Privacy / Data Protection

The Federal Trade Commission and Consumer Privacy in the Coming Decade

Author(s): Chris Jay Hoofnagle and Deirdre K. Mulligan
Year: 2007

Abstract: The large majority of consumers believe that the term “privacy policy” describes a baseline level of information practices that protect their privacy. In short, “privacy,” like “free” before it, has taken on a normative meaning in the marketplace. When consumers see the term “privacy policy,” they believe that their personal information will be protected in specific ways; in particular, they assume that a website that advertises a privacy policy will not share their personal information. Of course, this is not the case. Privacy policies today come in all different flavors. Some companies make affirmative commitments not to share the personal information of their consumers. In other cases, however, privacy policies simply inform consumers that unless they “opt out” of sharing certain information, the company will communicate their personal information to other commercial entities. Given that consumers today associate the term “privacy policy” with specific practices that afford a normative level of privacy protection, the use of the term by a website that does not adhere to these baseline practices can mislead consumers to expect privacy that, in reality, does not exist. This is not to suggest that companies intend to mislead consumers, but rather that consumers today associate certain practices with “privacy policy” just as they associate certain terms and conditions with the word “free.”

Because the term “privacy policy” has taken on a specific meaning in the marketplace and connotes a particular level of protection to consumers, the Federal Trade Commission (“FTC”) should regulate the use of the term “privacy policy” to ensure that companies using the term deliver a set of protections that meet consumers’ expectations and that the term “privacy policy” does not mislead consumers during marketplace transactions.