes.


The Privacy Policies in Question

The original privacy policy stated:
...

Read the rest of this article, FTC Enforcement: Gateway Learning, on the CIPPguide.

----------------------------
Jon-Michael C. Brook
MBA,CISSP,GCIA,GSEC,CCNP, Six Sigma Greenbelt, MCSE
http://www.linkedin.com/in/jcbrook
http://www.ecademy.com/user/jonmichaelbrook
Information Privacy web site
-----------------------------
Copyright 2010 - All Rights Reserved
or Login to submit your own content and comments.
view this person's profile

UK users (and holders of UK data) - The Data Protection Act 1998

Likes (0) by Maurice Watts, the MarketerBlackStarVerified SafeNetworking [37.34:98] on 29-Jul-10 9:23am : Reply
In the UK our provisions are enshrined in law as follows:-

The Data Protection Act 1998

What fewer folk realise is that if an organisation operating in the UK holds data on UK subjects it cannot export that data to a non UK site unless it can provide the same levels of security and protection that the data has in the UK.

Organisations holding data must by also register with the Information Commissioner and define what data will be held, how, why, and for what purposes it will be held, and for how long.

Now one might imagine this to be not that important but organisations such as Microsoft, HP, Samsung, Symantec and many others typically hold registration and warranty data outside the UK.

In fact the moment there is a non UK call centre involved it has to be the case and so, many banks including HSBC and Barclays for example also come under the act in this way.

The UK arms and executives can be prosecuted for breaches. UK data must, after all, have originated here and the act of passing it on may in itself be a breach.

I'm not an expert on the detail but as far as I'm aware there is no requirement for the consent of the data subject. (There is however legislation to do with distance selling and the various Post,, Telephone,, e-mail, and other preference schemes that enforces opt outs from being sent stuff). There is also the right (with a few government exceptions) for the subject to receive (in exchange for a fee of about £10) any and all data held on them including telephone and video recordings.

However only Data that meets the purposes and uses stated on the application may be held. It must be accurate, be appropriate for purpose, only held for as long as necessary for purpose, must be accurate and so on.

Marketers, Directors and line managers ignore this at their peril. Penalties include fines of several thousand pounds and jail time too.

Finally data as defined here (my paraphrase) as "Any information by which a subject may be identified, held in any organised system" - so paper as well as electronic. In one case a list of Car registrations with the names of their users held in a filing cabinet was apparently held to come within the scope of the act. Some small clubs do have exemptions but its pretty much all pervasive.

If you do operate in the UK, and are not up to speed, I'd check it out!

Regards -
 Maurice

 Melville Marketing

Checkout my new Book "Haiku From a Celtic Heart"and the Haiku Ringtone!
[ reply to this comment ]