Consumer Advertising Law Blog: Privacy & Data Security

Arnold & Porter LLP

Editors

Get Updates via E-mail

Our iPhone App

Click here to download

Disclaimer

The content of this blog is intended for informational purposes only. It is not intended to solicit business or to provide legal advice. Laws differ by jurisdiction, and the information on this blog may not apply to every reader. You should not take, or refrain from taking, any legal action based upon the information contained on this blog without first seeking professional counsel. Your use of the blog does not create an attorney-client relationship between you and Arnold & Porter LLP. Click here to view additional disclaimer language.

Copyright 2008-2012 Arnold & Porter LLP

Privacy & Data Security

January 26, 2012

Europe Announces Plans To Reform Outdated Data Protection Rules

The European Commission has announced plans to reform comprehensively the existing EU data protection regime. The proposals, in the form of a new Regulation and Directive, aim to modernise, strengthen and future-proof the principles set out in the 1995 Directive, which was designed to safeguard a pre-internet society. The new Regulation will sweep away the current patchwork of national laws in favour of a single EU law, valid across all 27 Member States. This will, it is hoped, end some of the legal uncertainty and fragmentation that companies of all sizes face when doing business in Europe.

The proposals include some significant amendments to the existing rules including:

the strengthening of individuals’ rights to include easier access to personal data, a right to request that all personal data be deleted if no longer necessary, and new rules on obtaining explicit consent;
increased obligations for data controllers, such as the mandatory requirement to notify security breaches and the obligation for large organisations to appoint a data protection officer;
the extension of EU rules to companies located outside the EU but which are active in the EU market and offer goods and services to consumers in the EU;
the reduction of red tape for businesses by removing the requirement to notify all data protection activities to data protection supervisors; and
the strengthening of national data protection authorities’ powers, such as the ability to impose fines for serious breaches up to €1 million or up to 2% of a company’s annual worldwide turnover.

The proposals will now be passed to the European Parliament and the EU Member States for consultation. If agreed, the new Regulation will take effect two years from the date of adoption and will apply to all Member States automatically.

The proposed Regulation can be found here.

UPDATE: A more detailed discussion of this development can be found here.

- Richard Dickinson and Gemma Davies

Posted on January 26, 2012 in EU, Internet, Privacy & Data Security | Permalink

January 12, 2012

But, Upromised to Keep My Data Secure ….

In a significant action signaling the high risks involved in collecting personal information online, the FTC recently settled charges against the online membership program Upromise Inc. Upromise offers its members the opportunity to purchase products from certain partner merchants, receive cash rebates in return, then place those rebates into college savings accounts. In order to use the program, consumers download a toolbar onto their computers that highlights partner merchants in consumers’ search results so they may easily find companies that are part of the Upromise program.

In addition to the standard toolbar, Upromise offered its members option of activating a “personalized offers” feature that collected and transmitted information through a member’s browser (this is referred to by the FTC as the “Targeting Tool”). The information collected was subsequently used to provide targeted advertising to the member.

The FTC took issue with Upromise’s Targeting Tool, which it alleged collected scores of highly sensitive personal information from its members, including the websites they visited; their usernames and passwords; and, in some instances, information entered into forms on secure web pages such as credit card and account numbers, security codes and social security numbers. The FTC alleged that this information was collected, and in some instances, transmitted to a third party, without proper protections and safeguards.

Upromise’s privacy statement noted that the Toolbar might “infrequently” collect some personal information, but that any identifiable information would be removed. The FTC alleged that the filter Upromise purportedly used to avoid collecting certain sensitive data was too narrow and improperly structured, and that data collected as part of the Targeting Tool and then transmitted to a third party provider for analysis was sent over the internet in clear text, rather than encrypted text. Data transmitted in clear text is highly vulnerable to interception, particularly over unsecured networks such as those in coffee shops and other public spaces. The FTC also alleged that Upromise failed to test its security measures to ensure they functioned properly and provided adequate protections.

In its recent settlement with the FTC, Upromise agreed to take a variety of ongoing measures to ensure proper security of personal information and disclosures to consumers consistent with the level of security actually provided.

The FTC’s complaint and the Consent Order agreed to by Upromise highlight key lessons for companies that collect and utilize data entered by consumers over the Internet. Sensitive personal information should always be encrypted before transmitted via the Internet. Technology related to data collection and security should be tested and checked regularly and on an ongoing basis using a reliable, certified set of tools and measures. Privacy and security policies should be displayed to consumers in a clear and prominent way, and inform consumers of the risks involved with the provision of personal information either actively or passively by use of an Internet tool. And users should always be given an opportunity, clearly and affirmatively, to opt-out of the collection of their personal information or its transmission to third parties. The more sophisticated Internet technology becomes, the more important these lessons are.

- Danielle Garten and Nancy Perkins

Posted on January 12, 2012 in FTC, Internet, Privacy & Data Security | Permalink

November 23, 2011

COPPA Compliance is No Day at the Beach

Skid-e-kids, a social networking site which advertises itself as the “Facebook and Myspace for kids,” recently entered into a consent decree with the Federal Trade Commission (FTC) regarding alleged violations of the Children’s Online Privacy Protection Act (COPPA). This latest social networking should send a strong warning to all website operators regarding the potential pitfalls of collecting site visitors’ information without strict screening. In addition, because COPPA applies not just to website operators, but also to operators of mobile applications, many applications operators should be on notice of the implications of the Skid-e-kids Consent Decree.

COPPA requires that website operators notify parents and obtain their consent before collecting personal information from children under age 13. This is required not only for ostensibly “children’s sites”, but also for any website whose operators have actual knowledge the site is collecting information from children under age 13. A website operator may have actual knowledge of a user’s age, for example, if it asks for, and receives, information from which age can be determined, such as by asking “What grade are you in?”

Skid-e-kids allegedly violated COPPA by allowing children to register on its site without first obtaining parental permission. Such collection allegedly occurred despite the statement in the site’s privacy policy that it was mandatory for “child users to provide a parent’s valid email address in order to register on the website.” In practice, there apparently was no such requirement, as Skid-e-kids allegedly obtained information from approximately 5,600 children without parental consent.

Pursuant to the Consent Decree, Skid-e-kids must (i) delete all of the personal information it obtained from children without parental consent, (ii) provide a link to online privacy educational material and (iii) retain a privacy professional to oversee compliance for a period of time. Further, the Consent Decree imposes a $100,000 civil penalty on Skid-e-kids – although payment of all but $1,000 of that penalty will be suspended provided Skid-e-kids complies with the Consent Order’s oversight provisions and its operator provided truthful financial information.

The FTC is currently accepting comments on proposed changes to the COPPA rule. Among the potential changes are expanding the definition of “personal information;” allowing children to participate in some interactive communities without parental consent so long as certain conditions apply; developing new parental consent mechanisms; and strengthening the oversight of the “safe-harbor programs.” Written comments on the proposed revisions are due to the FTC by November 28, 2011.

- Nancy Perkins and McCormick Conforti

Posted on November 23, 2011 in Children/Kids, Internet, Privacy & Data Security | Permalink

November 10, 2011

Truth and Consequences: SEC Cybersecurity Disclosure for Publicly-Traded Companies

While we don’t often venture into securities disclosure issues on this blog, privacy, security, and SEC compliance sometimes all converge. On October 13, 2011, prompted by recent high-profile data security breaches in the public and private sectors, the Securities and Exchange Commission’s (SEC) Division of Corporation Finance issued disclosure guidance on cybersecurity risks and cyber incidents. The guidelines reflect the Division of Corporation Finance staff’s interpretation of how existing disclosure requirements apply to cybersecurity risks and likely foreshadow staff comments that will be issued on SEC filings.

According to the guidelines, reporting companies are now expected to disclose risks related to cybersecurity, including past incidents, future risks, and any foreseeable effects that cybersecurity breaches might have on a company’s financial condition. These risks could, of course, include risks related to consumers’ personal information. The staff emphasized that the guidelines are consistent with the relevant disclosure considerations that arise in connection with any business risk, and highlighted several areas in which disclosure of cybersecurity risk may be appropriate, including a company’s Management Discussion & Analysis and Risk Factor disclosure as well as in relevant sections of Form 8-K.

In the coming months, additional cybersecurity reporting requirements will likely be added to the disclosures set forth in the guidelines. Bills being debated in the Senate would create civil penalties for failure to disclose breaches in security to those whose personal information has been compromised and criminal penalties for willful concealment of security breaches.

While applicable to all reporting companies, the guidelines may have an unintended effect on publicly-traded corporations, including providers of consumer goods and services, that hold government contracts. Disclosures made pursuant to the guidelines offer the government timely, credible and accurate information regarding contractor security policies, protection and performance. Agencies could potentially use this information to evaluate competing proposals, to assess contractor past performance and responsibility and to evaluate and pursue potential contract claims.

- Ronald Lee and Alexandra Mitter

Posted on November 10, 2011 in Privacy & Data Security | Permalink

October 25, 2011

Privacy Promises and Bankruptcy: Bordering on the Edge of Compliance

Almost all of us face this situation daily: We enter into an agreement with a company to disclose personal information, for example a home address and books purchased, and the company agrees to limit its use of such information. What happens to this personal information though when that company goes bankrupt? Does the agreement bind the buyer of the bankrupt company?

This precise question is currently playing out in the bankruptcy of Borders, the national bookseller which entered Ch. 11 in February. The bankruptcy court appointed a Consumer Privacy Ombudsman, whose report stated any use of Borders consumer information would require consent.

In issuing his report, the Consumer Privacy Ombudsman sought a written description of the Federal Trade Commission’s concerns regarding the sale of the consumer personal information Borders possessed. David Vladeck, Bureau of Consumer Protection Director at the FTC, responded in a letter laying down the framework for how the consumer personal information possessed by Borders should be sold to and used by a buyer. The framework generally followed that of the Toysmart settlement. The FTC stated its concerns about the transfer of customer information inconsistent with privacy promises would be “greatly diminished” if:

Borders were to sell the rights as part of a larger group of assets to a buyer engaged in the same line of business as Borders,
The buyer were to agree to be bound by the terms of Borders’ privacy policy, and
The buyer were to obtain affirmative consent from consumers before enacting any significant changes to the policy.

The ultimate buyer of the consumer privacy information was in the same line of business and claimed the customer information was not sold as a standalone asset because trademarks and online content were also included in the sale. However, the buyer also claimed that the ombudsman’s consent requirement would render the value of the customer information worthless.

The bankruptcy court approved the sale of the customer information allowing the buyer to keep and use all the information. The court did not explicitly follow the Ombudsman’s report. The court required the buyer to send an email to affected consumers giving them 15 days to opt out of the transfer and prevent their information from being handed over. The buyer sent out the email on September 30. The Ombudsman took issue with the email, claiming it “omitted material information” by not disclosing the extent of the privacy information to be transferred and failing to state that the opt-out opportunity was required by the Court. Further, the FTC issued a reminder to consumers about the deadline to opt out.

While consumers faced an October 15 deadline to opt-out, this case and the fall out will surely extend far beyond that. With companies collecting more personal information on its customers while facing uncertain financial futures, bankruptcy courts are likely to see more cases involving the sale of consumer information.

- Ronald Lee and McCormick Conforti

Posted on October 25, 2011 in Privacy & Data Security | Permalink

October 07, 2011

Google Vows to Improve Privacy for Owners of Wi-Fi Routers

Google has announced plans to enable owners of Wi-Fi routers to opt out of a registry of location data used to provide the company’s location services. The move has been heralded as an attempt to ‘play nice’ with European regulators, which have warned that the unauthorised use of data collected from Wi-Fi networks violates European data protection laws. (We previously blogged here about investigations into Google's "Wi-Spy" activities)

Location services, such as Google Maps, enable mobile device users to pinpoint their location, find nearby services (restaurants, shops, businesses etc.) and navigate from A to B. To do this, the services use traditional geo-location methods such as GSM base stations and GPS, but also ‘access-point’ information captured from Wi-Fi routers. Wi-Fi routers offer a reliable supplement to GPS and towers, particularly in urban areas; they are also widely used in residential homes and in businesses, and are sufficiently close together to provide precise location data.

Google is not alone in using Wi-Fi based geo-location data, but it is one of the most well-known, thanks largely to last year’s controversy over its location app ‘Street View’. In May and October 2010, Google announced that it had inadvertently collected payroll data, emails, complete URLs and passwords from unencrypted Wi-Fi networks. Google has since been under pressure from European regulators to tighten up its data protection, and has been the subject of investigations in Germany, the Netherlands, Spain, France and the UK.

This latest move suggests that Google is attempting to avoid further scrutiny from European regulators, particularly as it has said that no personal data is collected whilst using the Wi-Fi access point information. However, European regulators are looking to tighten up the protection of personal data generally and, in particular, the Article 29 Working Party issued a non-binding opinion in May which said that all geo-location data taken from Wi-Fi routers should be treated as personal data. The premise for this is that although Wi-Fi access point data is anonymous, it can pinpoint individual houses/businesses (particularly in sparsely populated areas) and it may be possible to identify individuals when that data is combined with tools such as house ownership registries, search engine queries or electoral registrations. Whilst the Working Party recognises that companies have a legitimate interest in collecting access point information in order to offer location services to consumers, it has said that companies should “develop and implement guarantees, such as the right to permanently opt-out”. German regulators have also insisted that Wi-Fi geo-location databases should be treated as personal data. Therefore, Google’s actions, whilst taken voluntarily, may be pre-empting a step that all other geo-location providers will soon be required to take.

The opt-out service will be launched later this year. Whether the move will have knock-on effects for geo-location services, particularly where large numbers of Wi-Fi routers are removed from the registries and reliance is placed back onto GPS and GSM base stations, remains to be seen. The only sure thing is that the advance of mobile computing devices and infrastructures supporting them will give rise to new and challenging privacy and security issues.

- Gemma Davies and Ronald Lee

Posted on October 07, 2011 in EU, Privacy & Data Security | Permalink

September 01, 2011

How Does the (Browser) Cookie Crumble?

A blog in The Economist (“Beware the cookie monster”) last week picks up on the latest publication by a group of researchers associated with U.C. Berkeley. The point of the pundit piece? The peskiness of tracking cookies that persist despite a consumer’s decision to “opt-out.”

The researchers’ study took a wide view, looking at how, and how many, cookies would be placed on a single computer visiting the top 100 sites on the Internet. Along the way to finding that some 600 separate third parties placed nearly 5,000 cookies on a single computer visiting those 100 sites, the researchers found a few companies placed cookies that seemed to come back from the dead. Although The Economist only highlighted a few of the technical means companies employ to bring cookies back even after consumers try to get rid of them, at last count one of the researchers who contributed to the study has found 13 such means, a list which grows almost each time new technologies are implemented.

Barely had the virtual ink dried on this study, when the first of what could be several consumer class-action lawsuits was filed in US District Court in California. In it, the plaintiffs allege that certain of the companies mentioned in the study employ practices of continuing to track their online habits after they have tried to opt out, violating their expectations to privacy, as well as several federal and state laws.

If any of this sounds familiar, it should. This most recent study follows on from an earlier one some of the same researchers published in 2009, which highlighted similar practices embedding cookies using Adobe’s Flash program that couldn’t be removed. Then, their findings quickly engendered controversy, followed by lawsuits, more lawsuits, and finally settlements.

Controversies over what actually happens after a consumer “opts-out” might sound familiar for another reason. A few weeks ago, we posted comments on the results of yet another study, this one conducted by Stanford University’s Center for Internet and Society. According to Stanford’s study, half of the online advertising companies participating in the NAI’s self-regulatory framework still tracked consumers even after they had “opted out” from receiving behavioral advertising.

Both studies’ findings come in an atmosphere slightly changed since 2009. As the FTC continues to explore how a “Do Not Track” registry might work to bolster behavioral advertising companies’ self-regulatory efforts, one of the Commissioners last week intimated the FTC may soon request far more information from those companies regarding their practices, including details of their opt-out processes. Also, although the FTC continues its longstanding focus in this area on ensuring companies protect consumers’ personal information, it also recently brought its first case ever in the behavioral advertising area, in June approving an order against an online advertiser. At issue in that case? Ironically − a “do not track” cookie that died after a brief life of 10 days and stayed that way, setting the stage for resumed tracking without informing the consumer.

Companies would be well-served to settle on a policy for tracking consumers and follow it. As technologies evolve offering new ways to record consumers’ activities, and companies seek to use those technologies to retain an edge through more targeted marketing or advertising, they may wish to remember the basics to stay above the emerging regulatory and class-action fray over consumer tracking. Explain to consumers when their behavior is tracked when visiting their website; offer a clear and conspicuous means to opt out of such tracking; and respect consumers’ privacy preferences, even if that means saying “no” to more cookies.

- Ronald Lee and Scott Swafford

Posted on September 01, 2011 in Privacy & Data Security | Permalink

August 16, 2011

Wanna Violate COPPA? Developer Finds Out That There's an App for That

Mobile Apps are big business. As of early July, Apple estimated that more than 15 billion apps have been downloaded for its popular iPhone and related products. Our blog even has an app and has contributed, in a modest way, to that total.

While many apps don’t require you to provide personal information, some do. And yesterday, in case there was any doubt the FTC made it clear that it views apps as sending and receiving information over the internet and thus are online services subject to its Children’s Online Privacy Protection Act (COPPA). The FTC entered into a settlement with a developer of several apps designed for children, including Emily’s Girl World and Emily’s Runway High Fashion, that were listed in the Games-Kids section of the App Store. The apps allowed children to email “Emily” comments and submit blogs and post information on message boards. As a result, the FTC alleged that the developer collected personal information, such as email addresses and other personal information posted on message boards, from children under the age of 13 without parental notice and consent. The developer agreed to pay a $50,000 penalty and to delete all personal information it collected in violation of COPPA.

COPPA enforcement continues to be a “hot” item for the FTC and clearly anyone marketing an app for children should take a look at their information collection practices and perhaps avail themselves of the safe harbor certification process offered by organizations such as the National Advertising Division’s Children’s Advertising Review Unit (CARU). In addition, even if an app is not “directed” toward children, a company marketing an app for adults can also violate COPPA if it knowingly collects personal information from a child under the age of 13 without parental notice and consent. It’s also worth noting that the definition of “personal information” is quite broad and can include the use of a “persistent identifier, such as a customer number held in a cookie that is associated with individually identifiable information. Still not sure what to do? A search of the App Store this morning yielded no hits for COPPA compliance but just wait. Maybe there’ll soon be an App for that .

- Randy Shaheen

Posted on August 16, 2011 in Children/Kids, Privacy & Data Security | Permalink

July 25, 2011

Self Regulation By Online Advertisers Yields Mixed Privacy Results

A recent study by Stanford University’s Center for Internet and Society has found that only a handful internet advertising companies participating in the self-regulatory Network Advertising Initiative (NAI) actually cease tracking user browsing habits after users request to opt-out of a member company’s targeted advertising. The researchers found that not only did half of the 64 companies they studied keep tracking software in place after users opted out, but eight NAI members even did so after expressly promising not to.

NAI touts itself as a voluntary and effective alternative to governmental regulation of online advertisers that use behavioral technology to “target” consumers with ads based on their browsing patterns. The NAI website offers its own “opt out” tool that allows users to detect and eliminate tracking software on their computers. However, NAI executive director Chuck Curran has criticized the Stanford study as failing to distinguish between a policy of not tracking any online browsing, something the Stanford researchers advocate, and NAI’s voluntary “self regulatory commitments to limit ad targeting based on user interests.” In other words, NAI distinguishes between, on the one hand, collecting data on browsing patterns, and, on the other hand, acting on that data by targeting ads at individual users tailored to their interests. The NAI website also reminds readers that “most content on the Internet” is free because of effective online advertising.

However, web tracking is receiving increased attention from more than the industry itself. The FTC has signaled that it will regulate tracking behavior it finds deceptive or egregious, such as a 2009 action in which the agency censured a retailer for paying users of its website $10 in exchange for installing software on their systems that the retailer did not disclose would track virtually everything the users did on their computers.

Online advertisers are also facing threats from their client websites. The Wall Street Journal recently reported that a company called Ensighten is promising website owners software that will allow them to dictate what information online advertisers can track about browsers of their websites. This software purports to allow website owners to limit tracking by those online advertising companies that “don’t have a strong privacy policy or follow industry standards.”

But, as the Stanford study indicates, even those online advertising companies with “strong” privacy policies do not necessarily limit their tracking of user data the way users likely think they do. So, much uncertainty remains about what “industry standards” for online advertisers actually are, and the success of self-regulation like NAI remains unclear.

- Ronald Lee and Tom McSorley

Posted on July 25, 2011 in Internet, Privacy & Data Security | Permalink

July 23, 2011

Maureen Ohlhausen Is Nominee for FTC Commissioner, Says Obama Administration

Maureen Ohlhausen Is Nominee for FTC Commissioner, Says Obama Administration The Obama administration announced its intention today to nominate Maureen Ohlhausen as the next FTC Commissioner. Ohlhausen, currently a partner with Wilkinson Barker Knauer, LLP, would replace outgoing Commissioner Bill Kovacic, who finishes his term in September of this year. Ohlhausen is no stranger at 600 Pennsylvania Avenue; her prior tour of duty included serving as Director of the Office of Policy Planning (OPP) and as attorney advisor to former Commissioner Swindle. Her prior personal experience with how business is done at the commissioner and the staff level should be an asset. Also for those who track such things this would mark the first female majority at the Commission level since 1997.

While Kovacic is a strong antitrust academic, Ohlhausen is a practicing lawyer experienced in issues of privacy and consumer protection. During her tenure, the OPP repeatedly encouraged informative labeling and advertising meant to better inform consumers, as well as clearer disclosure by mortgage lenders and pharmaceuticals. This reflects the growing focus by the FTC on consumer protection issues. With the Consumer Financial Protection Bureau launching as another agency watchdog on the consumer financial landscape, the consumer protection side of the Commission will clearly not be taking a vacation; instead, it is gearing up with a commissioner likely more interested in taking an active role in directing staff priorities rather than sitting back to see what staff puts on her desk.

Should she be appointed, Ohlhausen’s presence would also beef up the FTC’s growing technology focus. Through the FTC’s Internet Access Task Force, Ohlhausen was responsible for reports on competition in broadband connectivity, which touched on the issue of net neutrality, and on municipal provision of wireless Internet. Meanwhile, under her leadership the OPP weighed in on issues of technology ranging from protecting children from online advertising to auctioning wireless licenses. We would not be surprised given her background and interest in technology if Ohlhausen takes a leadership role in the recently announced antitrust investigation into Google’s search practices.

Ms. Ohlhausen previously served as a clerk to Judge David Sentelle (D. C. Cir.) and to Judge Robert Yock (Fed. Cl.). She received a B.A. from the University of Virginia and a J.D. from George Mason University School of Law, and has since taught Unfair Trade Practices as an adjunct professor at her alma mater. Ms. Ohlhausen has also contributed academically to the analyses of the relationship between advertising and childhood obesity.

As this blog has discussed previously, the FTC is an independent agency led by five commissioners who each serve staggered seven-year terms. Although nominated by President Obama, Ohlhausen would fill one of the slots reserved for a Republican or independent-- no more than three sitting commissioners may belong to the same political party --as the FTC currently has three Democratic members in the form of Commissioners Julie Brill, Edith Ramirez, and Jon Leibowitz. J. Thomas Rosch rounds out the current roster of Commissioners.

- Amy Mudge and Will Thomas

Posted on July 23, 2011 in FTC, Internet, Privacy & Data Security | Permalink

July 11, 2011

Google Street View Case Rolls Along After Recent Ruling

A federal judge in Northern California denied Google’s motion to dismiss allegations that its street-mapping project, which collected information from unprotected, private wireless (WiFi) networks, violated the federal Wiretap Act. Since 2007, a worldwide fleet of camera-laden vans and bicycles has collected images of city streets that are used to augment the online service Google Maps. In 2010, German regulators discovered that those vans and bicycles were also “archiving the location of wireless networks.” While early reports suggested Google was merely recording the name (SSID) and unique address (MAC) of private networks, later Google announced that its fleet also collected “payload data,” — data packets containing usernames, passwords, and private emails. The revelation of captured payload data gave rise to the extant suit, as several private individuals sued Google under the Wiretap Act, as well as under similar state statutes, on the basis that surreptitious collection of information from private networks violated the Act, and entitled them to civil damages. Similar claims were brought under a equivalent state statutes.

Central to the motion to dismiss was whether data packets on private, unsecured networks constitute “radio communication.” The Wiretap Act creates a private right of action against interceptors of “electronic communication” except where the communication was “readily accessible to the general public.” However, Congress defined “readily accessible to the general public” not in the context of all electronic communication, but instead only with respect to “radio communication.” In Google’s view, radio communication applies to all communication relying on the medium of radio waves. Plaintiffs argued a decidedly narrower view, suggesting instead the term covered only the method of using radio for traditional services. Finding the expression ambiguous, and deriving only indirect assistance from similar provisions (the Wiretap Act at various points identifies “oral communication” and “wire communication”), the court ultimately turned to legislative history to resolve this method-or-medium disagreement. The Court held that Congress intended the expression “radio communication” be construed narrowly; the wiretapping exception was created to protect radio hobbyists, and noticeably declined to extend that protection to wireless telephony. (Yes: cell phones existed in 1986.) Finding that wireless networks more closely resembled cellular networks than amateur radio, the Court held that the Wiretap Act’s carveout for the interception of communications “readily accessible to the general public” does not extend to WiFi networks.

The decision is the first domestic decision addressing the applicability of certain Wiretap Act exceptions to WiFi networks. The court also dismissed a host of state claims against Google, and has yet to decide whether to certify a class of plaintiffs complaining Google breached their privacy. One thing is clear: WiFi network security requires more than passing attention.

UPDATE (7/22/2011): Tapping the breaks? The district court has granted parties leave to appeal its recent decision not to grant Google’s motion to dismiss. That decision gives the Ninth Circuit an opportunity to decide the proper scope of exceptions to The Wiretap Act before litigation continues.

- Nancy Perkins, Ronald Lee, and Will Thomas

Posted on July 11, 2011 in Internet, Litigation, Privacy & Data Security | Permalink

July 04, 2011

Facebook’s Putting Names to Faces - A New Violation of Privacy Rights?

The Electronic Privacy Information Center (EPIC) along with the Center for Digital Democracy, Consumer Watchdog, and the Privacy Rights Clearinghouse, filed a complaint with the FTC claiming that Facebook’s use of facial recognition technology constitutes unfair and deceptive trade practices, in violation of Section 5 the FTC Act.

According to the complaint, the technology being challenged concerns the “covert” collection of “biometric data” by Facebook. Specifically, Facebook’s “Tag Suggestions” technology “converts photos uploaded by Facebook users into an image identification system under the sole control of Facebook,” which allegedly “has occurred without the knowledge or consent of Facebook users and without adequate consideration of the risks to Facebook users.” In other words, when User A uploads a photograph of Friend B, Facebook’s face recognition technology suggests a name label, or “tags” the photo of Friend B with a name based on other photos of Friend B that Facebook has in its database -- which it allegedly collected without notifying Facebook users. This is in contrast to User C’s ability to upload a picture of Friend D and manually tag that photo of Friend D, a practice most Facebook users enjoy without concern. According to the EPIC, Facebook now possesses approximately 60 billion photographs, and its actions impact 500 million users, 150 million of whom fall within the jurisdiction of the FTC.

EPIC alleges that Facebook’s practices injure users by invading their privacy in several ways:

by “allowing for disclosure and use of information in ways and for purposes other than those consented to or relied upon by such users”;
by “causing them to believe falsely that they have full control over the use of their information”; and
by “undermining the ability of users to avail themselves of the privacy protections promised by the company.”

The Complaint requests several forms of relief. It asks that the Commission:

Require Facebook to suspend any form of Facebook-initiated tagging based on Facebook’s database of images;
Require that Facebook not misrepresent the extent to which it protects the security and privacy of user information;
Require Facebook, prior to sharing user information with a third party, to make appropriate disclosures;
Require Facebook to maintain a comprehensive privacy policy;
Permit Facebook to reintroduce auto tagging only after it has established appropriate security safeguards, revised its privacy policy to limit disclosure of user information, and obtain informed user consent that allows individuals to opt-on of the auto tagging features.
Finally, EPIC requests the appropriate injunctive and compensatory relief.

It remains to be seen whether the FTC will take up this investigation. In the meantime, a European Union privacy watchdog, Article 29 Data Protection Working Party, is investigating Facebook’s facial recognition software to see if it violates EU privacy regulations. The feature has been active in most European countries for the last few months. Facebook has since apologized for rolling out the feature the way it did, namely without notifying users more aggressively. Of course, unless this new technology informs Facebook users of information that they did not already know - it is hard to see how any privacy issues are raised.

- Marianne El Sonbaty, Ronald Lee, and Alex Watt

Posted on July 04, 2011 in EU, FTC, Internet, Privacy & Data Security | Permalink

June 30, 2011

Consumer Data Security: Where the FTC Is, and Where It Wants to Go

At a recent hearing before the Subcommittee on Commerce, Manufacturing, and Trade of the House Committee on Energy and Commerce, FTC Commissioner Edith Ramirez testified on both the role the FTC currently plays and hopes to play in the future protecting consumer data security. Ramirez, in addressing FTC’s current function in enforcing consumer data security, said that the FTC has undertaken “substantial efforts” to promote data security in the private sector, namely through law enforcement, education and policy initiatives.

Pertaining to law enforcement, Ramirez told Congress that, since 2001, the FTC has brought 34 cases against companies that allegedly failed to sufficiently protect consumers’ personal information. Many of these cases resulted in consent orders where the charged companies agreed to cease misrepresenting their data security capabilities, implement wide-ranging information security systems and policies, and undergo bi-yearly security audits for the next two decades.

Ramirez also stressed that the FTC has education and policy initiatives to mitigate the effects of consumer data-security breaches. Relative to education, Ramirez told Congress that the FTC sponsored many online consumer self-help guides including OnGuard Online, which instructs consumers about “basic” computer security, the Identity Theft Primer, and the Victim Recovery Guide. Regarding policy initiatives, Ramirez highlighted FTC-sponsored roundtables, which discussed and analyzed consumer privacy, the FTC Staff’s Preliminary Privacy Report issued in December 2010, and the Child Identify Theft Forum.

Relating to the data-protection role that the FTC wants to play in the future, Ramirez advocated for enhanced FTC authority in order to protect consumer data security. Ramirez stated that the FTC expressed support for key concepts in the discussion draft of Chairman Bono Mack’s proposed data security bill because it would provide the FTC with additional rule-making authority to ensure that both for-profit and non-profit companies “implement reasonable data security policies and procedures and, in the appropriate circumstances, provide notification to consumers when there is a security breach.” Just as importantly, Ramirez said that the FTC “appreciates” that the bill would authorize the FTC to use the APA notice and comment procedures for rulemaking rather than the current rule-making procedures enumerated in Section 18 of the FTC Act (AKA Magnuson-Moss ruling making), a change that FTC officials have been arguing for since last year. Additionally, the bill also proposes that the FTC be able to obtain civil remedies for data-security violations, which would significantly expand the enforcement power of the Commission that is now limited to “traditional equitable remedies” such as consumer restitution and disgorgement.

Although it is too early to accurately gauge support for the discussion draft of Bono Mack’s proposed data-security legislation, it appears likely that the FTC’s appreciation of key principles in the legislation will be influential. If this or a similar bill is passed, the ever-growing spectrum of companies possessing consumer data can expect more FTC-enforced regulations on the requirements for securing such information.

- Ronald Lee and Kevin O'Doherty

Posted on June 30, 2011 in FTC, Privacy & Data Security | Permalink

June 07, 2011

Privacy Concerns in a Mobile World

On May 19, David Vladeck, director of the FTC’s Bureau of Consumer Protection, testified on behalf of the Commission before the Senate Committee on Commerce, Science and Transportation about the growing consumer privacy challenges presented by mobile technology.

While the increasing range of new mobile services available to consumers offers tremendous benefits, it also raises privacy challenges as it has facilitated unprecedented levels of data collection from consumers. The testimony came at the same time as lawmakers grilled technology executives about their privacy policies with respect to mobile technology and how they share consumer information with other companies. The hearing was prompted by concerns over revelations that Apple iOS devices were in some cases storing up to a year’s worth of location data in an insecure manner both on the iOS device itself and on computers with which the iOS devices were synced.

The FTC testimony highlighted the privacy concerns that expanding mobile technology presents for U.S. consumers and discussed the agencies’ attempts to deal with these growing concerns. The Commission noted that mobile devices are almost always carried by the user and switched-on, thus potentially allowing companies to collect data over time and “reveal[] the habits and patterns that mark the distinction between a day in the life and a way of life.” United States v. Maynard. To deal with these issues, the FTC made three main recommendations for mobile technology: transparency, streamlined privacy choices and “privacy by design.” Additionally, as Congress continues to examine a Do Not Track mechanism, the FTC urged that any Do Not Track mechanism should be universal, easy to find, enforceable, ensure that consumer choices are persistent, and allow consumers to opt out of both targeted advertising and collection of behavioral data for all purposes not commonly accepted.

Both the FTC and members of the Senate Commerce Committee were interested in how location services may impact younger users given the rising use of mobile devices by children and teens. The number of 12 to 17 year olds who use a cell phone has increased rapidly over the past few years, and was as high as 75% by 2009. Tracking of younger users raises issues under the Children’s Online Privacy Protection (COPPA) rule, which regulates companies’ collection of information from the online activity of children ages 13 and younger. At the hearing, the FTC said it is currently handling several COPPA investigations involving the use of mobile phones. The FTC has already brought sixteen complaints against companies for violating COPPA, and this past month announced its largest civil penalty in a COPPA action, a $3 million settlement with Playdom, Inc.

Director Vladeck’s testimony reminds companies, if any such reminder were needed, that their privacy policies, practices, and compliance processes all need to devote substantial attention to mobile technologies, applications, and users. When it comes to privacy enforcement, the FTC is on the move.

- Ron Lee and Tiana Russell

Posted on June 07, 2011 in FTC, Internet, Privacy & Data Security | Permalink

May 19, 2011

FTC Asks Tech Companies to Be Superheroes in Protecting Consumer Privacy

If you thought that Spiderman, Rupert Murdoch, and Santa Claus had nothing in common, think again.

In a May 4th speech before the Computer and Communications Industry Association, FTC Commissioner Julie Brill managed to weave each of the three characters into one speech. She quoted Rupert Murdoch as she challenged technology industry leaders to “innovate like never before” in protecting privacy and earning consumer trust.

Commissioner Brill praised the technology industry for everything from online dating to helping spawn revolutions in Tunisia, Egypt and Libya, but reminded the companies that, in the words of Spiderman’s alter ego Peter Parker, “With great power comes great responsibility.” She said, “I do ask you to take very seriously your responsibility to your customers, to consumers, and to society, and to remember, as you improve on the powerful online tools and mobile apps you have already provided to us, to build privacy protections into the design of your innovations.”

Brill then outlined the FTC’s two most recent strategies for dealing with consumer control over private data, both of which she said had “fallen short” as technology continued to advance. The first strategy -- “notice and choice” -- failed because it was unreasonable to expect consumers to read lengthy and detailed privacy policies. The second -- “no harm, no foul” -- failed because it only addressed problems after the fact, and did not give companies any incentive to protect privacy at the outset.

Brill then highlighted the three key recommendations of the FTC’s preliminary privacy report issued in December 2010 [previously blogged about here]:

Building privacy and security protections into new products rather than waiting to add them after problems arise.
Simplified privacy policies. One suggestion is exempting “commonly accepted” practices from the initial notice, such as authorization to share certain information with the shipping company.
Greater transparency around data collection, use and retention, including giving consumers knowledge of and access to the data that companies collect.

The remainder of the speech focused on the FTC’s self-described “most talked-about recommendation” -- the Do Not Track mechanism. Brill confirmed what we wrote about back in December -- namely, that the Do Not Track list would not be a government-run registry like the Do Not Call list, but would instead be based on a “technology-driven approach that will allow consumers to make persistent choices that travel with them through cyberspace, communicating their tracking preferences to every website they visit.” According to Brill, such an approach, which would be run through the major browser providers, would give consumers “meaningful control over the information they share and the sort of targeted ads they receive.” Brill praised the major browser providers for taking steps to implement Do Not Track tools, but reiterated that the FTC’s work was not done and that the agency would continue to press industry to implement an effective Do Not Track mechanism.

Brill also sought to alleviate industry concerns about the Do Not Track list, specifically that it would lead to consumers opting out of all forms of behavioral advertising en masse, “drying up the ad revenue that lets us enjoy content and innovate online activities for free.” Brill suggested that much like the Macy’s Santa Claus from “Miracle on 34th Street,” who believed that Macy’s would profit more in the long term if it encouraged customers to shop at other stores for items that Macy’s did not carry, technology companies could actually generate more revenue by increasing their transparency and credibility with consumers.

- Nancy Perkins and Daniel Stuart

Posted on May 19, 2011 in FTC, Privacy & Data Security | Permalink | TrackBack (0)

May 17, 2011

Playdom, Inc. Pays $3 Million in FTC COPPA Settlement

Last week, Playdom, Inc., agreed to pay $3 million to settle charges that online virtual worlds it operated violated federal rules designed to protect the safety and privacy of children younger than 13 on the Internet. Playdom, Inc., a developer of online multi-player games, operates twenty virtual world websites where users could access online games such as 2 Moons, 9 Dragons, My Diva Doll and Pony Stars. Pony Stars was a website specifically directed to children, while many of the other websites were intended for a general audience but also attracted a significant number of children. Over the past five years, over 400,000 children registered on the defendants’ general audience sites, and 821,000 children registered on the Pony Stars website

The a complaint, the FTC alleged that Playdom Inc. illegally collected and disclosed personal information from hundreds of thousands of children under age 13 through these websites without their parents’ prior consent, in violation of the FTC’s Children's Online Privacy Protection Act (COPPA). In many instances, Playdom, Inc. allegedly allowed children to publicly post information, including their names, emails, and location, on personal profile pages and in online forums.

COPPA was originally enacted in 1998 to protect the online privacy of children under the age of 13. The law, which governs online sharing by, and collection of information from, children under age 13, went into effect in 2000. Among its numerous provisions, COPPA requires that operators of websites directed at children obtain parental consent before collecting, using or disclosing personal information from children. COPPA also requires that website operators post a privacy policy that is clear, understandable, and complete. The FTC alleged that Playdom, Inc. failed to meet these requirements.

This settlement is the largest civil penalty to date for a violation of the FTC’s COPPA Rule and signals that the FTC intends to take an aggressive stance towards this behavior. Jon Liebowitz, Chairman of the Federal Trade Commission, emphasized, “You owe it to parents and their children to provide proper notice and get proper consent. It’s the law, it’s the right thing to do, and, as today’s settlement demonstrates, violating COPPA will not come cheap.” The fine comes at the same time as Reps. Joe L. Barton (R-Texas) and Edward J. Markey (D-Mass.) are signaling their intent to introduce a bill to increase online privacy protections for children. Their proposed “Do Not Track Kids Act” would ban companies from using children's personal information for targeted ads and marketing.

Not all COPPA violations necessarily result in enforcement action. In a staff letter from March of this year, the FTC closed another COPPA investigation against AnimalCrossingCommunity.com after the company took prompt action to respond to concerns raised by its online policies, including deleting the personal information of children previously collected, implementing a reasonable means of obtaining verifiable parental consent and revising its privacy policy to reflect changes to its website. Which COPPA violations will result in consent orders and penalties and which will result in a closing letter? Best not to find out, and instead to comply. The FTC has issued guidance documents that are helpful (here and here) and has blogged on COPPA requirements. There are also approved self-regulatory programs that can provide a safe harbor if implemented. It is important to remember that COPPA is not limited to websites directed to children under the age of 13 but also applies if a website operator knowingly collects information from kids; defining actual knowledge can be tricky.

- Tiana Russell and Amy Mudge

Posted on May 17, 2011 in Children/Kids, FTC, Privacy & Data Security | Permalink | TrackBack (0)

April 21, 2011

White House Issues Blueprint for Digital Identity Management and Privacy: Will the Private Sector Build It?

On April 15, 2011 the White House issued the National Strategy for Trusted Identities in Cyberspace. The document responds to the administration’s Cyber Policy Review of December 2010, which had identified the establishment of a secure and trusted authentication system as a key component of improving digital security.

The Strategy envisions replacing the current model of digital interactions, in which users maintain multiple passwords and provide varying degrees of personal information to different entities, with a new model based on authenticated “credentials.” In this new model, consumers would obtain “credentials” from designated providers, and the “credentials” would in turn be recognized by businesses, government agencies, and other consumers. This shift, the Strategy suggests, will have salutary effects such as enabling more sensitive transactions to occur online, and relieving consumers’ burden of entering personal information over and over again.

Ultimately, the Strategy seeks to usher into existence a full-blown “identity ecosystem” in which users are able to select and obtain credentials that provide a level of privacy that is appropriate for a given transaction. For a sensitive transaction involving medical data, for example, a user could obtain and use a “high-assurance” credential, whereas more quotidian tasks like purchasing clothes online might be accomplished with a more easily obtainable “low-assurance” credential. These credentials would be offered by private sector companies in competition with one another, and would be accepted by businesses and government agencies as a means of identifying or validating the user.

The document itself is somewhat abstract, and pronouncements such as “the identity ecosystem must be grounded in the holistic adoption of the FIPPS” may be obscure for the uninitiated. Helpfully, though, the Strategy conveys its basic idea via a series of descriptions of various means by which the proposed “credentials” might be obtained and used. For example:

A consumer obtains a digital credential from her ISP. The credential is stored on a smart card. She inserts the smart card into her computer; obtains digital cash from her bank; buys a sweater at an online retailer without opening an account; signs documents to refinance a mortgage, and reads a note left by her doctor in her personal health record. These tasks are accomplished “in just minutes.” (see page 7)
A teenager wants to enter an online chat room that is for users from age 12-17. He gets permission from his parents to obtain a digital credential from his school. His school provides the credential and acts as an “attribute provider,” validating that he is of the correct age but not providing other information such as his name or birth date. (see page 11)

These and other examples indicate how the proposed system would work, and suggest the benefits that could accrue from a successful marriage of online privacy and security.

Still, the Strategy acknowledges that many challenges remain, including obstacles related to incentives, security, technology, and institutional capacity.

Incentives: The Strategy emphasizes that participation must be both voluntary and “market-driven.” However, if no companies accept “credentials” there will be no incentive for users to obtain them or for anyone to provide them, and conversely if no users obtain credentials, there will be no incentive for companies to accept them. (i.e., there is a two-sided market problem).

Institutional Capacity: The Strategy envisions that entities such as ISPs and schools will issue credentials and perform authentication functions. It is unclear whether such entities (particularly schools) are suited for these tasks.

Security: If the credentials themselves are compromised or stolen, then the same trustworthiness that makes them useful will render them all the more destructive. Thus the success of the Strategy rests on the ability of the credential-providers to keep credentials secure and to provide a prompt and effective means of revoking them if they are compromised.

Technology: The Strategy notes that some social networking sites currently provide a stripped down version of identification. (For example, when a user logs in to Facebook and he/she can then be identified by other sites, Facebook is providing authentication and/or credentials for the user.) This capability, which is similar to a “low assurance” credential in the parlance of the Strategy, highlights the need to ensure that the Strategy stays abreast of changes in the digital environment.

Recognizing the existence of these and other challenges, and to help implement the Strategy, the Secretary of Commerce will establish an interagency National Program Office, which will be charged with coordinating the process of implementation by the private sector with government input. At this time, then, the Strategy is perhaps most notable for its firm embrace of the idea that privacy can and should exist online, and that this can be achieved without sacrificing the benefits that can accrue from digital interactions.

- Ron Lee, Nancy Perkins, and George Langendorf

Posted on April 21, 2011 in Privacy & Data Security | Permalink | TrackBack (0)

April 06, 2011

FTC to Google/Buzz: Say What You Do, Do What You Say

The FTC and Google recently entered a consent agreement concerning Google’s Buzz platform. Launched in February of 2010, Google Buzz is said to be Google’s version of Facebook or Twitter, enabling users to communicate with other users over a social networking platform. The FTC’s complaint alleged that Google engaged in misleading and deceptive practices by publicly disclosing Gmail users’ information without notice, and without their consent. When Buzz was first launched, Gmail users automatically saw a message announcing the new service and giving the options of “Sweet! Check out Buzz” and “Nah, go to my inbox.” The users who chose the former option were enrolled in certain features of the Google Buzz social network without being informed of which features, and some of the users who chose the latter “nah” option were nonetheless also enrolled in certain features of the Buzz network. Enrollment in the Buzz network meant that users were automatically signed up to follow other Gmail contacts in Buzz, and their Gmail contacts in Buzz were signed up to follow them. The default setting for items posted in Google Buzz was “public,” meaning anything posted was shared with all of a user’s followers and searchable on the internet, and the option to privatize was difficult to find. If a Buzz user wanted to direct a comment through the Buzz network to an individual from the user’s email contact list, that individual’s private email address would be exposed to all followers of the user and searchable by search engines. Gmail users could also find themselves being followed by individuals they had blocked on Gchat, or by individuals showing up as “unknown” with no first or last name, and were not able to block the unknown users.

The complaint stated that users complained about the following problematic cases of both exposed email addresses and followers not able to be blocked: abusive ex-husbands individuals who had restraint orders filed against them, clients of attorneys, patients of mental health professionals, children, recruiters for potential jobs. The “turn off Buzz” option did not remove Gmail users from being followers on other users’ Buzz pages and Google profiles.

Continue reading "FTC to Google/Buzz: Say What You Do, Do What You Say" »

Posted on April 06, 2011 in FTC, Privacy & Data Security | Permalink | TrackBack (0)

March 14, 2011

Does the Alcohol Industry Have Self-Control?

That’s what the FTC wants to find out. On March 8, the FTC announced that it published a notice in the Federal Register seeking public comment on a proposal to collect self-regulatory compliance and other advertising and marketing data from beverage alcohol manufacturers. Comments are due by April 26. The announcement of a new alcohol industry study comes after the FTC sent warning letters to four makers of caffeinated alcoholic beverages last Fall.

In its 1999, 2003, and 2008 reports, the FTC looked at industry self-regulation of advertising to underage consumers and offered recommendations to improve self-regulation. As a result, the industry has improved self-regulations practices by, among other things, increasing the placement standard for advertising from audiences that are at least 50% adults of legal drinking age to 70%, improving compliance with this placement standard, adopting third-party compliance review, and increasing attention to advertising content that may appeal to underage consumers.

The current data collection proposal is aimed at verifying and studying the industry’s compliance with its voluntary standards. Keeping pace with evolving marketing practices and the Commission’s focus on privacy issues in on-line and mobile marketing, the FTC is also proposing to collect data on the industry’s digital and social media marketing and its data collection practices with respect to underage consumers.

All in all, it appears that the beverage alcohol industry and the FTC can count the industry’s self-regulation practices as a success. The FTC has long encouraged self-regulation because it “can be more prompt, flexible, and effective than government regulation.” But, as on-line marketers are finding out, the FTC’s patience will last only so long if industry is seen as non-responsive to its concerns.

- Matthew Shultz

Posted on March 14, 2011 in Children/Kids, Food and Drink, FTC, Privacy & Data Security | Permalink | TrackBack (0)

March 03, 2011

Did Google Pry with its Wi-Spy? Some Countries Say Yes, FCC Investigating, Congress Says Look Into It

Members of Congress are vigorously urging the FCC to conduct a “full investigation” into the collection of consumer data by Google’s Street View cars. Last May, Google disclosed that its cars had been collecting payload data from unsecured private Wi-Fi networks. That disclosure prompted a flurry of “Wi-Spy” investigations by the FTC, state prosecutors, and foreign regulatory bodies. Though the FTC closed its investigation last October, citing Google’s promises to improve its privacy controls, the FCC announced its own investigation a month later.

In a recent letter to the FCC, Representatives John Barrow (D-GA) and Mike Rogers (R-MI) complained that U.S. investigations to date have been unsatisfactory. According to the letter, the FTC dropped its investigation without answers to “serious questions” such as how the data breach occurred and how many consumers were affected. The letter further asserts that state attorneys general have been unable to obtain the collected data from Google even though investigators in South Korea, “a country one sixth the size of the U.S.,” have done so and have identified “hundreds of thousands of affected consumers.” The letter urges the FCC to fully investigate the matter and disclose the facts to American consumers, regardless of whether the agency finds a violation of law or not.

Since its disclosure last May, Google has been under investigation in more than twenty countries, at least five of which have found violations of their privacy laws. In the United States, although the FTC and FCC may be reluctant to take responsive action, Members of Congress have indicated that the Wi-Spy incident could play a role in shaping internet privacy legislation being considered this year. So, while there have been no legal ramification for Google in the United States thus far, the incident may trigger the enactment of new elements of privacy law aimed at addressing technology such as Street View.

- Nancy Perkins and Anita Kalra

Posted on March 03, 2011 in Internet, Privacy & Data Security | Permalink | TrackBack (0)