The FTC published guidance warning companies that “[i]t may be unfair or deceptive for a company to adopt more permissive data practices—for example, to start sharing consumers’ data with third parties or using that data for artificial intelligence (AI) training—and only inform consumers of this change through a surreptitious, retroactive amendment to its terms of service or privacy policy.” In other words, the long-standing practice of simply updating the privacy policy may not provide sufficient notice to consumers depending on the nature of the changes.
As companies turn to leverage consumer data to power AI systems, the FTC signaled that such practices constitute material changes to its data practices. These changes require companies to square new business goals with existing privacy commitments. The FTC made clear that companies cannot simply do away with existing privacy commitments by changing its privacy policies and terms to apply retroactively; instead, businesses must inform consumers before adopting permissive data practices such as using personal data for AI training. Therefore, companies seeking to share data with AI developers or process data in-house in ways that aren’t reflected in current privacy policies and terms should update both and notify consumers of such updates as a pre-requisite to taking on new processing activities such as AI.
However, although the announcement focused on the use of data to train AI, the FTC’s warning went noticeably broader by specifically referencing sharing personal data with third parties.
It is worth noting that the FTC’s stance is generally in line with some state privacy laws that require notification to consumers of any material change in their privacy policies. For example, under the Colorado Privacy Act, certain types of changes require notice to consumers beyond simply updating the privacy policy—even if the policy states that changes are effective upon posting. Similarly, if the change constitutes a secondary use, affirmative consent may be required.
Given the changing landscape, companies should be particularly diligent in assessing what type of notice must be given—and when it must be given—before engaging in a new processing activity with data that has already been collected. Or as the FTC punnily puts it, “there’s nothing intelligent about obtaining artificial consent.”