Thinking about updating your privacy policy? Consider how to get consumer buy-in as part of the process. Your organization may be in the process of revamping its privacy practices, and as a result its external privacy policy, to keep up with the European General Data Protection Regulation (GDPR) and Federal Trade Commission (FTC) rules. This is good practice, but your organization should also consider how to publish the revised policies externally and internally, and whether consumer consent is appropriate.

Background

Over the years, the FTC has flagged companies that have not obtained the appropriate consent to use consumer data, such as its enforcement action against Gateway Learning Corp. involving retroactive material changes to the company’s privacy policy. As a result, companies began to notify consumers more diligently and give them an opportunity to consent to a revised policy. The method of consent – implied, express or via an opt-out – depends on the nature of the changes. Certain industries are receiving more scrutiny: as we’ve previously covered, the FTC is watching the connected device industry closely. The FTC has issued advice covering the privacy practices tied to smart toys and Internet of Things devices throughout the home, including televisions.

What's New?

That was then, this is now. In 2017, we are in the era of the incoming GDPR, which increases the need for organizations to be even more diligent about the method of consent for a revised privacy policy. Specifically, the GDPR offers strong consumer protection provisions and requires consent in a variety of instances, in particular if a company uses data for a purpose beyond the scope for which it was originally collected. The GDPR takes effect in May 2018. Penalties for noncompliance include fines of up to €20 million or four percent of global annual turnover.

Tech and connected device makers seem to have the biggest challenge with GDPR compliance, since these companies often update their systems and offerings to provide a better experience for end-users. But these updates may require the company to use data in a manner that was not initially contemplated by the privacy policy. The tech industry saw this recently, when sound system maker Sonos drew the ire of data professionals and triggered consumer complaints online after announcing its new privacy policy. The company shared that it is shifting its policies to prepare for voice-enabled Sonos products and “future Sonos experiences,” and is requiring existing customers to acknowledge the privacy policy or experience decreased functionality of their product, or even eventually a non-functioning system.

Certainly the new Sonos offerings sound desirable and will likely be met with applause. It is a familiar scenario for device makers: in an effort to stay relevant, these companies must continue to offer innovative features to end-users that expand the scope of the initial use. The problem is that the advanced functionality may not have been contemplated months earlier when the privacy policy was drafted, and it may put a company in the crosshairs of a regulator if it forces end-users to agree to a new privacy policy or lose functionality.

One solution is to implement a “privacy by design” attitude internally, where you ensure that privacy officers are present during all phases of a product lifecycle. This is a concept the FTC has touted for many years, and it is also an integral part of GDPR compliance.

As the smart technology field becomes increasingly crowded, the competition and interest in valuable consumer information continues to surge. Companies expanding the scope of their data collection, use, and storage must allow for adequate consumer options even as devices become more complex. Device designers may also consider taking steps to separate core product features from data collection activities, allowing for varied levels of consumer data requirements.