Again, AI Does Not Change The Law: FTC Guidance on Unfair and Deceptive Practices Involving Privacy Policies

A February 13, 2024 Federal Trade Commission blog post titled AI (and other) Companies: Quietly Changing Your Terms of Service Could Be Unfair or Deceptive follows previous posts promoting its larger initiative to oversee the growing use of AI. In this post, the FTC reminds companies developing AI products to be cautious whenever changing their privacy policies and to ensure that the changes are not made in unfair or deceptive ways.

Companies developing AI potentially face a conflict between their need for data and protecting their customers’ privacy. There is a powerful business incentive to change the terms of existing privacy policies so that companies are less restricted in how they can use their customers’ data. But doing so might elicit backlash from customers concerned about their privacy. To avoid this fallout, the FTC notes that companies might be tempted to change their privacy policies surreptitiously. Of particular concern to the FTC is the scenario wherein a company might entice customers with privacy commitments, but then later revise those commitments without alerting customers.

The FTC guidance is clear: a company which reneges on its privacy commitments risks violating the law, particularly the Federal Trade Commission Act. The Act prohibits unfair or deceptive acts that affect commerce. The FTC cautions that it may be an unfair or deceptive practice for a company to alter its privacy policy in favor of more permissive data practices and to inform users only through retroactive amendment of its policies. To avoid enforcement risk, companies must ensure that any change to their privacy policies is explicitly noticed to affected parties and not retroactively applied.

The FTC has sued companies for unfair and deceptive conduct when amending their privacy policies. For instance, in June 2023, the FTC brought an enforcement action against a genetics testing company, alleging the company retroactively altered its privacy policy without properly informing its customers or obtaining their consent. In a settlement, the company was required to pay a $75,000 fine, destroy all consumer DNA samples that it had retained for more than 180 days, and not share any of its collected health data with third parties. These kinds of FTC enforcement actions are not new. Nearly two decades ago, the FTC first charged a company with deceptive and unfair practices for changing its privacy policy without notifying consumers or getting their consent. The settlement in that action required that the company refrain from sharing any customer information it had collected, refrain from ever applying changes to its privacy policy retroactively, and forfeit the proceeds it earned from retaining customers’ information.    

The FTC’s February 13, 2024 post reiterates existing guidance: AI has changed the technological landscape, not the law. Any changes to a company’s privacy commitments to enable it to develop and use AI must be affirmatively communicated to both new and existing customers and not applied retroactively. The FTC intends to bring actions against companies that engage in unfair or deceptive practices, regardless of the technology behind those practices.