It is fairly standard language in privacy policies: “This privacy policy may be amended or updated from time to time, so please check back regularly for updates.” It sends the message that the company can change its data practices and policies without ever notifying the end-user. It tells the end-user that the burden is on them to check back. And it signals that the end user has no control. While the end-user may have agreed to turn over their data when the company’s practices and policies were very conservative, the company can change those practices and policies the very next day without the end-user ever knowing. I mean, let’s face it, how often do you read a privacy policy in the first place, let alone “check back” with it to see if it’s been updated?
Recently the Federal Trade Commission (FTC) issued a warning in its Technology Blog titled: “AI (and other) Companies: Quietly Changing Your Terms of Service Could Be Unfair or Deceptive.” The post states, inter alia: “It may be unfair or deceptive for a company to adopt more permissive data practices—for example, to start sharing consumers’ data with third parties or using that data for AI training—and to only inform consumers of this change through a surreptitious, retroactive amendment to its terms of service or privacy policy.”
The post goes on to explain several past examples of the FTC challenging companies for engaging in unfair and deceptive trade practices after they liberalized their privacy policy and practices after consumers agreed to more restrictive terms, without notifying consumers. It then summarizes: “Even though the technological landscape has changed between 2004 and today, particularly with the advent of consumer-facing AI products, the facts remain the same: A business that collects user data based on one set of privacy commitments cannot then unilaterally renege on those commitments after collecting users’ data. Especially given that certain features of digital markets can make it more difficult for users to easily switch between services, users may lack resource once a firm has used attractive privacy commitments to lure them to the product only to turn around and then back out of those commitments.”
The take-away: if you want to use, share, or otherwise process data in a new way, you need to provide actual notice to end-users before you do it. The FTC warns that it will “continue to bring actions against companies that engage in unfair or deceptive practices—including those that try to switch up the “rules of the game” on consumers by surreptitiously re-writing their privacy policies or terms or service to allow themselves free rein to user consumer data for product development.”
So, if your privacy policy or terms of service advise end-users to “check back” for updates, you may want to update those policies. The order of things is to notify first, then change your data practices—not the other way around.