1. Home
  2. |Insights
  3. |Again, AI Does Not Change The Law: FTC Guidance on Unfair and Deceptive Practices Involving Privacy Policies

Again, AI Does Not Change The Law: FTC Guidance on Unfair and Deceptive Practices Involving Privacy Policies

Client Alert | 3 min read | 02.22.24

A February 13, 2024 Federal Trade Commission blog post titled AI (and other) Companies: Quietly Changing Your Terms of Service Could Be Unfair or Deceptive follows previous posts promoting its larger initiative to oversee the growing use of AI. In this post, the FTC reminds companies developing AI products to be cautious whenever changing their privacy policies and to ensure that the changes are not made in unfair or deceptive ways.

Companies developing AI potentially face a conflict between their need for data and protecting their customers’ privacy. There is a powerful business incentive to change the terms of existing privacy policies so that companies are less restricted in how they can use their customers’ data. But doing so might elicit backlash from customers concerned about their privacy. To avoid this fallout, the FTC notes that companies might be tempted to change their privacy policies surreptitiously. Of particular concern to the FTC is the scenario wherein a company might entice customers with privacy commitments, but then later revise those commitments without alerting customers.

The FTC guidance is clear: a company which reneges on its privacy commitments risks violating the law, particularly the Federal Trade Commission Act. The Act prohibits unfair or deceptive acts that affect commerce. The FTC cautions that it may be an unfair or deceptive practice for a company to alter its privacy policy in favor of more permissive data practices and to inform users only through retroactive amendment of its policies. To avoid enforcement risk, companies must ensure that any change to their privacy policies is explicitly noticed to affected parties and not retroactively applied.

The FTC has sued companies for unfair and deceptive conduct when amending their privacy policies. For instance, in June 2023, the FTC brought an enforcement action against a genetics testing company, alleging the company retroactively altered its privacy policy without properly informing its customers or obtaining their consent. In a settlement, the company was required to pay a $75,000 fine, destroy all consumer DNA samples that it had retained for more than 180 days, and not share any of its collected health data with third parties. These kinds of FTC enforcement actions are not new. Nearly two decades ago, the FTC first charged a company with deceptive and unfair practices for changing its privacy policy without notifying consumers or getting their consent. The settlement in that action required that the company refrain from sharing any customer information it had collected, refrain from ever applying changes to its privacy policy retroactively, and forfeit the proceeds it earned from retaining customers’ information.    

The FTC’s February 13, 2024 post reiterates existing guidance: AI has changed the technological landscape, not the law. Any changes to a company’s privacy commitments to enable it to develop and use AI must be affirmatively communicated to both new and existing customers and not applied retroactively. The FTC intends to bring actions against companies that engage in unfair or deceptive practices, regardless of the technology behind those practices.

Insights

Client Alert | 1 min read | 11.04.24

OFCCP Invites Federal Contractors to Object to Production of their “Type 2 EEO-1 Reports” in Response to New FOIA Request

On October 29, 2024, the Office of Federal Contract Compliance Programs (“ ”) published a notice in the Federal Register that it received two requests under the Freedom of Information Act (“ ”) for 2021 Type 2 EEO-1 Reports filed by federal contractors. The two requests came from the University of Utah and a non-profit organization named “As You Sow.” The notified federal contractors that the information might be protected from disclosure under Exemption 4, which protects disclosure of confidential commercial information, and requested that any entities that filed these reports and object to their disclosure submit objections by December 9, 2024. Objectors are strongly encouraged to use the portal. Alternatively, contractors may also submit written objections via email at OFCCPSubmitterResponse@dol.gov, or by mail. ...