self-regulatory principles

Last week, the Consumer Electronics Association (“CEA”) announced its Guiding Principles on the Privacy and Security of Personal Wellness Data, a set of baseline, voluntary guidelines for private-sector organizations that handle the type of data often produced by wearable technologies.  The Guiding Principles are categorized into eight areas and generally include the following recommendations:

Last week, TRUSTe, Inc. (“TRUSTe”) settled Federal Trade Commission (“FTC”) charges that it misrepresented its certification programs and non-profit status to consumers.  TRUSTe offers clients Certified Privacy Seals, representing to consumers that the website, software, data processing service, or mobile application is compliant with the relevant TRUSTe program.  These programs include specifications related to transparency of company practices, verification of privacy practices, and consumer choice regarding the collection and use of consumer personal information.

The FTC’s complaint alleges that TRUSTe represents that it annually recertifies all companies displaying the Certified Privacy Seal to ensure ongoing compliance with the program requirements, however, from 2006 until January 2013, TRUSTe did not do so in over 1,000 instances.  According to the complaint, prior to its transition to a for-profit entity in July 2008, TRUSTe required its clients’ privacy policies to include a statement that “TRUSTe is an independent, non-profit organization.”  The FTC also alleges that TRUSTe recertified clients who failed to update references to the company’s for-profit status.
Continue Reading FTC Alleges TRUSTe’s Certified Privacy Seals Misled Consumers

This week, the Senate Judiciary Subcommittee on Privacy, Technology and the Law held a hearing to discuss the Location Privacy Protection Act of 2014, a bill reintroduced in March by Senator Al Franken (D-MN).  Most concerned with the potential for misuse and abuse of location data for purposes of stalking and perpetrating domestic violence, Senator Franken, who chairs the Subcommittee on Privacy, made clear at the hearing his view that, “Stalking apps must be shut down.”  Franken clarified, however, that his bill is not only intended to protect victims of stalking, but provides basic privacy safeguards for sensitive location information pertaining to all consumers.  Most critically, Senator Franken suggested that because location data lacks sufficient legislative protection, some of the most popular apps used widely by average consumers have been found to disclose users’ precise location to third parties without obtaining user permission.  Further, he noted that in light of stalking apps that are deceptively labeled as something else, such as “parental monitoring,” it is necessary to create a law with basic rules for any service that collects location information.

The witnesses representing law enforcement, federal agencies, and consumer-advocacy and anti-domestic violence groups gave testimony sharing Senator Franken’s concerns, and also suggested that industry self-regulation in this area so far has not been consistent or transparent.  Jessica Rich, Director of the Federal Trade Commission’s Bureau of Consumer Protection, for example, noted that broadly speaking, while many industry groups and individual companies purport to adopt the opt-in model as a best practice, enforcement has shown that the standard is in fact not complied with on a regular basis. 

In response, witnesses representing industry largely rejected the notion that legislation like Senator Franken’s is needed at this time.  Expressing particular worry that laws and regulations are inflexible and can quickly become outdated in the face of rapidly evolving technologies, Lou Mastria, Executive Director of the Digital Advertising Association (“DAA”), testified that innovation is better served by self-regulation, which can adapt to new business models because it is more “nimble” than government regulation, as subcommittee ranking member Senator Jeff Flake (R-AZ) phrased it.  Mr. Mastria pointed to the DAA’s Self-Regulatory Principles as an effective framework for self-regulation.  Sally Greenberg, Executive Director of the National Consumers League, however, contested the usefulness of DAA’s code, calling it weak, “full of holes,” and “late to the game,” especially in the face of her view that there is “monumental evidence that self-regulation is not working.”Continue Reading Senate Subcommittee Examines “Stalking Apps” Bill

The Online Internet-Based Advertising Accountability Program issued five decisions in November enforcing the Digital Advertising Alliance’s Self-Regulatory Principles for Online Behavioral Advertising.  The Accountability Program’s first two decisions, issued November 18 against BMW of North America and Scottrade, addressed those companies’ failure to provide notice of third-party data collection on their websites.  On November 20, the Accountability Program issued three more decisions stemming from a recent online behavioral advertising campaign by personal genomics and biotechnology company 23andMe.Continue Reading OBA Accountability Program: A Recap of What Happened in November

The Digital Advertising Alliance (“DAA”) recently released a guidance document titled Application of Self-Regulatory Principles to the Mobile Environment (“Mobile Guidance”).  The Mobile Guidance does not purport to establish new principles, but rather to explain how the DAA’s existing principles — the Self-Regulatory Principles for Online Behavioral Advertising and for Multi-Site Data — apply to the “mobile Web site and application environment.”  Still, the Mobile Guidance contains a considerable amount of new direction that should interest publishers, advertisers, and other companies that operate in the online advertising space.  Below is an overview of key takeaways from the Guidance. 

The Guidance explains how companies operating in the mobile space should provide consumers “transparency and “control” (i.e., notice and choice) in connection with four types of data: Multi-Site Data, Cross-App Data, Precise Location Data, and Personal Directory Data. 

Although the DAA’s definitions of these types of data focus on the way in which data is collected, the application of the key principles of “Transparency” and “Control” depends mainly on the way the data is used.  For example, the Multi-Site Principles define “Multi-Site Data” as “data collected from a particular computer or device regarding Web viewing over time and across non-Affiliate Web sites.”  This definition focuses on the nature of the collection, but the “Transparency” and “Control” principles’ application to the data turns on the way the data is used:  if Multi-Site Data is used for one of many enumerated purposes (e.g., IP protection, product or service fulfillment, and product development), the Principles’ transparency and control principles do not apply. 

Thus, the guidelines suggest that companies evaluate their obligations not only by considering whether the data they collect is covered by the Principles, but also by determining how that data will be used.  With that background, we turn to a discussion of the Mobile Guidance. Continue Reading The DAA Principles Applied to Mobile: Key Takeaways