FTC v. CartManager

The FTC obtained a settlement from CartManager. CartManager operates shopping cart functionality as a service for third party website customers. CartManager used personal information from the shopping carts in ways that conflicted with the privacy policies its customers presented to users.

We have seen this conundrum before (the Pharmatrak litigation comes most immediately to mind), where websites publish privacy policies that appear to bind third party service providers. This can put service providers like CartManager in a bind. First, each customer may have an individualized privacy policy, forcing the service provider to build its technology so that it can develop custom rules for each customer. Second, customers often change their privacy policies without notifying their service providers, leaving service providers exposed to any unannounced privacy policy changes. Third, service providers often want to evolve their business model, and usually that evolution takes them towards monetizing personal information they have obtained.

To deal with these problems, service providers can require customers to include specific service provider-favorable language in the customers’ privacy policies. DoubleClick has historically done this (not sure if they still do); DART customers have been required to include language in their privacy policy giving DoubleClick the right to collect information necessary to make DART work.

Website customers often resist customizing their privacy policies in response to vendor requests. This can be an administrative hassle (especially where several, or even dozens of, vendors want to include language in the privacy policy), and there’s a risk that a future privacy policy modification will delete or modify the required language, which would be a problematic breach of the vendor’s contract.

An unexpected change like that appears to leave the service provider at risk of an FTC enforcement action. While I’m sure some service providers engage in egregious behavior, I also hope the FTC will be tolerant if a service provider gets screwed by customers whose privacy policies were outside of the provider’s control.