Inside Privacy - Updates on Developments in Global Privacy & Data Security

Yesterday, the FTC announced that MySpace has agreed to settle charges that it engaged in deceptive practices by disclosing personal information to third parties despite statements in its privacy policy suggesting it would not engage in such sharing.  The proposed settlement with MySpace reflects the FTC’s continuing concern with the privacy practices of social networking services and follows on the heels of settlements with Facebook, Twitter, and Google (the latter relating to Google's "Buzz" social networking service).  Like Facebook and Google before it, MySpace agreed to a consent order that (if it becomes final) would require the company to implement a comprehensive privacy program and submit to third-party privacy audits for the next 20 years. 

As with many of the incidents involving consumer privacy that have been subject to recent FTC action (as well as private litigation), MySpace’s practices appear to have been first explored by the Wall Street Journal, as part of its “What They Know” series on online privacy.

The FTC has decided not to pursue an enforcement action against Clearwater Aquarium for alleged violations of the Children's Online Privacy Protection ("COPPA") Rule. 

In February 2012, the Children's Advertising Review Unit ("CARU") referred the Clearwater Aquarium's website to the FTC for review under COPPA after the Aquarium reportedly did not respond to CARU's inquiry.  CARU claimed that the site featured a “Kidzone” where visitors could sign up for an e-newsletter by entering their first and last names, mailing and email addresses, and cellphone numbers.  CARU was concerned that the Aquarium collected personally identifiable information from children under the age of thirteen without first obtaining parental consent and that the Aquarium's privacy policy -- which stated that it did not collect information from children under 18 without parental consent -- did not accurately reflect its actual privacy practices.

After reviewing the website, the FTC concluded "that the information collection practices that had triggered CARU's inquiry had been remedied."  The FTC declined to take any further action, instead referring the matter back to CARU. 

CARU, a division of the Council of Better Business Bureaus, is a self-regulatory body that monitors websites for compliance with COPPA.  Although CARU's self-regulatory program is completely voluntary, CARU may refer cases to the FTC if companies refuse to respond to inquiry letters.  The FTC reviews CARU's case referrals to determine whether enforcement action is appropriate.  Although the FTC has initiated enforcement actions in response to CARU referrals in the past, the Clearwater Aquarium case is a reminder that the FTC may decide no further action is necessary.  

In the face of calls by the FTC for improved mobile privacy protections, as well as interest by members of Congress, mobile advertising companies are actively working on privacy initiatives.  Yesterday, a group of companies in the mobile advertising industry announced that they are working to create an industry standard for anonymous mobile device identification.  The Companies include Velti PLC, Jumptap, RadiumOne, mdotm, StrikeAd, Smaato, Adfonic and SAY Media.  This standard would replace the need to use unique device ID numbers.

Also this week, TrustE announced the creation of a tool to provide consumers with a single source of information about the information being collected from them both online and through mobile apps.  The TrustED Mobile Ads tool would allow consumers to opt out of receiving mobile ads through this unified platform.

These industry self-regulatory efforts come at a time when the FTC and members of Congress have expressed concern about consumer privacy in the mobile ecosystem.  As we previously reported, last month’s FTC report called for improved mobile privacy protections and urged the mobile industry to develop standards to address data collection, transfer, use, and disposal in the mobile context.  The topic will be addressed at a workshop that the FTC is hosting May 30, 2012.

By Daniel Kahn and Kerry Monroe

Following more than a year of deliberation, the Federal Trade Commission today released its seminal report on consumer privacy, entitled Protecting Consumer Privacy in an Era of Rapid Change.  The report contains “best practices” for businesses as well as recommendations to Congress for legislation.  The final report issued today builds upon and revises a preliminary FTC staff privacy report previously released in December 2010.  At a press conference announcing the release of today’s report, FTC Chairman Jon Leibowitz stated that in promulgating the report, the FTC does not “want to erect a stoplight” to innovation but rather to “monitor the traffic.” 

The report proposes that companies adopt “privacy by design” principles, provide consumers simpler choices about privacy, and offer greater transparency into their data practices.  The report also advocates data security and breach notification legislation as well as legislation concerning data brokers and asks Congress to consider baseline privacy legislation.  In addition, it outlines privacy regulatory priorities for the FTC for the next year, including Do Not Track, mobile, promoting self-regulatory codes, and addressing data brokers and “large platform providers.” 

Privacy Framework — Generally

The centerpiece of the report is a privacy “framework” recommended by the FTC.  Unlike some federal agencies, the FTC does not have general rulemaking authority, so the framework does not provide a set of binding rules.  Instead, the FTC describes its framework as a set of “best practices” designed to guide industry, consumers, and regulators.  However, as Commissioner J. Thomas Rosch notes in his dissent from the report, the FTC’s framework may provide guidance on when the FTC will exercise its authority to take enforcement action against “unfair” or “deceptive” trade practices.  Accordingly, the FTC’s framework is noteworthy.

Privacy Framework — Scope

Companies:  The framework generally applies to almost all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.  However, contrary to the preliminary staff report issued in December 2010, the final framework excludes entities that collect “only non-sensitive data from fewer than 5,000 consumers per year and do[] not share that data with third parties.”  Sensitive data includes, but is not necessary limited to, Social Security numbers and financial, health, children’s, and precise geolocation data.  The framework does not apply to the extent that a requirement would conflict with the requirements of a sector-specific privacy law such as GLBA or HIPAA.

Data:  Despite concerns raised by some commenters about the extent to which the framework should apply to data collected offline, the final report reiterated that that framework “applies in all commercial contexts, both online and offline.”  It also applies broadly to all “consumer data that can be reasonably linked to a specific consumer, computer, or other device.”  Companies may render data not “reasonably linked” and therefore not within the scope of the report if they: (1) take reasonable measures to ensure the data is de-identified, i.e. anonymized; (2) publicly commit to maintaining the data in de-identified form; and (3) prohibit, by contract, the re-identification of the data by any third parties to whom the company makes the data available.

Privacy Framework — Privacy By Design

In its report, the FTC continues to support the proposed “privacy by design” principles described in its draft report, which shift the burden away from consumers and place obligations on businesses to treat consumer data in a responsible manner.  The FTC does, however, respond to a number of comments on the principles, noting that broad support for the privacy by design concept was especially encouraging in light of the increasingly global nature of data transfers.

Providing Reasonable Security for Consumer Data:  The FTC makes note of a variety of data security protection initiatives implemented by certain private sector entities, and it calls on industry sectors to develop and implement best data security practices. 

Limiting Collection of Consumer Data:  In response to commenters’ concerns about vagueness and potential inflexibility in the FTC’s approach to limiting the collection of consumer data, the FTC clarifies the collection limitation principle as follows:  Companies should limit consumer data collection to that which is consistent with the context of a particular transaction or to the consumer’s relationship with the business, or as required or specifically authorized by law.

Implementing Reasonable Data Retention and Disposal Policies:  The FTC confirms its conclusion that companies should implement reasonable restrictions on the retention of data and should dispose of data once it has outlived the legitimate purpose for which it was collected.  Retention periods, however, can be flexible and scaled according to the type of relationship and use of the data.

Maintaining Reasonable Accuracy of Consumers’ Data:  The FTC agrees with commenters that the approach to maintaining the accuracy of consumers’ data should be flexible, scaled to the intended use of the data and the sensitivity of the information.  The maintenance of reasonable data accuracy is particularly important if the use of such data could cause significant harm or be used to deny consumers services.

Maintaining Comprehensive Data Management Procedures:  In response to comments in support of the preliminary staff report’s call for organizations to maintain comprehensive data management procedures, the FTC agrees that companies should implement accountability mechanisms and conduct regular privacy risk assessments to ensure that privacy issues are addressed throughout an organization.  The FTC describes its recent Google and Facebook settlements to illustrate how procedural protections might work in practice.  The FTC also calls on companies to look for new ways to protect consumer privacy throughout the life cycle of their products and services, including through the development and deployment of privacy-enhancing technologies.  Finally, the FTC recognizes that, although companies need to apply the substantive privacy by design elements to their legacy data systems, companies need a reasonable transition period to update their systems.

Privacy Framework — Simplified Consumer Choice

The report criticizes the previous “notice-and-choice” approach to privacy, which it asserts has resulted in long and incomprehensible privacy policies, many of which are presented on a take-it-or-leave-it basis.  The overall theme of the FTC’s framework is that, in contrast to what it describes as existing practices, consumers should have clear choices concerning their privacy, and their ability to exercise choice should be simplified. 

When Choice Is Required:  The framework first identifies situations in which choice is not required.  The overall principle adopted is that “whether a practice requires choice turns on the extent to which the practice is consistent with the context of the transaction or the consumer’s existing relationship with the business, or is required or specifically authorized by law.”  The report characterizes this contextual standard as a concrete approach that looks to objective factors rather than subjective consumer expectations.  Examples of data collection practices for which consent is not required include fulfillment, fraud prevention, internal operation, legal compliance, public purpose, and most first-party marketing (the last of which is subject to a number of exceptions, such as for first-party marketing that relies on sensitive information). 

What Choice Should Be Presented - Generally: The FTC states that companies generally should provide choices at a time and in a context in which the consumer is making a decision about his or her data.  Precisely how that choice will be given will depend on factors such as the nature or context of the consumer’s interaction with a company or the type or sensitivity of the data.

What Choice Should Be Presented - Special Circumstances: The FTC identifies a number of circumstances in which special principles should apply with respect to choice:

• Take-It-or-Leave-It: The FTC states that “take-it-or-leave-it” choice for “important products or services” raises concerns when consumers have few alternatives, such as, it asserts, in the market for broadband Internet access.
• Do Not Track:  The FTC continues to advocate providing a Do Not Track mechanism to give consumers choice concerning the collection of Web surfing data. 
• Large Platforms:  The report notes that the activity of “large platforms” such as ISPs, operating systems, browsers, and certain social networks raises special concerns due to their ability to collect information from a broad range of online activity.  The FTC raises concerns, in particular, about deep packet inspection by ISPs.
• Affirmative, Express Consent:  The FTC identifies at least two circumstances in which advance affirmative, express consent should be obtained: (1) before material retroactive changes to privacy practices are made, or (2) when collecting sensitive data for certain purposes.

Privacy Framework — Transparency

The report indicates that, while privacy notices should account for variations in business models, such notices should be clearer and shorter and should contain some standardized elements.  The FTC calls on industry sectors to develop standard formats and terminology for privacy statements applicable to their particular industries.  In the FTC workshop to be held later this year, one topic to be addressed is how mobile privacy disclosures can be short, effective, and accessible to consumers on small screens. 

The report also lays out a categorization of companies with regard to the reasonable extent of an individual consumer’s access to his or her own data.  These categories reflect different levels of data sensitivity: 

• First, the FTC recognizes that, for entities that maintain data for marketing purposes, the costs of providing individualized access would likely outweigh the benefits.  However, the FTC supports the idea of providing consumers with a list of categories of data that such entities hold and the ability to suppress the use of such data for marketing. 
• Second, the FTC observes that, where entities subject to the Fair Credit Reporting Act (“FCRA”) are concerned, the FCRA provides consumers with rights to access and correct their information. 
• Third, regarding entities not subject to the FCRA, but which maintain data for non-marketing purposes, the FTC supports a sliding scale approach, with a consumer’s ability to access his or her data scaled to the use and sensitivity to the data.  At a minimum, the report states, consumers should have access to the types of information such companies maintain about them and the sources of such information.  In appropriate circumstances, the FTC also urges companies to provide the names of third parties with whom consumer information is shared.

Legislative Recommendations: Baseline Privacy, Data Security/Breach Notification, and Data Brokers

In addition to providing its privacy framework detailed above, the FTC also made recommendations with respect to two key pieces of privacy legislation.  First, it called on Congress to “consider” enacting baseline privacy legislation that would provide clear standards and appropriate incentives across all industry sectors, while still being “technologically neutral” and “sufficiently flexible” to allow for innovation.  The FTC noted that any privacy legislation enacted by Congress would be more effective if the FTC were authorized to impose civil penalties for violations.  It also reiterated its earlier calls for federal data security and breach notification legislation, as well as targeted legislation allowing consumers to access and dispute data held by data brokers. 

Areas of Emphasis

Finally, the FTC identified five areas where it plans to be especially active during the next year:

Do Not Track (“DNT”): The report noted that several legislative proposals had called for the creation of a DNT mechanism, and the FTC praised the efforts of the browser vendors, the DAA, and the W3C.  However, the FTC warned that “the work is not done.”  The FTC will collaborate with these industry groups to complete implementation of a DNT system that is universal, easy to use, persistent, enforceable, and that allows consumers to opt out of the collection of behavioral data for all purposes (other than expected contextual uses).  

Mobile:  The report called for improved mobile privacy protections, including better disclosures.  Mobile privacy disclosures will be addressed during the workshop that the FTC is hosting on May 30, 2012, as part of its ongoing project to update the Dot Com Disclosures guidelines. The FTC also called on entities involved in the mobile ecosystem to develop standards addressing data collection, transfer, use, and disposal, particularly for location data. 

Data Brokers:  The report supported targeted legislation to provide consumers with access to information held by data brokers, similar to legislation that has already been introduced in data security bills in the 111th and 112th Congress.  The FTC also called on data brokers to create a centralized website where consumers can learn about the data brokers’ information-handling practices and the access rights they offer.

Large Platform Providers: The FTC noted that privacy concerns are heightened when “large platforms” – including ISPs, operating systems, browsers, search engines, and social media providers – comprehensively track consumers’ online activities.  The staff plans to host a public workshop in the second half of 2012 to explore collection, use, and competition issues. 

Promoting Enforceable Self-Regulatory Codes:  The report pledged that FTC staff will participate in the Department of Commerce’s ongoing project to facilitate the development of sector-specific codes of conduct.  The report took both carrot and stick approaches to the codes:  the FTC will view adherence to strong privacy codes “favorably” in connection with its enforcement actions, but the report warned that failure to abide by self-regulatory programs will continue to be an unfair or deceptive practice under the FTC Act. 

An action brought by the Electronic Privacy Information Center (“EPIC”) asking that the FTC be compelled to enforce its Google Buzz consent order (previously described, here) was dismissed by Judge Amy Berman Jackson of the United States District Court for the District of Columbia, who held that “enforcement decisions are committed to agency discretion and are not subject to judicial review.”

EPIC contended that Google’s announced changes to its user privacy policies for all of its services, scheduled to take effect on March 1, 2012, would violate various portions of the consent order Google reached with the FTC regarding its former social networking service Google Buzz by “altering the use of personal information” obtained by users and “consolidat[ing] user data from across [Google’s] services and creat[ing] a single merged profile for each user.”

Continue Reading

The FTC staff released a report today calling for participants in the mobile app ecosystem -- including app developers, app stores, and third parties who collect data through mobile apps -- to provide better privacy notices to parents about mobile apps directed to children, and warning that over the next six months, staff will be conducting additional reviews "to determine whether there are COPPA violations and whether enforcement is appropriate."

The report is based on the staff's survey of apps offered in the Android Market and the Apple App store. Staff focused on "the types of apps offered to children; the age range of the intended audience; the disclosures provided to users about the apps’ data collection and sharing practices; the availability of interactive features, such as connecting with social media; and the app store ratings and parental controls offered for these systems."

Notably, the report stated that the FTC expects the whole app ecosystem to "play an active role in providing key information to parents who download apps." Specifically, the report outlined the following:  

• App developers should provide parents information about (1) what information an app collects, (2) how the information will be used, and (3) with whom the information will be shared, using short disclosures or icons that are easy to find and understand on the small screen of a mobile device. App developers also should alert parents if the app connects with social media, or allows targeted advertising to occur through the app.
• Third parties that collect information through apps should disclose their privacy practices, whether through a link on the app promotion page or another easily accessible method.
• App stores should provide a more consistent way for developers to display information regarding their app’s data collection practices and interactive features. The FTC stated, for example, that app stores could provide a designated space for developers to disclose this information and standardized icons to signal specific features, such as connections with social media services. In addition, the FTC emphasized that app stores should be enforcing developer agreements that require developers to disclose the information their apps collect.

The report expressed a preference for disclosures that are provided prior to the parent's purchase of the app, noting that "[i]nformation provided to parents after downloading an app is, in staff’s view, less useful in the parent’s decision-making since, by then, the child may already be using the app and the parent already could have been charged a fee."

In addition, the report focused on disclosures involving in-app purchases, interactive features, and targeted advertising.  The report states that the FTC is considering whether additional protections are needed with respect to in-app purchase capabilities in apps for children.  It emphasized that "confusing and hard-to-find disclosures do not give parents the control that they need in this area." Staff believe that the presence of social features within an app is highly relevant to parents selecting apps for their children, and that such functionality should be disclosed prior to download.  And the report states that "parents need clear, easy-to-read, and consistent disclosures regarding the advertising that their children may view on apps, especially when that advertising is personalized based on the child’s in-app activities.”

As we have blogged about here and here, the FTC currently is reviewing its rules implementing the Children’s Online Privacy Protection Act, which governs the online collection, use, and disclosure of personal information from children under the age of 13.  

The Federal Trade Commission has announced that it will host a workshop on April 26, 2012, to discuss mobile payments.  In addition to exploring payment technologies and business models, the workshop will likely cover consumer protection issues such as the risks of financial loss, the need for information disclosures, data protection concerns, and the remedies available to consumers.  The FTC plans to bring together a variety of stakeholders – industry, consumer advocates, regulators, technologists, and academics – and welcomes public comments in advance of the event.

As we previously noted, the law governing mobile payments is a complex blend of existing federal laws as well as rapidly changing state laws.  The regulatory picture is further complicated by the number of federal agencies that could theoretically assert jurisdiction over mobile payments.  Besides the FTC, other agencies that might have an interest include the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Communications Commission, the Treasury Department's Federal Crimes Enforcement Network, and the Consumer Financial Protection Bureau. 

Yesterday, the FTC announced that it has settled charges against Upromise, Inc., a company that enables consumers to receive rebates when shopping at partner merchants.  (The rebates are placed in college savings accounts—hence Upromise’s name.)  According to the Commission’s complaint, Upromise offered online users a toolbar feature, which, when downloaded, would highlight Upromise’s partners in search engine results.  The toolbar feature also enabled users to choose to receive tailored advertising.  In connection with this aspect of the toolbar, the FTC alleged that Upromise (through an unnamed service provider) collected the names of all websites a user visited and all links clicked, as well as information that users entered into some webpages (which, in some cases, included credit card and financial account numbers, security codes, expirations dates and Social Security numbers). 

The Commission charged that the scope and frequency of the data collection was much broader than Upromise represented in its privacy statement.  The FTC contended that despite using a filter intended to limit the collection of PII, Upromise sometimes collected sensitive information, such as PIN numbers and security codes.  Finally, the FTC alleged that Upromise collected this information by causing the user’s browser to transmit it in clear text, which left it vulnerable to interception—particularly when users were connected to the Internet through unsecured wireless networks.  The FTC stated that by engaging in these practices, Upromise failed to adequately disclose the extent of its data collection and also “failed to provide reasonable and appropriate security for [the] consumer information” that was collected. 

Notably, the Commission described these alleged shortcomings in terms of Upromise’s failure to integrate privacy protections into the design and implementation of the toolbar feature (i.e., its failure to sufficiently adhere to the principle of “privacy by design,” which the Commission described in its December 2010 preliminary staff report).  For example, the complaint faulted Upromise for not testing the ad-tailoring feature or monitoring its collection of information after implementation to ensure that the collection was consistent with Upromise’s policies.  The complaint also alleged that Upromise had failed to ensure that employees responsible for creating and operating the feature received adequate training about security risks and Upromise's privacy and security policies.  Similarly, the Commission alleged that Upromise did not take appropriate steps to ensure that its service provider implemented the feature in a manner that was consistent with Upromise’s policies and the contractual provisions designed to protect consumer information. 

As in recent FTC settlements involving privacy and data security issues, the Upromise consent decree (among other things) would require the company to implement privacy by design in the form of a comprehensive information security program and obtain third-party audits for 20 years. 

Last week, the FTC announced that it has agreed to end its 18-month investigation of Facebook’s privacy practices, with a settlement that involved a twenty-year compliance plan and specific steps to formalize privacy within Facebook’s organization.  Though the proposed settlement, which will now be open for public comment, has met with a range of reactions, what we’re hearing most are questions about what the development means for the rest of the industry.

In its investigation, the FTC focused on a number of privacy practices that it claimed were misleading.  For example, the agency looked at changes that Facebook made to its privacy practices in 2009 that the FTC alleged led to changes in the privacy status of certain information.  The FTC also argued that Facebook hadn’t done enough to explain to users when their information might be shared with apps by their friends and how Facebook handled deletion of information.

In settling these charges, Facebook didn’t agree to these allegations or admit that it violated the law.  Instead, the company explained in a blog post that it signed the agreement to formalize its “commitment to do the things we’ve always tried to do and planned to keep doing -- giving you tools to control who can see your information and then making sure only those people you intend can see it.”  Facebook also said that it agreed to “embrace [the FTC’s] ideas” about how it could enhance its internal privacy practices.

So what lessons can you take from the Facebook agreement if you’re not Facebook and aren’t directly obligated to comply with its terms? 

Continue Reading

Last month, as we previously reported, the Federal Trade Commission (FTC) announced that it will host a December workshop to explore potential privacy and security implications raised by the increasing use of facial recognition technology.  Yesterday, Senator John D. Rockefeller IV (D-W.Va.), chairman of the Commerce, Science, and Transportation Committee sent a letter to the FTC commending the agency for its examination of this emerging technology and requesting a report following the workshop.  Senator Rockefeller indicated that the report should include potential legislative approaches to protect consumer privacy as facial recognition technology proliferates.

New uses for facial recognition technology are being deployed in both the public and private sectors.  The Federal Bureau of Investigations is working to activate a nationwide facial recognition service, Next Generation Identification, which will be available to law enforcement authorities in select states by January 2012.  And, as Senator Rockefeller noted in his letter, "facial recognition technology is already being put to use in a broad range of commercial areas," including real-time scanning to identify the demographic features of crowds or of individuals standing next to advertising displays, as well as scanning of photographs users upload to an online service to identify the individuals depicted in them.

The FTC workshop is scheduled for December 8, 2011, and Senator Rockefeller has requested that the FTC provide a preliminary report to the Senate Committee on Commerce, Science, and Transportation by February 8, 2012.

The House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade held the latest in its series of hearings on Internet privacy Wednesday morning. The hearing — titled “Protecting Children’s Privacy in an Electronic World” — focused on the Federal Trade Commission’s proposed updates to the regulations implementing the Children’s Online Privacy Protection Act (COPPA), which generally bars website operators from collecting or disclosing personal information from children under 13 without first obtaining parental consent. Lawmakers and witnesses also discussed whether Congress should enact additional legislation, particularly to protect teenagers. Click the jump to see a summary of some of the key issues addressed at the hearing and in witness’ prepared statements.

Continue Reading

The Federal Trade Commission announced this week that it will host a workshop to explore potential privacy and security implications raised by the increasing use of facial recognition technology.  The discussion will take place on December 8, 2011 in Washington, DC.

According to the FTC, the workshop, which is free and open to the public, may focus on topics including:

Continue Reading

By Lindsey Tonsager

This morning the FTC released its long anticipated proposed revisions to its rule implementing the Children’s Online Privacy Protection Act (“COPPA”).  COPPA governs (1) operators of websites and online services that are directed to children under the age of 13 and (2) operators of general audience websites or online services that have actual knowledge that a user is under 13. Below is a summary of the highlights.  Comments on the proposed revisions are due by November 28, 2011.

Continue Reading

Resolving the FTC's first complaint against a mobile app developer under the Children's Online Privacy Protection Act ("COPPA"), W3 Innovations, LLC, a developer of children's games for the iPhone and iPod touch, has agreed to pay $50,000 to settle allegations that it collected and disclosed the personal information of thousands of children under the age of 13 without first providing parents notice of their children's privacy practices or obtaining parental consent.

The FTC alleged that several of the mobile apps operated by W3 Innovations, including the Emily's Girl World app, Emily's Dress Up app, Emily's Dress Up & Shop app, and Emily's Runway High Fashion app, are directed to children under the age of 13.  In addition to collecting and maintaining children’s email addresses, the FTC claimed that the defendants also allowed children to publicly post personal information, including their full names, on message boards in violation of COPPA.

The settlement provides industry guidance on a few of the issues that the FTC raised as part of its 2010 COPPA Rule review and is a reminder that the FTC may decide to resolve some of these issues through enforcement actions rather than through the rulemaking process.  For example, the FTC's 2010 Notice of Inquiry on COPPA asked for comment on how the definition of "Internet" applies to mobile communications.  The FTC's complaint clarifies that the FTC believes COPPA is broad enough to cover mobile applications.  The complaint also clearly defined the term "online service" for the first time, stating that W3 Innovations' mobile apps are "online services" covered by the COPPA rule because they "send and receive information via the Internet." 

As we blogged about here, the FTC has told industry to expect more enforcement actions against mobile app developers under Section 5 of the FTC Act.  This settlement suggests that the FTC also plans to use its enforcement authority under COPPA to help ensure that mobile app developers fulfill their obligations to protect children's privacy.  

Your company has just launched an innovative new social media service, and you’ve received fanfare from the press, increased website traffic, and a spike in advertising revenues.  In short, the service is a complete success — until you’re served with a class action complaint seeking millions of dollars in damages and a civil investigative demand from the FTC.  What did you do wrong, and what can you do to get out of this mess?

That’s the question that I recently explored as a part of a panel at the summer meeting of the Virginia Bar Association on the benefits and risks of social media.  On the panel, we discussed the many ways that social media has influenced law and policy over the past few months and highlighted what businesses and their lawyers need to understand about privacy issues online in order to avoid litigation and regulatory enforcement. 

One of the main reasons that companies face litigation and investigations in the social media area is that they haven’t fully evaluated the information that they are collecting through social media and how that information is (or could be) used.  That is why the discussion on privacy today is coalescing around the concept of “privacy by design,” which Kashmir Hill at Forbes recently described as companies “bak[ing] privacy into their products” rather than considering privacy only reactively.  (You can read more about privacy by design here.)

Continue Reading

Jon Leibowitz, chairman of the Federal Trade Commission, and Cameron Kerry, general counsel of the Department of Commerce, spoke today about the need for industry codes of conduct to address emerging privacy issues.  They were the featured speakers at an event held by the Brookings Institution on strategies to protect consumer privacy while ensuring continued innovation on the Internet.

As we previously discussed, the Commerce Department has called for baseline consumer privacy protections that would serve as the basis for codes of conduct that specify how the baseline principles apply in particular contexts.  At today’s event, Kerry provided more detail about the Department’s proposal.

Continue Reading

By Katie Keith

Yesterday, two Subcommittees of the House Energy and Commerce Committee (Commerce, Manufacturing and Trade and Communications and Technology) held a joint hearing entitled “Internet Privacy:  The Views of the FTC, the FCC, and NTIA” that featured testimony from FCC Chairman Julius Genachowski, FTC Commissioner Edith Ramirez, and NTIA Assistant Secretary Lawrence Strickling.  Topics discussed included the need for privacy and data security legislation, the development of baseline governing principles, and current efforts by each agency to engage stakeholders on these issues. 

Legislators from both Subcommittees recognized the economic and social value of the Internet throughout the hearing and emphasized that nearly every aspect of our daily lives now has an online component.  Despite its “incalculable value,” the Chairwoman of the Subcommittee on Commerce, Manufacturing and Trade, Rep. Mary Bono Mack (R-Cal.), characterized the Internet as a “work in progress” and expressed concerns shared by many Members of the two Subcommittees over the collection, use, sharing and protection of online data and the need to improve consumer education.  The witnesses generally shared these concerns, and although their testimony did not reflect a shift in policy at the FTC, FCC, or NTIA, the dialogue between the legislators and regulators did shed light on the current state of thinking about privacy regulation at the federal level. 

Continue Reading

As we previously discussed, the House Energy & Commerce Committee announced last month that it would be undertaking a comprehensive review of electronic privacy concerns.  That process will kick off on July 14, 2011 with a joint hearing by the Commerce, Manufacturing, and Trade Subcommittee and the Communications and Technology Subcommittee. 

Regulators from the Federal Communications Commission, the Federal Trade Commission, and the National Telecommunications and Information Administration have been invited to report on existing federal laws and practices to protect online consumer privacy.  FCC, FTC, and Commerce Department representatives also testified last week before the Senate Commerce Committee, which is similarly analyzing privacy and data security issues. 

Continue Reading

by Rob Sherman and Allison Ray

The FTC’s recent announcement [PDF] that it will update its decade-old guidance on online advertising—known as Dot Com Disclosures [PDF]—has inspired animated industry discussion.

In its request for comments, the FTC highlighted that forums for online advertising that we take for granted today -- such as social media and mobile apps -- didn't exist when the Disclosures were released in 2000, and so the guidelines will need to be updated to address these new forms of communication.  (Eric Robinson discusses this point in his post at the Citizen Media Law Project,)  For companies that place or distribute online advertising, these changes may have a particularly significant impact, particuarly since they will need to be framed in a way that is flexible enough to account for changes in the industry and technology that we haven't yet seen. 

When they were first released, the FTC intended the Dot Com Disclosures to import traditional advertising disclosure rules into the online context. The guidelines set a performance standard for disclosures rather than a technical checklist, allowing marketers some flexibility in creating disclosures as long as disclosures met a “clear and conspicuous” standard. Both the FTC and industry commenters noted the danger of creating overly rigid rules at a time when consumer understandings and the internet itself were constantly transforming.

Continue Reading

The Federal Communications Commission is seeking public comment on the use of location-based services in connection with a forthcoming staff report.  Comments are due to the FCC by July 8, 2011.

The agency also is teaming up with the Federal Trade Commission to host an educational forum on June 28, 2011, to help consumers understand the privacy implications of location-based services.  Representatives from mobile phone carriers, technology companies, consumer advocacy groups, and academia will discuss how these services work; their benefits and risks; industry best practices; and what parents should know about location tracking when their children use mobile devices.  

Location-based services have been the topic of a number of recent Congressional hearings.  Part of the focus at the most recent of these hearings was on children’s privacy.  Senator Rockefeller, Chairman of the Senate Commerce Committee, has sent letters to Apple, Google, and the Association for Competitive Technology with questions to help determine whether the applications running on their mobile platforms comply which the Children's Online Privacy Protection Act (COPPA).

By David Fagan and Josephine Liu

The Obama Administration today sent Congress its long-awaited legislative proposal for improving U.S. cybersecurity.  The proposal is in the form of individual legislative amendments tackling various issues, packaged together as a comprehensive legislative framework.  As we previously discussed, cybersecurity is a subject of interest in both chambers of Congress.  Senate Majority Leader Harry Reid and six Senate committee chairs requested last July that President Obama provide input on cybersecurity legislative reforms; today’s proposal responds to that request. 

While the legislative proposals are extensive – the complete section-by-section analysis is, on its own, more than 20 pages – the following provisions are likely to be of particular interest for businesses operating in this space:

• National data breach notification.  The proposals would seek to create, for the first time, a unified federal standard for notification to customers in the event of a security breach.  Specifically, business entities would be required to notify customers following the discovery of a security breach involving sensitive personally identifiable information, and also to notify law enforcement and national security authorities under certain circumstances.  These provisions would preempt the 47 existing state data breach notification laws, and would be enforced by the FTC and state attorneys general. 
• Development of critical infrastructure cybersecurity plans.  DHS would work with industry, through a rulemaking process, to identify core critical infrastructure operators and specific risks.  An entity would not be designated as a critical infrastructure operator unless (1) disruption of the entity’s operations would have a debilitating effect on national security, national economic security, or national public health or safety; and (2) the entity depends on information infrastructure to operate.  Operators designated under this process would be responsible for developing cybersecurity risk mitigation plans, which would be assessed by third-party auditors.  DHS would be authorized to enter into discussions or take other action if operators’ plans are insufficient. 
• Voluntary sharing of cybersecurity threat information.  The proposal would authorize private entities to share cybersecurity threat information with DHS, and would provide them with immunity for doing so.  DHS would be tasked with developing policies and procedures to minimize the impact on privacy and civil liberties and to prevent misuse of the shared information. 

Continue Reading

By David Fagan & Libbie Canter

Last week, Congressman Bobby Rush (D-Ill.) reintroduced the Data Accountability and Trust Act (H.R. 1707).  During the 111th Congress, the House of Representatives approved the same measure by voice vote, but the legislation, introduced in the Senate by Senators Jay Rockefeller (D-WV) and Mark Pryor (D-Ark.), did not make it out of the Senate Commerce Committee before the end of the session.  The legislation would create a federal breach notification standard and authorize the FTC to promulgate information security and data disposal regulations.

• Scope.  The legislation covers persons engaged in interstate commerce, with certain additional requirements applicable to information brokers.  The provisions generally apply to the ownership or possession of personal information, which is defined as a person’s “first name or initial and last name, or address, or phone number, in combination with any 1 or more of [certain] data elements.”  Those data elements include social security number, driver’s license number, other government-issued identification numbers, and financial account numbers. 
• Breach Notification.  Following discovery of any unauthorized acquisition or access to electronic data containing personal information, businesses typically would be required to notify the FTC and any resident of the United States whose personal information was acquired or accessed.  Where notice is required to 5,000 or more individuals, the major credit reporting agencies would also need to be notified.
  • Timing.  Under the bill, notification would be required not later than 60 days following discovery of the breach, with a limited number of exceptions available.
  • Content Requirement.  Consumer notifications would be required to include the date of the breach; a description of the personal information accessed; a telephone number for further inquiries; notice that the individual is entitled to receive certain credit protection products at no charge (which the Act would require businesses to furnish); and contact information for the major credit reporting agencies and the FTC.
  • Obligation to Furnish Credit Products.  The bill indicates businesses will be required to provide or arrange for the provision of free consumer credit reports on a quarterly basis and credit monitoring to affected individuals for a period of two years following a breach.  The bill directs the FTC to promulgate rules with respect to the circumstances in which such credit products will be required to be offered.
  • Risk of Harm.  There is no notification requirement or other obligations on a business if it determines there is no reasonable risk of identity theft, fraud, or other unlawful conduct.  This is presumed to be the case if the data is encrypted or otherwise unreadable, although the bill directs the FTC to promulgate regulations on the technologies that adequately render data unreadable.
  • Service Providers.  Third parties contracted to maintain or process data and service providers would be required to notify the owner of the information, which would then have the obligation to notify the FTC and consumers.

Continue Reading

Yesterday, Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection, testified before a subcommittee of the House Ways and Means Committee on the use of social security numbers (SSNs) in identity theft. In addition to providing background information on the use of SSNs in identity theft and the FTC’s recommendations for preventing misuse of SSNs, the testimony described the Commission’s approach to combating identity theft. Key aspects of the FTC’s approach include:

• The FTC has brought 32 law enforcement actions since 2001 against businesses, including pharmacies and credit report resellers, that failed to protect sensitive consumer information in violation of the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the FTC Act, and other consumer protection laws.
• The FTC manages and makes available to federal and state law enforcement the Identity Theft Clearinghouse, an online database of identity theft-related complaints.
• The Commission provides educational outreach to consumers and businesses in order to raise awareness about identity theft and outline precautions to be taken to prevent it.

I attended the ABA's Antitrust Law Spring Meeting the last two days.  What struck me the most was the increased prominence of data and privacy as factors in analysis of markets and competition in antitrust law.  This was the topic in the Chairman's Showcase session on Thursday.  Julie Brill, the FTC Commissioner, perhaps made the point the best.  She explained that if privacy is becoming a competitive differentiator (e.g., consumers are persuaded to use one service over another because the chosen service has better privacy practices), then privacy is clearly a non-price factor in competition law analysis.  Commissioner Brill provided an overview of the FTC's report on consumer privacy and emphasized three parts of the report: privacy by design, transparency and choice.  She also emphasized that the FTC was focused on the fact that technical approaches to privacy solutions could impact competition in the market.  However, her view was that standards bodies would mitigate against this concern.  Ken Anderson, Assistant Commissioner for Privacy in Ontario provided an explanation of privacy by design.  Much of the information from his presentation is readily available in a useful video presentation at  www.privacybydesign.ca. 

HP demonstrated an automated tool that it is testing as part of its privacy by design implementation which looked impressive. The HP "Accountablity Model Tool" sends records and reports to the HP privacy office as products are developed.  Google introduced the audience to the "data liberation front" which enables users to extract their data from Google products - see www.dataliberation.org.

Continue Reading

Just a week after the Obama Administration announced its support for comprehensive privacy legislation in testimony before the Senate Commerce Committee, Senator John Kerry (D-Mass.) has released a draft bill that attempts to respond to the Administration's call for broad baseline privacy protections for consumers.   Kerry's bill, which is co-sponsored by Senator John McCain (R-Ariz.) is still undergoing revisions, but a draft [PDF] was released to the public earlier this week. 

We have closely followed congressional efforts on privacy legislation over the 112th Congress and would offer this high level overview of how the Kerry/McCain legislation stacks up against other efforts:

• The draft envisions a significant role for the FTC and includes provisions requiring the FTC to promulgate rules on a number of important issues, including the appropriate consent mechanism for uses of data.  The FTC would also be tasked with issuing rules obligating businesses to provide reasonable security measures for the consumer data they maintain and to provide transparent notices about data practices.
• The draft also states that businesses should "seek" to collect only as much "covered information" as is reasonably necessary to provide a transaction or service requested by an individual, to prevent fraud, or to improve the transaction or service.  
• "Covered information" is defined broadly and would include not just "personally identifiable information" (such as name, address, telephone number, social security number), but also "unique identifier information," including a customer number held in a cookie, a user ID, a processor serial number or a device serial number.  Unlike definitions of "covered information" that appear in separate bills authored by Reps. Bobby Rush (D-Ill.) and Jackie Speier (D-Cal.), this definition specifically covers cookies and device IDs.
• The draft encompasses a data retention principle, providing that businesses should only retain covered information only as long as necessary to provide the transaction or service "or for a reasonable period of time if the service is ongoing." 
• The draft contemplates enforcement by the FTC and state attorneys general.  Notably -- and in contrast to Rep. Rush's bill -- the draft does not provide a privacy right of action for individuals who are affected by a violation. 
• Nor does the bill specifically address the much-debated "Do Not Track" opt-out mechanism that was recommended in the FTC's recent staff report on consumer privacy.  (You can read our analysis of that report here.) 

As noted above, the draft is reportedly still a work in progress.  Inside Privacy will provide additional commentary on the Kerry legislation and other congressional privacy efforts as they develop.     

Earlier this week, the Federal Trade Commission announced that it has reached a settlement with Chitika, Inc., an ad network that tracks a user’s online activities in order to deliver advertising targeted to the individual user's interests.  In its complaint, the FTC claimed that Chitika made statements that (1) users could opt out of targeted advertising by clicking on an "Opt-Out" button and (2) users who clicked on the button "are currently opted out." The FTC also alleged that Chitika's cookie-based opt-out mechanism lasted only 10 days, and that Chitika did not inform users about the duration of the opt-out.  The FTC claimed that Chitika's statements constituted a representation that Chitika's opt-out will last for a "reasonable period of time," and that because 10 days is not a reasonable period, its statements were deceptive. 

As part of the settlement, Chitika must include a hyperlink in every targeted ad that takes consumers to a clear opt-out mechanism.  User opt outs must be effective for at least five years. 

The settlement may help inform industry's ongoing development of innovative opt-out tools for consumers to control whether information is used for targeted advertising.  The Consent Order not only suggests that five years is a "reasonable" period of time for a user's opt-out selection to last, but it also reaffirms that cookie-based opt-out methods are an acceptable means for allowing consumers to opt out of targeted adverting.   Importantly, the Consent Decree carves out from the five-year effective period scenarios where a user deletes his or her cookies or takes deliberate action to disable the mechanism. 

Last Friday, the U.S. Court of Appeals for the D.C. Circuit issued its opinion in litigation between the American Bar Association (ABA) and the Federal Trade Commission (FTC) over the scope of the FTC’s Red Flags rule.  The Court held the ABA's claims moot in light of recently-enacted legislation.   

The Red Flags rule requires covered entities to design and implement identity theft prevention programs.  In August 2009, the ABA challenged the FTC’s authority to enforce the rule with respect to attorneys.  In December 2010, Congress passed the Red Flag Program Clarification Act, which amended the definition of “creditor” in the underlying statute to limit the scope of the FTC’s rule.  We covered in previous blog posts the Act as well as supplemental briefs (here and here) filed by both parties arguing over the Act’s impact on the litigation.  The Court held that the ABA’s claims were now moot because the Act caused there to no longer be a case or controversy. 

The ABA’s claims for injunctive relief were premised on the original definition of “creditor” prior to passage of the Act.  The Court stated that “the policy, rule, and statute that gave rise to [the] suit are no longer in the same posture.”  The Court acknowledged that the FTC could promulgate new regulations seeking to subject attorneys to the Red Flags rule but dismissed it as a mere “hypothetical possibility” not giving rise to a live dispute. 

FTC Chairman Jon Leibowitz applauded the Court’s decision for vindicating the FTC’s contention that the case should be dismissed.

We have previously reported on the Federal Trade Commission’s December 2010 preliminary staff report, “Protecting Consumer Privacy In An Era of Rapid Change.”  With the February 18, 2011 extended deadline to comment on the report quickly approaching, the Berkeley Center for Law & Technology held a roundtable on Browser Privacy Mechanisms last week. 

Participants included spokespersons from the FTC, privacy groups such as the Center for Democracy & Technology and Electronic Frontier Foundation, representatives from Microsoft, Google, and Mozilla, and leading academics and technologists.

FTC Commissioner Julie Brill noted that although most of the buzz around the preliminary staff report has focused on Do Not Track, the report has three principle components—Privacy By Design, Choice, and Transparency.  She commented that although industry has been slow to deal with these issues in the past, the response this time appears to be much stronger and more focused.  As of the roundtable, the FTC already had received more than 200 comments and expects the Commission’s server to be tested by the volume of comments anticipated on the deadline. 

Brill also outlined the five components by which FTC will judge a choice mechanism offered to consumers (whether through a self-regulatory mechanism or congressional action).

Continue Reading

We have previously blogged on the FTC’s privacy report on “Protecting Consumer Privacy in an Era of Rapid Change” and the Department of Commerce’s Green Paper on “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.”  We have also published client alerts on the FTC report and the DOC green paper.  In this and two subsequent blog posts, I will share some observations on themes in these proposed frameworks that have implications for how companies approach their IT contracts.  

My first observation is that both the report and the green paper emphasize the need for a coordinated and well managed set of policies with respect to privacy and security arrangements in contracts with third party business partners. 

The FTC’s framework advocates for “privacy by design” where companies promote consumer privacy throughout their organizations.  As companies’ operations are supported by a complex mix of internal and external IT resources, privacy by design necessitates that privacy and security considerations be addressed in every contract with an external IT service provider. 

The DOC focus is on broader adoption of better Fair Information Practice Principles (FIPP) backed up by the ability to assess and audit compliance.  In relation to external IT resources, that ability to assess and audit is wholly dependent on the terms of the contract between the customer and the provider.  IT contracts also need to require that the provider comply with the customer’s policies on FIPPs. 

Continue Reading

Here’s a five-minute overview of the five major bodies that will influence the privacy, data protection and data security areas as we start 2011.

1.       The Federal Trade Commission.  The FTC’s privacy efforts focus on the FTC Act’s broad prohibition against “unfair or deceptive” acts or practices.  The FTC also has played a valuable role in providing guidance to companies on appropriate privacy practices and has fostered valuable groups heading up industry self-regulatory efforts.  But in December 2010, the FTC signaled that “self-regulation has not kept pace with technology.”  The FTC’s report suggests a new normative framework for all commercial entities -- online and offline -- that handle any data that “can be reasonably linked to a specified consumer.”  The report has three core principles:

• Privacy by Design.  Companies should adopt practices to limit data collection, protect data that is collected, implement reasonable data retention periods, and ensure the accuracy of data as part of the design of their products and services.
• Choice.  Companies should provide real choices to consumers, unless data is collected for “commonly accepted practices.”  These choices should be clear and presented at the point where data is provided.  A do-not-track option for targeted advertising also is suggested.
• Transparency.  The FTC calls for privacy policies that are short, clear and standard.

Comments are due February 18, and the FTC will issue a final report in the late spring.

2.       The Obama Administration.  The Department of Commerce in December 2010 issued a “green paper” on privacy practices in the commercial sector.  It recommends adoption of a national framework that would be built around a set of “fair information practice principles,” many of which would track the FTC’s recommendations.  However, the Commerce approach is more encouraging to industry self-regulation than the FTC.  It suggested that those adhering to self-regulatory guidelines might gain the benefit of a safe harbor.  Comments on its report are due on January 28.

3.       Congress.  Privacy bills were introduced in the last Congress, after much study and debate, but the 111th Congress expired without new legislation.  Whether the 112th Congress will start with a march toward legislation is an open issue.  My colleague Gerry Waldron has a post that provides a great look at the prospects for legislation.  In short, the Senate Commerce Committee may be able to move more quickly than the House Commerce Committee, given the significant changes in membership on the House side.

4.       The Plaintiffs’ Trial Bar.  More than 35 major privacy lawsuits were filed in 2010.  The lawsuits have targeted unexpected sharing of consumer data with third parties.  They also have focused on new tracking technologies that are alleged to circumvent user control, such as “Flash cookies,” “history sniffing,” “cookie re-spawning” and “deep packet inspection.”  Privacy litigation can be expected to be a significant focus in 2011.

5.       The European Commission.  And if the developments on this side of the Atlantic weren’t enough, consider that the 1995 EU Data Protection Directive will be reconsidered in 2011.  The safe harbor -- the EU regulation that permits data to pass from countries that have privacy laws on par with Europe and those, like the U.S., that don’t -- also is being reconsidered on its 10-year anniversary.  Some 2,500 companies and organizations now are certified under the safe harbor, which raises the stakes for American industry.

Adobe's Flash Player includes a local storage feature that enables websites and applications to remember consumer data, such as log-in credentials and form information.  However, media and data companies' use of this feature, which is sometimes referred to as a "Flash cookie," has been the subject of a number of recent lawsuits.  Specifically, plaintiffs allege that defendants used the local storage feature to keep regular HTTP cookies alive, even after a user deleted them.  

Earlier this week, Adobe announced that it is taking steps to improve consumers' control over the information that is stored in local storage.  This move follows the FTC's request in its recently released preliminary staff report for companies to "create better tools to allow consumers to control the collection and use of their online browsing data."  Adobe's announcement is another example that industry is taking the FTC's call for "do-not-track" mechanisms seriously. 

Last week, the FTC filed a complaint against an Internet-based enterprise that allegedly caused hundreds of thousands of consumers to pay millions of dollars in unauthorized credit card charges.  According to the complaint, the defendants’ websites advertise the availability of government grants to pay personal expenses and offer “free” information at no risk.  The websites ask consumers to provide credit or debit card numbers to pay a small shipping and handling fee, but consumers are charged large one-time fees of up to $129.95 and monthly recurring fees of up to $59.95 for the grant services. 

The FTC also has accused the defendants of posting deceptive positive reviews and testimonials.  The FTC has asked for the court to order refunds for affected consumers and for disgorgement of all ill-gotten payments, among other relief.

Over the weekend, President Obama signed into law the "Red Flag Program Clarification Act of 2010."  The Act is intended to narrow the types of entities that are subject to the Federal Trade Commission’s Red Flags rule, which requires financial institutions and creditors to take certain steps to prevent identity theft.  More information on the Act is available in our prior post and client alert.   

Last week, Congress delivered to President Obama for his signature the “Red Flag Program Clarification Act of 2010,” which is intended to narrow the types of entities that are subject to the Federal Trade Commission’s Red Flags rule.  The Red Flags rule requires “financial institutions” and “creditors” to establish programs to detect, prevent, and mitigate identity theft in connection with consumer accounts.  The Act, which President Obama is expected to sign into law before the end of this year, is designed to exclude from Red Flags rule compliance certain classes of entities that the FTC previously determined could be creditors, such as doctors, lawyers, accountants, pharmacists and others who deliver services before receiving payment.

We've prepared a client alert that includes a more detailed summary of the new legislation.

The FTC today released its long-anticipated privacy report, "Protecting Consumer Privacy in an Era of Rapid Change."  The report proposes a new privacy framework that would apply broadly to online and offline commercial entities that collect, maintain, share, or otherwise use consumer data that can be reasonably linked to a specific consumer, computer, or device.

Although most of the discussion of the report so far has been on its recommendation that Congress implement "do-not-track" legislation -- particularly in light of the House Subcommittee on Commerce, Trade, and Consumer Protection hearing on the subject -- the FTC's report includes a number of other significant proposals, including:

• introducing the concept of "privacy by design," which would push companies to adopt more rigorous internal privacy policies and to implement privacy protections throughout their organizations
• clarifying that companies do not need to provide users' choice for "commonly accepted practices," and seeks comment on how this term should be defined
• claiming that pre-checked boxes are not effective means of obtaining meaningful, informed consent
• encouraging companies to standardize the format and terminology for describing data practices across industries so that consumers can more easily compare companies' privacy practices and seeks comment on the feasibility of this approach.

We've just released a client alert that provides more detail on the report's key principles and analyzes how the FTC's new privacy framework is likely to affect businesses in the future.  The alert also focuses on the many questions that the FTC has asked industry to comment on between now and January 31.

• Covington Alert: FTC Announces Proposed Framework for Regulating Consumer Privacy