Consumer Advertising Law Blog

For many of us who did not learn to use a computer keyboard and mouse before we could walk, terms like downloading files using BitTorrent or talking to friends on the Gnutella network sounds like having some dental procedure. But others in this generation, and certainly our kids, use those protocols and networks daily to chat and share pictures and videos with their friends though peer to peer or P2P file-sharing networks.

But the same feature of P2P software that underpins its functionality -- its ability to access and share files on your computer across the Internet -- also creates potential security vulnerabilities. The Federal Trade Commission investigated the reportedly largest provider of these P2P services - Limewire. The FTC alleged that older versions of the Limewire software contained security vulnerabilities that put users at risk of inadvertently sharing personal information, including social security numbers, bank account numbers and other matters, stored on their computers.

Limewire upgraded its software, incorporating safeguards into its user interface to help users avoid the inadvertent sharing of sensitive information. The company also said it would tell consumers to upgrade their Limewire software and inform consumers on how to best avoid inadvertent sharing, even though the company could not force users to upgrade (one version is free and the other is a one-time download for $39.99). In large part for those reasons, and the fact that the FTC found that users tended to upgrade voluntarily at a high rate (undoubtedly wanting the fastest service possible to share their latest creations), the FTC closed the investigation without action.

While no computer connected to the Internet is invulnerable, using the most recent version of P2P software may help reduce the vulnerability of your personal information to unintended disclosure.

- Ronald Lee and Beth DeSimone

Many people use Twitter to share their deepest feelings to the cyberworld (in 140 characters or less) about topics ranging from their dismay about the current unemployment rate to the joy of Landon Donovan’s dramatic goal in the World Cup. But sometimes Twitter users just want to send private messages to their friends and colleagues and of course, no one wants their private information to be shared with the public or to be misrepresented through phony tweets in such a public forum. However, according to the FTC, Twitter users’ private information may have been at more risk than they were led to believe through Twitter’s privacy disclosures.

Last week, the FTC voted 5-0 to settle charges against Twitter that it deceived consumers by failing to provide the necessary safeguards to protect their personal information. The FTC alleged that “serious lapses” in data security allowed hackers to obtain unauthorized administrative control of Twitter, including access to non-public user information, tweets that consumers designated as private, and the ability to send phony tweets from any user. This was the first case of this kind brought by the FTC against a social networking service.

In its complaint, the FTC alleged that Twitter made several misleading statements on its webpage about the protection of their users’ private information and the ability to make private, direct Twitter messages and to create private Twitter accounts. For example, the Twitter webpage states that users can “send followers private tweets, called direct messages” and that “only author and recipient can view direct messages.” With regard to protected accounts, the webpage states that users “have the option of … protecting the account to keep [their] updates private” and “only approved followers are able to see [their] profile page.”

On June 3, 2010, FTC BCP Director David Vladeck spoke at the Privacy Law Scholars Conference in Washington, DC. His remarks focused on the issue of privacy and technology. In the 1890’s, Vladeck noted, Louis Brandeis and Samuel Warren wrote about their concerns with the invasiveness of a new technology, the camera. Since that time, we have grappled with the impacts of more and more invasive technology on privacy. Vladeck discussed new technological information practices and the privacy risks they pose. The FTC, he noted, is trying to “address these risks [through policy development and enforcement.] without stifling the dramatic benefits of technological innovation.”

With respect to policy development, Vladeck offered several key messages from roundtables and public discussions: (1) given the volume of information maintained about consumers, it “no longer makes sense to talk about ‘personal information’ and ‘non-personal information’”; (2) because it is now more expensive to destroy than to keep data, data will likely “hang around long enough that it is re-examined and re-purposed for uses that may not have been contemplated at the point of collection”; (3) consumers are still getting up to speed about how information is handled and with whom it is shared; (4) privacy policies, while useful to promote business accountability, are not useful to consumers because they are not located where “consumers need them and they’re too complicated, too vague, and too long.” Vladeck discussed the effort led by a non-profit think tank, the Future of Privacy Forum, along with marketing company WPP, to develop an icon to notify consumers how to make choices about use of their information in behavioral targeting.

With respect to enforcement, Vladeck indicated that a number of non-public investigations are ongoing, including efforts by the FTC to investigate companies in order to determine whether actions are necessary in new technology areas, such as P2P file sharing software. Finally, he discussed the contribution of academic research. As an example, he discussed the assistance academics from the University of Texas made to an investigation FTC conducted of Netflix’s release of “anonymized” movie queue information. The professors made the FTC aware that it was possible to re-identify individuals using the data set. As a result, Netflix agreed to modify its practice.

In the same vein, an FTC representative spoke at a Calgary, Alberta event put on by Canada’s privacy commissioner. The representative’s remarks, reflected frustration with current U.S. privacy laws, including an indictment that they “[aren’t] working,” in particular because “’[w]e’ve put too much burden on the consumers to understand [privacy] policies.’” No one should be surprised to see more FTC enforcement and regulation efforts in this area.

- Nancy Perkins and Marianne El Sonbaty

With the ever-increasing availability and utilization of smartphones and GPS technology, location has become a vehicle through which marketing and social information can be transmitted. "Geo-location" technology has been in existence since 1999 and is well known from applications ("apps") like Google Maps, which enable a user to search for physical places (i.e. hotels, restaurants, stores, tourist attractions) relative to a computer or phone's location. These apps are now becoming more advanced and creative which has led both Congress and the FTC to examine how businesses and the government (should) regulate location-based information.

Geo-location apps, such as Foursquare and Loopt, allow friends to share their location and post comments about places they frequent or visit. The more places one visits and shares with friends, the more points and "badges" that person receives which can be redeemed for discounts and rewards. For example, on May 22nd, Pepsi released "Pepsi Loot" for the iPhone and iPad. This location-based app directs users to restaurants serving Pepsi products, known as "Pop Spots." As visits to these establishments accumulate, a user can obtain rewards, such as free downloads of exclusive music or free Pepsi with an entree purchase.

From a legal standpoint, the use of location-based information produces privacy and data security concerns. The FTC, after holding a town hall on the mobile marketplace in 2008, issued recommendations ("Self Regulatory Principles for Online Behavioral Advertising") for companies seeking to advertise based on a consumer's online activity over time. The FTC recommended that industry self-regulation consist of a requirement of "affirmative express consent" for "material retroactive changes to privacy promises" and for use of "sensitive" data, which should include "precise geographic location information." Companies need to be certain any notice they provide for location-based apps is consistent with their privacy policy; otherwise, they may be subject to privacy violations for "deceptive" notice under Section 5 of the FTC Act.

Location-based apps may trigger a string of laws concerned with protecting personal information, such as:

• the Children's Online Privacy Protection Rule (for online services aimed at children under 13),
• HIPAA and the FTC Health Breach Rule (for covered entities under HIPAA or their "business associates"), 
• FACTA and the FTC Red Flag Rules (for financial institutions with data subject to identity theft),and
• Section 222 of the Federal Communications Act (for telecom providers with customer proprietary network information), and various state data security laws.

In Congress, meanwhile, Representative Rick Boucher (D-Va) and Representative Cliff Stearns (R-Fla) have sponsored an online consumer privacy protection bill, released May 4th, which would require that consumers opt-in before companies collect, use, or disclose "sensitive" data, such as "precise geographical location." More generally, Apple is looking to control third-party targeted advertising, as the most recent iPhone Developer Agreement mandates that third parties get Apple's permission before collecting user data, which would include location-based data, to advertise. The FTC, however, is reported to be investigating potential antitrust issues with this policy.

The bottom line is this: regulators seem to be in agreement that companies should obtain affirmative consent from online consumers before collecting, using, and disclosing their precise geographic location data. How mandatory any requirements might be, how extensive their reach, and where they might come from is still uncertain. Anyone involved in this growing market should watch to see if the legal parameters are clarified in the near future.

FTC Chairman Jon Leibowitz spoke earlier this month at the National Cable & Telecommunications Association’s Cable Show 2010. He also recently testified before the U.S. Senate Subcommittee on Financial Services and General Government of the Committee on Appropriations concerning the FTC’s FY 2011 budget request. Both his remarks and testimony reflected the FTC’s commitment to protecting consumer privacy while promoting competition. At the Cable Show, Leibowitz discussed behavioral advertising as it intersects with “consumer choice” and “consumer control” -- the choice consumers have to allow advertisers to chart their personal information, and the control they have to say how or where it is stored. In the cyberspace context, Leibowitz commented, “ ‘notice and consent’ rarely reflect[] a consumers’ conscious informed choice.” So what is being done to address this situation?

First, as Leibowitz discussed, a coalition including the Direct Marketing Association, the Interactive Advertising Bureau, and the Better Business Bureau have proposed behavioral advertising guidelines, encouraging companies to explain their information collection practices for advertising outside their privacy policies.

Second, Congress may end up regulating online data collection, as is reflected by Representative Boucher’s draft legislation, released earlier this month. And, last year the FTC issued a revised set of behavioral advertising self-regulatory principles, including the following: (1) websites need to give consumers the choice as to whether they want their personal information gathered for behavioral advertising, and, as Leibowitz warned, the disclosure should not be a “3-point font, ten-page document written by corporate lawyers and buried deep within the site;” (2) consumer data should be stored securely and only as long as necessary to fulfill a business need; (3) where a company changes its privacy policy, consumers should be informed and allowed to choose whether to continue allowing their data to be collected under the new terms; and (4) companies that use sensitive data in advertising should collect it only after receiving express affirmative consent.

Leibowitz’ testimony before the Senate Subcommittee concerning the FY 2011 budget also described the agency’s efforts and successes in protecting consumer privacy, including pursuing 29 actions against companies that failed to protect consumers’ personal information, obtaining $11 million as part of a settlement preventing false identity theft prevention claims, shutting down a rogue ISP that helped deliver child pornography among other illegal spam, and settling a lawsuit against Sears for not fully disclosing the scope of personal information collected. Efforts to protect consumer privacy are also being made in the areas of social networking, cloud computing, online behavioral advertising, and mobile marketing.

Outside the privacy area, Leibowitz also described the FTC’s continuing efforts to (1) protect financially-strapped consumers; (2) continue enforcement of the Do Not Call Registry; (3) protect children through litigation under the Children’s Privacy Protect Act; (4) promote competition by challenging anti-competitive health care mergers and stopping pay-for-delay drug patent settlements; and (5) protect competition in the technology, energy, and consumer goods services. The FTC requested $314 million to support 1,207 full time employees, up $22.3 million and 40 full time employees from last year.

- Amy Mudge and Marianne El Sonbaty