OBA Accountability Program: A Recap of What Happened in November
The Online Internet-Based Advertising Accountability Program issued five decisions in November enforcing the Digital Advertising Alliance’s Self-Regulatory Principles for Online Behavioral Advertising. The Accountability Program’s first two decisions, issued November 18 against BMW of North America and Scottrade, addressed those companies’ failure to provide notice of third-party data collection on their websites. On November 20, the Accountability Program issued three more decisions stemming from a recent online behavioral advertising campaign by personal genomics and biotechnology company 23andMe.
Online
Texas AG Objections To Transfer of Personal Data Demonstrate Significance of Privacy Policy Disclosures
Last week, dating website PlentyOfFish withdrew its offer to buy bankrupt rival True.com, citing concerns raised by Texas Attorney General Greg Abbott that the sale would violate True.com’s privacy policy and expose its members to unexpected privacy risks. Two weeks ago, Abbott filed an objection in U.S. Bankruptcy Court to block the proposed transfer of True.com’s membership database, which contains personal information about the website’s 43 million subscribers. True.com has been in Chapter 11 bankruptcy proceedings since 2012.
The Texas Attorney General objected to the proposed sale on the grounds that it was inconsistent with True.com’s privacy policy, which Abbott argued “contains ambiguities as to whether Customers will have a right to opt-out or opt-in to consent to the transfer of their [personal information].” As part of the bankruptcy proceeding, True.com had entered into an Asset Purchase Agreement with PlentyOfFish, another popular dating website, under which PlentyOfFish would gain access to True.com’s extensive database of members’ personal information. But last week, PlentyOfFish withdrew from the Asset Purchase Agreement, citing the Texas Attorney General’s objection. In a letter filed with the court on October 23, PlentyOfFish stated that the transfer of True.com’s customer information “do[es] not appear to be legal, valid and effective,” and that the sale “appears to violate Seller’s privacy policy which affects and binds Seller’s assets.” Markus Frind, the CEO and founder of PlentyOfFish, addressed the problem candidly in his blog, asking “Who in their right mind is going to buy a dating site with 43 million members if you are not allowed access to those members?”
European Regulators and the Eternal Cookie Debate
By Dan Cooper and Mark Young
This week, the Article 29 Working Party (the “WP29”) released an opinion paper on what constitutes “consent” for purposes of complying with the EU’s “cookie” rules — rules that were revised to include a consent requirement nearly four years ago. The paper will be relevant to website providers that are subject to the EU’s cookie regime.
The timing of the paper is curious. After EU Directive 2009/136, amending Directive 2002/58, was passed in 2009, the market was in a state of limbo as Member States worked out what the consent rules meant and how to implement them in national law. To everyone’s relief, a consensus slowly began to emerge, arguably spurred by guidance from the UK Information Commissioner’s Office (the “ICO”) in late 2011 and May 2012. Now, the latest WP29 guidance — which is not legally binding but carries significant weight — threatens to revive the old debate and compel industry to revisit issues that many thought were resolved.
For example, the paper suggests that going forward websites “operating across all EU member states” — although it is not clear what this actually means — will need to adopt the following mechanisms to ensure that user consent is valid:
- Specific information. In addition to other relevant disclosures, operators will have to inform users about how to accept all, some or no cookies, and how they can change their preferences in the future.
- Prior consent. Website operators will be expected to obtain consent from users before deploying non-essential cookies, such as analytics or behavioral advertising cookies, on the user’s device.
- Affirmative action. Even more controversially, websites will have to capture affirmative user consent through the clicking of a button or a link, or the ticking of a box positioned near the relevant cookie notice (as opposed to passive pop-ups or banners, commonly used by industry at present). The WP29 also points out that information on cookies should remain visible on the site until the user has expressed his or her consent, which again runs contrary to current practices.
- Real choice. Users should be given a real choice about the types of cookies deployed on their machine, which in practice would mean being allowed to access a website without accepting non-essential cookies. Such granularity is only a recommendation and it remains to be seen how, and if, it will be adopted by websites.
DAA to Website Operators: Provide “Enhanced Notice” of OBA by January 1
Earlier this week, the organization that enforces the Digital Advertising Alliance’s Self-Regulatory Principles for Online Behavioral Advertising issued a “Compliance Warning” to website operators, advising them to provide “enhanced notice” on every web page where data is being collected or used for online behavioral advertising (“OBA”) by January…
CA Governor Signs Bill Providing Online Protections For Minors
Earlier this month, we blogged about the California Senate’s passage of the bill titled “Privacy Rights for California Minors in the Digital World”, which prohibits certain targeted advertising to California minors and requires that minors be allowed to delete materials they have posted online. Yesterday, California Governor Jerry Brown signed…
CA Legislature Passes Bill Establishing Online Protections for Minors
Last Friday the California Senate unanimously passed legislation titled, “Privacy Rights for California Minors in the Digital World,” which prohibits certain types of marketing to minors (defined as a natural person under the age of 18 residing in California) and allows minors to delete materials they have posted online. The bill, which already cleared the California Assembly, now has been sent to Governor Jerry Brown for approval. If signed into law, the legislation would be effective beginning January 1, 2015.
The bill, S.B. 365, which was introduced by Senator Darrell Steinberg, adds two new sections to the California Business & Professions Code.
Section 22580 would:
- Prohibit an operator of a website, online service or application, or mobile application that is directed to minors from marketing or advertising on the service or application certain enumerated products or services that minors cannot otherwise legally purchase or use. While some of these products and services may be obvious—e.g., alcohol, firearms, tobacco, and obscene materials—others—e.g., tanning and etching cream that is capable of defacing property—may be less so.
- Prohibit an operator of a website, online service or application, or mobile application from marketing or advertising the enumerated products or services where the operator has actual knowledge a minor is using its service or application, if the marketing or advertising is directed to that minor based on information specific to the minor such as profile, activity, address, or location, but excluding IP addresses and product identification numbers. The operator shall be deemed in compliance with this provision if it takes reasonable actions in good faith designed to avoid marketing or advertising under these circumstances.
- Prohibit an operator of a website, online service or application, or mobile application that is directed to minors or who has actual knowledge that a minor is using its service or application from knowingly using, disclosing, or compiling the personal information of a minor (or allowing a third party to do so) with actual knowledge that such activity is for purposes of marketing or advertising the enumerated products or services to that minor.
- These prohibitions do not apply, however, to the incidental placement of products or services embedded in content, if the content is not distributed by or at the direction of the operator primarily for the purposes of marketing and advertising the enumerated products or services.
- Additionally, “marketing or advertising” is defined to require an “exchange for monetary compensation” in order “to make a communication to one or more individuals, or to arrange for the dissemination to the public of a communication, about a product or service the primary purpose of which is to encourage recipients of the communication to purchase or use the product or service.” Thus, social media content or applications that only promote an enumerated product or service without paid placement would not fall within the scope of the bill.
Bill Adding Do-Not-Track Disclosures to CalOPPA Passes California Senate
Last week the California Senate unanimously approved a bill requiring that operators of commercial websites and online services that collect personal information disclose how they respond to “do-not-track” signals from web browsers and whether they allow third parties to engage in online tracking. The legislation, which was introduced by Assemblyman Al Muratsuchi, has been sponsored by CA Attorney General Kamala Harris.
The proposed new law would amend the California Online Privacy Protection Act (“CalOPPA”), which requires that covered websites conspicuously post a privacy policy disclosing certain information and practices. Specifically, the bill adds new requirements that a privacy policy:
- “disclose how the operator responds to Web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection”; and
- “disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”
The operator may satisfy the disclosure regarding how the operator responds to do-not-track signals by “providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”
The DAA Principles Applied to Mobile: Key Takeaways
The Digital Advertising Alliance (“DAA”) recently released a guidance document titled Application of Self-Regulatory Principles to the Mobile Environment (“Mobile Guidance”). The Mobile Guidance does not purport to establish new principles, but rather to explain how the DAA’s existing principles — the Self-Regulatory Principles for Online Behavioral Advertising and for Multi-Site Data — apply to the “mobile Web site and application environment.” Still, the Mobile Guidance contains a considerable amount of new direction that should interest publishers, advertisers, and other companies that operate in the online advertising space. Below is an overview of key takeaways from the Guidance.
The Guidance explains how companies operating in the mobile space should provide consumers “transparency” and “control” (i.e., notice and choice) in connection with four types of data: Multi-Site Data, Cross-App Data, Precise Location Data, and Personal Directory Data.
Although the DAA’s definitions of these types of data focus on the way in which data is collected, the application of the key principles of “Transparency” and “Control” depends mainly on the way the data is used. For example, the Multi-Site Principles define “Multi-Site Data” as “data collected from a particular computer or device regarding Web viewing over time and across non-Affiliate Web sites.” This definition focuses on the nature of the collection, but the “Transparency” and “Control” principles’ application to the data turns on the way the data is used: if Multi-Site Data is used for one of many enumerated purposes (e.g., IP protection, product or service fulfillment, and product development), the Principles’ transparency and control principles do not apply.
Thus, the guidelines suggest that companies evaluate their obligations not only by considering whether the data they collect is covered by the Principles, but also by determining how that data will be used. With that background, we turn to a discussion of the Mobile Guidance.
Two New Decisions on the Wiretap Act and Secondary Liability
The last two weeks have brought two important decisions in the ongoing litigation over behavioral advertising firm NebuAd’s alleged use of a device to intercept data from ISP networks. Several ISPs allegedly permitted NebuAd to install an “appliance” on their networks in order to collect and analyze subscriber data for ad targeting purposes. In lawsuits that began to be filed in 2008, plaintiffs have alleged that NebuAd–and the ISPs with which it allegedly partnered–violated Title I of the Electronic Communications Privacy Act (i.e., the Wiretap Act) as well as other federal and state laws. Plaintiffs have sued the ISPs in separate suits around the country. Two of these suits–against ISPs Embarq and WideOpen West (“WOW”)–yielded decisions in favor of the ISPs last week.
FTC Hosts Workshop to Examine Comprehensive Data Collection
On Thursday, the Federal Trade Commission (“FTC”) hosted a workshop to explore the practices and privacy implications of comprehensive data collection. The event gathered consumer protection groups, academics, privacy professionals, and business and industry representatives to examine the current state of comprehensive data collection, its risks and potential benefits, and what the future holds for consumers and their choices.
In her opening remarks, FTC Commissioner Julie Brill indicated the agency was open to revising its consumer privacy framework if comprehensive data collection warranted heightened restrictions or enhanced consent to protect and inform users: “We know that comprehensive data collection allows for greater personalization and other benefits, but there may be other contexts in which it does not lead to desirable results.”
The workshop was one of five main action items adopted by the FTC as part of its March 2012 report, Protecting Consumer Privacy In an Era of Rapid Change. In the report, the commission told companies that consent was not required for the collection and use of information that was consistent with a particular transaction or the company’s relationship with the consumer. But the agency said it needed more information to determine how this principle applied to technologies that could capture large amounts of consumer information, such as deep packet inspection (DPI).