FTC Spreading Its Privacy NetFTC Spreading Its Privacy Net

The online-only privacy policy may become a thing of the past if the Federal Trade Commission can get companies doing business in both the online and offline worlds to adopt its thinking.

Speaking recently to the Promotion Marketing Association, Howard Beales, director of the FTC's bureau of consumer protection, stressed that unless an online privacy policy specifically states that it pertains only to consumer data gathered through a Web site, that policy should extend to data collected offline as well.

Beales says the comments simply reflect the FTC's newly stated position that just because a policy is published online, it shouldn't pertain only to online interactions. But the clear statement that online and offline are one and the same in regard to privacy was welcomed by privacy advocates, and it could send ripples through companies that have looked upon their online and offline business practices as separate beasts. "It raises the bar for companies," says Mary Culnan, professor of management and information technology at Bentley College in Waltham, Mass. Culnan says that while the debate surrounding online consumer privacy was started in order to spur consumer confidence in E-commerce, it was always hoped that the practices would spill over into the offline world.

However, many companies have not melded their online and offline privacy practices, and Culnan expects those companies to buy themselves time by simply ensuring their online privacy policies contain a Web-only clause. But Beales says that most companies develop privacy policies out of a desire to conduct business fairly, and since consumers want privacy protection on and off the Web, he expects companies to move toward offering blanket protection of data. In fact, many companies--such as Southwest Airlines Co. and Toys "R" Us Inc.--already have Web-only privacy policies. A Southwest spokeswoman says the company policy of never sharing consumer data does extend to offline channels, and a Toys "R" Us spokeswoman says the retailer is undergoing an extensive internal review of both its online and offline privacy policies.

Chris Hoofnagle, legislative counsel for the Electronic Privacy Information Center, says Beales' comments represent a significant step toward redefining what constitutes a privacy violation, but he's skeptical as to whether they will result in more FTC actions against offending companies. Hoofnagle says that while businesses claim the FTC has been aggressive in pursuing privacy violations, it has actually been too conservative, depending on material violations to take action when it should come down on companies that post misleading policies. Beales says the relatively low number of cases the FTC has pursued has not been for lack of effort. "We are looking hard for cases," he says. "They're not always easy to find."