Providing Notice of Privacy Policy Changes: Lessons from the FTC's Genetic Testing Case
When can you change your privacy policy and should you provide notice? The FTC recently took action against a genetic testing firm concerning, in part, this issue. The original complaint addressed this and other issues, such as privacy misrepresentations made online, including through FAQs.
Key Takeaways
Companies making material changes to a privacy policy--which include new categories of third parties that the company shares information with--should take additional steps to notify customers or obtain their consent. This is especially the case if the company makes claims about the importance of personal information to a customer, and then takes actions seemingly contrary to past assurances. For context, the material change here was to allow broader sharing of consumer data; the entity allegedly posted the updated policy without providing any other notice.
The FTC looks at all statements regarding privacy, not just the privacy policy. Be sure that your privacy activities are examined in the context of all of your privacy disclosures, including anything on a website, advertisement, mobile app, etc., in addition to the privacy policy itself.