You didn't even notice! Elements of effective online privacy policies.

Author: Grannis, Amanda
Position: II. Exploring the Elements of Effective Legal Notice B. FDA Labeling Rules 3. Symbolic Visual Cues through Conclusion, with footnotes, p. 1139-1170
  3. Symbolic Visual Cues

    The FDA endorses the use of symbolic cues on OTC labels as a means of conveying information. (255) For example, the FDA affirms that bullet points could be used to introduce "chunks" of information without distracting or confusing consumers. (256) By separating drug facts into discrete chunks, bullets on OTC drug labels convey key information without overwhelming consumers. (257) An FDA guidance document explains how bullets may be used on drug labels. (258) The guidance document states that drug labels should list separate statements under bullets, rather than consolidating the statements into longer paragraphs. (259) For example, instead of presenting user directions in a large block of text, the guidance document states that phrases such as "shake well" and "children under 2 years: ask a doctor" may be positioned under bullets in an easier to read format. (260)

    The FDA permits, but does not require, OTC drug manufacturers to communicate drug information through pictograms. (261) The FDA defines a "pictogram" as "a pictorial representation of some object used to symbolize information." (262) The FDA also provides for the use of pictograms outside of the OTC drug context. (263) For instance, the Administration requires that powdered infant formula manufacturers display pictures to represent the three-step process involved in safely preparing and using the product. (264) It determined that pictures, rather than words, would enhance the clarity of the preparation instructions. (265) The FDA further recognized that many caregivers and health professionals might not be able to speak or read English. (266) Showing the product directions via images would reach a wider audience and help ensure that consumers could properly dilute the formula regardless of reading level. (267)

    C. FTC Enforcement Actions

    Like the FDA, the FTC exercises its administrative authority to regulate notice in the commercial domain. (268) FTC enforcement actions have shaped the contours of U.S. privacy law, and inform legal standards of notice in the present digital age. (269) While identifying the different categories of FTC Section 5 privacy actions, this Note relies on the typology of underlying privacy harms developed by the Fordham Law Center for Law and Information Policy (CLIP). (270) CLIP has categorized FTC actions according to the most frequently asserted privacy harms in FTC complaints (271) and classified FTC actions as relating to four distinct privacy harms: (1) unauthorized disclosure of personal information, discussed in Part II.C.1; (272) (2) surreptitious collection of personal information, discussed in Part II.C.2; (273) (3) failure to secure personal information, discussed in Part II.C.3; (274) and (4) unlawful retention of personal information, discussed in Part II.C.4. (275)

  1. Unauthorized Disclosure of Personal Information

    Under the "unauthorized disclosure" class of FTC actions, websites disclose users' personal information to third parties without first notifying users or obtaining their consent. (276) An unauthorized disclosure occurs either when a consumer is not notified that his or her data is shared with a third party, or when a consumer is misled about how or for what purposes his or her data is collected. (277) The FTC Complaint for In re GeoCities demonstrates the privacy harms that may result from unauthorized disclosures. (278) In this action, the FTC determined that GeoCities committed a "deceptive practice" because it misrepresented its data collection and sharing practices to consumers. (279)

    GeoCities hosted different web pages that provided its members with personal home pages, email addresses, and online children's clubs. (280) The GeoCities membership form collected "mandatory" information, including first and last name, zip code, e-mail address, gender, date of birth, and "optional" information, such as education level, income, marital status, occupation, and interests. (281) GeoCities users could also opt to receive "special offers" from other companies. (282) Though the GeoCities privacy statement claimed, "[w]e assure you ... we will NEVER give your personal information to anyone without your permission," the company actually disclosed, rented, and sold users' personally identifiable information to third party advertisers for the purposes of targeted advertising. (283) The shared information also included data that GeoCities collected from children. (284) The FTC determined that by failing to notify members regarding how it collected and shared personal data with advertisers, GeoCities committed a Section 5 deceptive practice. (285) Beyond its failure to disclose the nature of its data collection and sharing, GeoCities actively misled consumers with its privacy statements, which stated that personal data would not be transmitted to third parties without users' consent. (286)

    The FTC has also filed complaints against companies that failed to apprise consumers of how personal data was appropriated. (287) In In re Facebook, Inc., the FTC filed a complaint against Facebook for failing to disclose how it used its members' personal profile information. (288) According to the FTC complaint, Facebook claimed that it never shared users' personal data with advertisers without their consent, (289) but stated that it only shared "aggregate and anonymous data" with advertisers so that Facebook's advertisers could generate more effective advertisements. (290)

    The FTC also found that Facebook failed to notify consumers of material privacy policy changes that increased the visibility of users' personal information to third parties. (291) Under its new privacy policy, Facebook retroactively applied changes to members' accounts without their consent and disclosed parts of Facebook profiles that were formerly under privacy settings. (292) As with GeoCities, the FTC determined that this lack of disclosure constituted a Section 5 deceptive practice. (293) By failing to disclose its practices, Facebook promoted false expectations of privacy among its members. (294)

  2. Surreptitious Collection of Personal Information

    The FTC has also filed complaints against companies for failing to inform consumers when and how they collect personal data. (295) Sometimes, websites that surreptitiously collect personal data partially disclose their collection practices to users. (296) However, such disclosures may be inadequate when websites fail to notify users of the true scope of the information they collect, or how they acquire that information. (297) For example, in In re Upromise, Inc., Upromise, an online service that offered college savings to members, clandestinely collected users' data through its downloadable "Turbosaver Toolbar." (298) Upromise stated to users that the Toolbar collected information about websites that they visited in order to present savings opportunities tailored to their interests. (299)

    The FTC determined that the Toolbar's data collection practices went beyond the scope of what Upromise disclosed to users. (300) The FTC found that the Toolbar collected users' passwords and usernames, information about every website they visited, and the links that they clicked. (301) The Toolbar also collected information from users' interactions on secured webpages such as banks and online retailers. (302) As a result, the Toolbar gathered users' financial account numbers, credit card numbers, social security numbers, and security codes. (303) The FTC found that without special software, or technical expertise, consumers had no means of discovering Upromise's true data collection practices. (304) The FTC concluded that Upromise's data collection constituted an unfair practice. (305) The true nature of Upromise's collection practices, which included gathering sensitive financial data, actually put users at risk for identity theft and other consumer harms. (306)

    In a later enforcement action, In re ScanScout, the FTC articulated concrete standards for enhancing consumer notice of data collection practices. (307) The FTC initially filed the complaint against the video advertising network ScanScout due to its use of HTTP cookies. (308) ScanScout stated that consumers could "opt-out" of receiving cookies by changing their browser settings. (309) Nonetheless, flash cookies, which were stored in a unique location on consumers' computers, could not be deleted in this way. (310) The FTC determined that ScanScout violated Section 5 for making false and misleading statements to consumers. (311)

    In the ScanScout decision and order, the FTC described how consumers should be apprised of the choice to opt-out of data collection practices. (312) The FTC ordered ScanScout to place a "clear and prominent notice" on its homepage that disclosed that it collected consumer data through targeted advertising. (313) Next to the disclosure, the FTC required ScanScout to include a link that consumers could click on to opt-out of the data collection. (314) The order provided that the link should lead consumers directly to a "clearly and prominently disclosed mechanism" that consumers could use to prevent future data collection. (315)

    In the order, the FTC included a definition of "clearly and prominently." (316) It determined that "clear and prominent" disclosures are in a "type, size, and location sufficiently noticeable for an ordinary consumer to comprehend and read." (317) According to the FTC, the statements should also be in a print that "contrasts highly with the background on which they appear." (318) Additionally, the FTC stated that "in all instances," required disclosures must be presented in an "understandable language and syntax," not contradicted by any other statements. (319) By requiring ScanScout to be direct about its targeted advertising practices, the FTC sought to prevent future privacy harms caused by covert collections of consumer data.

  3. Failure to Secure Personal Information

