Marketing’s Weekly Dose of the Truth

Ken Magill

Why You Should Delete Your Privacy Policy

By Ken Magill
Yet another company has just been smoked for a sloppy promise in its privacy policy.
The company did nothing substantively wrong. It exposed no one’s personal information. It doesn’t even collect personally identifiable information.
It simply made one misstatement in its privacy policy and will now be subject to 20 years of needless federal government oversight and audits.
The Federal Trade Commission recently filed a complaint against Nomi Technologies, a company that places sensors in some New York bricks-and-mortar retail locations that anonymously track signals from people’s mobile devices.
According to the complaint: “Nomi uses the information it collects to provide analytics reports to its clients about aggregate customer traffic patterns such as: 
“A. the percentage of consumers merely passing by the store versus entering the store; 
“B. the average duration of consumers’ visits;
“C. types of mobile devices used by consumers visiting a location; 
“D. the percentage of repeat customers within a given time period; and 
“E. the number of customers that have also visited another location within the client’s chain.”
Useful information, no?
So what heinous crime did Nomi commit that warranted the FTC—a group whose staff ironically has no idea how trade actually works—marshaling its vast, sloth-like resources?
Nomi promised in its privacy policy that it would allow consumers to opt out of its service on its website and in retail locations using it. 
However, according to the FTC, neither Nomi nor its clients disclosed to consumers in the retail locations that the service was being used. What is more, consumers were not given the promised opportunity to opt out of Nomi’s service in the stores, according to the FTC.
In May, the FTC published a consent order subjecting Nomi to 20 years of government oversight.
“The odd aspect of this complaint and consent order is that Nomi did not track or maintain information that would allow the individual consumers to be identified,” wrote attorney Elizabeth G. Litten in a blog post. “The media access control (MAC) address broadcast by consumers' mobile devices as they passed by or entered the stores was cryptographically ‘hashed’ before it was collected, creating a unique identifier that allowed Nomi to track the device without tracking the consumer him/herself.”
“Odd” is certainly one way to put it. “Infuriating” would be another.
Litten continued: “As dissenting Commissioner Maureen Ohlhausen points out, Nomi, as ‘a third party contractor collecting no personally identifiable information, Nomi had no obligation to offer consumers an opt out.’ The majority, however, focuses on the fact that the opt out was partially inaccurate, then leaps to the conclusion that the inaccuracy was deceptive under Section 5 of the FTC Act, without pausing to reflect on the fact that the privacy policy and opt out process may not have been required by law in the first place.”
Translation: The majority at the FTC is far more concerned with expending the resources American taxpayers finance on trivial nonsense than actually protecting consumers.
This isn’t the first time the FTC has brought an enforcement action over a misstatement in a privacy policy. See here.
The FTC clearly has way too many people without enough serious work to do.
To make matters worse, privacy policies aren’t even required by law.
Consider this from the U.S. Small Business Administration: “In general, your online and offline privacy policy is your company’s pledge to your customers about how you will collect, use, share, and protect the consumer data you collect from them. While not required by law, the FTC prohibits deceptive practices.”
As constructed, that second sentence actually says the FTC is not required by law, but we know what the illiterates at the Small Business Administration mean. Privacy policies are not required by law.
Elsewhere, the SBA more clearly states: “While not required by law (although the Federal Trade Commission prohibits any deceptive practices), creating a privacy policy is important if you want people to buy your products.”
No. It. Is. Not.
Creating a privacy policy isn’t remotely important if you want people to buy your products. The average consumer can’t be bothered to read privacy policies. The vast majority of people have better things to do with their time. 
Actually, everyone has better things to do with their time. Some consumer freaks and FTC bureaucrats just don’t realize it.
Why in the world would any company publish a legal document not required by law that can only come into meaningful play when government officials use it to bludgeon the company?
Creating a privacy policy is only important if you feel some insatiable desire to lay a minefield that has the potential to explode on your company for as long as it exists.
Want to invite 20 years of government oversight and audits? Have a privacy policy. Odds are it won’t explode in your face. But it might.
Want to protect your company from the possibility of a crippling government enforcement action and two decades of audits over a single misstatement? Don’t have a privacy policy. And if you do have one, delete it. Now.
