Disclaimer

  • The content of this blog is intended for informational purposes only. It is not intended to solicit business or to provide legal advice. Laws differ by jurisdiction, and the information on this blog may not apply to every reader. You should not take, or refrain from taking, any legal action based upon the information contained on this blog without first seeking professional counsel. Your use of the blog does not create an attorney-client relationship between you and Arnold & Porter LLP. Click here to view additional disclaimer language.

    Copyright 2008-2013 Arnold & Porter LLP

Legislation

May 04, 2010

Long-Awaited Consumer Privacy Bill Announced by House Committee

Today, the House Energy and Commerce Committee released a bipartisan, draft proposal of new legislation to protect consumer privacy both on and off the Internet. The proposed legislation would require entities that collect “covered information” from at least 5,000 individuals in any 12-month period to give individual notice of the entity’s privacy policy and request consent before collecting, using, or disclosing their “covered information.” 

The bill defines “covered information” broadly to include personal data such as a consumer’s name, address, social security number, medical records, and financial information. However, the bill’s restrictions and requirements are principally focused on the use and disclosure of such information for advertising or marketing purposes, and generally would not apply to uses and disclosures of information collected for conducting a “transaction” or “operation” at the request of or under an agreement with the individual.

Before collecting any of the covered personal information other than for “transaction” or “operations” purposes, companies would generally be required under the bill to provide notice of the company’s privacy policy and the intended uses of the data. If the information is being collected over the internet, the notice must be posted conspicuously on the web site. Otherwise, the company must provide the consumer with a written copy of the notice. The notice must, among a number of requirements, describe who the company is that is collecting the information, how they will collect it, what it will be used for, how long the company will keep it, and under what circumstances the company will disclose it to others.

Although the bill requires the consumer’s consent before a company can collect, use, or disclose the consumer’s information, it generally assumes consent unless the consumer opts out. This means that if the individual consumer either affirmatively agrees to the use of their information or does not respond either way, then the company may use their information. Companies will only be prevented from using an individual consumer’s information if the consumer actively denies consent. This “opt out” consent does not apply in three situations. First, a company must get affirmative consent before collecting or disclosing sensitive information about the consumer. Sensitive information includes a consumer’s medical records, financial information, location, race, religion, or sexual orientation. Second, a company may not release any of the consumer’s data to another company without express consent. Third, and finally, a company cannot collect or disclose all or substantially all of a consumer’s online activity without express consent.

Under the proposed legislation, the Federal Trade Commission (FTC) would be responsible for enforcing the bill. The FTC would have the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. § 41 et seq.) were incorporated into the bill. The FTC would also be able to make rules as needed to carry out the bill. State attorneys general would also be able to enforce the bill through civil actions in federal court, subject to the intervention of the FTC. However, there would be no private right of action to enforce the bill.

- Nancy Perkins and Peter Roman

Posted on May 04, 2010 in Internet, Legislation, Privacy & Data Security | | TrackBack (0)

| | |

April 26, 2010

Is Congress putting the FTC on Steroids?

As reported in February on this blog, the Federal Trade Commission (FTC) has been urging Congress to grant the FTC increased powers to safeguard consumers from unscrupulous providers of financial products and services. The US House of Representatives included provisions that expanded the FTC’s rulemaking authority in the version of financial reform legislation that passed in that Chamber in December. Specifically, the House-passed bill included provisions that gave the FTC powers similar to the “notice and comment” rulemaking authority given to other federal agencies under the Administrative Procedures Act.

Right now, the FTC is constrained in its rulemaking by the so-called “Magnuson-Moss” rules. These rules require the FTC Staff to engage in an industry-wide investigation, prepare draft staff reports, propose a rule, and engage in a series of public hearings, including cross-examination opportunities prior to issuing a final rule in any area. These processes are so burdensome that the FTC has not engaged in a Magnuson-Moss rule-making in 32 years. The bill would also give the FTC authority to go after parties for aiding and abetting an unfair or deceptive practice.

The Senate is poised to consider its version of the financial reform legislation starting this week. It is expected that this bill will give this broader authority to the FTC as well as to the new proposed Consumer Financial Protection Bureau. However, if the legislation is enacted as proposed, it is the Bureau that will have primary rulemaking, enforcement and regulatory authority over providers of consumer financial products and services (including non-banks), including over whether these providers offer these products and services in an unfair and deceptive or abusive manner. The FTC is only proposed to have backup authority in this area.

It would appear therefore that the more important implication of this proposal is the effect any broader FTC rulemaking authority would have on entities that offer consumer products and services outside of the financial services area. Chairman Leibowitz spoke at the conference of the Association of National Advertisers (ANA) last month in an effort to assure businesses that the FTC had no intent to run amok with APA authority. He described the FTC’s use of APA procedures when the agency has been specifically authorized by Congress to use them (such as in the Do Not Call Act) as judicious. There, the Staff spent considerable time gathering information and engaging with industry before proposing rules. In the Chairman’s own words “Put differently, we’d be stupid if we tried to solve every problem with a rule; we’d be smart to use our authority very judiciously.”

But businesses and the FTC may have different views of “judicious.” In his speech, Chairman Leibowitz noted areas ripe for rule-making, such as negative option or free offers in online sales. Areas not ripe for rulemaking would be in industries where self-regulation was robust and showing promise and in and new areas where business and consumer expectations are evolving. Nevertheless, business groups overall are opposed to the expansion of FTC authority, and expressed as much in a letter to Congress late last week. Indeed, some advertisers are particularly worried about the proposal on the ground that the FTC will use this power to crack down on such practices as online behavioral advertising, which involves tracking Internet users on-line usage to target ads at them. National advertising groups have urged that if passed, the result would be an “FTC on steroids” with the power to make rules in general areas such as children’s advertising or green marketing even in cases where the Commission has not identified an prevalence of bad actors. Arguments also are being advanced of potential fall out from these provisions, including potentially less innovation and financial growth in industry sectors that had nothing to do with the financial crisis. For that reason, businesses are urging that any change in FTC powers be considered not as a political compromise in the CFPA debate but as part of a separate FTC reauthorization act.

Nevertheless, the Senate bill appears to be on a fast track to passage. While the bill’s primary architect, Senator Christopher Dodd, D-CN, continues to try to work out a compromise with leading Republicans, all reports are that the majority of amendments will be limited to issues outside of the consumer area. Thus, those involved in the consumer area even outside of financial services may wake up soon to find themselves subject to new regulatory requirements.

- Beth DeSimone & Amy Mudge

Posted on April 26, 2010 in FTC, Legislation | | TrackBack (0)

| | |

April 20, 2010

Common Sense Privacy Legislation Passed Last Week

In the midst of the high stakes political rhetoric swirling around the US Senate last week concerning financial reform legislation, the US House of Representatives quietly passed some common sense legislation in the area of privacy disclosure. The legislation, aptly called the “Eliminate Privacy Notice Confusion Act,” (H.R. 3506) would allow financial institutions that do not disclose nonpublic personal customer information to third parties (other than to service or market the institution’s own accounts and certain other exceptions) and have not changed their privacy policies during the previous calendar year to not have to send an annual privacy disclosure notice to their entire customer base.

Currently, all financial institutions must send a copy of their privacy policy to their entire consumer customer base on an annual basis (whether or not the policy has changed during the previous year), or give a customer an opportunity to opt out prior to disclosing nonpublic personal information to a third party. Press reports indicate that many customers are confused by the annual requirement, as it looks like their financial institution has changed their policy when it has not. It also is costly for institutions to send the notices. This burden seems unnecessary if the privacy policy has not changed.

The legislation would allow those institutions that (i) do not provide nonpublic person information to third parties in a manner that would require an “opt-out” notice to a customer and (ii) have not changed their privacy policy in the last year to not have to send those annual notices.

The legislation does not affect the requirement that an institution provides its privacy notice when a customer opens an account, nor does it affect those institutions that are required to send out notices to customers.

This is common sense reform. The legislation has not been referred to the Senate. Hopefully, in the midst of the Senate’s financial reform debate, the Senate will be able to slip this provision into the bill it is considering. Otherwise, it may be some time before this small, but good, change is made.

- Beth DeSimone

Posted on April 20, 2010 in Financial Services, Legislation, Privacy & Data Security | | TrackBack (0)

| | |

January 21, 2010

FTC Round Table Tango: Agency and Congress Dance Steps Hint At Where Online Privacy Legislation Is Going

The FTC announced today the agenda for its second privacy roundtable discussion, scheduled for January 28, in Berkeley, California “to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data.” This second recent foray into online privacy follows the first roundtable, held December 7, 2009, in Washington DC. Although the focus of these roundtables is wider than using consumers' information to support Behavioral Advertising (BA), a bit of background on that practice and the history behind these discussions, provide perspective on some of the issues involved.

A Brief History

As long-time readers know, the FTC has been engaged in a dance with industry for years over using consumers' personal information to support different business activities, including BA (the “tracking of a consumer’s activities online - including the searches the consumer has conducted, the web pages visited, and the content viewed - in order to deliver advertising targeted to the individual consumer’s interest”). When the music first started the FTC and industry seemed to be doing a waltz, moving together in both apposition and concordance, and the FTC in 2007 seemed happy to let industry take a self-regulatory spin. With the changing of administrations, the waltz gave way to alternating turns of break-dancing. First industry, then the FTC, sought to anticipate the other and vied for the crowd's attention. The Network Advertising Initiative (NAI), jumped on stage early, modifying its existing online self-regulatory code of conduct in December, 2008, anticipating the FTC’s release of “final” self-regulatory principles by two months. The FTC issued those principles in February, 2009, with staff in the accompanying report. Congress, watching from the sidelines, grumbled it wasn't overly fond of the music, and began to mutter about changing the tune completely. The Interactive Advertising Bureau (IAB), until then mostly silent, broke onto the floor in July, suggesting Congress stay on the sidelines because the dance floor was full and the dancers already doing quite fine on their own. The FTC then sidled closer to where Congress was standing, and said that it too was thinking it might be time to change the music once and for all. Since then, the dance has slowed to a crawl as everyone has waited to see what music Congress decides to put on and occasionally suggesting the current tune was still snappy and shouldn't be changed just yet.

Continue reading "FTC Round Table Tango: Agency and Congress Dance Steps Hint At Where Online Privacy Legislation Is Going" »

Posted on January 21, 2010 in FTC, Internet, Legislation, Privacy & Data Security, Workshops | | TrackBack (0)

| | |

December 14, 2009

House Vote Pushes Consumer Financial Protection Agency One Step Closer to Reality

The U.S. House of Representatives on Friday afternoon passed its comprehensive financial regulatory reform legislation. The vote for H.R. 4173, called the “Wall Street Reform and Consumer Protection Act of 2009, was fairly close, 223-202, with twenty seven Democratic congressman voting against it along with all of the Republican members.

One of the central planks of the legislation is the creation of the Consumer Financial Protection Agency, or CFPA which will have rulemaking and regulatory authority over consumer financial products and services, including mortgages, home equity lines, credit and debit cards, pay day loans, installment loans, auto loans and leases and other consumer financial products. This plank has been controversial from the start, but it survived an amendment offered during the debate that would have substituted the CFPA for a 12 member council of regulators (similar to the FFIEC) that would have had rulemaking authority over financial products as well as safety and soundness concerns. That amendment failed by 223-208, with 33 Democrats voting for it.

Thus, as passed, the legislation requires that the rulemaking functions for the laws governing these products and services, which have been generally housed in the Federal Reserve, to be moved to this new agency. These laws would be supervised and enforced for nonbank companies by the CFPA, but the federal banking agencies would continue to have examination and enforcement authority over an estimated 98% of all financial institutions, as any bank or credit union that has less than $10 billion in assets are exempt from CFPA enforcement authority. The FTC also would lose rulemaking authority over nonbank institutions for unfair and deceptive practices but would retain back up enforcement authority.

The legislation mandates that the CFPA issue minimum standards for unfair and deceptive practices in the sale and provision of consumer financial products and services, as well as enhanced disclosures. The legislation also mandates that the agency impose certain fair dealing standards. However, there is no longer any requirement that the agency require lenders to offer “plain vanilla” products along with any nonstandard offerings. There also is no restrictions on interest rates, which are mostly governed by state law.

The final legislation also continues to allow national banks and federal savings banks to preempt certain state consumer protection laws, but only the state law "prevents, significantly interferes with, or materially interferes" the business of banking.” This is what is called the “Barnett Bank” standard, which is named after the 1996 Supreme Court case that articulated this standard.

The legislation now faces a somewhat uncertain outlook. Senator Chris Dodd (D-CT), head of the Senate Financial Services Committee, issued a discussion draft of his counterpart legislation in November, but Committee members on both the Democrat and Republican urged him to seek a more bi-partisan bill. Thus, the draft is currently being rewritten by different Committee groups, with Sen. Dodd and Sen. Richard Shelby (R.-AL) taking the lead on the CFPA title. The content of the revised draft, as well as timing, will become clearer in the coming weeks. However, if provisions creating a CFPA survive, its creation will be historic, as it will transfer major consumer responsibilities now divided among several federal agencies into one agency whose sole purpose will be consumer financial protection.

- Beth DeSimone & Brian Larkin

Posted on December 14, 2009 in Financial Services, Legislation | | TrackBack (0)

| | |

October 23, 2009

House Does Not Want FTC to Go “Where Everybody Knows Your Name”

Cheers, and other businesses where “everybody knows your name” may soon be relieved of the obligation to adopt identity theft prevention programs under the FTC’s “Red Flags” regulation. In a measure that passed 400-0, the House approved an amendment to the Fair Credit Reporting Act, 15 U.S.C. § 1681m(e), to exclude certain businesses from the FTC’s Red Flags implementing the Act. Those businesses, according to the amendment, include those who can show they know all of their customers or clients individually.

The Fair Credit Reporting Act was amended in 2003 to require the FTC and the Federal banking agencies to develop Red Flags regulations for banks and creditors in order to help prevent identity theft. The agencies’ respective rules mandate that written programs be created to detect and respond to warning signs of identity theft related to a customer account. The regulations apply to financial institutions and to “creditors,” which is generally defined as “a person who arranges for the extension, renewal, or continuation of credit.” This broad definition sweeps in virtually any businesses that provides consumers with goods or services in advance of payment. According to the FTC, even government and non-profit entities can be creditors under this definition. If the House bill becomes law, there will be far fewer businesses for the FTC to monitor.

The House bill responds to the concerns of small businesses, by categorically excluding some of them from the FTC regulation and providing a test by which others may also become exempt. H.R. 3763  provides that the term “creditor” does not include a health care, legal, or accounting practice with 20 or fewer employees. Additionally, the bill states that any other business can be excluded from the Red Flags rule if it can make one of three showings:

  • that it knows all of its customers individually;
  • that it only performs services near the residences of its customers; or
  • that it has not experienced identity theft and the crime is rare for a business of that type.

The sponsor of the bill, John Adler, D-N.J., introduced the measure by noting that, “[d]uring these tough economic times, the Federal Government should not be placing burdensome regulations on small businesses.” The bill has been sent to the Senate, and referred to the Committee on Banking, Housing, and Urban Affairs.

Small businesses, and possibly some large businesses with good memories, may soon find relief from an apparently unwarranted regulatory burden.

- Nancy Perkins and Brian Larkin

Posted on October 23, 2009 in FTC, Legislation, Privacy & Data Security | | TrackBack (0)

| | |

August 13, 2009

States Skipping Summer Vacation Opting for Heightened Regulation

The state enforcers have been busy of late, many focusing efforts on combating financial fraud schemes (Last week, Julie Brill who heads the NC AG consumer protection division, noted “it is a full time job” just to keep up with predatory lending and mortgage relief scams). State legislators are also busy at work and we detail some current updates for you:

Maine: Maine has enacted a new law in effect in September restricting the collection or use of any minor’s personally identifiable information or health-related information in product or service marketing. Section 9552 of LD 1883 allows collection of such information only with parental consent but use of such information in marketing or advertising is a per se offense, regardless of whether Mom or Dad approve. The proposed law provides for civil penalties even for first time violators and a private right of action. This law goes far beyond COPPA, which provides limits on advertising to kids under 13, and reportedly is a reaction to marketing taking place to tweens on social networking sites. Not surprisingly, at least several businesses have announced an intent to challenge the law.

UPDATE (9/10/09): Maine Independent Colleges Association, the Maine Press Association, and Reid Elsevier, Inc. sued to enjoin Maine’s Predatory Marketing Practices law from going into effect on September 12, 2009. On September 9th, the court issued a stipulated order of dismissal in light of the State Defendant’s representation that it will not enforce the statute and that the Legislature will reconsider it when they reconvene in January 2010. The Court opined the statute likely violates the First Amendment on overbreadth grounds, and advised third parties considering suing to enforcing rights under the law that a private challenge "could suffer from the same constitutional infirmities."

Iowa: Effective July 1, the Consumer Fraud Act gives Iowan consumers a private right of action for fraud or deception. Iowa was the only state not to allow a private right of action under its consumer protection statute. Previously Iowans had to rely on their AG to protect them or if wanting to go it alone, had to rely on common law fraud theories, requiring a showing of reliance and intent. The new law, according to the AG, allows consumers to recover on a showing of deception and provides for recovery of attorneys fees and damages.

Florida: The Investor Protection Act expands the AG’s authority to file civil and criminal case and to seek restitution and penalties in cases involving investor fraud.

Posted on August 13, 2009 in Legislation | | TrackBack (0)

| | |

July 30, 2009

Government Attempts to Stop Facilitating Identity Theft

A recent bipartisan bill, known as the Social Security Number Privacy and Identity Theft Protection Act of 2009 (H.R. 3306), is the latest Government attempt to curtail identity theft. The bill would prohibit Federal, State and local governments from selling Social Security numbers (SSNs), displaying SSNs to the general public, displaying SSNs on checks issued for payment or on identification cards issued to employees, employing prisoners in jobs that provide them with access to SSNs, and transmitting the SSNs over the internet without encryption. The bill would also forbid the private sector from doing all the same things, and limit truncated SSNs to the last four digits.

The punishments for violating this potential law would be quite harsh. Repeat offenders who try to sell, purchase or misuse the SSN could face up to ten years in prison, and Social Security Administration employees who sell or transfer SSNs potentially face prison sentences of twenty years. But why all this fuss about social security numbers?

Well, although originally a humble group of nine digits designed to track individuals for retirement benefits, the social security number has now become a de facto national identification number, required to obtain a driver’s license, submit a loan application, apply for a job, donate blood, and a host of other things. Because SSNs are so frequently used by businesses to authenticate identity, a thief that manages to get his hands on an individual’s SSN may be able to wreak havoc. The stories of identity theft victims tell of mysterious credit card bills, loans taken out in their name, difficulties repairing credit, and substantial, continuing anguish. To make things worse, in many cases, the Government might have been an unintentional accomplice.

Despite the SSN being a portal into identity theft, Federal, state and local governments have been often making SSNs easier to steal. Until recently, the Social Security Administration displayed the recipient’s full SSN on the millions of benefit statements mailed each year. Tens of millions of ID cards for Medicare, the Department of Defense and Veterans Affairs display the social security numbers of the card holders. State and local governments are even worse. The GAO estimates that 85% of the largest counties in the US either display records that may contain SSNs online, or offer them in bulk sales. These records include divorce settlements, property liens, and mortgage documents, all with the consumer’s SSN potentially in full display. Why bother trolling through someone’s dumpster to steal an identity when the government has so graciously provided all the tools you need online?

Every year, up to 10 million Americans are victims of identity theft, costing consumers $50 billion dollars annually. Identity thieves employ a variety of methods to steal identities, from simply swiping mail or dumpster diving to “phishing,” where thieves solicit personal information through emails disguised as coming from the consumer’s financial institution. But no matter the method, identity thieves everywhere benefit from the ubiquity of the social security number. Whether or not this bill will change that remains to be seen.

- Nancy Perkins

Posted on July 30, 2009 in Legislation, Privacy & Data Security | | TrackBack (0)

| | |

July 21, 2009

The Current State of Play for BA

In an earlier blog entry, we reviewed the FTC’s Online Principles for Behavioral Advertising, and came to two conclusions: the FTC was continuing to rely on industry self-regulation, and it appeared likely either a new FTC would reverse course, or Congress would enter the fray. Five months, three more Congressional hearings, a new FTC Chairman, and another industry effort at a self-regulation regime later, and the only question left appears to be what legislation is going to look like.

First, for background, Behavioral Advertising (BA), is the “tracking of a consumer’s activities online - including the searches the consumer has conducted, the web pages visited, and the content viewed - in order to deliver advertising targeted to the individual consumer’s interest.” (as defined by the FTC). In 2007, the FTC issued a draft set of principles for industry self-regulation. The House and Senate held a series of hearings in 2008 decrying some of the bad apples in the online BA world - those using Deep Packet Inspection (DPI) to potentially review the content of what a user sends or receives in order to better target advertising. The Industry, or at least the Network Advertising Initiative (NAI), responded by tightening the principles underlying its self-regulatory code of conduct, in December, 2008, beating the FTC to the punch by barely two months.

Since then, a lot has happened that suggests Congress will be taking its turn by issuing general privacy legislation addressing the issue, which may provide some absolute protections, and give both the FTC and FCC greater authority to regulate in this area. So, what happened?

Continue reading "The Current State of Play for BA" »

Posted on July 21, 2009 in FTC, Internet, Legislation, Privacy & Data Security | | TrackBack (0)

| | |

May 15, 2009

Popular Card Legislation Charging Toward Passage

The US Senate is poised this week to debate legislation restricting certain credit card practices. The bill, which is very similar to regulations issued by the Federal Reserve Board last year that are scheduled to go into effect in June 2010, would, among other things, restrict when card issuers could raise interest rates on cards, mandate the order in which issuers may apply payments to different interest rates, and ban double-cycle billing and universal default. A companion bill has already passed the US House of Representatives on April 30, 2009.

The legislative push for this bill is being driven in part by the Obama administration, which has been focusing on credit card reform in the past two weeks. And the bill does differ from the Federal Reserve regulations in certain respects by imposing additional restrictions on issuers increasing interest rates in the event of late payments, requiring customer consent before an issuer could charge an over-limit fee, and restricting access to credit cards by college students. The bill also contains restrictions on gift cards, gift certificates and more general purpose gift cards. Furthermore, the Senate bill, unlike the House bill, requires issuers to comply with these restrictions sooner than the Federal Reserve’s June 30, 2010 effective date.

Given the crowded legislative calendar this year, however, it is curious that Congress and the Administration is spending meaningful and precious time on issues that to a large extent have already been handled by regulation. We believe it is an effort to support the consumer in the face of the large and continuing financial support to the banking industry. Regardless, given the momentum the bills appear to be having, financial institutions, retailers, and other who issue gift cards or certificates should be paying attention to these developments and potential earlier implementation dates, and not assume that either the House bill (which more closely mirrors the Federal Reserve rules) will prevail or these provisions will otherwise be diluted. Non-card issuers also may be advised to pay attention to this legislation, as it may auger how other initiatives (such as mortgage loan reform) may be implemented that will affect a broader range of institutions than this bill.

- Beth DeSimone

Posted on May 15, 2009 in Disclosures, Financial Services, Legislation | | TrackBack (0)

| | |

July 25, 2008

California: Credit Card Consumers Cough Up Phone Numbers When Returning Merchandise

Making a purchase, or returning an item to the store?  If you’re using a credit card in California, your customer status makes a difference.  According to a recent decision from California’s Court of Appeal for the Second District, cardholders who purchase goods do not receive the same protections as those who return goods.

California’s consumer protection statute forbids merchants from requiring credit card users to provide personal identification information.  (See § 1747.08(a)).  Two years ago, David Absher purchased a locking gas cap from AutoZone.  After discovering that the gas cap did not fit his car, he promptly went back to the store to return it.  As part of AutoZone’s return policy, Absher was required to provide his telephone number to complete the transaction.  In response, Absher filed a class action suit, alleging that AutoZone’s return policy violated the state’s consumer protection statute.

According to the statute, merchants cannot use forms with spaces designated for personal identification information in any credit card transaction.  Absher argued that this applies to all credit card transactions, including returns.  The court, however, held otherwise.  First, the court found that the phrase “credit card transaction” did not “clearly and unambiguously” include all kinds of transactions.  Next, the court analyzed the preceding provisions of the statute to determine the meaning of “credit card transaction.”  Because those provisions explicitly applied to purchasing transactions, the court decided it would be inconsistent for “credit card transaction” to include returns.

Although consumers who return or exchange products may have to provide personal identification information, such as an address or a telephone number, this does not mean their information will be unprotected.  There are many measures businesses can adopt to ensure protection of sensitive information.  In fact, next August, the FTC and the California Office of Privacy Protection will host a workshop instructing businesses on ways to protect the personal information of its consumers and employees.  The FTC’s website also has tips on how businesses can better protect personal information.

Posted on July 25, 2008 in Class Action, Legislation, Privacy & Data Security, Workshops | | TrackBack (0)

| | |

July 11, 2008

Behavioral Advertising Firms Come Under Scrutiny in Recent Senate Hearing


The Senate held a hearing Wednesday regarding online behavioral advertising and heard testimony from public officials, corporate executives, and nonprofit representatives.  The hearing  was especially concerned about a relatively new type of advertising that involves Internet service providers (ISP) selling subscriber activity to online marketing companies.

NebuAd has become an emerging leader in this field and its CEO, Bob Dykes, was among those testifying.  The type of advertising NebuAd engages in works by ad service companies such as NebuAd striking a deal with an ISP that allows the ad service to copy the contents of the ISPs subscriber's online traffic streams (which includes the websites visited and search terms used).  The ad service then analyzes the data to create a profile for every individual based on their online behaviors and interests.  Then, when a user goes to a website where the ad service has purchased space, the ad service serves ads to the user based on the developed profile. 

The hearing comes at a time when NebuAd has been under increased criticism and scrutiny.  The Center for Democracy and Technology (CDT) released a report on July 8, alleging that NebuAd practices may violate several federal and state wiretap and privacy laws.  The report focuses primarily on possible violations of the federal Wiretap Act as amended by the Electronic Communications Privacy Act.  The Act prohibits businesses that provide electronic communication services (including ISPs) from intentionally divulging the contents of electronic communications while they are in transmission.  

Two exceptions to the Act may apply, though CDT discounts them both.  First, an exception exists when the disclosure is a "necessary incident" to the rendition of services.  CDT rejects this exception, arguing that "necessary incident" has been interpreted narrowly by courts to include purposes such as anti-virus and anti-spam and would not likely be extended to include advertising.  Second, information may be divulged if there is consent from the individual.  Currently, NebuAd operates as an opt-out system and does not receive consent from the operators of all pages a user visits.  CDT criticizes this system as not offering any sort of meaningful consent and instead argues that NebuAd should adopt a meaningful opt-in system that goes beyond the typically long and onerous click-through agreements.

As a result of this and other criticism, NebuAd has seen several possible deals put on hold, including deals with Charter Communications, CenturyTel, and Embarq, and Wide Open West has stopped using the advertising software.  In response, NebuAd has announced various improvements in how it notifies users that it is collecting data, including a new direct online notification system and the development of an opt-out system that does not rely (DLL) on cookie-based technology.

At the Senate hearing, NebuAd drew most of the questioning from Sen. Byron Dorgan, D-N.D., chair of the Senate Commerce Committee.  Sen. Dorgan implied that NebuAd’s business model was “just wiretapping” and that the opt-out method was likely insufficient to protect privacy and an opt-in model was preferable, though not likely to garner much support since few people would willingly opt in to the system.

CEO Bob Dykes defended NebuAd from charges that it violated federal laws and explained that the system does not share a user’s entire web history, giving the example that if a person visited BMW and Mercedes, NebuAd would only note that the person was interested in German luxury cars.  Dykes further highlighted NebuAd’s policy of sending users email reminders of their opt-out rights.

NebuAd’s advertising model is different than the more typical behavioral advertising practiced by, among others, Google, where web-site operators enter into agreements with advertising networks that use cookies to monitor individual users and distribute advertisements to those users based on their profile.  The FTC has issued proposed online marketing principles to encourage self-regulation, including:  transparency and consumer control; reasonable security and limited data retention for consumer data; affirmative express consent for material changes to existing privacy promises; and affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising.  See here for a summary of the report and links to Public Comments.

Executives from Microsoft, Google, and Facebook also testified regarding this type of advertising, and both Microsoft and Google advocated new privacy legislation that would protect consumers from intrusive online advertising.  The companies believed that new legislation should be based on three core principles: “Consumers should be clearly notified what information is being collected about them; people should control how that information is used; and such data should be secured to ensure it does not fall into the wrong hands.”  A Facebook executive offered a different approach and advocated that companies’ give users of their services the tools to control who gets to view the user’s personal information.

Lydia Parnes of the FTC also testified and advocated that industry should be given the chance to effectively self-regulate before the government gets involved, especially because the industry holds great promise since “consumers value ads that are more personalized.”  This sentiment was echoed by Sen. Jim Demint, R-S.C., and Google executives, but was countered by Leslie Harris of CDT, who charged that, “Self-regulation is not the answer.”

Posted on July 11, 2008 in Legislation | | TrackBack (0)

| | |

June 13, 2008

Watching What You Click

Next Wednesday, June 18th, the U.S. Senate Commerce Committee will have a hearing on "Privacy Implications of Online Advertising." The Committee will be discussing online behavioral advertising and the related privacy implications. According to the FTC, "[b]ehavioral advertising is the tracking of a consumer's activities online - including the searches the consumer has conducted, the Web pages visited, and the content viewed - in order to deliver advertising targeted to the individual consumer's interests." Internet users are often unaware that their online activities are being monitored in such a fashion.

Companies that engage in behavioral advertising tout it as a benefit. Consumers benefit because the ads they receive are potentially much more useful to them. Advertisers benefit because their ads will reach a more receptive audience at a lower cost.

While the Senate is just now joining the debate over online advertising, other regulatory and legislative bodies have already entered the fray. The FTC staff in December of last year issued a set of proposed principles for self-regulation. The proposed principles include:

  • companies collecting data must have a prominent statement on their website to put users on notice;
  • companies collecting data should take reasonable precautions to secure the data and should dispose of it when no longer useful;
  • if a company decides to use the data in a different manner than originally announced they must receive affirmative express consent from the user; and
  • companies should only collect sensitive data (such as medical records) if they receive affirmative express consent from the user.

Two states have also taken steps to regulate online behavioral advertising. New York has legislation pending that would prohibit companies from collecting personally identifying information and would require the disclosure of practices and uses of collecting any data. The bill would also allow consumers to opt-out of any data collecting activity, whether personally identifying or not.

Connecticut also has legislation pending which focuses generally on disclosure. The bill requires "online third-party advertising networks" to "post notices about their data collection" and how they use it. The Connecticut bill has a few other provisions but by and large does not go as far as its New York counterpart.

As in many other areas, federal action here may prevent a situation where companies find themselves forced to comply with sometimes conflicting state regulation.

Bret Finkelstein

Posted on June 13, 2008 in Internet, Legislation, Privacy & Data Security | | TrackBack (0)

| | |

April 10, 2008

Proposal to Expand FTC Authority

The FTC often argues that various products won’t give you six pack abs or turn you into the next Mr. Universe, but when it comes to Congress apparently the Commission believes there’s substantiation for the claim that Congress can “pump the FTC up.”


Tuesday two key Senate Commerce Committee members introduced an FTC Reauthorization Act (none has passed since 1996) that would expand the FTC’s authority in a number of respects. Several commissioners spoke at the hearing in support of the proposed legislation. Among the highlights the bill would:

  •  Allow the FTC to litigate civil actions under Section 5 (including civil penalty cases) without involving the DOJ
  • Permit civil penalties for any violation of Section 5 not just for consent or existing rule violations
  •  Expanded authority to challenge aiding and abetting a violation of Section 5
  • Repeal the exemption under Section 5 for certain nonprofits
  • Permit the FTC to engage in speedier rulemaking via Section 553 of the APA
  • Repeal the common carrier exemption

At the hearing on the bill, the FTC indicated expanded civil penalties would be particularly valuable in cases where the FTC’s usual monetary remedies -- restitution and disgorgement -- are inadequate, such as where the wrongdoer’s profits were slim and where the wrongdoer did not benefit financially from the conduct. An example cited was in cases where customer’s data security was not protected. The identity thief rather than the company with lax security measures benefited, but the FTC would like the ability to fine the latter.

Even without this new authority the Commission has become increasingly aggressive in collecting redress and civil penalties. From March 2007 through February 2008 the FTC Bureau of Consumer Protection obtained judgments and orders for an astounding $161 million in consumer redress and $11 million in civil penalties. The “one free bite” rule seems increasingly inapplicable at the Commission. Should the proposed legislation pass, expect the above numbers to grow, probably significantly.

Posted on April 10, 2008 in FTC, Legislation | | TrackBack (0)

| | |

« Previous