Targeted Advertising and Online Tracking Remain Front Page News

Two national newspapers today included items on targeted advertising, a further indication that online tracking remains a hot topic. In an article on the front page of the New York Times entitled "Retargeting Ads Follow Surfers to Other Sites" the reporters note that "[b]ehavioral targeting has been hotly debated in Washington, and lawmakers are considering various proposals to regulate it."

People have grown accustomed to being tracked online and shown ads for categories of products they have shown interest in, be it tennis or bank loans.

Increasingly, however, the ads tailored to them are for specific products that they have perused online. While the technique, which the ad industry calls personalized retargeting or remarketing, is not new, it is becoming more pervasive as companies like Google and Microsoft have entered the field. And retargeting has reached a level of precision that is leaving consumers with the palpable feeling that they are being watched as they roam the virtual aisles of online stores.

The article quoted an Advertising Age writer who said "If the industry is truly worried about a federally mandated 'do not track' list akin to 'do not call' for the Internet, they're not really showing it." The Interactive Advertising Bureau (IAB), comprised of more than 460 media and technology companies responsible for selling 86% of online advertising in the United States, disputes that it is not addressing the privacy issues associated with online tracking and targeting, as indicated here.

A Wall Street Journal opinion piece by Emory University Economics Professor Paul Rubin paints a very different picture from the New York Times article. The piece is entitled "Ten Fallacies About Web Privacy," and in summary form, here is Professor Rubin's list of privacy fallacies, with excerpts explaining why he thinks the propositions are false.

1) Privacy is free...  The more privacy consumers have, the less information is available for use in the economy. Since information helps markets work better, the cost of privacy is less efficient markets...

2) If there are costs of privacy, they are borne by companies... [C]onsumers get tremendous benefits from the use of information [and bear a cost from regulations designed to protect their privacy]...

3) If consumers have less control over information, then firms must gain and consumers must lose...  [W]hen information is used for other purposes—for example, in credit rating—then the cost of credit for all consumers will decrease...

4) Information use is "all or nothing." ... [S]ervices will be lower-quality and less valuable to consumers as information use is more restricted...

5) If consumers have less privacy, then someone will know things about them that they may want to keep secret....  [W]e are not used to the concept that something can be known and at the same time no person knows it. But this is true of much online information...

6) Information can be used for price discrimination (differential pricing), which will harm consumers.  [If] price discrimination makes it possible for firms to provide goods and services that would otherwise not be available (which is common for virtual goods and services such as software, including cell phone apps) then consumers unambiguously benefit...

7) If consumers knew how information about them was being used, they would be irate.  [C]onsumers don't bother to learn about information use on the Web precisely because there is no harm from the way it is used...

8) Increasing privacy leads to greater safety and less risk. The opposite is true....  Think of being called by a credit-card provider and asked a series of questions when using your card in an unfamiliar location, such as on a vacation...

9) Restricting the use of information (such as by mandating consumer "opt-in") will benefit consumers. In fact, since the use of information is generally benign and valuable, policies that lead to less information being used are generally harmful...

10) Targeted advertising leads people to buy stuff they don't want or need. This belief is inconsistent with the basis of a market economy...

Clearly, when Congress returns from its recess and the privacy advocacy community returns from vacation, and as the FTC prepares its long-awaited report following a series of privacy roundtables earlier this year, the debate over online tracking, self-regulation and the need (or not) for government regulation will heat up.

UK's ICO Issues Code of Practice on Online Privacy

This month saw the launch of the ICO's first code of practice on online privacy, following extensive consultation earlier in the year. The code provides good practice advice for organisations providing goods and services using the web and explains how the Data Protection Act applies to the collection and use of personal data online.

The code is divided into the following 7 chapters, and also includes a helpful annex and glossary of terms, for those less familiar with online jargon. You can read on to see our summarised highlights of the code, but we also recommend reading the full guidance document on the ICO website, through the link provided above. It should be of particular interest to businesses engaged in behavioural advertising, online sales and cloud computing.


EU's Article 29 Working Party Provides Substantial Guidance

Quentin Archer, a partner in the London office of Hogan Lovells, provides this report.

The Article 29 Working Party (set up under Article 29 of the European Data Protection Directive) has been very productive over the last month as the summer holidays approach, issuing four opinions, one report and one set of FAQs. In recent years we have come to expect these spikes in publications at the middle and end of each year, which are perhaps more a product of the Working Party's internal approvals process than any indication of unusual activity.

Behavioral Advertising

In June, the Working Party issued Opinion 2/2010 (WP171) on online behavioral advertising. The Working Party notes that both the E-Privacy Directive and the Data Protection Directive are relevant to online behavioral advertising, and goes into some detail on the requirements of the E-Privacy Directive (amended in 2009) that cookies should be employed for this purpose only with the informed consent of users. It recommends that advertising network providers should limit in time the scope of consents given by users, offer the possibility for consents to be revoked easily and create visible tools to be displayed where monitoring takes place. In relation to general data protection obligations, it emphasizes the importance of transparency regarding processing of personal data and points out that the responsibility for ensuring transparency will be shared between different service providers in relation to behavioral advertising. However, the Working Party does not prescribe how legal obligations should be fulfilled from a technological point of view, and instead invites industry to undertake a dialog with it to explore how the legal framework set out in the Opinion can be satisfied.

For a more detailed discussion of the provisions of this opinion, see our analysis here.

Controller-Processor Standard Clauses

On 12th July 2010, the Working Party issued FAQs (WP176) designed to address issues raised by the entry into force of the Commission Decision of 5th February 2010 on the new controller-processor standard clauses. Several of the FAQs address the situation where personal data is transferred from an EEA-based controller to an EEA-based processor and then to a non-EEA-based sub-processor, which is not specifically contemplated by the new clauses. As the new clauses cannot be used to effect this, the Working Party suggests different solutions to address the problem. The remainder of the FAQs answer a variety of questions which might arise where the processor to whom the data are transferred is located outside the EEA, such as whether a data exporter's consent to sub-processing must be specific or can be general, and whether sub-processing agreements can be made in respect of more than one data exporter.

Data Retention

On 13th July, the Article 29 Working Party issued Report 01/2010 (WP172) on its second joint enforcement action, which concerned the implementation of the Data Retention Directive (Directive 2006/24/EC). The Data Retention Directive derogates from the provisions of the E-Privacy Directive by requiring Member States to ensure that certain categories of communications data are retained for periods of not less than six months and not more than two years. This is in contrast to the general principle in Article 6 of the E-Privacy Directive, which requires such data to be erased or anonymised when it is no longer needed for the purposes of the transmission of a communication.

The data protection authorities of 25 EEA member states contributed to the joint enforcement action, circulating questionnaires and conducting onsite investigations in certain cases. It was discovered that there were significant differences between Member States regarding retention of internet services traffic data, with variations in retention periods. A more uniform picture emerged in relation to the retention of telephone traffic data. The Working Party established that there was inconsistent implementation at domestic level as a result of differing views over the scope of the Directive, notably whether it was meant to be a derogation from the general obligation to erase traffic data upon conclusion of an electronic communication, or whether instead it affected only data which providers were already allowed to store for subscriber billing and interconnection payments purposes in accordance with Article 6(2) of the E-Privacy Directive. The Working Party recalled its previous opinions on the Data Retention Directive and (awaiting the decision of the Commission as to whether or not to amend or repeal the Directive) it laid down specific recommendations to ensure increased harmonization, more secure data transmission and standardized handover procedures.

For a more detailed discussion of the provisions of this report, see our analysis here.

Accountability

Also on 13th July, the Working Party issued Opinion 3/2010 on the principle of accountability (WP173). The Opinion proposes that a new principle on accountability should be introduced (as part of amendments to the Data Protection Directive) which would require data controllers to put in place appropriate and effective measures to ensure that the principles and obligations set out in the Directive are complied with, and to demonstrate this to supervisory authorities upon request. It is hoped that this will provide a practical means of ensuring the observance of data protection rules as well as helping data protection authorities in their supervision and enforcement tasks.

FEDMA

The third opinion, also adopted on 13th July, was Opinion 4/2010 on the European Code of Conduct of FEDMA for the Use of Personal Data in Direct Marketing (WP174). The approval of draft community codes of conduct is anticipated in Article 27(3) of the Data Protection Directive, and indeed the European Code of Conduct of FEDMA (the Federation of European Direct and Interactive Marketing) had been the subject of a previous favorable opinion of the Working Party in June 2003. The subject matter of the present Opinion was an annex to the Code dealing with the specific problems created by the on-line world, with special reference to provisions designed to protect children. The annex (which is exhibited to the Opinion) was approved by the Working Party and FEDMA was encouraged to promote it within the direct marketing sector.

RFID

The final July 13th opinion is Opinion 5/2010 on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications. The opinion comments on an industry framework for RFID privacy impact assessments (PIA). Although the Working Party agreed with the broad framework of the industry report, it indicated three concerns: (1) no section of the PIA requires the RFID operator to identify risks associated with the RFID application; (2) the proposed framework fails to encourage the RFID operator to identify risks to individuals related to carrying RFID tags in everyday life; and (3) there is a lack of clarity regarding RFID tag deactivation in the retail sector. As a result of these concerns, the Working Party stated it could not endorse the proposed document.

Rep. Rush Introduces Privacy Bill to Regulate Collection and Use of Personal Information

On July 19, Rep. Bobby Rush (D-Ill.), chairman of the House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection, introduced a privacy bill, H.R. 5777, that would codify certain fair information principles into law for "covered entities" that collect, maintain, use, and transfer to third parties any "covered information" (consisting of personally identifiable information as well as any "unique identifier," including IP addresses). Covered entities would be those that (a) store covered information from or about at least 15,000 individuals; (b) collect covered information from or about at least 10,000 individuals during any 12-month period; (c) collect or store "sensitive information" (defined as an individual's medical history, race or ethnicity, religious beliefs, sexual orientation or behavior, financial information, precise geolocation information, biometric data, or Social Security number); or (d) use covered information to study, monitor, or analyze the behavior of individuals as the entity's primary business. The bill, titled the "BEST PRACTICES Act," would require each covered entity, with some exceptions, to do the following:

  • Make specific privacy disclosures to individuals whose personal information it collects or maintains "in concise, meaningful, timely, prominent, and easy-to-understand notice or notices" in a manner to be specified by the Federal Trade Commission (FTC);
  • Provide individuals with a "reasonable means" to opt out of the information collection and use for non-operational purposes (though covered entities would be permitted to require consent to the collection and use as a condition of service to individuals with which they have a direct relationship);
  • Obtain opt-in consent before (a) disclosing covered information to third parties (except for joint marketing purposes); (b) collecting, using, or disclosing sensitive information; or (c) monitoring all or substantially all of an individual's Internet or computer activity;
  • Obtain opt-in consent to any "material" changes to privacy practices governing previously collected information or sensitive information;
  • Establish "reasonable procedures" to assure the accuracy of the covered information or sensitive information collected, assembled, or maintained, with the FTC issuing rules on what is "reasonable";
  • Upon request and subject to identity verification, provide individuals with "reasonable access" to, and the ability to dispute the accuracy or completeness of, covered or sensitive information about that individual if such information may be used for purposes that could result in an "adverse decision" against the individual, in a manner to be specified by the FTC;
  • Establish, implement, and maintain "reasonable and appropriate" administrative, technical, and physical safeguards for covered information stored and used by the entity;
  • Provide a process for individuals to file complaints concerning policies and procedures required by the bill;
  • Conduct a privacy risk assessment prior to the implementation of any plans by which the entity intends to collect, or believes there is a reasonable likelihood it will collect, covered or sensitive information from or about more than 1,000,000 individuals;
  • Retain covered or sensitive information only as long as necessary to fulfill a legitimate business purpose or comply with a legal requirement; and
  • Conduct periodic assessments to evaluate whether it is necessary to continue to retain information already collected, and whether ongoing information collection practices remain necessary for a legitimate business purpose.

The bill would provide exceptions from certain provisions for:

  • Covered entities that participate in FTC-sanctioned industry self-regulatory programs that provide alternate mechanisms for obtaining consumer consent to information collection and use.  These programs, at minimum, would be required to (a) provide a clear and conspicuous opt-out mechanism (which may be a preference management tool that will enable individuals to make more detailed choices about the transfer of covered information to a third party); (b) provide a clear and conspicuous mechanism to set communication, online behavioral advertising, and other preferences that, when selected by the individual, applies the individual's selected preferences to all covered entities participating in the program; and (c) establish procedures for the review of applications, periodic assessment of members, and enforcement of violations for covered entities participating in the program;
  • The collection, use, or disclosure of aggregated or anonymized information (allowing the FTC to set rules regarding the levels of aggregation or anonymization necessary to qualify for the exception); and
  • Activities covered by other federal privacy laws.

If enacted, the bill could be enforced by the FTC or state attorneys general, with civil penalties authorized up to $5,000,000 for each type of violation. The bill also would create a private right of action for individuals whose covered or sensitive information is "willfully" collected or used without the required consent, allowing recovery of actual damages not more than $1,000, punitive damages, and costs and attorney's fees. There would be a two-year statute of limitations.

This bill contains a number of provisions similar to a discussion draft of privacy legislation published by Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fl.) in May. Like the Boucher-Stearns proposal (which has not been formally introduced), the Rush bill would usher in a series of stricter European-like privacy protections to the collection and use of information, now regulated on an ad hoc basis by the FTC under its authority to regulate unfair and deceptive trade practices under Section 5 of the FTC Act.

Rush will conduct a hearing on July 22 at 2:00 PM to discuss the bill and the Boucher-Stearns proposal.

EU Article 29 Working Party Decrees Strict Opt-In Standards for Behavioral Advertising Data Collection

On June 22, the Article 29 Working Party, established by the 1995 European Directive on Data Protection, published an opinion declaring that online advertisers who want to target ads by tracking consumers' surfing habits must obtain the consumers' affirmative opt-in consent to such data collection. At the same time, the Working Party lauded certain privacy-enhancing practices incorporated into behavioral advertising today and it encouraged industry to develop technologies to comply with the framework and "to exchange views" with the Working Party on the use of such technologies.

Behavioral Advertising is Regulated in the EU by Two Primary Sources

The Working Party explained that the behavioral advertising ecosystem is regulated in the EU by two primary sources. The first is Article 5(3) of EU Directive 2002/58 (the ePrivacy Directive), which requires organizations wishing to store or access information on an individual's computer to obtain the consent of the individual before doing so. The ePrivacy Directive is to be implemented in the national laws of EU member states by June 2011.

The Opinion explained that since behavioral advertising relies on the placement of cookies (small data files) on individuals' computers to aid in the tracking of their web browsing habits, the ePrivacy Directive applies. In addition, the Opinion went on to specify that if the behavioral advertising involves the collection of any personally identifiable information (PII), including an individual's IP address (which is recognized as PII in the EU), then EU Directive 95/46/EC (the Data Protection Directive) also applies.

Opt-In Consent Requirement and Opt-Out Deficiencies Explained

The major theme of the opinion is that under the ePrivacy Directive, meaningful, informed consent must be obtained from an individual before any information is collected and used for behavioral advertising purposes. The opinion went a long way in discussing what the Working Party considers to be meaningful consent in the behavioral advertising context.

Currently, consumers can "opt out" of behavioral tracking through control panels offered by certain online advertising services or by relying on default web browser settings, through which Internet users automatically accept all cookies that websites request to place on their computers. Users are therefore automatically "enrolled" in behavioral advertising, and can only stop the practice (if they know it is occurring) by blocking or deleting cookies.

The Working Party rejected this "opt-out" approach, concluding that it does not sufficiently allow individuals the ability to exercise choice on whether to share their information with behavioral advertisers. Instead, it stated that notice to individuals should explicitly reference the ad network that will place the cookie and describe how the information will be used once it is collected. Then, the individual should be given the opportunity to "opt in" to the sharing of their information for behavioral advertising purposes.

Once a user opts in, separate consent would not need to be obtained every time the user visited a website participating in the ad network, but separate consent would need to be periodically obtained (the opinion did not specify a time period) and the user would need to be afforded the opportunity to easily revoke consent.

Room for Innovation

While the Working Party charted a path for behavioral advertisers to follow in the EU, it also left room for behavioral advertisers to deviate from that path, so long as they utilize methods to ensure that users understand and sufficiently consent to behavioral tracking. Specifically, the Working Party cited the Future of Privacy Forum’s efforts in developing icons to place on targeted ads with links to additional information, and called these efforts an example “which the Working Party finds both positive and necessary.” It also recognized tools that enable users to access the preference profiles maintained about them by ad networks, and to modify them and erase them if desired. A final area that the Working Party cited for improvement was the provision of privacy-protective default settings for web browsers, a development it called “paramount.”

Other Obligations

The Working Party drew on other legal sources, most prominently the Data Protection Directive, to list some other obligations for those engaging in behavioral advertising. Specifically, it stated that:


Reps. Boucher and Stearns Release Long-Awaited Advertising Privacy Bill

On May 4, Representatives Rick Boucher (D-Va.) and Cliff Stearns (R-Fl.) of the House Subcommittee on Communications, Technology, and the Internet published a discussion draft of long-anticipated privacy legislation that would restrict companies' online collection and use of personal information and online activity, including use for the purpose of targeted online advertising. Here are some observations about the draft bill, in its current form:

  • The bill would require any company that collects “covered information” from or about individuals to obtain opt-in consent to a statutorily mandated privacy policy containing at least fifteen enumerated disclosures.  Consent would be deemed adequate if the user expressly opted in to the information collection after being presented with the required disclosures, or in most circumstances if the user “does not decline consent at the time such statement is presented."  This would seem to imply that web sites would need to ensure that privacy policies appear on users’ screens at some point, to either expressly opt in or to fail to “decline consent” when the statement is presented to the user.  At the same time, however, the bill permits privacy policies to be “accessible through a direct link from the Internet homepage of the web site.”  It is unclear, then, whether the bill would consider the existence of such a link to be sufficient to infer that a user “does not decline consent” when merely accessing a web site, which would otherwise obviate the need to obtain opt-in consent.
  • In a few specific circumstances, the bill would permit the use of web site user information for the purposes of marketing, advertising, or selling only with express opt-in consent.  This includes (1) when the web site wishes to disclose the information to unaffiliated third parties, such as advertisement networks, unless certain requirements are met (see the next bullet); (2) when the web site collects or discloses any “sensitive information,” which is defined as medical records or history, race, ethnicity, religious beliefs, sexual orientation, financial records or other information associated with a financial account, or geolocation information; or (3) when the web site collects or discloses “all or substantially all of an individual’s online activity.”
  • Nevertheless, the bill would provide an exception permitting a web site to share user information with unaffiliated third parties for the purposes of marketing, advertising, or selling without express opt-in consent if it:  (1) provides users with a “readily accessible” opt-out mechanism; (2) deletes or renders anonymous any “covered information” within 18 months after it is first collected; (3) allows users to review and modify, or completely opt out of having, any profiles maintained about their preferences by web sites or their advertisement network partners for marketing purposes (these so-called “preference profiles” must be accessible through a hyperlinked “symbol or seal” on the web site and on or near any advertisement served based on the profile); and (4) prohibits advertisement networks from further disclosing any such information they receive.  This would seem to almost directly endorse the use of the online behavioral privacy icon put forth by groups supporting industry self-regulation of behavioral advertising.
  • The term “covered information” would include a number of individual data elements – such as name, e-mail address, and Social Security number – that might otherwise be considered personally identifiable information under other statutory or regulatory regimes (at least in combination with other data elements).  In addition to the novel development of regulating the collection of these data elements individually, the bill includes in its definition of covered information:

    "Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer, device, or software application owned or used by a particular user or that is otherwise associated with a particular user."

    Adopting this definition would be significant because no American privacy law has ever considered an anonymous identifier or IP address to be legally protected information (though IP addresses are considered to be personally identifiable in the EU, and FTC Chairman Jon Leibowitz commented just a couple of weeks ago that he believes that IP addresses should be considered personal information). Additionally, this definition means that the bill would apply to any web site that maintains and uses information about users keyed to a unique identifier, which means that it applies to just about every web site that collects user registration information.


FTC Releases Details About December 7, January 28 Privacy Roundtables

On November 17, the Federal Trade Commission released the agenda of the first of three privacy round tables it will hold over the course of the next few months. The first round table will occur on December 7 at the FTC Conference Center in Washington, DC, and will feature four panels entitled "Benefits and Risks of Collecting, Using, and Retaining Consumer Data," "Consumer Expectations and Disclosures," "Online Behavioral Advertising," and "Exploring Existing Regulatory Frameworks."

The FTC also announced that its second privacy round table will be held on January 28, 2010 at the University of California, Berkeley, School of Law. The round table will focus on how technology affects consumer privacy, including its role in both raising privacy concerns and enhancing privacy protections, and will include specific discussions on cloud computing, mobile computing, and social networking. The FTC has posed two questions for comment in advance of this round table:

  1. What role do privacy enhancing technologies play in addressing Internet-related privacy concerns?  Consider the efficacy of technological innovations in areas such as identity management systems, new means of providing consumer notice and choice, and emerging methods of ensuring accountability in data usage.  In framing comments, consider the costs and benefits of privacy-enhancing technologies in the following contexts:  cloud computing services; social networking sites; online behavioral advertising; the mobile environment; services that collect sensitive data, such as location-based information; and any other contexts you wish to address.  If privacy enhancing technologies do play a role in resolving privacy concerns, discuss whether and how to create incentives for the development and adoption of such technologies, and ways to ensure they are effective and useful to consumers.
  2. What challenges do innovations in the digital environment pose for consumer privacy, and how can those challenges be addressed without stifling innovation or otherwise undermining benefits to consumers?  For example, consider the technology and business practices that enable greater collection, use, and distribution of consumer data, including evolving methods of observation and tracking; techniques for correlating data, including the re-identification of anonymized data; the merging of data between on-line and off-line environments; and the emergence of third-party application developers in online platform environments.

The FTC currently is soliciting requests to participate as panelists in this second round table, as well as recommendations for topics for inclusion in the agenda, which are due by December 9. Comments or additional research on the topics will be considered prior to the second round table if they are received by December 21.

Details have not yet been released for the third and final privacy round table, which is to be held on March 17, 2010 in Washington.

An Example of Behavioral Advertising Self-Regulation from Europe

In the United States, regulators and policy makers are taking a close look at the issues surrounding behavioral advertising and how to protect the privacy of consumers. A vigorous debate is occurring over self-regulation versus the asserted need for legislation or regulation. So it is interesting to see what is going on in Europe in the realm of self-regulation.

In the EU, a privacy and data protection certification seal for IT products and IT-based services is in place, called the EuroPrise Privacy Seal. The EuroPrise Privacy Seal recently was awarded to a new German behavioral targeting system called Predictive Targeting Networking (PTN) 2.0, offered by a company called Nugg.ad. The Nugg.ad system addresses many of the privacy issues that regulators here and abroad have focused on, such as cookie expiration dates, logging of IP addresses, the notice given to consumers, and opt out.

For more details, see this blog entry from the Future of Privacy Forum.

Complimentary October 6th Teleconference with Professors Chris Hoofnagle and Joseph Turow, Authors of Study on Consumers' Feelings About Tailored Advertising

As recently reported in the New York Times and elsewhere, two prominent professors conducted a survey of Americans' feelings about online tracking for the delivery of tailored advertising.

The report on the survey shows that Americans have very strong feelings about tailored advertising and takes issue with the policy arguments in favor of the consumer value of online customization based on past user activity. However, the authors suggest steps forward for industry based on "respect" and "information reciprocity".

The Future of Privacy Forum will be hosting the authors of the study, Professors Chris Hoofnagle and Joseph Turow, for a teleconference with Q&A on Tuesday, October 6th at Noon ET.

Readers of our blog are invited to participate. To request call-in information, please email Heidi@futureofprivacy.org