Yesterday, the U.S. Senate Permanent Subcommittee on Investigations held a hearing on “Online Advertising and Hidden Hazards to Consumer Security and Data Privacy.”  The hearing was based on a year-long investigation into a broader set of issues related to consumer privacy and security on the Internet, which narrowed over time to focus specifically on the online advertising industry and the problem posed by “malvertising,” or advertisement-based malware, which cybercriminals can use to target consumers through online advertising.

The hearing was accompanied by a report jointly authored by Subcommittee Chairman Carl Levin and Ranking Member John McCain.  The report, which focused on the problem of malvertising, highlighted recent malware attacks channeled through well-known websites such as YouTube (owned by Google) and Yahoo!.  The report presented four major recommendations for limiting the risk to consumers posed by malvertising: (1) establishing better practices and clearer rules to prevent online advertising abuses; (2) strengthening security information exchanges within the online advertising industry to prevent abuses; (3) clarifying specific prohibited practices in online advertising to prevent abuses and protect consumers; and (4) developing additional “circuit breakers” to protect consumers once malvertising attacks are discovered.


Continue Reading Senate Subcommittee Examines Online Advertising and Security

Last Friday the California Senate unanimously passed legislation titled, “Privacy Rights for California Minors in the Digital World,” which prohibits certain types of marketing to minors (defined as a natural person under the age of 18 residing in California) and allows minors to delete materials they have posted online.  The bill, which already cleared the California Assembly, now has been sent to Governor Jerry Brown for approval.  If signed into law, the legislation would be effective beginning January 1, 2015. 

The bill, S.B. 365, which was introduced by Senator Darrell Steinberg, adds two new sections to the California Business & Professions Code.

Section 22580 would:

  • Prohibit an operator of a website, online service or application, or mobile application that is directed to minors from marketing or advertising on the service or application certain enumerated products or services that minors cannot otherwise legally purchase or use.  While some of these products and services may be obvious—e.g., alcohol, firearms, tobacco, and obscene materials—others—e.g., tanning and etching cream that is capable of defacing property—may be less so.  
  • Prohibit an operator of a website, online service or application, or mobile application from marketing or advertising the enumerated products or services where the operator has actual knowledge a minor is using its service or application, if the marketing or advertising is directed to that minor based on information specific to the minor such as profile, activity, address, or location, but excluding IP addresses and product identification numbers.  The operator shall be deemed in compliance with this provision if it takes reasonable actions in good faith designed to avoid marketing or advertising under these circumstances.
  • Prohibit an operator of a website, online service or application, or mobile application that is directed to minors or who has actual knowledge that a minor is using its service or application from knowingly using, disclosing, or compiling the personal information of a minor (or allowing a third party to do so) with actual knowledge that such activity is for purposes of marketing or advertising the enumerated products or services to that minor. 
  • These prohibitions do not apply, however, to the incidental placement of products or services embedded in content, if the content is not distributed by or at the direction of the operator primarily for the purposes of marketing and advertising the enumerated products or services.
  • Additionally, “marketing or advertising” is defined to require an “exchange for monetary compensation” in order “to make a communication to one or more individuals, or to arrange for the dissemination to the public of a communication, about a product or service the primary purpose of which is to encourage recipients of the communication to purchase or use the product or service.”  Thus, social media content or applications that only promote an enumerated product or service without paid placement would not fall within the scope of the bill. 


Continue Reading CA Legislature Passes Bill Establishing Online Protections for Minors

On Monday, the Online Interest-Based Advertising Accountability Program, which monitors compliance with the Self-Regulatory Principles for Online Behavioral Advertising, issued a decision finding that the auto company Kia had failed to adhere to the Principles.  The Accountability Program also issued decisions stating that Kia’s ad agency–and the ad network the agency had

The Network Advertising Initiative (“NAI”), a coalition of more than 80 online advertising companies committed to self-regulation, released a report this week finding that there is a high degree of compliance with the NAI’s Self-Regulatory Code of Conduct, which governs the use of consumer data for purposes of online behavioral advertising.   In particular, the report concludes

On October 27, 2011, Senator John D. Rockefeller, chairman of the Senate Commerce, Science, and Transportation Committee, sent letters to Visa and Mastercard requesting information regarding the companies’ data collection and aggregation practices and proposals.  An October 25, 2011, Wall Street Journal article outlined various initiatives from the two companies pertaining to online behavioral advertising. 

Senator

by Rob Sherman and Allison Ray

The FTC’s recent announcement [PDF] that it will update its decade-old guidance on online advertising—known as Dot Com Disclosures [PDF]—has inspired animated industry discussion.

In its request for comments, the FTC highlighted that forums for online advertising that we take for granted today — such as social media and mobile apps — didn’t exist when the Disclosures were released in 2000, and so the guidelines will need to be updated to address these new forms of communication.  (Eric Robinson discusses this point in his post at the Citizen Media Law Project,)  For companies that place or distribute online advertising, these changes may have a particularly significant impact, particuarly since they will need to be framed in a way that is flexible enough to account for changes in the industry and technology that we haven’t yet seen.

When they were first released, the FTC intended the Dot Com Disclosures to import traditional advertising disclosure rules into the online context. The guidelines set a performance standard for disclosures rather than a technical checklist, allowing marketers some flexibility in creating disclosures as long as disclosures met a “clear and conspicuous” standard. Both the FTC and industry commenters noted the danger of creating overly rigid rules at a time when consumer understandings and the internet itself were constantly transforming.


Continue Reading FTC Launches Online Advertising Review

Key players in the European online advertising industry — including such heavyweights as Google and Microsoft — have signed a self-regulatory Framework intended to improve transparency and user control when behavioral ads are delivered by a third party (i.e., by a company that is not the operator of the website on which the ad is delivered).  Behavioral

Earlier this week, the Federal Trade Commission announced that it has reached a settlement with Chitika, Inc., an ad network that tracks a user’s online activities in order to deliver advertising targeted to the individual user’s interests.  In its complaint, the FTC claimed that Chitika made statements that (1) users could opt out of targeted advertising by clicking on an “Opt-Out”

Speaking at today’s Senate Commerce Committee hearing on “The State of Online Consumer Privacy,” Assistant Secretary of Commerce Lawrence E. Strickling stated that the Obama administration supports comprehensive privacy legislation.  As we noted in yesterday’s post, this announcement represents a shift in Administration policy.  Although in its December 2010 “Green Paper,” Commerce recommended that consumers’ online activities be subject to greater protections, the Department stopped short of embracing baseline legislation as the way to ensure such protections.  Strickling explained today that after reviewing the dozens of comments submitted in response to the Green Paper, the Department concluded that privacy legislation should be the foundation of the U.S. privacy framework.


Continue Reading Administration Calls for Privacy Legislation

Ringleader Digital — an online advertising firm specializing in the mobile market — has agreed to settle two putative class actions that were filed against it last fall.  The plaintiffs alleged that Ringleader violated the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030, as well as various state privacy and consumer protection laws, by using HTML5 software to track users’ online activities.  Under the proposed settlement agreement [PDF], Ringleader will pay $30,000 to the named plaintiffs in both actions and $670,000 in attorneys’ fees.  The proposed agreement also provides for significant injunctive relief.

This is the second notable settlement of a privacy litigation in the past three months.  As we discussed in a previous post, online marketing firms Quantcast and Clearspring settled several privacy suits arising from the alleged use of “Flash cookies” to track users’ browsing activities for advertising purposes.  As with the Quantcast/Clearspring settlement, the settlement announced in the Ringleader cases is somewhat surprising given the strong defenses Ringleader appeared to have to the asserted claims and the limited release obtained.  Eric Bosset, Simon Frankel, Mali Friedman, and I recently published an article in the Intellectual Property & Technology Law Journal that details some of those defenses.        


Continue Reading Ringleader Agrees to Settle Privacy Suits