This article discusses how the FTC (still very proactive in the privacy area) reacted in a recent case involving Gateway Learning Corporation, which inadvertently ignored a promise in its Web site privacy policy not to share consumers’ information, and then tried to amend the policy to accommodate the unauthorized sharing.

A recent privacy action brought by the FTC (www.ftc.gov) shows that corrective amendments to an online privacy policy (permitting information-sharing with third parties) provide little protection if the original private policy was not followed. The case involved Gateway Learning Corporation, the company that produces the “Hooked on Phonics” learning programs. Gateway entered into a consent agreement effective September 2004, to settle the FTC’s charges that it had both “rented” consumers’ personal information to telemarketers and then “failed” to give consumers opt-out rights when it later amended its privacy policy to permit the rentals to occur. The settlement with the FTC prohibits Gateway from retroactively making material changes to its privacy policy prior to the time the policy was amended to permit third-party disclosures (June 20, 2003) unless Gateway gets express affirmative consumer consent, i.e., opt-in from the consumers. Gateway was also barred from making “deceptive” claims about how it would use consumer information and fined $4,600. The principal provisions of the FTC order have a twenty-year term.

Background

Gateway Learning Corporation’s well-known product, “Hooked on Phonics,” has been purchased and used by thousands of families since its introduction. Since 2000, Gateway began marketing “Hooked on Phonics” from its Web site (www.hop.com), from which it collected personally identifiable information from parents such as name, address, e-mail address, and the age and gender of their children. The www.hop.com Web site had a privacy policy with three very powerful statements on protection of consumer information.

• First, the statement said, “We do not sell, rent or loan any personally identifiable information regarding our consumers with any third party unless we receive customer’s explicit consent.” (Emphasis supplied)
• Second, it said it would not provide personally identifiable information about children under the age of 13 for “any purpose whatsoever.”
• Finally, the privacy policy addressed future changes, saying that if the privacy policy changed to allow sharing consumers’ personally identifiable information, consumers would be given the right to “opt out” of having such information shared.

In April of 2003, Gateway (without obtaining its consumers’ consent) began a program of renting to a telemarketing firm, for a fee, personal information provided by some of its consumers. The information included names, addresses, and telephone numbers of the consumers as well as information on the age ranges and gender of their children.

Some two months after the rental program began, Gateway amended its online privacy policy by eliminating one of its most powerful protections, i.e., “we do not sell, rent or loan…” and substituted a more ambivalent statement saying Gateway would “from time to time” provide consumers’ personal information to “reputable companies.” None of Gateway’s consumers were, according to the FTC, specifically notified about the change or provided opt-out rights. On July 1, 2003, Gateway decided to suspend the practice of renting information it collected online.

After termination of the third-party rental arrangement, Gateway made yet another change to its online privacy policy. On July 17, 2003, it added an amendment saying that for consumers who did not want personal information shared with third parties, opt-out rights “were available” but advised that consumers could still be contacted by companies until their names were actually placed on the “do not disclose” list.

The FTC filed a complaint in 2004, charging that Gateway had “expressly or by implication” represented that it would not sell consumer information unless it received explicit consent from its consumers and that it had promised not to provide information to third parties about children for any purpose. The FTC said that in “truth and fact information was rented to third parties without explicit consent and information about children was also provided.”

Also, the FTC’s complaint focused on the revised privacy policy provision allowing consumer information to be sold to reputable companies. This provision was “retroactively applied,” said the FTC to information that Gateway had already collected from consumers and shared. The FTC noted that the retroactive language was inconsistent with Gateway’s original promise and the revisions were not outweighed by the countervailing benefits and were not “reasonably avoidable” by consumers. These practices were viewed as unfair and deceptive by the FTC. The case was settled by a consent agreement between Gateway and the FTC that was announced on September 9, 2004.

In the settlement, Gateway was required to cease misrepresenting how it uses consumer information. More importantly, Gateway was also required to obtain an affirmative opt-in from any consumers from whom it collected information prior to June 30, 2003 (the date of its revised policy posting), if it disclosed a consumer’s personally identifiable information to third parties or amends its privacy policy. This requirement has a twenty-year duration.

The Impact of Gateway

The Gateway case represents another in a growing line of privacy cases in which the FTC has used its unfair and deceptive acts or practices authority to enforce failed online privacy promises. In the earlier cases, the FTC found unfair and deceptive practices for broadly delivered promises on the security of consumers’ online information (Eli Lilly and Tower Records), the accuracy of privacy statements (Microsoft), and promises that information involving children would not be sold under any circumstances (Toysmart). The Gateway case reinforces that the FTC will continue to act when it finds a failure to honor promises broadly delivered to consumers and that well-intentioned remedial action will not protect against failed promises delivered prior to the remediation.

Conclusion and Comment

Although details are not provided, the insignificant fees received by Gateway for the renting of names, a little over $4,600, suggests that the sharing program was isolated and perhaps undertaken without the knowledge of Gateway’s senior management. Yet the practice conflicted directly with a clearly stated privacy principle on Gateway’s www.hop.com Web site and imposed twenty years’ worth of oversight and reporting to the FTC by Gateway. The case dramatically illustrates the need to focus on privacy policies at every level of a business dealing with consumers. Failure to do so can have profound effects.

A final cautionary point is that privacy statements where children may be part of the audience require extra sensitivity and caution and will most certainly receive extra attention from the FTC.