“By clicking here, you agree to our privacy policy.”

That sentence, or a statement similar to the one in the following slide, appears on millions of websites.

Don’t worry; this is not a “you need to read and understand the privacy policy” sermon. Instead, mull over the following:

  • What happens if the privacy policy changes?
  • Are you informed when the policy changes?
  • If they do commit to informing you, how do they do it?

I checked privacy policies displayed on 30 websites, trying to find a common thread. The next slide is typical of what I found.

Not one company committed to directly informing individuals, meaning it is the individual’s responsibility to check the website for changes to the privacy policy.

Perfect example

You may have read about Connect Cloud, a service introduced by Cisco. It’s all over tech news, and not because it’s a neat idea, but because of how Cisco handled the introduction and why users of certain high-end Linksys routers were no longer able to access their own routers. Oops.

What tended to escape media outlets and was not mentioned in the June 29th explanation written by Brett Wingo, Vice-President of Cisco Home Networking, was the addition of over 1000 words to the Cisco Privacy Policy. Cisco’s policy was one of the 30 I checked. This is what it says regarding changes:

“We may update this Privacy Statement at any time, so please review it frequently. If we change our Privacy Statement, we will post the revised version here, with an updated revision date. If we make significant changes to our Privacy Statement, we may also notify you by other means prior to the changes taking effect, such as sending an email or posting a notice on our website.”

“Frequently” … “significant changes” … “may also notify.” Should a 1000-word addition be considered significant?

On July 5th, Brett Wingo wrote an ancillary statement about Connect Cloud, further addressing customer concerns. Way at the bottom of the post, I found this:

“UPDATE July 6, 2012 10:15am: Corrected Cisco Connect Cloud Terms of Service, End User License Agreement and Privacy Supplement are now available.”

Finally, mention of the elusive 1000-plus-word privacy supplement.

Mistakes happen

Cisco, to their credit, is apologizing, calling facets of the Connect-Cloud rollout a mistake. Everyone makes mistakes; I know I do. So that’s not a “big deal” to me. I am concerned about what I’m reading on forums and hearing from user groups. No one knew about the changes to Cisco’s Privacy Policy.

I’m curious: Have you or anyone you know received direct notification from Cisco about Connect Cloud and the addition of the Connect Cloud supplement to the Cisco Privacy Policy?

What experts think

I now want to get back to what I mentioned in the Takeaway with a focus on the Connect Cloud example. Is Cisco doing enough? Or should Cisco directly contact the people who entrusted the company with their private information?

I asked several security experts what they thought. Dr. Lorrie Cranor and Ashkan Soltani were kind enough to respond. First, Lorrie:

Cranor: If a company is going to change the way they handle data they already collected from someone, I think it would be pretty unfair for them to do that without notifying the person. Ideally, they should have informed consent from every person whose data is going to be shared or used in new ways retroactively.

For new data collection, the main reason to notify existing customers is that they are likely to assume that the policy in place when they first became a customer is still the policy unless they are given other information. If new data is collected only when the customer visits the website, posting a notice on the website in a location where customers will be likely to see it seems like an acceptable approach.

Soltani: The Connect Cloud thing was quite interesting. There’s actually a great deal of debate as to whether or not companies can retroactively change their privacy policies without notifying customers. The FTC has given some guidance in this regard, for example, looking at XY magazine and the sale of customer information.

Paul Ohm also had an interesting framing of this topic this year at the “Privacy Law Scholars” conference, involving the concept of Privacy Lurch — a change in policy makes the product different.

Final thoughts

It’s not just Cisco. Within the first sentence or two, every privacy policy I checked warns the reader of the company’s right to update its privacy statement at any time. My question then becomes: how often is “frequently,” or is there a better way?