The FCC’s ruling interprets two subsections of the TCPA. The first subsection — 47 U.S.C. § 227(b) — includes several restrictions, including a general prohibition on making calls to landline or mobile telephones using a prerecorded message without  the recipient’s prior express consent. Section 227(b)(3) allows individuals or companies to bring private lawsuits “based on a violation of this subsection” or the FCC’s implementing regulations.

A separate portion of the TCPA — 47 U.S.C. § 227(c) — authorizes the FCC to set up a national Do Not Call registry, which the FCC did in coordination with the Federal Trade Commission several years ago. Section 227(c)(5) authorizes private lawsuits by individuals who receive “more than one telephone call within any 12-month period by or on behalf of the same entity” in violation of the Do Not Call rules.

Last week’s declaratory ruling came in response to questions referred to the FCC by two federal courts in two separate TCPA-based lawsuits.

In accordance with the federal courts’ referrals, the parties in both cases petitioned the FCC to interpret the relevant TCPA provisions and regulations and determine whether sellers like DISH could be liable for unlawful telemarketing calls made by dealers or other third parties.

The FCC concluded that a seller is not always liable for calls made by third parties for the seller’s benefit, but that sellers may be held vicariously liable for the conduct of third-party telemarketers in some circumstances. Specifically, the FCC concluded that, at a minimum, federal common law principles of agency law allow a seller to be held vicariously liable under either statutory provision if the telemarketer acts as the seller’s agent or has “apparent authority” to do so, or if the seller ratifies the telemarketer’s conduct.

The FCC provided “illustrative examples” of situations in which sellers might be vicariously liable for telemarketers’ conduct, such as situations in which:

• the seller approves, writes, or reviews telemarketing scripts;
• the seller gives telemarketers access to customer information or the seller’s internal systems;
• the seller authorizes telemarketers to use the seller’s trade name, trademark and service mark;
• the seller “knew (or reasonably should have known) that the telemarketer was violating the TCPA on the seller’s behalf and the seller failed to take effective steps within its  power to force the telemarketer to cease that conduct.”

In a partial dissent, Commissioner Ajit Pai argued that the majority incorrectly interpreted the two TCPA provisions at issue to incorporate the same standard of vicarious liability, even though the provisions’ language differs. Pai argued that, given the language of the TCPA’s do-not-call provision, “the Commission should give meaning to [the words] ‘on behalf of’ and impose third-party liability for do-not-call violations whenever a telemarketer initiates a call on a seller’s behalf, even if that telemarketer is not under the seller’s control.”

The majority decision left open the possibility that the FCC could in the future interpret the TCPA to allow “a broader standard of vicarious liability for do-not-call violations,” but said the agency could not establish such a broad standard in a declaratory ruling, given the FCC’s existing precedent.

The FCC also recently released a Small Entity Compliance Guide outlining changes to the TCPA rules that were adopted by the FCC in early 2012 and that began taking effect last fall. Among other changes, the revised rules require all prerecorded telemarketing calls to include an automated, interactive opt-out mechanism throughout the duration of the call, as well as a toll-free telephone number that can be contacted to opt out when a prerecorded telemarketing message is left on voicemail. That rule took effect in January. As of October 16, 2013, prior express written consent will be required to transmit prerecorded or autodialed telemarketing calls to wireless numbers, and the established business relationship exception will no longer apply to prerecorded telemarketing calls to residential lines.

The letters were sent to US companies and foreign companies that the FTC claims direct their apps to children in the US.  The letters focus on the collection of persistent identifiers and photographs, videos, and audio containing a child’s image or voice.  The FTC did not identify the companies receiving the letters, but made templates of the different versions available on its website, including a letter to:  (1) US companies with apps that collect persistent identifiers; (2) US companies with  aps that collect videos, images, or audio of kids; (3) foreign companies with apps that collect persistent identifiers; and (4) foreign companies with apps that collect videos, images, or audio of kids.

The letters suggest that the FTC could continue to focus attention on kid-directed mobile apps once the revised COPPA Rule takes effect.  In February 2012 and December 2012, the FTC released reports analyzing hundreds of kid-directed mobile apps and concluding that many app developers could be doing more to provide clear and complete notice of their privacy practices.  And earlier this year the FTC entered into a consent decree with mobile app developer Path for alleged COPPA violations.  

Harris alleged that Delta Airlines violated the California Online Privacy Protection Act (“CalOPPA”) by failing to include a privacy policy on its mobile app. The lawsuit, in the California Superior Court in San Francisco, was the first enforcement action under CalOPPA since it came into force in 2004. 

On Thursday, the district court granted Delta’s motion to dismiss the complaint, concluding that the Airline Deregulation Act (ADA) pre-empts the state’s claims. The ADA provides that “a State….may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier.” Courts have construed the scope of preemption by the ADA broadly, and the majority of courts which have considered the issue have held that the ADA preempts the application of state consumer protection laws to airlines. See Morales v. Trans World Airlines, 504 U.S. 374 (1992). The judge decided that the operation of a mobile app for air travel services is “related to price, route or service of an air carrier” and thus agreed with Delta’s argument that the California AG’s claim is pre-empted.

Harris has stated that she plans to police mobile app privacy using CalOPPA. Her office released a set of best practices for mobile app privacy policies in January, a month before the Federal Trade Commission released its own mobile app guidelines. But considering federal regulators’ interest in the issue, it is debatable whether, like the Delta case, such matters are better left for enforcement at the Federal level.

Delta added a prominent link to its privacy policy on the home screen of the Fly Delta App not long after the filing of the suit and has had a public privacy policy on its main Web site all along.

• collects or modifies a user’s personal information without express notification and user consent;
• accesses a network without express notification or consent, causing unauthorized bandwidth use, monetary loss, information disclosure, or other negative consequences;
• affects the smart device’s normal operations or the safe operation of the telecommunications network;
• contains content restricted by PRC law (e.g., obscene, anti-government, or hate speech); or
• infringes a user’s personal information, safety, legitimate rights or interests, or prejudices the security of network information.

Notably, the regulation focuses only on “pre-installed apps” and not, as in a previous draft version, “pre-installed apps” and “[applications] provided by other means.”  This revision may reduce the likelihood that regulation would apply to apps installed post-sale, e.g., apps delivered via app stores, although we understand that MIIT is also currently drafting regulations targeting mobile app stores.  An earlier draft contained a provision, absent in the final regulation, that would have extended the app restrictions described above to certain unnamed “partners” of smart device manufacturers.  This revision clarifies that the regulation applies only to smart device manufacturers applying for or in possession of a network access license for the products they manufacture.

The new regulation emerges following increased national attention on consumer personal information disclosures.  Most notably, China’s annual consumer affairs show -- the “March 15 Consumer Rights Day Gala” produced by state-run CCTV -- contained two pieces describing the potential risks of online personal information disclosure.  At the close of one such segment highlighting the privacy risks of Android-based applications, the host informed viewers that “our country is already in the process of formulating related laws and regulations targeting the mobile internet.”  The mobile device regulation discussed here appears to be the first of these new regulations.

The regulation will become effective November 1, 2013. 

Readers interested in how other jurisdictions are addressing this and related issues may wish to review our summary of a recent European Union opinion covering app developers, smart device manufacturers, and app stores.

Links

Notice Regarding Strengthening the Management of Network Access for Mobile Smart Terminals [Chinese]

New Data Privacy Rules in China Target Mobile Smart Device Manufacturers and Online Content Providers (June 2012 Covington E-Alert)

March 15 Consumer Rights Day Gala Full Video [Chinese]

(For Android segment click “安桌系统手机应用软件严重窃取用户资料” on the right hand menu.)

1. Internal Privacy and Data Security Principles:  By specifying how the company collects, uses, discloses, and protects personal data of its customers and employees, internal privacy and data security policies can help companies identify who needs access to confidential data, how this data should be secured, and procedures for effectively deleting or destroying data once it is no longer needed by the company. 
2. Internet Access and Use Policies:  Many companies implemented employee policies in the 90s governing how employees may access and use the Internet and the company’s computer networks.  However, these policies should be updated as new technologies that may increase the disclosure of confidential company information, such as peer-to-peer programs and third-party mobile applications, emerge.   
3. Social Media Policies:  Social media policies typically govern how employees may use social media for work purposes, and, in some cases, set forth guidelines for employee use of personal social media accounts as well.  While these policies help to remind employees that they should be cautious when using social media to avoid the disclosure of confidential or proprietary company information, employers need to ensure that these policies are consistent with federal labor laws and state laws restricting an employer’s ability to request access to an employee’s personal online accounts.
4. Robust Protections in Service Provider Agreements:  Confidentiality clauses and nondisclosure agreements with service providers are common and important.  But robust privacy and data security provisions can provide additional protection and mitigate the risk of a breach, especially where the service provider will handle your customer’s personal information.   
5. Bring Your Own Device (“BYOD”) Policies:  Employers increasingly are allowing employees to use their personal smartphones, tablets, and other devices to access work e-mail accounts and the employer’s computer network.  While both employers and employees can benefit from this approach, companies need to make sure that their bring-your-own-device policies provide employees adequate notice and allow employers to implement appropriate data security measures, such as remote wiping tools.

This week the Article 29 Working Party released its Opinion 2/2013 on apps on smart devices (WP 202), a 30-page report on mobile app privacy and data protection considerations. This development follows on the Working Party’s Statement on the draft General Data Protection Regulation on 27 February 2013 (which we previously discussed here). 

The report sets out several sets of prescriptive, but non-binding, recommendations that target app developers, app stores, OS and device manufacturers, and other third party participants in app ecosystems, such as advertisers and network operators that bundle apps with devices. 

This short post sets out a summary of some of the report’s less conventional prescriptions and recommendations, which could present participants in the European digital/mobile ecosystem with significant compliance challenges.

Of particular concern to app developers targeting the European marketplace will be its recommendations that app makers must ensure that:

• new user consent to data collection must be specific, informed and granular - and the precise purpose of the collection must be set out in “well-defined” and “comprehensible” terms, and in the case of third party purposes such as analytics and advertising, “comprehensive”;
• any deviation from the specified purposes in new versions of an app must be subject to renewed user consent;
• third parties with whom data will be shared must be specifically, not generically, described;
• developers must adopt a ‘privacy by design’ approach to internal planning, development and QA processes;
• apps must only collect data that is strictly necessary to perform the desired functionality;
• users must be allowed to access, rectify, erase and object to data processing, and be informed of those mechanisms;
• apps must only retain data for a “reasonable retention period”, and accounts should expire after a predefined inactivity period, following which a user should be given an opportunity to retrieve their data, which must otherwise be deleted or irreversibly anonymised (and on the back of this prescription, they recommend that users be given tools to alter the length of these periods); and
• when dealing with under-age users, app developers must exercise particular care and adherence to the data minimisation principle, and refrain from processing their data for behavioural advertising purposes.

App stores

The Working Party considers that app stores must enforce app makers’ obligations to fully inform potential users prior to their installation of the app, and must publish detailed information on the data protection checks they perform when an app is submitted for distribution through the store. 

OS and device manufacturers

The report also places a burden upon on OS and device manufacturers to:

• employ “privacy by design” principles, and prevent secret monitoring of users;
• ensure that an app’s default settings render it compliant with EU data protection law;
• offer developers granular, not wholesale, access to data, sensors and services; and
• provide effective means to avoid tracking by third parties - and this protection must be enabled by default.

The report recommends that they put in place APIs to allow users to send data deletion requests to local or remote user data stores. 

Third parties

The Working Party goes on to state that third parties must, for example:

• refrain from circumventing privacy measures such as “Do Not Track” browser tools; and
• specifically avoid delivering ads outside the context of the app - so must not, for example, place icons on mobile desktops or redirect browser home pages. 

Network operators and other telcos, if they bundle apps with the devices they distribute with contracts or sell through their stores, must obtain valid consent from users for those pre-installed apps.  They must also “take on board relevant responsibilities when contributing to determining certain features of the device and of the OS, e.g. when limiting the user's access to certain configuration parameters or filtering fix releases (security and functional ones) provided by the device and OS manufacturers”, hinting that the Working Party has reservations at the practice of withholding certain OS updates from older phones. 

Summary 

App makers are left in a difficult position.  On the one hand, implementation of these features, such as discarding data after predefined retention periods, could be technically challenging; they will at the very least add to codebase and QA complexity, and will be difficult to implement without creating a less straightforward user experience.  The report also makes it clear that developers must audit and understand the functionality of any third party software libraries that they rely upon, to fully ensure that all gathering and processing of user data by their app will be compliant with EU law. 

On the other hand, this detailed report is a sure sign that data protection and privacy regulators are becoming more experienced in the domain, more certain in their expectations, and more precise with the standards they are seeking to impose - the risks and costs of noncompliance may well be on the rise.

The guidelines—titled “.com Disclosures:  How to Make Effective Disclosures in Digital Advertising”—update prior guidance known as “Dot Com Disclosures,” which was released in 2000.  The updated guidelines emphasize that consumer protection laws apply to commercial activities across all mediums, including on computers, mobile devices, and tablets.

• The disclosure must be clear and conspicuous regardless of the device or platform.  If an ad would be unfair, deceptive, or otherwise unlawful without a disclosure, but the disclosure cannot be made clearly and conspicuously on a particular device or platform, then the ad should not run at all on that device or platform.
• Proximity and placement.  In evaluating whether a disclosure is likely to be clear and conspicuous, advertisers should consider the placement of the disclosure in the ad and its proximity to the relevant claim.  Whereas the 2000 guidance defined “proximity” to mean “near, and when possible, on the same screen,” the updated guidance advises that disclosures should be “as close as possible” to the relevant claim.  It also states a preference that advertisements be designed so that “scrolling” is not necessary to see the disclosure.  In self-evaluating their ads, advertisers should adopt the perspective of a “reasonable consumer.” 
• Prominence.  It is the advertiser’s responsibility to draw attention to the required disclosures.  According to the updated guidelines, size matters, colors count, and graphics help.  Repetition—but not too much repetition so as to clutter the ad—may make a consumer more likely to notice and understand a disclosure.
• Hyperlinks.  The updated guidance suggests that advertisers label hyperlinks as specifically as possible.  Like the prior guidelines, the updated guidelines stress that disclosures that are an integral part of a claim —such as general cost information or certain health and safety information, not be communicated through a hyperlink.
• Pop-ups and technological limitations.  Pop-up disclosures should be avoided, because these may be blocked by certain technologies or devices.  The fact that some browsers and devices may not optimally support certain techniques for displaying disclosures also should be considered.  (For example, it should be taken into account that some mobile devices currently will not support Adobe Flash Player).
• Multimedia campaigns.  Disclosures should mirror the medium in which a claim is made.  Specifically, audio claims should contain audio disclosures at a volume and cadence sufficient for a reasonable consumer to hear and understand.  Written claims should contain written disclosures, not solely in an audio or video clip.  Video disclosures should be of a sufficient duration.  Additionally, all disclosures should be in language that it is simple, straightforward, and understandable to the reasonable consumer.

Prior to updating its guidance, the FTC held three public comment periods and hosted a day-long public workshop in May 2012, described here and here. 

The FTC staff report makes clear that these guidelines provide only suggestions for practices that may increase the likelihood that a disclosure is clear and conspicuous; they are not intended to provide a safe harbor from potential liability.

 In drafting the bill, Johnson and his Web-based initiative, AppRights, held meetings with members of the Internet community, public-interest groups, app developers, and other industry stakeholders. AppRights stated: “Over the coming days, we will release helpful clarifications of the updated provisions of the APPS Act so that everyone is on the same page." It is not yet clear when the bill will be introduced to Congress as possible legislation.

During Thursday’s meeting, participants considered the latest draft of the proposed code of conduct, which is intended to enhance transparency about apps’ data collection and third-party sharing practices. During the meeting, the participants failed to reach a consensus on what data practices need to be disclosed and how the information should be displayed. There was also disagreement as to which practices required heightened disclosure.

There was some progress, however, as the stakeholders agreed that the final draft should contain flexibility, clarifying that the “shall” and “must” language in the latest draft indicated requirements, while the use of “should” indicated best practices that companies should strive to achieve if possible.

The group will reconvene for its ninth meeting on January 31.

According to the FTC’s complaint, Filiquarian Publishing LLC, Choice Level LLC, and their CEO, Joshua Linsk, designed and marketed mobile applications that enabled users to search criminal records databases.  The companies marketed the applications for employment purposes as a tool to use in screening potential employees.  Indeed, one advertisement for the applications offered “Are you hiring somebody and wanting to quickly find out if they have a record?  Then Texas Criminal Record Search is the perfect application for you.”  The FTC alleged that the companies were operating as consumer reporting agencies in providing the criminal records reports for employment purposes and that the companies failed to comply with the FCRA.  The applications included disclaimers that the applications were not compliant with the FCRA and not to be used for FCRA permissible purposes; however, the FTC viewed these disclaimers as insufficient to insulate the companies from liability since the companies actively marketed the applications for employment purposes. 

The consent order, among other provisions, prohibits the companies from providing consumer reports to individuals if the companies do not have a reason to believe the individuals have a permissible purpose under the FCRA.  The order also prohibits the companies from failing to maintain reasonable procedures to assure maximum possible accuracy with respect to the consumer reports provided by the companies to consumers.  The companies are required to submit periodic reports to the FTC demonstrating compliance with the consent order.

As the report explains, “[t]he basic approach . . . is to minimize surprises to users from unexpected privacy practices.”  A practice is “unexpected” when it’s not “related to an app’s basic functionality” or when it involves “sensitive information.”  Minimizing surprises means limiting the collection and retention of data that is unrelated to the app’s core functionality; giving users “enhanced notice” (i.e., notice beyond what is provided in the developer’s general privacy policy) of unexpected practices; and giving users control over those practices.  (These concepts, if not the precise terminology, will be familiar to those who have read the FTC’s March 2012 report, which recommended that companies provide consumers with robust notice and meaningful choices for practices that were “inconsistent with the context” of a particular transaction or with the company’s relationship with the consumer.)

The report goes onto make a number of specific recommendations that build on these basic propositions.  After the jump, we discuss a few that struck us as particularly noteworthy.

• An app’s privacy policy should be available before the app is downloaded.  The report notes that the best way to accomplish this is to make the policy available from the app platform (i.e., on the promotion page).  FTC staff also urged developers to take this step in the recent report, “Mobile Apps for Kids: Disclosures Still Not Making the Grade.”  A more novel recommendation in this area was for ad networks, which were urged to provide links to their privacy policies to app developers so that the developers can make the policies available to users “before they download and/or activate the app.”  This practice seems less likely to be seen as consistent with industry practice or expectations. 

• Make the app’s “general” privacy policy “readily accessible from within the app.”  The report makes clear that a privacy policy is “readily accessible” if its linked from the controls/settings page.  The report also recommends hosting the privacy policy in the browser, in order to facilitate updates in case the developer’s practices change. 

• Include key privacy disclosures in the general privacy statement.  The report lists several disclosures that should be made in the privacy policy.  Several of these reflect familiar requirements in the California Online Privacy Protection Act (“CalOPPA”), but others are less familiar.  For example, the report recommends disclosing the “uses and retention period for each type or category of personally identifiable data collected” as well as “[w]hether your app, or a third party, collects payment information for in-app purchases.”  The privacy policy should also describe—and provide links to the privacy policies from—third parties with whom personally identifiable data may be shared.  

• Provide “enhanced measures” if the app collects “sensitive information” or “personally identifiable data” that are “not needed for basic functionality.  The report defines “personally identifiable data” and “sensitive information” more broadly than these terms are usually defined.  “Personally identifiable data” is “any data linked to a person or persistently linked to a mobile device,” while “sensitive information” is “personally identifiable data about which users are likely to be concerned,” including “precise geo-location data; financial and medical information; passwords; stored information such as contacts, photos and videos; and children’s information.”  Where the app collects this kind of information for purposes other than basic functionality, the report recommends either (1) providing a “special notice,” (i.e., an alert that appears at the time the data is collected) or (2) a combination of “short privacy statement” (i.e., a statement that highlights the “unexpected practices”) and privacy controls that enable the person to make choices about those unexpected practices. 

Security and Accountability

• Use encryption for personally identifiable data in transit—and in storage.  Encrypting certain types of PII in transit has become a common practice thanks to encryption requirements in Massachusetts and Nevada laws, while encryption of stored data, however, is significantly less common.  Given the breadth of the term “personally identifiable data,” many companies may have difficulty complying with this recommendation as it applies to both transmission and storage.  The recommendation that ad networks use encryption for the transmission of permanent unique device identifiers seems particularly unlikely to be adopted.

• Put someone in charge of the general privacy policy.  The report recommends making someone in the organization responsible for reviewing the privacy policy when practices change; maintaining archived versions of the policy; and acting as a point of contact for privacy questions and comments.  Of all the report’s recommendations, this one may be the most important: having a person commit a least some of his or her time to thinking about privacy issues can improve a company’s practices dramatically.  The privacy profession has exploded over the past decade, and this endorsement from General Harris signals the value that such professionals have to offer. 

The report has already drawn criticism from ad industry groups, which have faulted the report for proposing “unworkable” solutions that could create confusion in the industry. 

As we have noted elsewhere, Harris has made mobile privacy a key priority for her office.   Most recently, she sued Delta Airlines for allegedly failing to comply with the California Online Privacy Protection Act, which requires online service providers to post a privacy policy containing certain elements and to comply with the policy.   

The FCC also made recommendations that touch on the role of in-app privacy disclosures ―a topic that has received attention recently from state regulators and the Federal Trade Commission.  Specifically, the FCC recommends that users understand app permissions before accepting them.  The FCC says, “You should be cautious about granting applications access to personal information on your phone or otherwise letting the application have access to perform functions on your phone.  Make sure to also check the privacy settings for each app before installing.” 

While the FCC has not been as active as the FTC and others on mobile privacy issues that do not affect the telephone portion of the mobile service, the FCC’s announcement demonstrates that it continues to see a role for itself in helping “consumers understand and combat cyber threats and mobile device theft.”  Earlier this year, the FCC partnered with mobile operators to launch their “PROTECTS Initiative” which was designed to combat mobile device theft and trafficking. 

Staff found the results of the second report "disappointing," concluding that many apps do not contain privacy disclosures that fully explain how the app collects, uses, and discloses children's data.  Among other things, the report focused on disclosures related to advertising, links to social media, and in-app purchases. 

Announcing the release of the report, Jessica Rich, Associate Director, FTC Division of Financial Practices, expressed concern that a number of the apps disclosed device identifiers to third parties, including ad networks and analytics companies.  She emphasized that the staff made no findings about how these third parties used the device identifiers, but noted that the FTC's proposed revisions to the Children's Online Privacy Protection Act (COPPA) Rule would treat this information as "personal information" for purposes of COPPA, unless the data is used to support internal operations.  (Ms. Rich declined to comment on the timing of the release of a final COPPA Rule; other FTC staff previously have suggested the final Rule might come in the next few weeks or early next year.) 

Ms. Rich also stated that the Commission is investigating whether the apps violate laws such as COPPA or Section 5 of the FTC Act.  At the same time, she emphasized that the issues raised in the second report are widespread and that the report is focused on identifying industry best practices.  She encouraged industry to accelerate self-regulatory efforts to improve mobile app disclosures.  In particular, she applauded recent efforts to develop icons and similar mechanisms to shorten privacy policies for mobile apps. 

Interestingly, Harris also alleges that Delta “fail[ed] to comply with the provisions of its privacy policy,” which itself is a violation of CalOPPA.  This allegation is somewhat puzzling given that the core assertion of the suit is that Delta has failed to maintain any privacy policy at all in its app.  But it appears possible that Harris will argue Delta has failed to comply with its website privacy policy, which, the complaint notes, does not disclose certain categories of PII that are being collected through the app (e.g., location information). 

Also noteworthy are allegations that the “Fly Delta app is not the primary commercial activity of Delta,” and that “CalOPPA does not relate to rates, routes or services of any air carrier.”  These allegations anticipate a preemption challenge by Delta pursuant to the Airline Deregulation Act.  Delta would appear to have a strong argument that the suit is, indeed, preempted.  As noted in the complaint, the app enables people to search for and book flights.  Thus, the Attorney General’s argument that the app is not related to the “routes and services” of Delta would seem to face an uphill battle.

The one-count complaint seeks recovery under Cal. Bus. & Prof. Code § 17200, alleging that the violations of CalOPPA are “unfair” acts.  In addition to injunctive relief, Harris seeks a $2,500 per-violation civil penalty.

In her opening remarks, FTC Commissioner Julie Brill indicated the agency was open to revising its consumer privacy framework if comprehensive data collection warranted heightened restrictions or enhanced consent to protect and inform users: “We know that comprehensive data collection allows for greater personalization and other benefits, but there may be other contexts in which it does not lead to desirable results.”

The workshop was one of five main action items adopted by the FTC as part of its March 2012 report, Protecting Consumer Privacy In an Era of Rapid Change.  In the report, the commission told companies that consent was not required for the collection and use of information that was consistent with a particular transaction or the company's relationship with the consumer. But the agency said it needed more information to determine how this principle applied to technologies that could capture large amounts of consumer information, such as deep packet inspection (DPI).

There Are Benefits of Tracking

The experts all agreed that there are obvious benefits of data collection. The aggregation of data can be used to provide data security, offer effective personalization for consumers, and aid in the development of new products and services.

Consumers Can Also Be Harmed by Tracking

Conversely, everyone agreed that the more data that is collected, the greater the risk for harm from certain uses of the data. This harm is often recognized is economic in nature, but some participants pointed out that harm can also be reputational. Where consensus broke down was over the question of whether the data collection, itself, is a form of harm.

Most Consumers Don’t Understand Data Collection

Consumers, in general, have little understanding about how much of their personal data is collected online—let alone who is collecting it, how they are doing it, and why it is being done. Because so much of the data collection happens behind the scenes, it is hard to say that consumers are making informed decisions about the web-based products they use in their everyday lives, even when they are provided with notice and choice.

The Need for Technology-Neutral Regulation

Although the FTC moderators were interested in DPI—a technology that can be used by Internet service providers and other companies to inspect the content of packets as they travel over the Internet—the experts emphatically stated that regulators should not demonize technology, but instead, regulate certain uses. Panelists explained that by focusing on specific technologies, such as DPI or cookies, regulators miss the complexity of the issues. Because technology is ever changing, there will always be an alternative way of collecting large amounts of data. Since there is no single choke point, participants suggested that regulators examine the harmful uses of data that need to be prevented and policed against

Although a recent study showed that app developers increasingly are transparent about their data practices, many still are struggling to find ways to disclose material information to users in the limited space available on mobile devices.  As we noted last week, regulators and industry groups currently are working on different approaches intended to address this issue.  One potential approach--which the FTC and Attorney General Harris support--is the development of privacy “nutrition labels” that would present essential terms in much the same way that the food industry presents nutrition information on packages.  Industry groups, on the other hand, seem more focused on developing privacy icons that would work similarly to the now-ubiquitous AdChoices Icon.

Attorney General Harris has made mobile privacy a top priority for her office.  Earlier this year, she announced an agreement with leading providers of mobile app marketplaces — including Amazon, Apple, and Google — under which those companies committed to require app developers to post privacy policies within their apps in accordance with the OPPA.  Shortly thereafter, Harris launched a “Privacy Enforcement and Protection Unit” that would focus on the enforcement of California’s privacy laws. 

1. The Westfax Petition asks the FCC to clarify whether “efaxes,” which are facsimile messages that are converted to e-mail, are subject to the facsimile advertising rules under the TCPA and the Junk Fact Prevention Act of 2005.
2. The iHire Petition asks the FCC to declare that a third party faxing resumes of individual job applicants in response to help wanted postings is not an “advertisement” subject to the TCPA and, therefore, is exempt from the requirement to include an opt-out provision on the first page of the fax.
3. The 3G Collect LLC Petition asks the FCC to declare that operator service providers are not subject to the TCPA prohibition on prerecorded calls to wireless phones when connecting collect callers to telephone numbers assigned to wireless telephones. 
4. The Revolution Messaging Petition asks the FCC to clarify that certain internet-to-phone text messaging technology is an “automatic telephone dialing system” within the meaning of the TCPA and thus is subject to related FCC rules.

1.  The distinction between informational and telemarketing calls was further defined.  The 9th Circuit held that calls intended to impart information about a customer rewards program could be construed as “dual purpose” calls subject to federal and state telemarketing restrictions.  See Chesbro v. Best Buy Co., Inc.

2.  Effective dates were announced for the new requirements on autodialed and prerecorded calls that were adopted by the FCC in February 2012. 

• Effective immediately:  all prerecorded “heath care” messages subject to HIPAA transmitted to residential lines are exempt from the FCC’s consent, identification, time-of-day, opt-out, and call abandonment requirements.
• Effective November 15, 2012:  the FCC’s three percent call abandonment rate must be calculated on a 30-day basis for every telemarketing calling campaign.  (It is possible that the FCC will consider delaying this effective date to January 14, 2013, to align it with the interactive opt-out requirement discussed below.)
• Effective January 14, 2013:  all prerecorded telemarketing calls must include an automated, interactive opt-out mechanism throughout the duration of the call, as well as a toll-free telephone number that can be contacted to opt out when a prerecorded telemarketing message is left on voicemail or an answering machine. 
• Effective October 16, 2013:  prior express written consent is required to transmit prerecorded or autodialed telemarketing calls to wireless numbers, and the established business relationship exception no longer applies to prerecorded telemarketing calls to residential lines.

• Cargo Airline Association asks the FCC to declare that delivery notifications to package recipients are exempt from the TCPA’s requirement to obtain prior express consent before making autodialed or prerecorded calls to a wireless telephone number.
• Communications Innovators asks the FCC to clarify that predictive dialers that are not used for telemarketing purposes and do not have the current ability to generate and dial random or sequential numbers are not “automatic telephone dialing systems” as defined by the TCPA and related FCC rules.
• CallAssistant, LLC asks the FCC to clarify whether prerecorded call segments that are supervised by a live representative are subject to the general prohibition on prerecorded calls to residential lines absent prior express consent or some other exemption.

4.  A new Do Not Call Registry was created for public safety numbers.  The FCC released a Report and Order establishing a Public Safety Answering Point (PSAP) Do-Not-Call Registry.  Once effective, the new rules will prohibits the use of automatic dialing or prerecorded calling equipment to place non-emergency calls to telephone numbers registered on a new PSAP Do Not Call Registry.  Further details about the establishment and operation of this new Registry are expected.  Once the new Registry is in place, entities that use automatic dialing or prerecorded call equipment will need to ensure that they do not place calls to designated PSAP numbers.

5.  The FTC hosted a “Robocall Summit.”  The FTC hosted a Robocall Summit, at which the state of telephone technology associated with prerecorded calls -- and associated legal implications -- was discussed.  No new rules or compliance initiatives were announced, but the event suggests that compliance with prerecorded call requirements remains a high regulatory priority.

Truth-in-Advertising Standards

• Tell the truth about what the application can do.  The guide directs developers to consider their product from the perspective of average users and not software engineers or application experts.  If the developer makes objective claims about the application, the developer must have solid proof to support the claims.
• Disclose key information clearly and conspicuously.  Developers must provide key disclosures in a manner that is “big enough and clear enough that users actually notice them and understand what they say.” 

Privacy Principles

• Build privacy considerations into the application from the start.  In selecting the default settings for an application, developers should incorporate privacy protections into their practices, limit the information collected, securely store information collected, and safely dispose of information no longer needed. 
• Be transparent about data practices.  Developers should explain what information the application collects from users or their devices and how the information is used.
• Offer choices that are easy to find and easy to use.  Developers should give users tools that offer choices in how to use the application, such as privacy settings, opt-outs, or other ways for users to control how their personal information is collected and used. 
• Honor privacy promises.  Developers must adhere to assurances made to users in privacy policies and obtain users’ affirmative consent for any material changes to privacy practices.  
• Protect kids’ privacy.  Applications that are designed for children or that collect information from children may be subject to additional requirements under the Children’s Online Privacy Protection Act (COPPA). 
• Collect sensitive information only with consent.  Developers should obtain users’ affirmative consent before collecting any sensitive data, such as medical, financial, or precise geolocation information. 
• Keep user data secure.  Developers must take reasonable steps to keep sensitive data secure and adhere to data security promises made to users.