Whatever the case, the now-acknowledged program takes data collection to a scope beyond what many users likely expected and possibly beyond what some companies’ terms of service allow. There’s a fine distinction between providing government officials private data when compelled to by a legal document like a court order and helping them to circumvent traditional legal channels. “If they say [they] only ever give up your data when compelled to do so by the government, but then it turns out they actually turn over your data routinely whenever the government says hello, then there might be a claim you could bring under the [Federal Trade Commission] Act,” says Andy Sellars, a staff attorney for the Digital Media Law Project based at Harvard University.

Such a contradiction could qualify as a deceptive trade practice under FTC rules. Companies have gotten in trouble for violating their own privacy policies before. In 2011, Google was forced to revamp its privacy policy and face regular independent privacy audits for 20 years because of “deceptive tactics” used in the rollout of failed social network Google Buzz. The company was hit with a $22.5 million penalty last year for misrepresenting privacy assurances to users of the Safari Internet browser. Microsoft and Facebook have also run afoul of the FTC for making false promises in their privacy policies. Still, the FTC has never levied a punishment that truly impacted a tech giant’s bottom line—that $22.5 million Google fine, the largest ever obtained by the FTC, is equivalent to the revenue the company generates in about four hours.