At one point or another, we have all heard the warning "don't make promises you can't keep." Recent enforcement actions by the Federal Trade Commission (FTC) demonstrate that organizations must heed this warning as they decide what confidentiality assurances they should make to consumers in their online privacy policies.

With an uptick in identity theft and data breaches, consumers have become more wary about who they share their personal data with. As a result, organizations, especially those that collect or process sensitive personal information about consumers, often attempt to assuage consumers' concerns about sharing their sensitive personal information by including reassuring privacy promises in their online privacy policies. Such promises may include, for example, statements that they are "certified" by well-known regulatory agencies and assurances that consumers' personal information is used and shared for "limited purposes" only. However, in reality, many organizations share a vast amount of consumers' personal information with third-party advertising companies and platforms and use tracking technologies in order to target consumers. Such sharing can be problematic if the consumers are not notified of, and have not consented to, such sharing or targeting.

As further explained below, the FTC recently made news in connection with settlement agreements reached with two organizations that it considered to have betrayed consumers' trust by violating the promises of confidentiality in their privacy policies. The significant civil penalties to be imposed against these two organizations signal to other organizations that the FTC does not take broken privacy promises lightly. There are several lessons to be learnt from the FTC's recent settlements, which should serve as a cautionary reminder for companies to revisit their privacy policies.