self-regulation

Last week, a group of privacy experts, including regulators and representatives of the automobile and consumer electronics industries, spoke at a Continuing Legal Education Program hosted by the Federal Communications Bar Association.  The panel discussed, among other things, the relatively new set of privacy principles that has been developed for vehicle technologies and services, which is scheduled to take effect in January 2016.  This post summarizes those principles and the panelists’ comments.
Continue Reading Connected Cars and Other Web-Connected Devices

Last week, TRUSTe, Inc. (“TRUSTe”) settled Federal Trade Commission (“FTC”) charges that it misrepresented its certification programs and non-profit status to consumers.  TRUSTe offers clients Certified Privacy Seals, representing to consumers that the website, software, data processing service, or mobile application is compliant with the relevant TRUSTe program.  These programs include specifications related to transparency of company practices, verification of privacy practices, and consumer choice regarding the collection and use of consumer personal information.

The FTC’s complaint alleges that TRUSTe represents that it annually recertifies all companies displaying the Certified Privacy Seal to ensure ongoing compliance with the program requirements; however, from 2006 until January 2013, TRUSTe did not do so in over 1,000 instances.  According to the complaint, prior to its transition to a for-profit entity in July 2008, TRUSTe required its clients’ privacy policies to include a statement that “TRUSTe is an independent, non-profit organization.”  The FTC also alleges that TRUSTe recertified clients who failed to update references to the company’s for-profit status.
Continue Reading FTC Alleges TRUSTe’s Certified Privacy Seals Misled Consumers

The International Association of Privacy Professionals hosted its annual Privacy Academy, at which one panel, “Data Brokers Demystified,” specifically focused on regulation of the data-broker industry.  The panelists included Janis Kestenbaum from the Federal Trade Commission, Jennifer Glasgow from Acxiom, and Pam Dixon from the World Privacy Forum.  Emilio Cividanes from Venable also participated.

Major Conclusions of the FTC Report (Janis Kestenbaum)

  • Data brokers operate with a fundamental lack of transparency.  They engage in extensive collection of information about nearly every US consumer, profiles of which are composed of billions of data elements.
  • Much data collection occurs without consumer awareness and uses a wide variety of online and offline sources, such as social networks, blogs, individual purchases and transactions with retailers, state and federal governments, events requiring registration, and magazine subscriptions.
  • The practice of “onboarding” (where offline data is onboarded onto an online cookie and is used to market to consumers online) is increasingly common.
  • Some data collected is sensitive, but even non-sensitive data is sometimes used to make “sensitive inferences” about (for example) health status, income, education, ethnicity, religion, and political ideology.  Consumers are often segmented into “clusters” based on these inferred characteristics.
  • For regulators, some of these clusters are concerning.  For example, one cluster is entitled “Urban Scramble” and contains high concentrations of low-income ethnic minorities.
  • Congress should create a centralized portal where consumers can go online and access individual data brokers’ websites to opt out and access and correct their information.  For consumer-facing entities, like retailers, consumers must be given some kind of choice before data is sold to a data broker, and when that data is sensitive, the choice should be in the form of an opt in.
Continue Reading IAPP Privacy Academy: “Data Brokers Demystified”

This week, the Senate Judiciary Subcommittee on Privacy, Technology and the Law held a hearing to discuss the Location Privacy Protection Act of 2014, a bill reintroduced in March by Senator Al Franken (D-MN).  Most concerned with the potential for misuse and abuse of location data for purposes of stalking and perpetrating domestic violence, Senator Franken, who chairs the Subcommittee on Privacy, made clear at the hearing his view that, “Stalking apps must be shut down.”  Franken clarified, however, that his bill is not only intended to protect victims of stalking, but provides basic privacy safeguards for sensitive location information pertaining to all consumers.  Most critically, Senator Franken suggested that because location data lacks sufficient legislative protection, some of the most popular apps used widely by average consumers have been found to disclose users’ precise location to third parties without obtaining user permission.  Further, he noted that in light of stalking apps that are deceptively labeled as something else, such as “parental monitoring,” it is necessary to create a law with basic rules for any service that collects location information.

The witnesses representing law enforcement, federal agencies, and consumer-advocacy and anti-domestic violence groups gave testimony sharing Senator Franken’s concerns, and also suggested that industry self-regulation in this area so far has not been consistent or transparent.  Jessica Rich, Director of the Federal Trade Commission’s Bureau of Consumer Protection, for example, noted that broadly speaking, while many industry groups and individual companies purport to adopt the opt-in model as a best practice, enforcement has shown that the standard is in fact not complied with on a regular basis. 

In response, witnesses representing industry largely rejected the notion that legislation like Senator Franken’s is needed at this time.  Expressing particular worry that laws and regulations are inflexible and can quickly become outdated in the face of rapidly evolving technologies, Lou Mastria, Executive Director of the Digital Advertising Association (“DAA”), testified that innovation is better served by self-regulation, which can adapt to new business models because it is more “nimble” than government regulation, as subcommittee ranking member Senator Jeff Flake (R-AZ) phrased it.  Mr. Mastria pointed to the DAA’s Self-Regulatory Principles as an effective framework for self-regulation.  Sally Greenberg, Executive Director of the National Consumers League, however, contested the usefulness of DAA’s code, calling it weak, “full of holes,” and “late to the game,” especially in the face of her view that there is “monumental evidence that self-regulation is not working.”
Continue Reading Senate Subcommittee Examines “Stalking Apps” Bill

With the ongoing public dialogue concerning the intersection of technological innovation, national security, and privacy that followed Edward Snowden’s revelations of classified information last year, it is no surprise that privacy and security were top themes at SXSW Interactive this year.  The following summarizes key points made about privacy throughout the Interactive conference, which ended

The Digital Advertising Alliance (“DAA”) recently released a guidance document titled Application of Self-Regulatory Principles to the Mobile Environment (“Mobile Guidance”).  The Mobile Guidance does not purport to establish new principles, but rather to explain how the DAA’s existing principles — the Self-Regulatory Principles for Online Behavioral Advertising and for Multi-Site Data — apply to the “mobile Web site and application environment.”  Still, the Mobile Guidance contains a considerable amount of new direction that should interest publishers, advertisers, and other companies that operate in the online advertising space.  Below is an overview of key takeaways from the Guidance. 

The Guidance explains how companies operating in the mobile space should provide consumers “transparency” and “control” (i.e., notice and choice) in connection with four types of data: Multi-Site Data, Cross-App Data, Precise Location Data, and Personal Directory Data.

Although the DAA’s definitions of these types of data focus on the way in which data is collected, the application of the key principles of “Transparency” and “Control” depends mainly on the way the data is used.  For example, the Multi-Site Principles define “Multi-Site Data” as “data collected from a particular computer or device regarding Web viewing over time and across non-Affiliate Web sites.”  This definition focuses on the nature of the collection, but whether the “Transparency” and “Control” principles apply to the data turns on the way the data is used: if Multi-Site Data is used for one of many enumerated purposes (e.g., IP protection, product or service fulfillment, and product development), the transparency and control requirements of the Principles do not apply.

Thus, the guidelines suggest that companies evaluate their obligations not only by considering whether the data they collect is covered by the Principles, but also by determining how that data will be used.  With that background, we turn to a discussion of the Mobile Guidance.
Continue Reading The DAA Principles Applied to Mobile: Key Takeaways

The World Wide Web Consortium’s Tracking Protection Working Group concluded a three-day international stakeholder meeting in Amsterdam on October 5 without reaching consensus on certain key issues concerning a global do-not-track standard.  There are reportedly three major unresolved questions: (1) what the default setting should be, i.e., whether do not track should be turned on or off

As noted in our coverage of the inaugural Privacy Multistakeholder Meeting, NTIA promised to release meeting notes and the results of informal polls taken during the meeting.  This information is now available on NTIA’s website, and includes notes in document format and images of the flipcharts used during the meeting.

Additionally, NTIA has

Yesterday marked the inaugural Privacy Multistakeholder Meeting at the Department of Commerce, hosted by the National Telecommunication & Information Administration (“NTIA”).  The meeting brought together representatives of technology companies, advertisers, consumer groups, and other stakeholders for a discussion of mobile application transparency and the process for future discussions and meetings.  While the meeting did not bring consensus on either process or goals, it did engender considerable discussion between a large number of participants, both in-person and through the online meeting tool.

Representatives from NTIA worked with an outside facilitator to solicit stakeholder views on 1) potential key elements of a mobile transparency policy and 2) methods that the group might employ to move the conversation forward in the future.  The facilitation process itself generated a considerable amount of debate, and substantive discussions were often interrupted by questions about, or objections to, the process.

By the end of the day, the participants had generated a substantial list of items to consider during future meetings and had informally “voted” to express whether they felt the item needed to be addressed early in the process.  John Verdi, Director of Privacy Initiatives, stated that the list of ideas and the results of the informal poll would be released next week.  Verdi also announced that NTIA would schedule an additional meeting in August, though no specific date was announced.
Continue Reading Recapping the NTIA Multistakeholder Meeting

Mobile security firm Lookout has issued guidelines to help mobile ad providers and app developers standardize privacy practices for app-based mobile ads.  According to Lookout Chief Technology Officer Kevin Mahaffey, the guidelines are intended to provide guidance about what constitutes “acceptable behavior” in the mobile ad ecosystem, and to “fix this problem before it gets so big that it needs regulation.” 

Lookout’s guidelines are built on well-recognized privacy principles such as transparency, individual control, reasonable limits on data collection and retention, and security, but the guidelines also break new ground in that they focus primarily on the obligations of ad providers, i.e., ad networks, ad exchanges, and mobile ad mediation layers that manage ad delivery across a number of different ad networks.  Other industry guidelines issued to date have been primarily geared toward app developers (including the EFF’s Mobile User Privacy Bill of Rights, CDT/FPF’s Best Practices for Mobile App Developers, and MMA’s Mobile Application Privacy Policy Framework) or directed at specific practices (such as the CTIA’s Best Practices and Guidelines for Location-Based Services).
Continue Reading Company Releases Industry Guidelines for Mobile App Advertising