Inside Privacy - Updates on Developments in Global Privacy & Data Security

The Digital Advertising Alliance’s Self-Regulatory Program for Online Behavioral Advertising continues to gather steam.  Last month, after the Program garnered favorable mention in the FTC’s final privacy report, a representative of the Interactive Advertising Bureau (one of the DAA’s participating organizations) announced that the Program’s Advertising Option Icon is now being served in more than one trillion online ads per month.

An announcement yesterday by the IAB suggests another milestone for the Program may be on the horizon: expansion into online streaming video.  The IAB revealed that its new suite of technical specifications and protocols for the serving of in-stream ads will enable the Icon to be served in or around such ads, allowing entities that collect behavioral data from video viewers to meet any obligations they may have under the DAA’s transparency and consumer control principles. 

The IAB’s announcement comes amid increasing demands by regulators and consumer advocates for improved disclosures and choices with respect to the collection of consumer data in certain contexts.  The FTC’s report urged companies to make appropriate disclosures — “outside of a privacy policy or other legal document” —  regarding data collection that is “inconsistent” with the context of a particular transaction or a customer’s relationship with the company.  The report noted that the Icon itself provides an example of an effective notice and choice mechanism.  Its expansion into online video advertising — an area where the FTC has recently shown some interest — should be viewed favorably by the Commission. 

Last week, Judge Ware of the Northern District of California denied a motion to amend his November 2011 dismissal, with prejudice, in In re Facebook Privacy Litigation, a case in which plaintiffs had argued that Facebook improperly transmitted users’ personal information, including User ID numbers or usernames, to third party advertisers.

In his most recent Order, Judge Ware reaffirmed his prior holding that plaintiffs had not stated a claim under the Stored Communications Act (“SCA”) based on an exception to the statute that allows a service provider to divulge the contents of a communication to, or with the lawful consent of, “an addressee or intended recipient” of the communication.

Continue Reading

The FTC staff released a report today calling for participants in the mobile app ecosystem -- including app developers, app stores, and third parties who collect data through mobile apps -- to provide better privacy notices to parents about mobile apps directed to children, and warning that over the next six months, staff will be conducting additional reviews "to determine whether there are COPPA violations and whether enforcement is appropriate."

The report is based on the staff's survey of apps offered in the Android Market and the Apple App store. Staff focused on "the types of apps offered to children; the age range of the intended audience; the disclosures provided to users about the apps’ data collection and sharing practices; the availability of interactive features, such as connecting with social media; and the app store ratings and parental controls offered for these systems."

Notably, the report stated that the FTC expects the whole app ecosystem to "play an active role in providing key information to parents who download apps." Specifically, the report outlined the following:  

• App developers should provide parents information about (1) what information an app collects, (2) how the information will be used, and (3) with whom the information will be shared, using short disclosures or icons that are easy to find and understand on the small screen of a mobile device. App developers also should alert parents if the app connects with social media, or allows targeted advertising to occur through the app.
• Third parties that collect information through apps should disclose their privacy practices, whether through a link on the app promotion page or another easily accessible method.
• App stores should provide a more consistent way for developers to display information regarding their app’s data collection practices and interactive features. The FTC stated, for example, that app stores could provide a designated space for developers to disclose this information and standardized icons to signal specific features, such as connections with social media services. In addition, the FTC emphasized that app stores should be enforcing developer agreements that require developers to disclose the information their apps collect.

The report expressed a preference for disclosures that are provided prior to the parent's purchase of the app, noting that "[i]nformation provided to parents after downloading an app is, in staff’s view, less useful in the parent’s decision-making since, by then, the child may already be using the app and the parent already could have been charged a fee."

In addition, the report focused on disclosures involving in-app purchases, interactive features, and targeted advertising.  The report states that the FTC is considering whether additional protections are needed with respect to in-app purchase capabilities in apps for children.  It emphasized that "confusing and hard-to-find disclosures do not give parents the control that they need in this area." Staff believe that the presence of social features within an app is highly relevant to parents selecting apps for their children, and that such functionality should be disclosed prior to download.  And the report states that "parents need clear, easy-to-read, and consistent disclosures regarding the advertising that their children may view on apps, especially when that advertising is personalized based on the child’s in-app activities.”

As we have blogged about here and here, the FTC currently is reviewing its rules implementing the Children’s Online Privacy Protection Act, which governs the online collection, use, and disclosure of personal information from children under the age of 13.  

Earlier today, the House of Representatives approved an amendment to the Video Privacy Protection Act (VPPA) (H.R. 2471) that would clarify certain ambiguities in the 1988 law in light of technological changes in the marketplace.  In his remarks on the House floor, Rep. Bob Goodlatte (R-VA) – the primary author of H.R. 2471– explained that the amendment will facilitate the sharing of video usage information on social media networks. 

During a debate on the legislation, Rep. Melvin Watt (D-NC) opposed the bill as he did in the committee markup, expressing concern about the adequacy of one-time consent to the sharing of information on dynamic social media sites.  He emphasized the sensitivity of video usage information and expressed concerns about whether Congress has given sufficient thought to the impact of H.R. 2471 on state video privacy laws.  Rep. Watt also questioned the propriety of Congress acting in light of a number of pending private law suits under the VPPA.  Rep. John Conyers, Jr. (D-MI) lent his support to H.R. 2471, but stated that he would have preferred the bill require consumers to renew their consent periodically.

Under the VPPA, which was passed long before the Internet was widely available, “video tape service providers” generally are not permitted to share a consumer’s video usage information without “the informed, written consent of the consumer given at the time the disclosure is sought.”  If enacted into law, H.R. 2471 would clarify this limitation in the context of online distribution in the following ways:

Continue Reading

The group that develops technical standards and guidelines for the World Wide Web released a set of draft standards on Monday that are intended to allow consumers to limit and control how they are tracked online.

The standards, developed by the World Wide Web Consortium (known as the “W3C”), would allow consumers to set a “Do-Not-Track” preference using their browser or other tools.  The proposal effectively sets up an “opt-out” mechanism for online tracking because no preference is transmitted until the user affirmatively selects a setting.  The standard states that, absent laws, rules or other requirements to the contrary, servers may interpret the lack of an expressed preference “as they find most appropriate for the given user, particularly when considered in light of the user’s privacy expectations and cultural circumstances.”  Once set by the user, the Do-Not-Track preference would be transmitted to any website the user visits; the standard requires website servers that have implemented the standard to send a response signal indicating whether the website respects the tracking preference.  Users would be able to affirmatively allow tracking, block all tracking, or refuse tracking generally but allow tracking on certain sites.

Continue Reading

Earlier this week, the industry self-regulatory program set up by online advertisers to deal with reported privacy problems released decisions in its first six compliance cases.  The Online Internet-Based Advertising Accountability Program, which was established in August, determines whether reported businesses are complying with the self-regulatory principles for online behavioral advertising.  The Better Business Bureau oversees the program.

The Accountability Program initiated formal enforcement efforts against six companies in connection with the companies’ opt-out mechanisms.  Four of the companies offered consumers the ability to opt out of the collection and use of data for online behavioral advertising through opt-out cookies that were set to expire more quickly than the five-year time frame that is called for by the industry standard.  In the other two cases, the opt-out mechanisms offered by the companies were inaccessible to consumers due to missing buttons or links.  Each company voluntarily modified its practices to comply with the self-regulatory principles. 

These self-regulatory efforts come at a time when both Congress and the FTC are considering whether self-regulation is adequate to deal with consumer privacy challenges.   Representatives from the Accountability Program have said that companies that do not respond and comply with its enforcement efforts may be referred to the FTC. 

Yesterday, the House Subcommittee on Commerce, Manufacturing, and Trade held a hearing entitled , “Understanding Consumer Attitudes About Privacy.”  The hearing featured a single panel with a mix of industry representatives and consumer privacy advocates, including representatives from Intuit, Microsoft, the Digital Advertising Alliance, Evidon, and the World Privacy Forum. 

A primary focus of the hearing was the efficacy of industry self-regulatory initiatives and other efforts to provide consumers with information and choices about managing their online privacy.  In particular, members expressed interest in the “About Ads” self-regulatory principles for online behavioral advertising and other company-specific efforts to provide consumers with notice and choice. 

Continue Reading

The representatives of IAB Europe and EASA, European advertising and marketing industry associations, met with the Article 29 Working Party, a group of European data protection authorities, on 14 September 2011 to discuss the industry’s self-regulatory code on Online Behavioural Advertising.  As we blogged here, the Article 29 Working Party had previously voiced concerns over some of the aspects of the code in its letter to the Online Behavioural Advertising Industry published in August.  These concerns were reiterated during the meeting, as the Working Party emphasized that consent for the use of cookies on user’s equipment (a requirement under the new ePrivacy Directive) cannot be implied from the user’s inaction or silence.  As the Working Party had stressed in its recent opinion, only statements or actions can constitute valid consent.

The Working Party explained that the code should be amended to provide compliance with European and national legal requirements after the industry admitted that the code was mainly intended to provide a level playing field.  The chairman of the Working Party was concerned that companies might wrongly consider the code as a “safe haven” when it in fact falls short of legal requirements.

The industry representatives were also invited to address the privacy concerns raised by the Working Party in its August letter.  The Working Party would take the industry’s answers into account when it prepares its official opinion on the Code  - to be finalized by the end of the year.

Last week, the Supreme Court issued its much anticipated decision in the Brown v. Entertainment Merchant's Association case.  Justice Scalia, writing for Justices Kennedy, Ginsburg, Sotomayor, and Kagan, held that a California law restricting the sale or rental of violent video games to minors, and mandating “18” labels for such games, violates the First Amendment.

The decision is not only a resounding victory for the entertainment software industry, but its views on the protection of minors under the First Amendment could have a profound impact on future legislative efforts as well.  In his dissent, Justice Thomas argued that the First Amendment does not include the right to speak to minors without obtaining the prior consent of their parents or guardians.  This approach supports many of the children's privacy laws that are on the books today.  The majority soundly rejected this approach, however, stating that laws that prevent children from hearing or saying anything without their parents' prior consent “do not enforce parental authority over children's speech and religion; they impose governmental authority, subject only to a parental veto.”  

In a recent order, Judge Henderson of the District Court for the Northern District of California denied NebuAd Inc.’s motion to dismiss in Valentine v. NebuAd Inc., No. C08-05113 TEH, finding that plaintiffs had sufficient statutory standing to assert claims under the California Invasion of Privacy Act ("CIPA") and the California Computer Crime Law ("CCCL") and that these claims were not preempted by the federal Electronic Communications Privacy Act ("ECPA").

With respect to standing, the Court found that the California Legislature did not intend to limit the right of action under CIPA and CCCL to in-state plaintiffs, and, thus, the out-of-state plaintiffs in this action could bring suit again a California defendant (NebuAd).  (Notably, this analysis pertained to standing under these specific California statutes, not the Article III constitutional standing that was at issue in the recent RockYou decision, which we wrote about here).  On the preemption issue, the Court rejected the Central District of California’s holding in Bunnell v. Motion Picture Ass’n of Am. that ECPA preempted a CIPA claim.  Instead, the Court said it was more persuaded by the California Supreme Court’s contrary holdings that ECPA does not preempt CIPA in People v. Conklin and Kearney v. Salomon Smith Barney.

Continue Reading

Earlier this week, the Federal Trade Commission announced that it has reached a settlement with Chitika, Inc., an ad network that tracks a user’s online activities in order to deliver advertising targeted to the individual user's interests.  In its complaint, the FTC claimed that Chitika made statements that (1) users could opt out of targeted advertising by clicking on an "Opt-Out" button and (2) users who clicked on the button "are currently opted out." The FTC also alleged that Chitika's cookie-based opt-out mechanism lasted only 10 days, and that Chitika did not inform users about the duration of the opt-out.  The FTC claimed that Chitika's statements constituted a representation that Chitika's opt-out will last for a "reasonable period of time," and that because 10 days is not a reasonable period, its statements were deceptive. 

As part of the settlement, Chitika must include a hyperlink in every targeted ad that takes consumers to a clear opt-out mechanism.  User opt outs must be effective for at least five years. 

The settlement may help inform industry's ongoing development of innovative opt-out tools for consumers to control whether information is used for targeted advertising.  The Consent Order not only suggests that five years is a "reasonable" period of time for a user's opt-out selection to last, but it also reaffirms that cookie-based opt-out methods are an acceptable means for allowing consumers to opt out of targeted adverting.   Importantly, the Consent Decree carves out from the five-year effective period scenarios where a user deletes his or her cookies or takes deliberate action to disable the mechanism. 

A former intern at the controversial company RapLeaf has launched a new privacy manager site called SelectOut, which helps users opt out of behavioral advertisements online.  As of the end of January, SelectOut had already facilitated 50,000 opt outs.  

SelectOut offers similar features to the opt-out features available at AboutAds.info, a site sponsored by the Internet advertising industry.  Sites like AboutAds and SelectOut, as well as the new developed "do not track" features for leading browsers, show a hopeful trend towards the development of kinds of win-win technological features that benefit consumers while maximizing choice.  

We have previously reported on the Federal Trade Commission’s December 2010 preliminary staff report, “Protecting Consumer Privacy In An Era of Rapid Change.”  With the February 18, 2011 extended deadline to comment on the report quickly approaching, the Berkeley Center for Law & Technology held a roundtable on Browser Privacy Mechanisms last week. 

Participants included spokespersons from the FTC, privacy groups such as the Center for Democracy & Technology and Electronic Frontier Foundation, representatives from Microsoft, Google, and Mozilla, and leading academics and technologists.

FTC Commissioner Julie Brill noted that although most of the buzz around the preliminary staff report has focused on Do Not Track, the report has three principle components—Privacy By Design, Choice, and Transparency.  She commented that although industry has been slow to deal with these issues in the past, the response this time appears to be much stronger and more focused.  As of the roundtable, the FTC already had received more than 200 comments and expects the Commission’s server to be tested by the volume of comments anticipated on the deadline. 

Brill also outlined the five components by which FTC will judge a choice mechanism offered to consumers (whether through a self-regulatory mechanism or congressional action).

Continue Reading

The Washington Post has published an article describing a relatively new arena for behavioral advertising: your online bank statement.  Participating banks serve marketing to their customers based on the customer's spending history.  These promotions may be particularly valuable to advertisers because they are targeted based on how a customer actually spends his or her money and because customers can take advantage of advertised discounts without printing out coupons -- if you click the associated link, the advertiser will recognize your debit card the next time it is swiped. 

The banks and their advertising partners have defended against privacy concerns by pointing out that customers may opt out and noting that, because the ad software runs on the bank's server, customer data need not leave the bank's secure network.  The federal banking regulators have not yet chimed in on this practice.  The FTC's recent draft report on consumer privacy suggests that the FTC is inclined to treat financial information as sensitive information, subject to an opt-in consent requirement for data practices that are not "commonly accepted."  The draft report does not define financial information.

After much mulling, the Canadian Parliament passed, on December 16, Bill C-28, the Fighting Internet and Wireless Spam Act, which creates a new regime for businesses engaged in online marketing.  The legislation regulates commercial “electronic messages,” a term defined broadly to include e-mail, instant messaging, text messages, and messages on “any similar account” -- a catch-all category that potentially could include messages on Facebook and Twitter.  The law also provides a new private right of action, modeled on the CAN-SPAM Act in the United States.

No date has been set for the legislation to come into force.  The federal cabinet will establish implementation timelines. 

The United States District Court for the District of Montana has dismissed [PDF] several class action claims against the Internet service provider Bresnan Communications arising out of its partnership with the controversial (and now defunct) online advertising firm NebuAd. 

Bresnan subscribers alleged that the ISP allowed NebuAd to test a system to profile subscribers’ online activity using deep packet inspection ("DPI") for the purpose of serving targeted ads.  The system allegedly enabled NebuAd to (1) intercept and read essentially all subscriber communications transmitted over Bresnan's network and (2) set cookies by forcing users' browsers to send requests to a NebuAd server.  The plaintiffs pleaded claims under the Wiretap Act and the Computer Fraud and Abuse Act ("CFAA") as well as several state law claims.  The court dismissed the Wiretap Act and a state law claim, finding that the plaintiffs had impliedly consented to any interception and had no reasonable expectation of privacy in the contents of their communications.  The court pointed to statements in Bresnan's privacy notice and subscriber agreement that disclosed the possibility of tracking. 

Continue Reading

The Department of Commerce's request for comments on its "green paper" regarding Internet privacy was just published in the Federal Register.  Comments on the paper are due January 28, 2011.

More information and Covington's analysis of the green paper are available in our earlier post.

Just two days after the Director of the FTC's Bureau of Consumer Protection announced that the agency would not tolerate an "arms race" aimed at developing technologies that subvert user choice regarding online tracking, two firms accused of employing such technologies agreed to settle lawsuits against them.  Quantcast and Clearspring--which provide web analytics and certain functionality to consumer-facing websites--were named in several class action complaints this summer.  The suits alleged that the companies used "Flash cookies" (i.e., local shared objects stored in the memory of Adobe's Flash Player plug-in) to track user activity on websites where Quantcast and Clearspring provide their services.  The publishers of some of those sites were also named in the suits.  

Although the use of traditional "HTTP" cookies for tracking has become so commonplace as to be relatively uncontroversial, Flash cookies have been criticized because they are unaffected by browser privacy settings.  Moreover, as noted by researchers at UC-Berkeley, Flash cookies can be used to re-create or "respawn" browser cookies after a user deletes the latter.  The plaintiffs in the Quantcast and Clearspring cases seized on these distinctive qualities in asserting that the defendants used Flash cookies to "circumvent" users' privacy settings.  The complaints included claims under the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Video Privacy Protection Act, and various state laws.

Continue Reading