Members of Congress Examine Impact of Media and Marketing On Children

Earlier today, members of Congress and regulators gathered for a symposium on “The Impact of Media on the Health & Well-Being of Children.”   Participants included Congressman Edward Markey (D-MA), Congresswoman Debbie Wasserman Schultz (D-FL), Senator Richard Blumenthal (D-CT), Jon Leibowitz, Chairman, Federal Trade Commission, and Mignon Clyburn, Commissioner, Federal Communications Commission, as well as researchers and members of the public interest community.  In response to a question, Chairman Leibowitz informed the audience that the FTC expects to issue a revised Children’s Online Privacy Protection Act (“COPPA”) Rule by “the end of the year and hopefully sooner.” 

During their remarks, Congressmen Markey and Wasserman Schultz each expressed support for the Do Not Track Kids Act of 2011 (H.R. 1895), which we have blogged about here.  The bill would expand privacy protections for minors under the age of 18, including a prohibition on the use of personal information for targeted marketing to minors and a requirement that website operators provide “eraser buttons” to enable the deletion of personal information shared publicly by minors.  Senator Blumenthal also indicated that he was supportive of the legislative proposal, which he described as “common sensical,” although he stated that there likely would be substantial concern among advertisers and other stakeholders about implementation issues.

Companies Struggle With Lack Of Clarity Around TCPA And Text Messaging

Last week, a district court declined to stay a lawsuit against Google Inc. and group-texting service Slide, Inc. alleging a violation of the Telephone Consumer Protection Act (“TCPA”).  The court found that a related, ongoing proceeding at the Federal Communications Commission relating to the scope of the definitions of “consent” and “automatic telephone dialing system” under the Act did not compel the court to stay the case.  Applying the doctrine of primary jurisdiction, the court concluded that it was as competent to determine the scope of the definitions of these terms as the FCC.

In a separate, but related proceeding, the FCC has requested public comments on the question of whether a company violates the TCPA when it sends a text message to a subscriber’s mobile device to confirm that the subscriber has opted out of receiving text messages ― a practice that is endorsed under the Mobile Marketing Association’s best practices guidelines.  This issue is also the subject of ongoing court proceedings:  there are more than a dozen lawsuits pending against companies for sending such confirmation messages.

The FCC received initial comments yesterday, including comments from industry participants, such as the Mobile Marketing Association and the CTIA―The Wireless Association, urging the Commission to find that one-time, precise opt-out confirmation text messages are not prohibited by the TCPA.  While the National Association of Consumer Advocates argued that even one-time confirmatory text messages should be understood to violate the TCPA, the Future of Privacy Forum agreed with industry commenters, stating that one-time opt-out confirmation text messages help protect individual privacy.  Reply comments are due to the FCC May 15, 2012. 

As we previously have reported, Congress also is considering the need for legislation to amend the TCPA to clarify the scope of limitations under the Act.

FTC Refers Children's Privacy Case Back To CARU

The FTC has decided not to pursue an enforcement action against Clearwater Aquarium for alleged violations of the Children's Online Privacy Protection Act ("COPPA") Rule.

In February 2012, the Children's Advertising Review Unit ("CARU") referred the Clearwater Aquarium's website to the FTC for review under COPPA after the Aquarium reportedly did not respond to CARU's inquiry.  CARU claimed that the site featured a “Kidzone” where visitors could sign up for an e-newsletter by entering their first and last names, mailing and email addresses, and cellphone numbers.  CARU was concerned that the Aquarium collected personally identifiable information from children under the age of thirteen without first obtaining parental consent and that the Aquarium's privacy policy -- which stated that it did not collect information from children under 18 without parental consent -- did not accurately reflect its actual privacy practices.

After reviewing the website, the FTC concluded "that the information collection practices that had triggered CARU's inquiry had been remedied."  The FTC declined to take any further action, instead referring the matter back to CARU. 

CARU, a division of the Council of Better Business Bureaus, is a self-regulatory body that monitors websites for compliance with COPPA.  Although CARU's self-regulatory program is completely voluntary, CARU may refer cases to the FTC if companies refuse to respond to inquiry letters.  The FTC reviews CARU's case referrals to determine whether enforcement action is appropriate.  Although the FTC has initiated enforcement actions in response to CARU referrals in the past, the Clearwater Aquarium case is a reminder that the FTC may decide no further action is necessary.  

IAB's Video Suite To Support Display of In-Ad Privacy Notices

The Digital Advertising Alliance’s Self-Regulatory Program for Online Behavioral Advertising continues to gather steam.  Last month, after the Program garnered favorable mention in the FTC’s final privacy report, a representative of the Interactive Advertising Bureau (one of the DAA’s participating organizations) announced that the Program’s Advertising Option Icon is now being served in more than one trillion online ads per month.

An announcement yesterday by the IAB suggests another milestone for the Program may be on the horizon: expansion into online streaming video.  The IAB revealed that its new suite of technical specifications and protocols for the serving of in-stream ads will enable the Icon to be served in or around such ads, allowing entities that collect behavioral data from video viewers to meet any obligations they may have under the DAA’s transparency and consumer control principles. 

The IAB’s announcement comes amid increasing demands by regulators and consumer advocates for improved disclosures and choices with respect to the collection of consumer data in certain contexts.  The FTC’s report urged companies to make appropriate disclosures — “outside of a privacy policy or other legal document” —  regarding data collection that is “inconsistent” with the context of a particular transaction or a customer’s relationship with the company.  The report noted that the Icon itself provides an example of an effective notice and choice mechanism.  Its expansion into online video advertising — an area where the FTC has recently shown some interest — should be viewed favorably by the Commission. 

Mobile Advertising Self-Regulatory Groups Work To Address Privacy Concerns

In the face of calls by the FTC for improved mobile privacy protections, as well as interest by members of Congress, mobile advertising companies are actively working on privacy initiatives.  Yesterday, a group of companies in the mobile advertising industry announced that they are working to create an industry standard for anonymous mobile device identification.  The companies include Velti PLC, Jumptap, RadiumOne, mdotm, StrikeAd, Smaato, Adfonic and SAY Media.  This standard would replace the need to use unique device ID numbers.

Also this week, TRUSTe announced the creation of a tool to provide consumers with a single source of information about the information being collected from them both online and through mobile apps.  The TRUSTed Mobile Ads tool would allow consumers to opt out of receiving mobile ads through this unified platform.

These industry self-regulatory efforts come at a time when the FTC and members of Congress have expressed concern about consumer privacy in the mobile ecosystem.  As we previously reported, last month’s FTC report called for improved mobile privacy protections and urged the mobile industry to develop standards to address data collection, transfer, use, and disposal in the mobile context.  The topic will be addressed at a workshop that the FTC is hosting May 30, 2012.

Federal Reserve Official Testifies Before Congress on Mobile Financial Services

On March 29, 2012, Director of the Federal Reserve’s Division of Consumer and Community Affairs Sandra Braunstein testified before the Senate Banking Committee on consumers’ use of mobile financial services.  Ms. Braunstein distinguished between “mobile banking,” which is a consumer’s use of a mobile device to interact with a financial institution, including checking balances and transferring funds, and “mobile payments,” which are purchases, bill payments, charitable donations, or payments to other persons using a mobile device.  After making this distinction, she referred to the Federal Reserve’s recent survey of consumers’ adoption of mobile banking and mobile payments.

The survey found that the most common reasons for consumers not adopting mobile banking were satisfaction with traditional banking services and concerns over security, including potential hackers and the perceived inadequacy of existing technology.  Consumers do not use mobile payments because of security concerns and because traditional payment forms such as cash or credit card can be regarded as being simpler or easier to use. 

These findings highlight the progress depository institutions must make to advance consumers’ use of mobile financial services: namely, enhance information security technology and inform consumers of the effectiveness of such technology.  Indeed, the survey concludes that “consumers’ perception that mobile banking and mobile payments are unsecure is currently one of the primary impediments to adoption.  If consumers’ perception of security issues changes—whether due to actual or perceived improvements—adoption rates may significantly increase.”

Making the Business Case for Privacy and Data Security

Companies often view privacy and data security as legal or compliance issues, but a number of recent surveys show that there is also a business case for building privacy and data security into products and services.  For example: 

  • According to TRUSTe, 88% of U.S. adults report that they avoid doing business with companies that do not protect users’ privacy online.  
  • In a Forrester survey of 37,000 U.S. and Canadian online adults, 44% said that they had not completed an online transaction because of something they read in a privacy policy. 
  • A recent Edelman survey found that almost half (48%) of adults report that data security is one of the top three factors they consider when purchasing smartphones.  Data security is important for more people than the phone’s style, design, warranty, or size. 
  • Marketers still have a ways to go in convincing consumers about the benefits of targeted advertising.  According to a Pew Research Center survey, only 28% of American Internet users say that they are okay with targeted advertising because it means they see advertisements and get information about things they are interested in.  Over two-thirds (68%) disapprove of the practice because they do not like having their online behavior tracked and analyzed.

Dr. Ann Cavoukian and other proponents of privacy by design have long advocated that “Privacy is good for business.”  The surveys above provide further evidence that privacy and data security protections can result in commercial gains, enhanced ROI, and competitive advantage.

Do Not Track Kids Bill Gains Cosponsors

Over the last few weeks, a number of cosponsors have been added to the Do Not Track Kids Act of 2011 (H.R. 1895), bringing the total number of cosponsors to 29.  The bill was introduced by Rep. Markey and Rep. Barton on May 13, 2011.  Earlier this month, the two members also hosted a Congressional briefing to discuss how to protect children and teens online.

As we blogged about here, the bill would expand the Children’s Online Privacy Protection Act ("COPPA").  In addition, the bill would introduce new privacy protections for minors under the age of 18, including a prohibition on the use of personal information for targeted marketing to minors and a requirement that operators of websites and online services provide "eraser buttons" that enable the deletion of personal information shared publicly by minors.

We will continue to monitor this legislation as these two senior, bipartisan members of the Committee press for a mark-up of their bill.  

Court Won't Undo Dismissal of in re Facebook Privacy Litigation

Last week, Judge Ware of the Northern District of California denied a motion to amend his November 2011 dismissal, with prejudice, in In re Facebook Privacy Litigation, a case in which plaintiffs had argued that Facebook improperly transmitted users’ personal information, including User ID numbers or usernames, to third party advertisers.

In his most recent Order, Judge Ware reaffirmed his prior holding that plaintiffs had not stated a claim under the Stored Communications Act (“SCA”) based on an exception to the statute that allows a service provider to divulge the contents of a communication to, or with the lawful consent of, “an addressee or intended recipient” of the communication.

Report Finds Advertising Companies Comply With Self-Regulatory Standards

The Network Advertising Initiative ("NAI"), a coalition of more than 80 online advertising companies committed to self-regulation, released a report this week finding that there is a high degree of compliance with the NAI's Self-Regulatory Code of Conduct, which governs the use of consumer data for purposes of online behavioral advertising.   In particular, the report concludes that NAI's member companies are complying with the Code's restrictions on using sensitive data for purposes of online behavioral advertising and prohibitions on the use of data for secondary purposes, including to make insurance or employment decisions.  In addition, member companies are not specifically targeting children under the age of 13.  

FTC Report Calls For More Notice Involving Mobile Apps Directed To Kids, Warns Enforcement Could Come Over Next Six Months

The FTC staff released a report today calling for participants in the mobile app ecosystem -- including app developers, app stores, and third parties who collect data through mobile apps -- to provide better privacy notices to parents about mobile apps directed to children, and warning that over the next six months, staff will be conducting additional reviews "to determine whether there are COPPA violations and whether enforcement is appropriate."

The report is based on the staff's survey of apps offered in the Android Market and the Apple App store. Staff focused on "the types of apps offered to children; the age range of the intended audience; the disclosures provided to users about the apps’ data collection and sharing practices; the availability of interactive features, such as connecting with social media; and the app store ratings and parental controls offered for these systems."

Notably, the report stated that the FTC expects the whole app ecosystem to "play an active role in providing key information to parents who download apps." Specifically, the report outlined the following:  

  • App developers should provide parents information about (1) what information an app collects, (2) how the information will be used, and (3) with whom the information will be shared, using short disclosures or icons that are easy to find and understand on the small screen of a mobile device. App developers also should alert parents if the app connects with social media, or allows targeted advertising to occur through the app.
  • Third parties that collect information through apps should disclose their privacy practices, whether through a link on the app promotion page or another easily accessible method.
  • App stores should provide a more consistent way for developers to display information regarding their app’s data collection practices and interactive features. The FTC stated, for example, that app stores could provide a designated space for developers to disclose this information and standardized icons to signal specific features, such as connections with social media services. In addition, the FTC emphasized that app stores should be enforcing developer agreements that require developers to disclose the information their apps collect.

The report expressed a preference for disclosures that are provided prior to the parent's purchase of the app, noting that "[i]nformation provided to parents after downloading an app is, in staff’s view, less useful in the parent’s decision-making since, by then, the child may already be using the app and the parent already could have been charged a fee."

In addition, the report focused on disclosures involving in-app purchases, interactive features, and targeted advertising.  The report states that the FTC is considering whether additional protections are needed with respect to in-app purchase capabilities in apps for children.  It emphasized that "confusing and hard-to-find disclosures do not give parents the control that they need in this area." Staff believe that the presence of social features within an app is highly relevant to parents selecting apps for their children, and that such functionality should be disclosed prior to download.  And the report states that "parents need clear, easy-to-read, and consistent disclosures regarding the advertising that their children may view on apps, especially when that advertising is personalized based on the child’s in-app activities.”

As we have blogged about here and here, the FTC currently is reviewing its rules implementing the Children’s Online Privacy Protection Act, which governs the online collection, use, and disclosure of personal information from children under the age of 13.  

New PCI Council Chairman Establishes Mobile Payments as Top Priority for 2012

Newly-appointed chairman of the PCI Security Standards Council, Michael Mitchell, recently reiterated the importance of data security for mobile payments technology and the Council’s priority in studying and advising the industry on such technology.  Chairman Mitchell pointed out the sharp increase in mobile payments but also a lag in security technology protecting such payments.  “The adoption of mobile is running rampant, and when it comes to using personal mobile devices, people have not thought about all of the security.”

In June 2011, the Council, through a Mobile Working Group, released guidance analyzing mobile payment applications and validating such applications within the Payment Application Data Security Standard (PA-DSS).  The working group will next turn its attention to releasing best practice guidance for mobile payments.  As we recently covered in a previous post, the FTC also recently announced it would host a workshop on April 26, 2012, to discuss mobile payments.      

FCC Adopts New Telemarketing Restrictions

Today, the Federal Communications Commission adopted new rules that strengthen its restrictions on autodialed or prerecorded telemarketing calls.  The FCC billed the new rules as an effort to maintain consistency with the Federal Trade Commission’s telemarketing sales rule, which also governs telemarketing calls, and to give consumers control over the calls that they receive.

Under the new rules, companies will need to obtain prior express written consent from consumers before making prerecorded or autodialed telemarketing calls to consumers.  The FCC’s rule changes also eliminate the “established business relationship” exemption in its existing rule, which allows these calls to residential “landline” phones without consent.  The new restrictions will require written consent even for companies that have done business with the call recipient in the past. 

One area of dispute over the new rules related to whether the “written” consent requirement could be satisfied electronically and what steps were necessary to make the consent effective.  Consistent with the FTC’s approach, the FCC concluded that “written” consent can be provided electronically, such as through a website form.  However it is provided, though, the FCC requires “clear and conspicuous disclosure” about what the consumer is consenting to and an “unambiguous” agreement to receive calls at a phone number designated in the consent document.  Like the FTC, the FCC also warned that consents would not be effective if the consent is a condition of purchasing goods or services.

An additional change to maintain consistency with the FTC’s rule is a requirement that telemarketing calls that use a prerecorded voice include an interactive “opt-out” mechanism, which would allow the call recipient to opt out of future calls by pressing a button.  Finally, the FCC imposed new restrictions on so-called “call abandonment,” which occurs when there is no live telemarketer available to take an autodialed call.

Although the FCC’s rule changes have a broad impact on the telemarketing business, they do not impact non-telemarketing calls, even if they are made using an autodialer or include a prerecorded voice.  As a result, prior written consent is not required for autodialed calls that do not advertise a product or service, including calls by nonprofits or for political purposes.  Also, the new restrictions do not apply to informational calls that may be commercial in nature, such as calls from an airline informing passengers that their flights have been delayed or calls from a bank informing a customer of fraudulent charges to her account, and exclude certain health care-related calls that are regulated under HIPAA, which already imposes a written consent requirement.

The new FCC rules will not be effective until they are approved by the Office of Management and Budget.  Once that happens, companies will have a year to obtain prior written consent to covered telemarketing calls and to stop covered calls to consumers with whom they have established business relationships.  The other rule changes have shorter timetables:  the interactive opt-out requirement will go into effect after 90 days, and the abandonment restrictions after 30 days.

FTC Raises Fair Credit Reporting Act Concerns with Background Screening Application Marketers

On February 7, 2012, the Federal Trade Commission sent letters to six marketers of mobile applications that provide background screening services.  The applications, including “Police Records,” “Criminal Pages,” and “Locate Anyone,” provide criminal record histories that, if used for employment or other Fair Credit Reporting Act (FCRA)-related purposes, may subject the marketers to treatment as a “consumer reporting agency” for purposes of the FCRA.

A consumer reporting agency is a company that assembles or evaluates information relating to consumers for the purpose of furnishing “consumer reports” to third-parties.  Consumer reports include information that relates to an individual’s character, reputation or personal characteristics and are used or expected to be used for employment, housing, credit, or other similar purposes.  It follows that if a company provides criminal background information to employers about prospective or current employees, the company is a consumer reporting agency because the information pertains to the employees’ character, reputation, or personal characteristics.  The definitions in the FCRA are broad and may encompass many companies that are unaware their services fall within the scope of the statute.

The FTC’s letters do not take a position with respect to the marketers’ applications but encourage the marketers to review their applications and policies and procedures in light of the FCRA.

Upromise Settles FTC Privacy Charges

Yesterday, the FTC announced that it has settled charges against Upromise, Inc., a company that enables consumers to receive rebates when shopping at partner merchants.  (The rebates are placed in college savings accounts—hence Upromise’s name.)  According to the Commission’s complaint, Upromise offered online users a toolbar feature, which, when downloaded, would highlight Upromise’s partners in search engine results.  The toolbar feature also enabled users to choose to receive tailored advertising.  In connection with this aspect of the toolbar, the FTC alleged that Upromise (through an unnamed service provider) collected the names of all websites a user visited and all links clicked, as well as information that users entered into some webpages (which, in some cases, included credit card and financial account numbers, security codes, expiration dates and Social Security numbers).

The Commission charged that the scope and frequency of the data collection was much broader than Upromise represented in its privacy statement.  The FTC contended that despite using a filter intended to limit the collection of PII, Upromise sometimes collected sensitive information, such as PIN numbers and security codes.  Finally, the FTC alleged that Upromise collected this information by causing the user’s browser to transmit it in clear text, which left it vulnerable to interception—particularly when users were connected to the Internet through unsecured wireless networks.  The FTC stated that by engaging in these practices, Upromise failed to adequately disclose the extent of its data collection and also “failed to provide reasonable and appropriate security for [the] consumer information” that was collected. 

Notably, the Commission described these alleged shortcomings in terms of Upromise’s failure to integrate privacy protections into the design and implementation of the toolbar feature (i.e., its failure to sufficiently adhere to the principle of “privacy by design,” which the Commission described in its December 2010 preliminary staff report).  For example, the complaint faulted Upromise for not testing the ad-tailoring feature or monitoring its collection of information after implementation to ensure that the collection was consistent with Upromise’s policies.  The complaint also alleged that Upromise had failed to ensure that employees responsible for creating and operating the feature received adequate training about security risks and Upromise's privacy and security policies.  Similarly, the Commission alleged that Upromise did not take appropriate steps to ensure that its service provider implemented the feature in a manner that was consistent with Upromise’s policies and the contractual provisions designed to protect consumer information. 

As in recent FTC settlements involving privacy and data security issues, the Upromise consent decree (among other things) would require the company to implement privacy by design in the form of a comprehensive information security program and obtain third-party audits for 20 years. 

Amazon Case Dismissed; No Adequate Facts Pled To Establish Plausible Harm

The United States District Court for the Western District of Seattle recently dismissed an online privacy case involving the alleged improper use of browser and Flash cookies in Del Vecchio v. Amazon.  Finding that the plaintiff had “simply not plead adequate facts to establish any plausible harm,” this opinion follows closely on the heels of several other recent decisions that dismissed cases because of an inability to demonstrate adequate injury or harm or to allege sufficient injury-in-fact to satisfy Article III standing, including In re Facebook Privacy Litigation, In re Zynga Privacy Litigation and Low v. LinkedIn (in which Covington represents LinkedIn).

In reaching this finding, the Amazon court rejected plaintiffs’ two categories of alleged injury; namely, (1) that Amazon’s alleged misappropriation of plaintiffs’ economic and property interests led to “economic harms,” including “lack of proper value-for-value exchanges, undisclosed opportunity costs devaluation of personal information [and] loss of the economic value of the information as an asset”; and (2) that Amazon’s alleged transfer of cookies caused damage by diminishing the performance and value of plaintiffs’ computer resources.  Plaintiffs were granted leave to file an amended complaint.

Proposed TCPA Changes Encounter Opposition

As we previously discussed here, the House of Representatives is considering a bill to amend the Telephone Consumer Protection Act (“TCPA”). The bill, known as the Mobile Informational Call Act of 2011 (H.R. 3035), has bipartisan and industry support but also has drawn opposition from some consumer groups and state attorneys general.

The merits of the bill were debated at a November 4 hearing. Witnesses from the financial services, cargo transport, and wireless carrier industries testified that the bill is needed so that they can harness technology to more efficiently deliver information such as package notifications, fraud alerts, and flight changes to consumers' cellphones without the threat of unnecessary litigation. A consumer advocacy group expressed concern that the amendments could subject consumers to certain types of calls on their mobile phones even if the consumers asked not to be called. Indiana Attorney General Greg Zoeller criticized H.R. 3035’s preemption provision, testifying that the bill would hinder enforcement of state consumer protection laws.

On Wednesday, 54 state and territorial attorneys general issued a letter urging Congress to reject the bill. The letter criticized certain provisions in the bill, such as the state preemption provision, and called for greater -- rather than fewer -- restrictions for calls to mobile phones.

House Approves VPPA Amendment

Earlier today, the House of Representatives approved an amendment to the Video Privacy Protection Act (VPPA) (H.R. 2471) that would clarify certain ambiguities in the 1988 law in light of technological changes in the marketplace.  In his remarks on the House floor, Rep. Bob Goodlatte (R-VA) – the primary author of H.R. 2471 – explained that the amendment will facilitate the sharing of video usage information on social media networks.

During a debate on the legislation, Rep. Melvin Watt (D-NC) opposed the bill as he did in the committee markup, expressing concern about the adequacy of one-time consent to the sharing of information on dynamic social media sites.  He emphasized the sensitivity of video usage information and expressed concerns about whether Congress has given sufficient thought to the impact of H.R. 2471 on state video privacy laws.  Rep. Watt also questioned the propriety of Congress acting in light of a number of pending private law suits under the VPPA.  Rep. John Conyers, Jr. (D-MI) lent his support to H.R. 2471, but stated that he would have preferred the bill require consumers to renew their consent periodically.

Under the VPPA, which was passed long before the Internet was widely available, “video tape service providers” generally are not permitted to share a consumer’s video usage information without “the informed, written consent of the consumer given at the time the disclosure is sought.”  If enacted into law, H.R. 2471 would clarify this limitation in the context of online distribution in the following ways:

Court Permits Class Action to Proceed Where Text Message Confirmed Opt Out Request

Last week, a federal judge denied a motion to dismiss a putative class action brought under the Telephone Consumer Protection Act (TCPA) against Citibank concerning its transmission of text messages.  The case -- Ryabyshchuk v. Citibank N.A. -- is notable because one of the issues it addresses is whether an entity that transmits a text message to confirm a consumer’s opt out request has transmitted the message without the consumer’s prior express consent.  The Mobile Marketing Association’s Guidelines for text message campaigns advise that such confirmation messages should be sent.  In the ruling, Judge Irma Gonzalez of the Southern District of California held that Citibank could be liable for two messages: the first allegedly inviting the applicant to call to discuss a credit card application, and the second allegedly confirming the consumer’s request to opt out of receiving future messages.  The consumer sought to opt out of receiving future messages after receiving the first text message from Citibank.


ECPA Class Action Settlement Overturned

The Ninth Circuit reversed the district court’s approval of a class action settlement last Monday in Nachshin v. AOL, remanding the two-year-old case back to the district court for a new round of settlement negotiation and approval. No. 10-55129 (9th Cir. Nov. 21, 2011).  The class action was brought in 2009, alleging that the Internet company violated the Electronic Communications Privacy Act (ECPA) when it inserted footers containing promotional messages into e-mails sent by its users. The complaint also alleged unjust enrichment, breach of contract, and violations of state law.

The problem with the settlement was not that the class representatives failed to adequately represent class members, as in the Second Circuit’s recent decision in the latest iteration of the Tasini v. New York Times case, or that the interests of the members of the proposed class (all 66 million of them) were too factually and legally different to proceed in a class action, as in the Ninth Circuit’s recent decision in Ellis v. Costco Wholesale Corp. Instead, the Ninth Circuit reversed the settlement on the less common ground that it provided for distributions from the settlement fund to charities that were unrelated to the claims underlying the lawsuit.


Web-standards group releases draft "Do-Not-Track" mechanism

The group that develops technical standards and guidelines for the World Wide Web released a set of draft standards on Monday that are intended to allow consumers to limit and control how they are tracked online.

The standards, developed by the World Wide Web Consortium (known as the “W3C”), would allow consumers to set a “Do-Not-Track” preference using their browser or other tools.  The proposal effectively sets up an “opt-out” mechanism for online tracking because no preference is transmitted until the user affirmatively selects a setting.  The standard states that, absent laws, rules or other requirements to the contrary, servers may interpret the lack of an expressed preference “as they find most appropriate for the given user, particularly when considered in light of the user’s privacy expectations and cultural circumstances.”  Once set by the user, the Do-Not-Track preference would be transmitted to any website the user visits; the standard requires website servers that have implemented the standard to send a response signal indicating whether the website respects the tracking preference.  Users would be able to affirmatively allow tracking, block all tracking, or refuse tracking generally but allow tracking on certain sites.


FTC Settles Flash Cookie and COPPA Claims

Online advertiser ScanScout has entered into a consent agreement with the Federal Trade Commission in connection with claims it made that consumers could opt out of receiving targeted ads by changing their computer’s web browser settings to block cookies.  According to the FTC, these claims were deceptive with respect to the use of so-called “Flash cookies” since browser settings did not allow users to remove or block the Flash cookies used by the company.  Flash cookies generally cannot be controlled through browser privacy settings, in contrast to traditional “HTTP” cookies.

Under the terms of the proposed settlement, ScanScout must post a prominent notice on its home page stating the following:  “We collect information about your activities on certain websites to send you targeted ads. To opt out of our targeted advertisements, click here.”  The company must provide a hyperlink to an opt-out mechanism that offers users the ability – through a single click or a single change to a browser setting – to prevent the company from:

  • collecting information that can identify the user or her computer;
  • associating any previously collected data with the user; or
  • in the absence of any affirmative action by the user, redirecting the user’s browser to third parties that collect data. 

The opt out choice must remain in effect for a minimum of five years.  There also must be a clear and prominent notice within close proximity of the opt out mechanism that provides certain additional disclosures, including the current status of the user’s choice and any circumstances that, if initiated by the user, would disable the choice made by a user. 


Self-Regulatory Council Releases Enforcement Decisions

Earlier this week, the industry self-regulatory program set up by online advertisers to deal with reported privacy problems released decisions in its first six compliance cases.  The Online Internet-Based Advertising Accountability Program, which was established in August, determines whether reported businesses are complying with the self-regulatory principles for online behavioral advertising.  The Better Business Bureau oversees the program.

The Accountability Program initiated formal enforcement efforts against six companies in connection with the companies’ opt-out mechanisms.  Four of the companies offered consumers the ability to opt out of the collection and use of data for online behavioral advertising through opt-out cookies that were set to expire more quickly than the five-year time frame that is called for by the industry standard.  In the other two cases, the opt-out mechanisms offered by the companies were inaccessible to consumers due to missing buttons or links.  Each company voluntarily modified its practices to comply with the self-regulatory principles. 

These self-regulatory efforts come at a time when both Congress and the FTC are considering whether self-regulation is adequate to deal with consumer privacy challenges.   Representatives from the Accountability Program have said that companies that do not respond and comply with its enforcement efforts may be referred to the FTC. 

DAA Releases "Self-Regulatory Principles for Multi-Site Data"

Yesterday, the Digital Advertising Alliance (DAA) announced the release of new “Self-Regulatory Principles for Multi-Site Data,” voluntary self-regulatory standards to govern the collection, use, and sharing of data concerning user activity across non-affiliated websites.  The DAA, an umbrella organization for advertising trade groups, already maintains self-regulatory principles for online behavioral advertising (OBA).  Notably, while the OBA Principles apply only to data collected for behavioral advertising purposes, the new Multi-Site Data Principles encompass all collection, use, and disclosure of multi-site data regardless of purpose.  The DAA expects its new principles will be implemented in 2012.


Senator Rockefeller Requests Information Regarding Visa and Mastercard Data Collection Practices and Proposals

On October 27, 2011, Senator John D. Rockefeller, chairman of the Senate Commerce, Science, and Transportation Committee, sent letters to Visa and Mastercard requesting information regarding the companies’ data collection and aggregation practices and proposals.  An October 25, 2011, Wall Street Journal article outlined various initiatives from the two companies pertaining to online behavioral advertising. 

Senator Rockefeller’s letters pose questions about the companies’ current data collection practices, anonymization of data sold to third parties, plans to combine purchasing data with data from other sources, and compliance with the Gramm-Leach-Bliley Act.  The letters require responses by November 30, 2011. 

Online behavioral advertising proposals that rely on financial data remain a hot topic to be closely monitored.  Such proposals potentially implicate the Gramm-Leach-Bliley Act among other statutes and regulations. 

California AG Files Suit Regarding Plastic "Biodegradable" and "Recyclable" Claims

Last week, the California Attorney General brought its first suit under California’s environmental marketing law, which restricts the labeling of plastic food or beverage containers as “biodegradable.” The Attorney General claims that a plastics company’s statements that its microbial additive results in the “first truly biodegradable and recyclable” plastic bottle and that the bottle will break down in less than five years in a typical landfill or compost environment are false because it takes hundreds of years for plastics to biodegrade.  In addition, the Attorney General claims that the company’s recycling claim is deceptive because the Association of Post Consumer Plastic Recyclers considers the company’s microbial additive to be a “destructive contaminant” that can weaken the bottle’s strength.  The company has responded that it stands by its technology and its claims.

The law, which will expand to cover all plastic products beginning in 2013, could discourage companies from developing innovative environmental solutions, since the law effectively prohibits companies from making certain environmental claims about their products. 

Senator Rockefeller Requests FTC Report on Facial Recognition Technology

Last month, as we previously reported, the Federal Trade Commission (FTC) announced that it will host a December workshop to explore potential privacy and security implications raised by the increasing use of facial recognition technology.  Yesterday, Senator John D. Rockefeller IV (D-W.Va.), chairman of the Commerce, Science, and Transportation Committee, sent a letter to the FTC commending the agency for its examination of this emerging technology and requesting a report following the workshop.  Senator Rockefeller indicated that the report should include potential legislative approaches to protect consumer privacy as facial recognition technology proliferates.

New uses for facial recognition technology are being deployed in both the public and private sectors.  The Federal Bureau of Investigation is working to activate a nationwide facial recognition service, Next Generation Identification, which will be available to law enforcement authorities in select states by January 2012.  And, as Senator Rockefeller noted in his letter, "facial recognition technology is already being put to use in a broad range of commercial areas," including real-time scanning to identify the demographic features of crowds or of individuals standing next to advertising displays, as well as scanning of photographs users upload to an online service to identify the individuals depicted in them.

The FTC workshop is scheduled for December 8, 2011, and Senator Rockefeller has requested that the FTC provide a preliminary report to the Senate Committee on Commerce, Science, and Transportation by February 8, 2012.

Mobile Marketing Association Releases Mobile Privacy Policy Framework

Recently, the Mobile Marketing Association (MMA), a non-profit organization representing participants in the mobile marketing industry, released a privacy policy framework for mobile applications.  Although framed as a model privacy policy, the MMA Privacy and Advocacy Committee makes clear that the document is intended to be a “starting point” rather than a verbatim model.  Its hope is that the document will “encourage the mobile application developer community to continue to move consumer privacy interests forward.”


Court Holds That CAN-SPAM Preempts Michigan Anti-Spam Suit

A federal district court in Michigan recently held that the federal CAN-SPAM Act preempts Michigan’s anti-spam law.  Unlike the federal law, Michigan’s statute offers individuals who receive unsolicited commercial email, or “spam,” a private cause of action.  The decision, by Judge Janet T. Neff of the Western District of Michigan in Hafke v. Rossdale Group, LLC, is one of only a few court opinions construing the scope of state laws preempted by the federal CAN-SPAM Act.

The federal Controlling the Assault of Non-Solicited Pornography And Marketing Act (or CAN-SPAM Act), enacted in 2003, regulates the transmission of spam email.  For violations meeting specified criteria, it provides for criminal penalties and permits civil enforcement by the Federal Trade Commission and other federal agencies, Internet Service Providers, and state attorneys general.  It does not, however, permit individuals who have received unwanted email to bring suit. 

Therefore, those who have wished to bring suit for receiving unwanted spam have looked to states’ anti-spam laws, such as that of Michigan.  However, CAN-SPAM contains an express “preemption” provision, meaning it specifies the circumstances under which states may or may not regulate the same subject matter as the federal statute.  CAN-SPAM states that it supersedes state law “that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception.”  It also states that it does not preempt state laws “that are not specific to electronic mail” or those that “relate to acts of fraud or computer crime.”

In Hafke, the court had to interpret whether CAN-SPAM preempted the Michigan anti-spam law.  To reach a decision, the judge first reviewed the handful of prior cases on the scope of CAN-SPAM’s preemption.  Those cases, relying on CAN-SPAM’s preservation of state laws that prohibit “falsity or deception,” have differentiated state laws regulating “base error” from state laws regulating tortious conduct or material misrepresentations -- the courts have held that CAN-SPAM preempts the first kind of laws but not the second.  Building on those decisions, the judge held that because the Michigan law does not by its text require falsity or deception and because the plaintiff alleged only “technical” violations, CAN-SPAM barred the plaintiff’s claim.

Bono Mack Holds Hearing About Consumer Privacy Expectations

Yesterday, the House Subcommittee on Commerce, Manufacturing, and Trade held a hearing entitled “Understanding Consumer Attitudes About Privacy.”  The hearing featured a single panel with a mix of industry representatives and consumer privacy advocates, including representatives from Intuit, Microsoft, the Digital Advertising Alliance, Evidon, and the World Privacy Forum. 

A primary focus of the hearing was the efficacy of industry self-regulatory initiatives and other efforts to provide consumers with information and choices about managing their online privacy.  In particular, members expressed interest in the “About Ads” self-regulatory principles for online behavioral advertising and other company-specific efforts to provide consumers with notice and choice. 


House Subcommittee Discusses COPPA Updates, Teen Privacy

The House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade held the latest in its series of hearings on Internet privacy Wednesday morning. The hearing — titled “Protecting Children’s Privacy in an Electronic World” — focused on the Federal Trade Commission’s proposed updates to the regulations implementing the Children’s Online Privacy Protection Act (COPPA), which generally bars website operators from collecting or disclosing personal information from children under 13 without first obtaining parental consent. Lawmakers and witnesses also discussed whether Congress should enact additional legislation, particularly to protect teenagers. Click the jump to see a summary of some of the key issues addressed at the hearing and in witnesses’ prepared statements.

Continue Reading

Reps. Terry and Lee Introduce TCPA Reform Measure

Reps. Lee Terry (R-NE) and Ed Towns (D-NY) have introduced the Mobile Informational Call Act of 2011 (H.R. 3035).  H.R. 3035 would amend the Telephone Consumer Protection Act — which is administered and enforced by the Federal Communications Commission but also authorizes private rights of action —  to clarify the scope of limitations under the Act.  

Under the TCPA, it is unlawful for a person to use an “automatic telephone dialing system” to call any telephone number assigned to a cellular telephone service without the prior express consent of an individual.  H.R. 3035 would clarify the scope of this prohibition in several respects:

  • The bill would make clear that oral or written approval by an individual in the context of an established  business relationship constitutes “prior express consent” under the Act;
  • Commercial calls to cellular telephone numbers would no longer be covered by the prohibition, except to the extent that the calls are “telephone solicitations”; and
  • The definition of an “automatic telephone dialing system” would cover only equipment that actually produces and dials randomly generated telephone numbers.

These clarifications would resolve certain reported ambiguities under current law, including the ability of firms to contact existing and former customers using automated telephone dialing technologies. 

Article 29 Working Party Meets the European Advertising Industry over Self-Regulatory Code

The representatives of IAB Europe and EASA, European advertising and marketing industry associations, met with the Article 29 Working Party, a group of European data protection authorities, on 14 September 2011 to discuss the industry’s self-regulatory code on Online Behavioural Advertising.  As we blogged here, the Article 29 Working Party had previously voiced concerns over some of the aspects of the code in its letter to the Online Behavioural Advertising Industry published in August.  These concerns were reiterated during the meeting, as the Working Party emphasized that consent for the use of cookies on users’ equipment (a requirement under the new ePrivacy Directive) cannot be implied from the user’s inaction or silence.  As the Working Party had stressed in its recent opinion, only statements or actions can constitute valid consent.

The Working Party explained that the code should be amended to provide compliance with European and national legal requirements after the industry admitted that the code was mainly intended to provide a level playing field.  The chairman of the Working Party was concerned that companies might wrongly consider the code as a “safe haven” when it in fact falls short of legal requirements.

The industry representatives were also invited to address the privacy concerns raised by the Working Party in its August letter.  The Working Party would take the industry’s answers into account when it prepares its official opinion on the Code, to be finalized by the end of the year.

FTC To Hold Facial Recognition Technology Workshop

The Federal Trade Commission announced this week that it will host a workshop to explore potential privacy and security implications raised by the increasing use of facial recognition technology.  The discussion will take place on December 8, 2011 in Washington, DC.

According to the FTC, the workshop, which is free and open to the public, may focus on topics including:

Continue Reading

FTC Settles First COPPA Complaint Against Mobile App Developer

Resolving the FTC's first complaint against a mobile app developer under the Children's Online Privacy Protection Act ("COPPA"), W3 Innovations, LLC, a developer of children's games for the iPhone and iPod touch, has agreed to pay $50,000 to settle allegations that it collected and disclosed the personal information of thousands of children under the age of 13 without first providing parents notice of their children's privacy practices or obtaining parental consent.

The FTC alleged that several of the mobile apps operated by W3 Innovations, including the Emily's Girl World app, Emily's Dress Up app, Emily's Dress Up & Shop app, and Emily's Runway High Fashion app, are directed to children under the age of 13.  In addition to collecting and maintaining children’s email addresses, the FTC claimed that the defendants also allowed children to publicly post personal information, including their full names, on message boards in violation of COPPA.

The settlement provides industry guidance on a few of the issues that the FTC raised as part of its 2010 COPPA Rule review and is a reminder that the FTC may decide to resolve some of these issues through enforcement actions rather than through the rulemaking process.  For example, the FTC's 2010 Notice of Inquiry on COPPA asked for comment on how the definition of "Internet" applies to mobile communications.  The FTC's complaint clarifies that the FTC believes COPPA is broad enough to cover mobile applications.  The complaint also clearly defined the term "online service" for the first time, stating that W3 Innovations' mobile apps are "online services" covered by the COPPA rule because they "send and receive information via the Internet." 

As we blogged about here, the FTC has told industry to expect more enforcement actions against mobile app developers under Section 5 of the FTC Act.  This settlement suggests that the FTC also plans to use its enforcement authority under COPPA to help ensure that mobile app developers fulfill their obligations to protect children's privacy.  

FTC Commissioner Brill Warns Enforcement Actions Coming for Mobile Apps

Speaking at the American Bar Association's annual meeting in Toronto, Commissioner Brill informed the audience that "We will soon be seeing some enforcement actions on [mobile] apps."  Commissioner Brill emphasized that Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices, applies to mobile applications and criticized many app developers for not posting a privacy policy. 

The FTC's interest in mobile applications is not surprising given that mobile privacy has been the focus of a number of recent Congressional hearings and press reports.  However, it will be interesting to see what Section 5 claims the FTC will raise with respect to mobile apps.  The FTC's authority to adopt prescriptive rules under Section 5 is highly constrained.  There is no rule under Section 5, for example, that a mobile app developer post a privacy policy.  

Instead, it is common for the FTC to issue informal guidance explaining what acts and practices it is likely to consider "deceptive" or "unfair."   While not legally binding, this informal guidance provides industry some indication of where the FTC's Section 5 enforcement efforts are likely to be concentrated.  Last December the Commission released a preliminary staff report that proposes a framework for businesses and policymakers to protect consumer privacy.  In her speech to the ABA, Commissioner Brill referenced this preliminary report to support her claims that mobile app developers should develop simplified notices, icons, and layered notices to provide consumers information about the developer's information handling practices. 

However, building an enforcement action around this report may be problematic for at least two reasons.  First, the report is still in draft form, and a final report is not expected until later this year.  Second, the preliminary report stopped short of calling for legislation or prescriptive rules and remained generally supportive of self-regulation. 

The report did, however, suggest that the FTC "plans to continue its vigorous law enforcement in the privacy area, using its existing authority under Section 5."  Therefore, unless the FTC attempts to significantly expand its reach in the area of unfairness, any claims against mobile app developers are likely to be based more on standard Section 5 deception claims, such as making a false or misleading statement in the developer's privacy policy or failing to disclose material practices (although it may be difficult to demonstrate that an app developer's omission is likely to affect the consumer's conduct).  It would not be surprising, however, if the FTC were to push for simplified notice, icons, layered privacy policies, and just-in-time notices in consent decrees settling its Section 5 complaint.  While these consent decrees are binding only on the party involved, they could influence self-regulatory efforts and best practices in the mobile industry.

 

 

Preliminary Results Reported From Stanford "Tracking the Trackers" Study

This week, Stanford Security Lab reported preliminary results from a platform it has been developing, a chief application of which is to detect various forms of third-party tracking in an automated manner.  According to researcher Jonathan Mayer’s release, which emphasizes that these are “preliminary findings from experimental software,” Stanford’s system has detected that over half of the companies tested that belong to the self-regulatory Network Advertising Initiative (“NAI”) group leave tracking cookies on users’ computers even after a user opts out of online behavioral targeting.  Importantly, though, NAI member companies are required by the NAI guidelines only to allow and abide by requests to opt out of behavioral ad targeting, and the guidelines do not contain commitments with respect to tracking.   This distinction between targeting and tracking has been the subject of increasing attention, including from the Federal Trade Commission.    

The preliminary study results also reportedly show that at least eight NAI members—including prominent networks such as 24/7 Real Media and Audience Science—commit in their privacy policies to stop tracking users following an opt-out request, but nonetheless leave tracking cookies in place.  Although the media and, increasingly, plaintiffs’ counsel can be quick to latch onto these types of reports, it will be critical to closely examine each company’s privacy policy language in the context of the company’s actual practices.


Industry Develops New Notice and Consumer Outreach Initiatives

As Congress continues to consider the need for privacy legislation, a number of organizations are working on new ways to better inform consumers about how data is collected, used, and shared online.  A roundup of recent developments:

  • Game developer Zynga has introduced an interactive tutorial called PrivacyVille.  Players who follow along and learn about the company’s privacy practices earn reward points that can be exchanged for virtual items in other Zynga games.
  • Dropbox, the cloud-storage service company, recently rewrote its Terms of Service, Privacy Policy, and Security Overview.  After users expressed concerns about the licensing language, Dropbox revised the data ownership section of its Terms of Service.  According to the company, the changes were intended to eliminate legalese and make clear “what’s yours is yours.”
  • Audience-measurement firm Quantcast has announced that it will start distributing the AdChoices icon for free to small- and medium-sized publishers that work with the company.  The icon, which is licensed by the Digital Advertising Alliance (“DAA”), takes users who click on it to a site where they can learn about online tracking and opt out of behavioral ads. 
  • The DAA has indicated that it is planning a consumer outreach campaign for the fall.  According to press reports, more than 70 ad networks have signed up for the DAA’s self-regulatory program since it was launched last year, along with several ad agencies, big brand marketers, and publishers. 

Many other companies are working on their own tools to improve transparency around data collection, use, and disclosure practices, all of which will be viewed as positive developments as the debate around the need for federal privacy legislation continues.

Senator Franken Focuses on Privacy of Geolocation Data

Among the numerous federal privacy and data security bills that have been introduced in Congress over the last four months, Senator Franken's "Location Privacy Protection Act" (S. 1223) focuses specifically on the collection of geolocation data by covered entities through mobile devices.  The bill would prohibit entities that offer or provide services to certain mobile devices from collecting and disclosing a consumer’s geolocation information, unless the company has obtained the consumer’s express consent.

“Geolocation information” is defined to include any information that (1) concerns the location of an electronic communications device that is generated or derived from the consumer’s use of the device and (2) may be used to identify or approximate the location of the device.  The term does not include, however, any temporarily assigned network address or IP address.  

The legislation would be enforced by the U.S. Attorney General, state attorneys general, and private individuals (who would have the right to bring private lawsuits).

Sen. Franken has shown a strong interest in mobile privacy issues.  As we blogged here in May, Sen. Franken has requested that Apple and Google require all applications available in the Apple App Store and the Android App Market to have “clear and understandable” privacy policies.

Supreme Court Reaffirms Application of First Amendment to Children

Last week, the Supreme Court issued its much anticipated decision in the Brown v. Entertainment Merchants Association case.  Justice Scalia, writing for Justices Kennedy, Ginsburg, Sotomayor, and Kagan, held that a California law restricting the sale or rental of violent video games to minors, and mandating “18” labels for such games, violates the First Amendment.

The decision is not only a resounding victory for the entertainment software industry, but its views on the protection of minors under the First Amendment could have a profound impact on future legislative efforts as well.  In his dissent, Justice Thomas argued that the First Amendment does not include the right to speak to minors without obtaining the prior consent of their parents or guardians.  This approach supports many of the children's privacy laws that are on the books today.  The majority soundly rejected this approach, however, stating that laws that prevent children from hearing or saying anything without their parents' prior consent “do not enforce parental authority over children's speech and religion; they impose governmental authority, subject only to a parental veto.”  

 

FTC Launches Online Advertising Review

by Rob Sherman and Allison Ray

The FTC’s recent announcement [PDF] that it will update its decade-old guidance on online advertising—known as Dot Com Disclosures [PDF]—has inspired animated industry discussion.

In its request for comments, the FTC highlighted that forums for online advertising that we take for granted today -- such as social media and mobile apps -- didn't exist when the Disclosures were released in 2000, and so the guidelines will need to be updated to address these new forms of communication.  (Eric Robinson discusses this point in his post at the Citizen Media Law Project.)  For companies that place or distribute online advertising, these changes may have a particularly significant impact, especially since they will need to be framed in a way that is flexible enough to account for changes in the industry and technology that we haven't yet seen. 

When they were first released, the FTC intended the Dot Com Disclosures to import traditional advertising disclosure rules into the online context. The guidelines set a performance standard for disclosures rather than a technical checklist, allowing marketers some flexibility in creating disclosures as long as disclosures met a “clear and conspicuous” standard. Both the FTC and industry commenters noted the danger of creating overly rigid rules at a time when consumer understandings and the internet itself were constantly transforming.


FCC Drafting a Report on Location-Based Services

The Federal Communications Commission is seeking public comment on the use of location-based services in connection with a forthcoming staff report.  Comments are due to the FCC by July 8, 2011.

The agency also is teaming up with the Federal Trade Commission to host an educational forum on June 28, 2011, to help consumers understand the privacy implications of location-based services.  Representatives from mobile phone carriers, technology companies, consumer advocacy groups, and academia will discuss how these services work; their benefits and risks; industry best practices; and what parents should know about location tracking when their children use mobile devices.  

Location-based services have been the topic of a number of recent Congressional hearings.  Part of the focus at the most recent of these hearings was on children’s privacy.  Senator Rockefeller, Chairman of the Senate Commerce Committee, has sent letters to Apple, Google, and the Association for Competitive Technology with questions to help determine whether the applications running on their mobile platforms comply with the Children's Online Privacy Protection Act (COPPA).

Covington's Lindsey Tonsager To Speak at the Privacy & Data Protection USA Conference

Lindsey Tonsager, an associate in Covington's Privacy & Data Security Group, will be speaking on recent developments in the areas of children's privacy and social networking at the upcoming Privacy & Data Protection USA conference.  The conference will be held at Loyola University in Chicago on Tuesday, May 24, 2011.  Government officials, business executives, sales and marketing directors, and legal experts will gather to discuss how data protection and compliance issues impact European and US companies today and key trends for the future.  More information about the conference, including an agenda and registration information, is available here.

Mobile Hearing Covers Mobile Privacy, ECPA Reform, and Data Breach Issues

This is another big week for privacy. On Monday, Senate Commerce Chairman Jay Rockefeller introduced the Do-Not-Track Online Act of 2011, which we posted about here. And yesterday, the newly created Senate Subcommittee on Privacy, Technology and the Law held its first hearing.  The hearing focused on mobile privacy issues, but also touched on other important privacy-related matters, including reform of the Electronic Communications Privacy Act and data security breaches. The following are highlights from the hearing:

  • Jessica Rich, Deputy Director of the Federal Trade Commission's Bureau of Consumer Protection, testified that the FTC has "a number of active investigations into privacy issues associated with mobile devices, including children's privacy."
  • Ms. Rich also noted that the draft Staff Report published by the FTC in December addresses mobile privacy issues in certain respects, including recommending that companies obtain affirmative express consent before collecting or sharing sensitive information such as precise geolocation data. In response to a question from Senator Al Franken, Ms. Rich explained that location data is especially sensitive because it often involves the data of children and teens and, when gathered over time, can be used to determine what church or political meetings a person attends and when and where a child walks to and from school. She also noted stalking concerns. Ms. Rich also expressed concerns that mobile users are even less likely than other online consumers to read detailed privacy screens, given the small screens of most mobile devices, but noted that the FTC Staff Report recommends clearer disclosures and simpler consent mechanisms. With respect to the status of the Staff Report, Ms. Rich’s written remarks indicate that FTC staff is analyzing the comments it received on its draft Staff Report and will take them into consideration in preparing a final report for release later this year.


California Privacy Claims Survive Motion to Dismiss In NebuAd Lawsuit

In a recent order, Judge Henderson of the District Court for the Northern District of California denied NebuAd Inc.’s motion to dismiss in Valentine v. NebuAd Inc., No. C08-05113 TEH, finding that plaintiffs had sufficient statutory standing to assert claims under the California Invasion of Privacy Act ("CIPA") and the California Computer Crime Law ("CCCL") and that these claims were not preempted by the federal Electronic Communications Privacy Act ("ECPA").

With respect to standing, the Court found that the California Legislature did not intend to limit the right of action under CIPA and CCCL to in-state plaintiffs, and, thus, the out-of-state plaintiffs in this action could bring suit against a California defendant (NebuAd).  (Notably, this analysis pertained to standing under these specific California statutes, not the Article III constitutional standing that was at issue in the recent RockYou decision, which we wrote about here.)  On the preemption issue, the Court rejected the Central District of California’s holding in Bunnell v. Motion Picture Ass’n of Am. that ECPA preempted a CIPA claim.  Instead, the Court said it was more persuaded by the California Supreme Court’s contrary holdings that ECPA does not preempt CIPA in People v. Conklin and Kearney v. Salomon Smith Barney.


California "Do Not Track" Bill Would Prohibit Selling, Sharing Data

Just when the conversation about privacy legislation had shifted to the bills recently introduced by Sen. John Kerry and Rep. Cliff Stearns, California State Senator Alan Lowenthal has recaptured the headlines by amending his "Do Not Track" bill  (S.B. 761) to include a sweeping prohibition against selling, sharing or transferring consumer information. 

Lowenthal's bill would require the California attorney general to adopt regulations requiring entities doing business in California to:

  • Disclose the business's practices concerning the collection, use, and storage of "covered information" (a broad term that includes individuals' online activities, personally identifiable information, and "any unique or substantially unique identifier, such as a customer number or [IP] address");
  • Disclose how the entity uses or discloses that information;
  • Disclose "the names of persons to whom the entity would disclose that information"; and
  • Provide a consumer with a method to opt out of the collection or use of any covered information by the entity.

Amendments introduced Monday would prohibit any entity doing business in California from selling, sharing, or transferring a consumer's "covered information" (a broad term that includes a consumer's online activities and personal information).  The new provision states simply that "[n]otwithstanding any other provision of law and to the extent consistent with federal law, no covered entity shall sell, share, or transfer a consumer's covered information." 

The bill provides a private right of action--and a statutory damages remedy--against entities that willfully fail to comply with its requirements. 

As we've previously noted, S.B. 761 was met with strong opposition from industry when it was introduced earlier this month.  With these new amendments, we expect opposition to grow even stronger.  A hearing is scheduled for May 3.  Inside Privacy will keep you up to speed on this bill's progress. 

 

 

California DNT Hearing Scheduled For May 3

As we have previously posted, California State Senator Alan Lowenthal has introduced do-not-track legislation with the support of Consumer Watchdog and other public advocacy groups.  Most recently, the California Senate Judiciary Committee has scheduled a May 3, 2011 hearing on the bill.  

SB 761 directs the California attorney general to adopt regulations requiring companies that collect online data to allow consumers to opt out of the collection or use of their personal information – including online tracking.  The attorney general would be authorized to include an access requirement so that consumers could access personal information collected about them.  The legislation contemplates that the attorney general could exempt from the requirements of SB 761 commonly accepted practices such as providing a requested service, fulfilling basic business functions, or complying with legal requirements. 

InsidePrivacy will keep you informed of further meaningful developments with respect to this bill and other privacy legislation moving at the federal and state levels.

Online Advertising Industry Finalizes European Self-Regulation Framework

Key players in the European online advertising industry -- including such heavyweights as Google and Microsoft -- have signed a self-regulatory Framework intended to improve transparency and user control when behavioral ads are delivered by a third party (i.e., by a company that is not the operator of the website on which the ad is delivered).  Behavioral ads are based on profiles developed from a user’s web viewing activities across multiple websites.

Under the Framework, behavioral ads will display an icon that, when clicked, will enable users to obtain more information, manage data preferences, and opt out of behavioral advertising altogether.  The signatory companies have committed to implementing the system by June 2012.

The Framework appears to be at least in part aimed at heading off EU regulation.  Behavioral advertising is a controversial issue in Europe and some data protection advocates view such advertising as a threat to privacy.

The European Commission has helped facilitate the development of the Framework.  But the Framework has not received the official endorsement that the Commission gave to a self-regulatory system for RFID earlier this month (see our blog of April 6).  The Commission is expected to re-open the Data Protection Directive (95/46/EC) later this year, which would create an opportunity to propose regulatory measures.

Privacy increasingly a factor in antitrust/competition law analysis

I attended the ABA's Antitrust Law Spring Meeting the last two days.  What struck me the most was the increased prominence of data and privacy as factors in analysis of markets and competition in antitrust law.  This was the topic in the Chairman's Showcase session on Thursday.  Julie Brill, the FTC Commissioner, perhaps made the point the best.  She explained that if privacy is becoming a competitive differentiator (e.g., consumers are persuaded to use one service over another because the chosen service has better privacy practices), then privacy is clearly a non-price factor in competition law analysis.  Commissioner Brill provided an overview of the FTC's report on consumer privacy and emphasized three parts of the report: privacy by design, transparency and choice.  She also emphasized that the FTC was focused on the fact that technical approaches to privacy solutions could impact competition in the market.  However, her view was that standards bodies would mitigate this concern.  Ken Anderson, Assistant Commissioner for Privacy in Ontario, provided an explanation of privacy by design.  Much of the information from his presentation is readily available in a useful video presentation at www.privacybydesign.ca.

HP demonstrated an automated tool that it is testing as part of its privacy by design implementation, which looked impressive. The HP "Accountability Model Tool" sends records and reports to the HP privacy office as products are developed.  Google introduced the audience to the "data liberation front," which enables users to extract their data from Google products - see www.dataliberation.org.


Do "Flash Cookies" Plaintiffs Have Standing to Sue in Federal Court?

As we've described in this recent article, the past year has witnessed a surge in privacy litigation that shows no signs of easing.  Many of these suits involve allegations that defendants have used Flash local shared objects ("Flash cookies") for the purpose of tracking Internet users' browsing activity. Flash cookies differ from traditional browser cookies in that they are stored outside the browser and may be immune to browser privacy controls.  Also, as explained in a widely cited article [PDF], Flash cookies can be used to recreate deleted browser cookies (a practice known as browser cookie "respawning").  Citing these characteristics, plaintiffs in more than a dozen class action cases have alleged that certain companies use Flash cookies in order to circumvent users' browser privacy controls, allegedly in violation of federal and state law.

As noted in this previous post, many of the suits have settled.  But at least one company, the ad network Specific Media, appears poised to continue to contest the suit [PDF] filed against it last August in the Central District of California.  On February 17, Specific Media moved [PDF] to dismiss the case, arguing (among other things) that even if the plaintiffs' allegations were true, they have failed to show that they have suffered any legally significant injury.  Here, Specific Media contends that the plaintiffs have not sufficiently alleged that the use of Flash cookies caused them to suffer a concrete and particularized "injury in fact," which is required to bring suit in federal court.  This argument has been raised in numerous other cases arising from the alleged collection and sharing of information online for advertising purposes. 

Earlier this month, the plaintiffs filed what, to our knowledge, is the first fully articulated theory of standing in cases of this kind.  In their opposition [PDF] to the motion to dismiss, the plaintiffs argue that Specific Media's use of Flash cookies hurt them in two ways.  First, the plaintiffs assert that the use of Flash cookies for tracking--which, the plaintiffs contend, Specific Media did surreptitiously--deprived them of the economic value of their personal information.  Second, they contend that the use of Flash cookies affected the performance of their computers and their web browsing experience.  Specifically, the plaintiffs claim that the use of Flash cookies caused websites in Specific Media's ad network to load more slowly than they otherwise would have.  Specific Media's reply brief is due early next month.

These arguments seem unlikely to be sufficient to overcome Specific Media's standing challenge.  The plaintiffs cite essentially no authority in support of their assertions that collection of personal information causes a legally cognizable injury, and, as Specific Media points out, several cases appear to stand for the contrary proposition.  As for the allegations about Flash cookies' harmful effect on the performance of their computers, it is perhaps possible that these will enable the plaintiffs to survive Specific Media's facial challenge to the adequacy of the complaint's standing allegations.  However, it seems unlikely that the plaintiffs will ultimately be able to show this alleged injury.  Thus, even if the plaintiffs survive Specific Media's motion to dismiss, they may face a more difficult standing challenge at a later stage of the case.  

We will continue to watch the Specific Media case closely, as it may prove to be the first of the Flash cookies cases to yield a decision on whether plaintiffs in these kinds of cases may pursue their claims in federal court. 

 

FTC Reaches Settlement with Online Advertiser Chitika on Opt-Outs

Earlier this week, the Federal Trade Commission announced that it has reached a settlement with Chitika, Inc., an ad network that tracks a user’s online activities in order to deliver advertising targeted to the individual user's interests.  In its complaint, the FTC claimed that Chitika made statements that (1) users could opt out of targeted advertising by clicking on an "Opt-Out" button and (2) users who clicked on the button "are currently opted out." The FTC also alleged that Chitika's cookie-based opt-out mechanism lasted only 10 days, and that Chitika did not inform users about the duration of the opt-out.  The FTC claimed that Chitika's statements constituted a representation that Chitika's opt-out will last for a "reasonable period of time," and that because 10 days is not a reasonable period, its statements were deceptive. 

As part of the settlement, Chitika must include a hyperlink in every targeted ad that takes consumers to a clear opt-out mechanism.  User opt outs must be effective for at least five years. 

The settlement may help inform industry's ongoing development of innovative opt-out tools for consumers to control whether information is used for targeted advertising.  The Consent Order not only suggests that five years is a "reasonable" period of time for a user's opt-out selection to last, but it also reaffirms that cookie-based opt-out methods are an acceptable means for allowing consumers to opt out of targeted advertising.  Importantly, the Consent Decree carves out from the five-year effective period scenarios where a user deletes his or her cookies or takes deliberate action to disable the mechanism.

Administration Calls for Privacy Legislation

Speaking at today’s Senate Commerce Committee hearing on “The State of Online Consumer Privacy,” Assistant Secretary of Commerce Lawrence E. Strickling stated that the Obama administration supports comprehensive privacy legislation.  As we noted in yesterday’s post, this announcement represents a shift in Administration policy.  Although in its December 2010 “Green Paper,” Commerce recommended that consumers’ online activities be subject to greater protections, the Department stopped short of embracing baseline legislation as the way to ensure such protections.  Strickling explained today that after reviewing the dozens of comments submitted in response to the Green Paper, the Department concluded that privacy legislation should be the foundation of the U.S. privacy framework.


UK Information Commissioner Issues (Vague) Warning on Cookies

Since the 2009 amendments to Article 5(3) of the ePrivacy Directive (2002/58/EC) regarding cookies and consent, there has been considerable debate over what web sites and ad networks must do in order to deploy cookies lawfully, and over what constitutes informed consent from users (e.g., opt-in versus opt-out).  For a flavour, see the Article 29 Working Party Opinion 2/2010 on online behavioural advertising, strong opposition to this opinion from industry (pointing out that an opt-in consent regime for cookies would seriously disrupt online services), and even comments from the rapporteur for the Directive, Alexander Alvaro, trying to clear up what is required. 

Member States have until May of this year to implement these changes to the Directive in national law.  Following early indications that the UK would reject an opt-in system for cookies and simply copy the wording of the Directive leaving it to the UK Information Commissioner (“ICO”) to adjust to changes in usage and technology, the ICO today issued a warning to businesses and other organisations that run websites in the UK that they are going to have to “wake-up” to the fact that changes are being made soon. 

Although it is still not clear exactly what they are going to have to “wake up” to, industry may take some solace from the ICO's statement that “changes must not have a detrimental impact on consumers nor cause an unnecessary burden on UK businesses,” and that “one option being considered is to allow consent to the use of cookies to be given via browser settings.”   Ed Vaizey, Minister for Culture, Communications and the Creative Industries, also said that the Government does not expect the ICO to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies.

It therefore remains to be seen how the law will be implemented and enforced in the UK (as well as in the other Member States).  The Internet Advertising Bureau has issued a reaction to the ICO statement, expressing concern about confusion for consumers and businesses following the ICO's warning, and emphasising that industry is working hard with the UK Government, the ICO and other stakeholders on potential solutions to help meet the informed consent provisions of the law.

Growing Diversity in Advertising Opt Outs

A former intern at the controversial company RapLeaf has launched a new privacy manager site called SelectOut, which helps users opt out of behavioral advertisements online.  As of the end of January, SelectOut had already facilitated 50,000 opt outs.  

SelectOut offers similar features to the opt-out features available at AboutAds.info, a site sponsored by the Internet advertising industry.  Sites like AboutAds and SelectOut, as well as the newly developed "do not track" features for leading browsers, show a hopeful trend towards the development of the kinds of win-win technological features that benefit consumers while maximizing choice.

UK Extends CAP Code Restrictions to Online Businesses

On March 1, the scope of the UK's Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing ("CAP Code") was significantly expanded to apply to a variety of new technologies, including online social networks, online video advertisements, viral advertisements, in-game advertisements, advertisements transmitted via web widgets, and online sales promotions and prize promotions.  The Code regulates non-broadcast marketing communications in the UK, and includes rules intended to prevent misleading or deceptive advertising, as well as to protect vulnerable classes, including children.

Going forward, advertisements and other marketing communications by or from companies, organizations or sole traders on their own websites, or in other non-paid-for space online under their control, that are directly connected with the supply or transfer of goods, services, opportunities and gifts will fall under the Code. 

The CAP Code underpins the UK's self-regulatory framework for regulating marketing and promotional communications over non-broadcast mediums, and the Committee of Advertising Practice (CAP) and the UK's Advertising Standards Authority (ASA) oversee its application and enforcement, with backstop enforcement provided by the UK's Office of Fair Trading. 

Privacy Lawsuit Against Cable One Dismissed

Today the District Court for the Northern District of Alabama dismissed the class action lawsuit filed against our client, Cable One, Inc., for lack of subject matter jurisdiction because the named plaintiff lacked standing.  The litigation arose out of a limited test of NebuAd Inc.’s “deep packet inspection” technology, which was used to create anonymous, non-sensitive interest categories for subscribers for the purpose of serving targeted ads.  Of six putative class actions filed against Internet service providers in connection with tests of this NebuAd technology, this is the only one to be dismissed to date. 

Cable One initially was sued in the Northern District of California along with NebuAd, Inc., and five other ISPs—Bresnan Communications, CenturyTel, Embarq, Knology, and Wide Open West.  Covington's team of Simon Frankel and Mali Friedman secured the dismissal of that complaint against Cable One in October 2009 for lack of personal jurisdiction. 

Plaintiff’s counsel then filed a complaint against Cable One in Alabama (where Cable One was alleged to have allowed NebuAd to conduct its test). In the course of responding to discovery, plaintiff’s counsel stipulated to dismiss with prejudice the Computer Fraud and Abuse Act (“CFAA”) claim and related common law claims—the first dismissal of a CFAA claim in any lawsuit involving the NebuAd technology.  The Covington team of Eric Bosset and Andrew Bernie, along with Frankel and Friedman, also established in discovery that the named plaintiff lacked standing to sue on the remaining claim brought under the Electronic Communications Privacy Act (“ECPA”).  The court disposed of the action on Covington's motion to dismiss today.

For more information on private actions challenging online data collection practices, please see our recent publication in the Intellectual Property and Technology Law Journal and E-Alert.

Apple Sued Again For Alleged Privacy Violations

For the fourth time in the past two months, Apple has been sued for allegedly violating the privacy of iPad and iPhone users.  Like the previous three suits (two of which we discussed in this post), Rodimer v. Apple, Inc. [PDF] alleges that Apple transmitted "personal information," including Unique Device IDs ("UDIDs") to application developers, who, in turn, shared the information with mobile advertising networks.  The complaint, filed this past Tuesday in California federal court, names a number of application developers--including The New York Times Co., Pandora Media, and National Public Radio--as well as several mobile advertising firms. 

Although the 92-page complaint is long on detail, it may come up short at the motion-to-dismiss stage given that it does not appear to allege sufficiently that the defendants' acts caused any injury to the plaintiffs.  The closest the complaint comes to alleging injury is its discussion of the lead plaintiff's "belief" that after accessing certain applications on his iPhone, the device's UDID was transmitted to application developers and their advertising affiliates. 

The complaint goes on to allege that the lead plaintiff "believes" that the transmission of the UDID "permitted one or more objects within his mobile device" to be used to facilitate the tracking of his online activities and geolocation so that the device could be sent targeted advertisements.  It appears that the sole basis for this belief is that the iPhone at some point began to operate "more slowly," leading the plaintiff to believe that the "Defendants [had] used his bandwidth."

These vague allegations of harm may be insufficient to establish standing to sue in federal court.  A recent dismissal [PDF] of a privacy suit by the U.S. District Court for the Central District of California on standing grounds suggests that plaintiffs alleging the kind of speculative harm that the Rodimer plaintiffs assert may be unable to maintain their suits.     

Roundtable, Commissioner Brill Discuss Preliminary FTC Staff Report

We have previously reported on the Federal Trade Commission’s December 2010 preliminary staff report, “Protecting Consumer Privacy In An Era of Rapid Change.”  With the February 18, 2011 extended deadline to comment on the report quickly approaching, the Berkeley Center for Law & Technology held a roundtable on Browser Privacy Mechanisms last week. 

Participants included spokespersons from the FTC, privacy groups such as the Center for Democracy & Technology and Electronic Frontier Foundation, representatives from Microsoft, Google, and Mozilla, and leading academics and technologists.

FTC Commissioner Julie Brill noted that although most of the buzz around the preliminary staff report has focused on Do Not Track, the report has three principal components—Privacy By Design, Choice, and Transparency.  She commented that although industry has been slow to deal with these issues in the past, the response this time appears to be much stronger and more focused.  As of the roundtable, the FTC already had received more than 200 comments and expects the Commission’s server to be tested by the volume of comments anticipated on the deadline.

Brill also outlined the five components by which FTC will judge a choice mechanism offered to consumers (whether through a self-regulatory mechanism or congressional action).


Ringleader Agrees to Settle Privacy Suits

Ringleader Digital -- an online advertising firm specializing in the mobile market -- has agreed to settle two putative class actions that were filed against it last fall.  The plaintiffs alleged that Ringleader violated the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030, as well as various state privacy and consumer protection laws, by using HTML5 software to track users' online activities.  Under the proposed settlement agreement [PDF], Ringleader will pay $30,000 to the named plaintiffs in both actions and $670,000 in attorneys' fees.  The proposed agreement also provides for significant injunctive relief.

This is the second notable settlement of a privacy litigation in the past three months.  As we discussed in a previous post, online marketing firms Quantcast and Clearspring settled several privacy suits arising from the alleged use of "Flash cookies" to track users' browsing activities for advertising purposes.  As with the Quantcast/Clearspring settlement, the settlement announced in the Ringleader cases is somewhat surprising given the strong defenses Ringleader appeared to have to the asserted claims and the limited release obtained.  Eric Bosset, Simon Frankel, Mali Friedman, and I recently published an article in the Intellectual Property & Technology Law Journal that details some of those defenses.        


What Wired's "Ultra Personalized" Take on Privacy Means for You

Blog readers in the U.S. may have missed this month's Wired U.K., which included "ultra personalized" covers that provided detailed information about each of a small number of subscribers who received it.  The cover included hand-collected data about subscribers' telephone numbers, social networking activities, eBay purchases, property sales, and other activities, and was designed to highlight Wired's cover story on "what the end of privacy means for you."

Wired has received mostly positive reactions, and a fair amount of attention, concerning its cover.  U.K. journalist Benjamin Cohen blogged after receiving the magazine that he was "shocked" at how much Wired learned about him, including details such as the address to which Cohen's parents had moved and the fact that he recently had a meeting with an ex-boyfriend.

Writer Andrew Losowsky observes that this is not the first time magazines have offered hyper-personalized content, but the cover comes at a time when the policy debate over information privacy continues at a rapid clip, with the FTC and NTIA in the U.S. working to develop new frameworks for regulating privacy and the EU regulator taking a hard look at data security.

It will come as no surprise to privacy professionals that online sources and government records can include information about individuals -- particularly if those individuals do not use existing social media privacy settings, as Cohen says he did not.  But, just as a series of reports in the Wall Street Journal last year led to a high-profile congressional investigation, renewed attention to consumer privacy issues in the press has the potential to focus regulators' attention on these issues as they consider whether new legislation in the U.S. is necessary to address concerns about consumer privacy.

Later this week, we'll look in more depth at the major considerations that are likely to influence regulators' approach to privacy in the coming year.

Banks Explore Advertising On Customer Bank Statements

The Washington Post has published an article describing a relatively new arena for behavioral advertising: your online bank statement.  Participating banks serve marketing to their customers based on the customer's spending history.  These promotions may be particularly valuable to advertisers because they are targeted based on how a customer actually spends his or her money and because customers can take advantage of advertised discounts without printing out coupons -- if you click the associated link, the advertiser will recognize your debit card the next time it is swiped. 

The banks and their advertising partners have defended against privacy concerns by pointing out that customers may opt out and noting that, because the ad software runs on the bank's server, customer data need not leave the bank's secure network.  The federal banking regulators have not yet chimed in on this practice.  The FTC's recent draft report on consumer privacy suggests that the FTC is inclined to treat financial information as sensitive information, subject to an opt-in consent requirement for data practices that are not "commonly accepted."  The draft report does not define financial information.

Adobe Commits To Providing Users Control over "Flash Cookies"

Adobe's Flash Player includes a local storage feature that enables websites and applications to remember consumer data, such as log-in credentials and form information.  However, media and data companies' use of this feature, which is sometimes referred to as a "Flash cookie," has been the subject of a number of recent lawsuits.  Specifically, plaintiffs allege that defendants used the local storage feature to keep regular HTTP cookies alive, even after a user deleted them.  

Earlier this week, Adobe announced that it is taking steps to improve consumers' control over the information that is stored in local storage.  This move follows the FTC's request in its recently released preliminary staff report for companies to "create better tools to allow consumers to control the collection and use of their online browsing data."  Adobe's announcement is another example that industry is taking the FTC's call for "do-not-track" mechanisms seriously. 

Comcast/NBCU Commit To Limit Interactive Advertising in Children's Programming

Earlier this week, Comcast -- the largest cable operator in the U.S. -- stated in a filing to the Federal Communications Commission that it would commit to limit interactive advertising in children's programming as a condition of obtaining approval of its acquisition of NBC Universal.  Specifically, as long as they have control over the program's advertising, Comcast and NBCU will not insert interactive advertising into broadcast and cable programming that targets an audience of children 12 years old and younger.  Comcast defined "interactive advertising" to mean:

advertising for commercial products that is primarily targeted to children 12 and under and includes: interactive, overlap pop-up advertising; telescoping; long-form advertising (but does not include enabling the consumer to 'telescope' to additional linear or on demand programs); voting or polling requests that promote a product or service or gain information about consumer commercial preferences; T-Commerce that enables a consumer to purchase advertised products using a remote; and branded, interactive gaming which promotes a product.

In 2004, the FCC released a Notice of Proposed Rulemaking on interactive advertising, but the Commission hasn't taken any further action to adopt any new rules in this area.  In its Notice, the FCC tentatively concluded that it should prohibit interactivity during children's programming that connects viewers to commercial matter unless parents opt in to such services.  As noted by FCC staff during a recent ABA program on marketing to minors, however, industry and even some consumer groups have urged that requiring opt-in consent for interactive advertising in children's programming might not be the right approach.   As technology improves and interactive advertising becomes more widely used, marketers should pay attention to this ongoing proceeding.    

ABA Program on Marketing To Minors

Yesterday, the American Bar Association Forum on Communications Law and the ABA Center for Continuing Legal Education sponsored the program "Marketing to Minors: Traps for the Unwary in a Rapidly Evolving Legal Landscape."  Representatives from the Federal Trade Commission, Federal Communications Commission, and Gannett provided an overview of the current rules for marketing to children, discussed the status of a number of ongoing proceedings that propose changes to these rules, and explained how industry is reacting. 

Of particular interest were the remarks of Phyllis Marcus, senior staff attorney in the FTC's Division of Advertising Practices.  Ms. Marcus explained why the agency is undertaking a review of its COPPA Rule and noted that she didn't think the agency was "too far away" from making a decision on whether or not the Rule needs updating.  (COPPA governs website operators' online collection, use, and disclosure of personal information from children under 13.)  Ms. Marcus also explained that, even though Facebook requires users to be 13 or over, marketers with Facebook pages "should be reviewing pages and unfriending people who are, or appear to be, underage."  She acknowledged that some might view this interpretation as "controversial," but encouraged marketers to adopt this approach as a best practice.  And if a marketer's Facebook page is likely to attract children, she warned that the marketer needs "to be very, very careful."

Come Clean on Paid-For Tweets, says UK Authority

The Office of Fair Trading, the UK's answer to the FTC, has established its position on paid-for plugging on social media websites.  According to an announcement issued last month by the OFT relating to an enforcement action pursued against a small UK media firm, online advertising and marketing that fails to disclose that it contains paid-for promotions or commentary on particular products is misleading to the public and potentially a violation of UK consumer protection laws.  This applies not only to traditional marketing, but also to commentary about services and products published on web blogs and microblogs such as Twitter.

There is some anticipation that the OFT will launch a crackdown on celebrities who are given financial incentives to "tweet" about their favorite products.  When questioned, though, a spokesperson for the OFT was tight-lipped about its enforcement approach going forward.  Importantly, no concrete guidelines on appropriate behaviour have been developed in the UK yet.  The FTC, however, released guidance more than a year ago on product testimonials and celebrity endorsements.  For more information, please refer to Covington & Burling's client e-alert discussing these guidelines.

New Law Prohibits Caller ID "Spoofing"

Last week, President Obama signed into law the "Truth in Caller ID Act," which prohibits the practice of providing false caller ID information in order to deceive the call recipient (better known as caller ID "spoofing").  Specifically, the Act prohibits the use of "misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value[.]"  The Act amends section 227 of the Communications Act of 1934 (47 U.S.C. § 227) and gives the FCC six months to create implementing regulations.  Violators of the statute could face civil forfeiture penalties or, if the violation is willful and knowing, criminal fines and even jail time.

"Truth in Caller ID" appears to be part of a larger government effort to rein in caller ID abuses that have grown more prevalent as the service has become more widely used to avoid telemarketing calls.  As we discussed in a previous post, the FTC currently is considering whether to strengthen its rules requiring telemarketers to disclose their identities through caller ID.

CFAA and Wiretap Act Claims Filed Against Apple and App Developers

Last week, iPhone and iPad App users filed two separate class action complaints against Apple and iOS App developers in the Northern District of California.  (The complaints are currently captioned Freeman v. Apple, Inc. and Lalo v. Apple, Inc.)  In both, the plaintiffs charge the defendant App developers with accessing and sharing personal information, including Unique Device IDs (“UDIDs”) and geolocation information, without prior consent in violation of the Computer Fraud and Abuse Act and California law.  The Lalo plaintiffs also allege violations of the Electronic Communications Privacy Act.  The complaints were filed shortly after the publication of a Wall Street Journal report (that we previously reported on here) that looked at 101 popular iPhone and Android Apps and found that many of them transmit UDID and geolocation information to third party advertising networks without obtaining permission from users.   

Regulators in the U.S. and abroad have expressed concern about the collection and use of geolocation information.  Most recently, the Federal Trade Commission’s draft report on consumer privacy indicated that precise geolocation data is sensitive information and that the Commission supports affirmative express consent where companies collect such data.

New Canadian Law Regulates Spam

After much mulling, the Canadian Parliament passed, on December 16, Bill C-28, the Fighting Internet and Wireless Spam Act, which creates a new regime for businesses engaged in online marketing.  The legislation regulates commercial “electronic messages,” a term defined broadly to include e-mail, instant messaging, text messages, and messages on “any similar account” -- a catch-all category that potentially could include messages on Facebook and Twitter.  The law also provides a new private right of action, modeled on the CAN-SPAM Act in the United States.

No date has been set for the legislation to come into force.  The federal cabinet will establish implementation timelines. 

The FTC Seeks To Recover Millions Of Dollars In Unauthorized Charges

Last week, the FTC filed a complaint against an Internet-based enterprise that allegedly caused hundreds of thousands of consumers to pay millions of dollars in unauthorized credit card charges.  According to the complaint, the defendants’ websites advertise the availability of government grants to pay personal expenses and offer “free” information at no risk.  The websites ask consumers to provide credit or debit card numbers to pay a small shipping and handling fee, but consumers are charged large one-time fees of up to $129.95 and monthly recurring fees of up to $59.95 for the grant services. 

The FTC also has accused the defendants of posting deceptive positive reviews and testimonials.  The FTC has asked for the court to order refunds for affected consumers and for disgorgement of all ill-gotten payments, among other relief.

Court Holds Subscribers Consented to "Deep Packet Inspection"

The United States District Court for the District of Montana has dismissed several class action claims against the Internet service provider Bresnan Communications arising out of its partnership with the controversial (and now defunct) online advertising firm NebuAd.

Bresnan subscribers alleged that the ISP allowed NebuAd to test a system to profile subscribers’ online activity using deep packet inspection ("DPI") for the purpose of serving targeted ads.  The system allegedly enabled NebuAd to (1) intercept and read essentially all subscriber communications transmitted over Bresnan's network and (2) set cookies by forcing users' browsers to send requests to a NebuAd server.  The plaintiffs pleaded claims under the Wiretap Act and the Computer Fraud and Abuse Act ("CFAA") as well as several state law claims.  The court dismissed the Wiretap Act and a state law claim, finding that the plaintiffs had impliedly consented to any interception and had no reasonable expectation of privacy in the contents of their communications.  The court pointed to statements in Bresnan's privacy notice and subscriber agreement that disclosed the possibility of tracking. 


FTC's Chief Technologist Explains "Do Not Track"

In an interview with ClickZ, the FTC's incoming chief technologist, Edward Felten, provides insight into the scope of the Commission's proposed "Do Not Track" mechanism and how compliance could be enforced.  Felten makes three key points:  

  • The proposed mechanism applies only to third-party tracking for behavioral advertising.  It would not apply to a publisher's use of a service provider for website analytics -- that is, unless the analytics provider makes further use of the data it collects.
  • It makes sense to first offer a Do Not Track mechanism in the traditional web context while continuing to examine its feasibility for other technology platforms (including mobile and gaming devices).
  • The FTC's enforcement role will depend on whether Do Not Track is created by self-regulation or legislation.  If the former, the FTC's role may simply be to prevent companies from misrepresenting their compliance with the system.  But if Do Not Track becomes law, the FTC may be in the position of investigating improper tracking.

The Do Not Track mechanism is part of the FTC's recently proposed framework for privacy protection.  You can read our summary of the framework here.  The Commission has invited comments on its proposal, which are due by January 31, 2011.

Commerce Privacy Report Comments Due January 28

The Department of Commerce's request for comments on its "green paper" regarding Internet privacy was just published in the Federal Register.  Comments on the paper are due January 28, 2011.

More information and Covington's analysis of the green paper are available in our earlier post.

Mobile Marketing Association to Create Privacy Guidelines

Just days after the Wall Street Journal reported that a number of popular mobile phone applications have been transmitting information about users to third parties without consent, the Mobile Marketing Association has announced a plan to create privacy guidelines for mobile advertising.  The Journal's article had quoted an MMA official as saying that "[i]n the world of mobile, there is no anonymity."  

The MMA's announcement comes amid increasing scrutiny of the data practices of entities in the mobile advertising ecosystem. Earlier this year, a well-publicized study by researchers at Penn State, Duke, and Intel Labs found, among other things, that certain Android applications transmitted user location information to advertisers without first notifying the user of the transmission or obtaining consent.  In addition, two lawsuits have been filed against Ringleader Digital, a mobile ad network, for allegedly using HTML5 software to track users without their knowledge or consent.  The Journal's coverage of the privacy issues relating to applications will likely lead to more suits, just as many of its recent articles have spurred litigation.       

European Parliament Says Targeted Online Advertising Threatens Privacy

The European Parliament has approved a resolution asking the Commission to carry out an in-depth study of “new advertising practices.”  Parliament is concerned about “the routine use of behavioral advertising and the development of intrusive advertising practices (such as reading the content of e-mails, using social networks and geolocation, and retargeted advertising) which constitute attacks on consumers’ privacy.”

The resolution also calls on the Commission to ensure that existing rules are enforced and to undertake a number of additional actions, including: (i) prohibiting the reading of e-mail content by third parties for advertising or commercial purposes; (ii) ensuring the application of techniques making it possible to distinguish advertising tracking cookies from other cookies, and (iii) developing an EU website labeling system certifying a site’s compliance with data protection laws. 

The Commission is not obliged to take action in response to Parliament’s requests.  The Commission is, however, currently reviewing the European data protection framework and it's possible that the resolution could influence reform proposals expected next summer.

Vermont Seeks Supreme Court Review of Second Circuit Medical Privacy Ruling

The State of Vermont is petitioning the Supreme Court to review a Court of Appeals decision holding that the State’s prescription confidentiality law is unconstitutional.

The law at issue prohibits regulated entities from selling or using records containing prescriber-identifiable information—i.e., information linking prescribers to prescriptions for particular drugs—for marketing or promoting prescription drugs, unless the prescriber consents.

The Court of Appeals for the Second Circuit ruled that the law is an impermissible restriction on commercial speech under the First Amendment, reversing and remanding the district court.  This ruling is being compared to two First Circuit decisions upholding prescription confidentiality laws in Maine and New Hampshire.

In its petition, Vermont points to other States that have considered legislation to restrict the commercial use of prescriber-identifiable data, and urges the Supreme Court to weigh in to provide States and other regulators with “guidance as to the scope of their ability to allow individual Americans to control access to and use of their information.”

New York's Do Not Call Law Now Covers "Robocalls"

New York has amended its Do Not Call law to cover automated telephone calls that deliver pre-recorded messages--so-called "robocalls."  The New York law generally prohibits businesses from making "telemarketing sales calls" to consumers who have registered their telephone numbers on the national Do Not Call Registry, which is administered by the FTC and FCC. 

The heart of the amendments, which took effect on December 11, is the redefinition of "telemarketing sales call."  While the previous version of the law defined that term to mean only "a call made by a telemarketer to a customer," the revised definition also covers calls made using "any outbound telephone calling technology that delivers a prerecorded message either to a customer or to their voicemail or answering machine service."  The amendments also set limits on when a telemarketer may place calls (only between 8 a.m. and 9 p.m.) and require that telemarketers disclose at the outset of any call: (1) the telemarketer's name and the person on whose behalf the call is being made; (2) the purpose of the call; and (3) the goods or services the telemarketer is selling. 

New York's changes come as the FTC and FCC re-examine their telemarketing rules (a development Dan Kahn discussed in his December 13 post) and exemplify regulators' renewed concerns about protecting consumers from unsolicited calls in the evolving telecommunications environment.  While New York's amended Do Not Call law does well to recognize the increasing prevalence of automated calls, it is unclear whether the law will actually address consumer complaints, which have tended to arise from receiving large numbers of automated political calls before elections.  Such calls, along with calls from charities and from businesses with which a consumer has an existing relationship, are exempt from federal and state regulation. 

FTC Seeks Comment on Strengthening Caller ID Requirements for Telemarketers

The Federal Trade Commission is asking for comments on whether to strengthen its rules requiring telemarketers to disclose their identities via caller ID.  The FTC’s notice suggests that the agency is taking aim at what it perceives to be deceptive identification disclosure practices.

The FTC currently requires telemarketers to disclose their telephone number and, when technically feasible, their names.  In its request for comments, the FTC suggests that some telemarketers have chosen to show numbers only tangentially related to them or to show misleading terms like “Warranty Alert” in the name field.

Rather than propose specific rule changes in response to these concerns, the FTC asks for feedback on how the caller ID requirement should be altered.  For instance, the FTC asks whether it should more carefully define the required identifications and whether the agency should now require all telemarketers to disclose their names regardless of their service providers’ capabilities.  While most of the questions in the notice focus specifically on caller ID, the agency also implied that it might consider broader changes to its rules governing telemarketing practices.

The FTC’s inquiry is ongoing as the Federal Communications Commission considers changes to its rules regarding telemarketers’ disclosure of caller identification information during “robocalls.”  The FCC, like the FTC, has proposed changes that could impose tougher requirements on companies that market by telephone.

Comments on the FTC's inquiry are due January 28, 2011.

Quantcast, Clearspring Agree to Settle "Flash Cookies" Suits

Just two days after the Director of the FTC's Bureau of Consumer Protection announced that the agency would not tolerate an "arms race" aimed at developing technologies that subvert user choice regarding online tracking, two firms accused of employing such technologies agreed to settle lawsuits against them.  Quantcast and Clearspring--which provide web analytics and certain functionality to consumer-facing websites--were named in several class action complaints this summer.  The suits alleged that the companies used "Flash cookies" (i.e., local shared objects stored in the memory of Adobe's Flash Player plug-in) to track user activity on websites where Quantcast and Clearspring provide their services.  The publishers of some of those sites were also named in the suits.  

Although the use of traditional "HTTP" cookies for tracking has become so commonplace as to be relatively uncontroversial, Flash cookies have been criticized because they are unaffected by browser privacy settings.  Moreover, as noted by researchers at UC-Berkeley, Flash cookies can be used to re-create or "respawn" browser cookies after a user deletes the latter.  The plaintiffs in the Quantcast and Clearspring cases seized on these distinctive qualities in asserting that the defendants used Flash cookies to "circumvent" users' privacy settings.  The complaints included claims under the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Video Privacy Protection Act, and various state laws.
