Last month, users of Facebook raised a loud ruckus when the social networking site changed its terms of service. This spawned debate over who owns user-generated content in the online social media world, but there was a far more important legal issue at play. While users joining Facebook after the change in the policy may have given some form of informed consent in the process of joining, existing users were given inadequate notice and their consent was not sought or received. Facebook had violated federal law against unfair or deceptive trade practice, since a business may not unilaterally alter its policies and use previously collected data in a manner that is materially different from the terms under which the data was originally collected.

The Federal Trade Commission (FTC) set the boundaries in a Sept. 10, 2004 case against Gateway Learning Corporation (FTC Docket No. C-4120). The company began renting personal information collected on its Web site to direct marketing firms. This was in violation of its stated privacy policy – that the company “do[es] not sell, rent or loan” personal information, including that of consumers’ children, to third parties – and conducted, according to the FTC, “without seeking or receiving any form of consent from such consumers.” Two months later, the company revised its posted privacy policy, noting, “From time to time, we may provide your name, address... to reputable companies... If you do not want us to share this information with these companies, please write to us.”

Aside from revising the posted privacy policy (and adding an opt out for data sharing), the company took no other measures to share this revised policy with its consumers and continued to rent data collected before that policy revision to third parties. One month after that revision, the company suspended rental of consumer data to third parties and revised its policy again to emphasize compliance with COPPA.

The FTC found the company liable for false or misleading statements to consumers and unfair trade practices because the company “posted a revised privacy policy containing material changes to its practices that were inconsistent with... [its] original promise to consumers.”

More recently, the Ninth Circuit Court concluded on July 23, 2007 (Douglas v. US District Court ex rel Talk America, No. 06-75424) that “Parties to a contract have no obligation to check the terms on a periodic basis to learn whether they have been changed by the other side.”

In response to the Douglas case, law professor Eric Goldman suggested a way to change the terms of a contract/policy effectively and legally.

“Include a provision in the initial contract saying that the Web site can amend the terms unilaterally after providing notice to users. Ideally this is coupled with a bona fide right to reject the terms, but this would involve giving the users an ability to terminate the contract. Even if not, merely giving notice would appear to satisfy the Ninth Circuit here, at least with respect to unconscionable amended provisions.”

Of course, figuring out how to notify people is key – mass e-mails may get flagged as spam or phishing, and notifying respondents upon their return to your Web site may not help if they never return or do so infrequently. Professor Goldman recommends an approach used by eBay, which lets users configure in advance how they wish to be notified of changes.

MRA urges researchers working on their contracts and privacy policies to build language into those privacy policies, and any other kinds of contracts, delineating how data will be used and how consent will be secured from respondents or parties to the contract – especially in case the terms need to be changed.

Disclaimer: The information provided in this article is for guidance and informational purposes only. It is not intended to be a substitute for legal advice. MRA advises all parties to consult with private legal counsel regarding the interpretation and application of any laws to your business.