That sentence or a statement similar to one in the following slide resides on millions of websites.
- Are you informed when the policy changes?
- If they agree to inform you, how do they do it?
I checked privacy policies displayed on 30 websites, trying to find a common thread. The next slide is typical of what I found.
You may have read about Connect Cloud, a service introduced by Cisco. It’s all over tech news, not because it is a neat idea, but because of how Cisco handled the introduction and why users of certain high-end Linksys routers were not able to gain access to their routers. Oops.
“We may update this Privacy Statement at any time, so please review it frequently. If we change our Privacy Statement, we will post the revised version here, with an updated revision date. If we make significant changes to our Privacy Statement, we may also notify you by other means prior to the changes taking effect, such as sending an email or posting a notice on our website.”
“Frequently”… “significant changes”… “may also notify.” Should a 1000-word addition be considered significant?
On July 5th, Brett Wingo wrote an ancillary statement about Connect Cloud, further addressing customer concerns. Way at the bottom of the post, I found this:
“UPDATE July 6, 2012 10:15am: Corrected Cisco Connect Cloud Terms of Service, End User License Agreement and Privacy Supplement are now available.”
Finally, mention of the elusive 1000-plus-word privacy supplement.
What experts think
I now want to get back to what I mentioned in the Takeaway with a focus on the Connect Cloud example. Is Cisco doing enough? Or should Cisco directly contact the people who entrusted the company with their private information?
Cranor: If a company is going to change the way they handle data they already collected from someone, I think it would be pretty unfair for them to do that without notifying the person. Ideally, they should have informed consent from every person whose data is going to be shared or used in new ways retroactively.
For new data collection, the main reason to notify existing customers is that they are likely to assume that the policy in place when they first became a customer is still the policy unless they are given other information. If new data is collected only when the customer visits the website, posting a notice on the website in a location where customers will be likely to see it seems like an acceptable approach.
Soltani: The Connect Cloud thing was quite interesting. There’s actually a great deal of debate as to whether or not companies can retroactively change their privacy policies without notifying customers. The FTC has given some guidance in this regard, for example, looking at XY magazine and the sale of customer information:
Paul Ohm also had an interesting framing of this topic this year at the “Privacy Law Scholars” conference, involving the concept of Privacy Lurch — a change in policy makes the product different.