Archives

FTC Enforcement : Gateway Learning

Under the Federal Trade Commission Act, the FTC has the authority to take enforcement actions for the use of “unfair trade practices.” In 2004, the FTC used the fairness principle to enforce privacy law for the first time by launching a case against the Gateway Learning company, owner of the popular “Hooked on Phonics” product line.

FTC and Fair Information Practices

The Federal Trade Commission developed a set of guidelines to govern the collection, use, maintenance, and disclosure of personal information in order to protect personal privacy. While the principles in themselves are not law, they have been incorporated into many privacy laws which allow the principles to be enforced. The Gateway Learning Company was found to be in violation of the first two principles, notice and consent.

The Fair Information Practice Principles require:

  • Notice to the individual regarding the privacy policies of the organization including how information is used and any disclosure to third parties. Notice must also be provided to the individual for any alteration in the privacy policies.
  • Consent from the individual regarding the use of their information for secondary uses and its disclosure to third parties.

Allegations

The FTC brought the following allegations against the Gateway Learning Company:

  • That they violated their own privacy policies by renting personally identifiable information (PII) collected from customers to third parties without the customer’s consent.
  • That they violated their own privacy policies by renting personal information (age/gender) about children under the age of 13 to third parties without the customer’s consent.
  • They committed unfair trade practices by retroactively applying a new privacy policy to information collected under the old privacy policy.
  • They committed unfair trade practices by failing to provide adequate notice to consumers regarding privacy policy changes.

The Privacy Policies in Question

The original privacy policy stated:

We do not sell, rent or loan any personally identifiable information regarding our consumers with any third party unless we receive a customer’s explicit consent. We do share information with third parties that help us run our operations or provide services to customers (e.g., credit card processing and shipping companies), but only to the extent necessary to provide these services.

It also stated the following regarding children’s personal information:

The Site does not sell products for purchase by children; we sell children’s products for purchase by adults. Children under 13 years of age may not submit personal information without the consent of their parents. We do not provide any personally identifiable information about children under 13 years of age to any third party for any purpose whatsoever.

We may in the future offer products to be used by children online, some of which may require you to enter additional information such as a child’s age, gender or reading ability in order to deliver a quality experience. A child’s participation in such a program will be entirely at your discretion. Again, no personally identifiable information about children under 13 years of age will be shared with any third party for an purpose whatsoever.

It also stated the following regarding changes to the privacy policy:

If at some future time there is a material change to our information usage practices that affect your personally identifiable information, we will notify you of the relevant changes on this Site or by email. You will then be able to opt-out of this information usage by sending an email to: webmaster@hop.com. You should also check this privacy policy for changes.

In April, 2003 the Gateway Learning Company violated its privacy policies by disclosing, name, address, telephone numbers, purchasing history, and the names and ages and genders of the customer’s children with telemarketers and direct mail marketers.

On June 20, 2003 a new privacy policy was placed in effect:

The new privacy policy did not alter its policies regarding the use of children’s personal information or providing notice regarding changes to the policy. It did however change the policies regarding sharing information with third parties.

From time to time, we may provide your name, address, and phone number (not you e-mail address) to reputable companies whose products or services you may find of interest. If you do not want us to share this information with these companies, please write to us at: Gateway Learning Corporation, 2900 South Harbor Blvd., Suite 202, Santa Ana, CA 92704, call 1-800-544-7323 or e-mail us at webmaster@hop.com with the word do-no-share in the subject line.

Despite their stated privacy policies, no email was sent or special notices posted to the website to alert customers to a change in the policies.

On July 17, 2003 another revised policy was posted:

The new policy changed the process for opting out of third party disclosures.

From time to time, we may provide your name, address, and phone number (not you e-mail address) to reputable companies whose products or services you may find of interest. If you do not want us to share this information with these companies, please write to us at: Gateway Learning Corporation, 2900 South Harbor Blvd., Suite 202, Santa Ana, CA 92704, call 1-800-544-7323 or e-mail us at do-not-rent@hop.com with your full name in the subject line. Please be sure to include your first name, last name, address, city, state, zip code and phone number to ensure we can process your request. We will process your request promptly. Please be aware that  you may receive another contact before your name removal takes effect. We regret any inconvenience this may cause.

The new policy also changed its statement regarding children’s privacy.

The Site is not targeted to children, and we not knowingly collect personally-identifiable information from children under the age of 13 on this site. We do not sell products for purchase by children; we sell children’s products for purchase by adults. This site is entirely aimed at adults.

FTC Consent Agreement

After investigations, the FTC found the Gateway Learning Corporation to have used unfair and deceptive trade practices and brought enforcement actions against the company. The Consent Agreement was the settlement reached to resolve the issue.

Bar on Misrepresentation

The bar on misrepresentation reinforces the rules regarding the Fair Information Practice principles which the company had violated. Under the agreement, Gateway Learning was banned from:

  • Misrepresenting the use of collected information including whether it is sold, rent, or loaned to third parties
  • Misrepresenting whether information about children under the age of 13 will be disclosed to third parties
  • Misrepresenting how customers will be notified by changes to privacy policies
  • Misrepresenting how the company will collect, use or disclose information

Ban on Disclosure of Personal Information to Third Parties

The ban on disclosure reinforced the protection of privacy for consumers whose personal information was collected prior to June 20, 2003 when the privacy policy was changed. The ban requires:

  • Express, affirmative (opt-in) consent of the individual prior to the disclosure of any information to third parties
  • The new privacy policies may not be applies to information collected prior to the June 20, 2003 policy change without the express affirmative consent of the individual.

Maintenance of Relevant Documents

This part of the agreement set up a way to ensure compliance for a period of 5 years. Under this provision, Gateway Learning must provide the FTC with the following documents:

  • A copy of each different privacy statement or communication including the date, full text, URL and graphics
  • A copy of the document sent to consumers to obtain their express affirmative consent and any documents provided by customers confirming their consent
  • All invoices, communications and documents that relate to the disclosure of personally identifiable information to third parties.

Delivery of Order

This part of the agreement dealt with the administrative task of ensuring enforcement in the work force.  The Gateway Learning companies was required to deliver a copy of the FTC agreement to all present and future employees with managerial responsibility related to the subject matter of the order.

Reporting

This part of the agreement requires Gateway Learning to notify the FTC 30 days before a corporate change which might affect compliance with the order. It also required Gateway Learning to file a report with the FTC setting forth their compliance within 60 days of service of the order and periodically after that, as requested.

Duration

Unless otherwise indicated, the order terminates after 20 years. Each violation of the final order may result in a civil penalty of up to $11,000

Fine

Gateway Learning was fined $4,608 which was the total profits received from the renting of personal information.

In Conclusion:

The Gateway Learning Case holds a significant place in privacy law because it demonstrated that the Federal Trade Commission is willing to pursue and enforce privacy violations. Since the Gateway Learning Case the FTC has continued to enforce privacy issues, especially any violations of the Children’s Online Privacy Protection Act which protects the personal information of children.

Share

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>