BREAKING NEWS: FCC Adopts New Rules to Limit "Robocalls"

Today the Federal Communications Commission unanimously adopted a Report and Order that imposes new restrictions on autodialed and prerecorded telemarketing calls.  Although the action is designed to harmonize the FCC's Telephone Consumer Protection Act (TCPA) rules with the Federal Trade Commission's Telemarketing Sales Rule (TSR), it affects more entities and a greater number of calls than the TSR.

The Report and Order imposes four key new requirements:

1.  Telemarketers will now be required to obtain prior express written consent before placing robocalls (although such consent can be obtained electronically, consistent with the E-SIGN Act).

2.  The "established business relationship" exception to the FCC's existing telemarketing rules will no longer apply to telemarketing robocalls.

3.  Telemarketers placing robocalls will be required to include on each call an automated, interactive opt-out mechanism so that the called party can cease further calls with a telephone key press.

4.  The existing standards for the number of robocalls that may be dropped or abandoned (i.e., "dead air" calls) will be measured on a “per campaign” standard.  The current rules allow telemarketers to average the number of dropped or abandoned calls over multiple campaigns.

The Robocall Report and Order does not impose any new obligations on non-telemarketing or "informational" calls, such as calls regarding flight delays and school closings.  It also does not extend the new requirements to calls by or on behalf of tax-exempt non-profit organizations and calls for political purposes.

Even though the FCC's goal in adopting the new requirements was to harmonize its rules with the FTC's TSR, there are a few notable differences.  Although the FTC's robocall restrictions only apply to prerecorded telemarketing messages, the new FCC rules will apply to both prerecorded telemarketing messages and autodialed telemarketing calls.  The scope of the FTC’s authority to regulate telemarketing activities is also more limited than the FCC's authority.  For example, unlike the FTC, the FCC has jurisdiction over banks, federal credit unions, and federal savings and loans; and "common carriers" (e.g., telephone companies, airlines), when engaged in common carrier activity.  Those entities will be subject to the new FCC telemarketing rules.  In addition, the FTC's rules apply only to interstate telemarketing calls.

The decision maintains existing restrictions on the delivery of autodialed informational calls and prerecorded informational messages to wireless telephone numbers (which currently require callers to obtain prior express consent, but not prior express written consent). 

Draft House Bill Would Impose New Requirements on Mobile Data Collection and Create Joint FTC-FCC Oversight

A draft bill circulated by Rep. Ed Markey (D-Mass) would require the Federal Trade Commission (FTC) to adopt regulations addressing monitoring software installed on mobile devices.  The bill stems from media reports last year regarding Carrier IQ's monitoring software, which is installed on millions of mobile devices.  If enacted, the Mobile Device Privacy Act would result in new obligations for wireless service providers, equipment manufacturers, device retailers, operating system providers, website operators, and other online service providers, underscoring both the number of industry segments involved and the complexity of addressing privacy concerns in today's mobile ecosystem.

One particularly noteworthy element of the Markey bill is the definition of "monitoring software" that spurs a host of new regulations.

The term "monitoring software" means software that has the capability automatically to monitor the usage of a mobile telephone or the location of the user and to transmit the information collected to another device or system, whether or not such capability is the primary function of the software or the purpose for which the software is marketed.

This broad definition would encompass a wide array of mobile apps and services available today.

Under the draft Mobile Device Privacy Act, the FTC would have one year to issue regulations requiring carriers and device retailers to disclose at the point of sale in a clear and conspicuous manner the fact that monitoring software is installed, the type of information the software is capable of collecting and transmitting, the identity of parties with which the information will be shared, and how the information will be used.  If the monitoring software is installed after the consumer purchases the device or service, the entity installing the software or providing the software download (e.g., carrier, equipment manufacturer, operating system provider, website operator, or other online service provider) would have to make the disclosure. 

The bill would also require parties to obtain express consent from consumers before the monitoring software begins collecting and transmitting data.

In addition, the bill would impose new information security requirements.  The FTC would have one year to adopt regulations requiring recipients of the monitoring data to establish information security policies and procedures to protect the data.  Parties that enter into agreements to share the monitoring data would have to file those agreements with the FTC and the Federal Communications Commission (FCC).

The Markey bill would also establish joint FTC and FCC enforcement, with the FCC having enforcement authority over commercial mobile service providers, mobile broadband service providers, and mobile telephone manufacturers and the FTC having authority over other parties.  The bill also provides for state attorney general suits and a private right of action.

FTC Announces Settlement with Facebook

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office.

The Federal Trade Commission (FTC) this afternoon announced a proposed consent decree with the prominent social network Facebook, settling allegations that Facebook violated Section 5 of the FTC Act by failing to live up to representations made to consumers regarding its privacy practices.  The settlement imposes a series of measures that Facebook must undertake to better protect the privacy of its users, including the development of a written comprehensive privacy program.  The FTC also required Facebook to obtain independent privacy compliance assessments initially and on a bi-annual basis for the next 20 years.  Given the FTC's recent consent decrees with Google and Twitter and associated audit and record-keeping obligations, the FTC now effectively has regulatory oversight over the privacy and data security practices of the three most prominent social networking companies in the United States.

The FTC’s complaint (PDF) alleges that Facebook violated Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices, by repeatedly failing to live up to the privacy promises it made to its now approximately 750 million users. The complaint sets forth the following instances in which Facebook allegedly made unfair or deceptive promises concerning its privacy practices:

  • Deceptive Privacy Settings:  Although Facebook informed users that they could “control who can see” their profile information by using privacy settings to restrict access to their profiles, these settings did not prevent certain third party applications from accessing users’ profile information.
  • Unfair and Deceptive Privacy Changes:  Facebook made changes to its website that made public information that users previously designated as private, without adequate notice to the users (much like what was alleged in the Google Buzz consent decree).
  • Deception Regarding Application Access:  Facebook represented to users that third-party applications would only be able to access such user profile information that was necessary to operate the application, but in some instances applications were given nearly unlimited access to users’ profile information.
  • Deception Regarding Sharing with Advertisers:  Facebook promised that it would not share users’ information with third-party advertisers, but it provided advertisers with information about its users.
  • Deception Regarding “Verified Apps” Program:  Facebook claimed that it verified the security of applications that sought certification through the “Verified Apps” program, but it took no steps to verify the security of a “Verified” application beyond those which it may have taken regarding any other application.
  • Deception Regarding Deletion of User Content:  Facebook represented to its users that their profile information, including photos and videos, would be inaccessible upon the deletion of their accounts, but Facebook continued to allow third parties to access this content after the users’ accounts were deleted or deactivated.

The FTC’s enforcement action against Facebook is yet another example of the FTC’s ongoing effort to ensure that websites live up to the privacy promises they make to consumers. Jon Leibowitz, Chairman of the FTC, remarked that “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” and noted that the “FTC action will ensure” that Facebook’s innovations will not come at the expense of consumer privacy.

US-EU Safe Harbor Framework Violations

The alleged violations of Section 5 of the FTC Act also include a failure to comply with the substantive privacy requirements of the US-EU Safe Harbor Framework ("Safe Harbor").  The Safe Harbor is a voluntary framework that allows companies to transfer personal data from the EU to the US in compliance with EU law.  Since at least 2009, Facebook has maintained self-certification with the Department of Commerce under the Safe Harbor program, under which it has declared its compliance with the seven Safe Harbor privacy principles in its public Privacy Policy and on the US Department of Commerce website.  In its complaint, the FTC alleged that Facebook, due to the failure to live up to many of the representations it made about its privacy practices, failed to comply with the Safe Harbor principles of Notice and Choice that required it to inform individuals about all the purposes for which it collected their data and to give those individuals a choice about how their information would be used.  

Terms of Proposed Settlement 

Under the consent decree (PDF), the FTC bars Facebook from further misrepresenting its privacy practices and requires it to: (i) obtain opt-in consent from users prior to making changes that override their privacy preferences; (ii) ensure that a user’s information cannot be accessed by anyone after a reasonable period of time, not to exceed 30 days, following the user’s deletion of his or her account; (iii) establish and maintain a written comprehensive privacy program that addresses the privacy risks related to the development and management of new and existing products and services and protects the privacy and confidentiality of users’ information; and (iv) obtain audits performed by an independent, third-party professional every two years for the next 20 years certifying that it has a privacy program in place that satisfies the requirements of the FTC consent decree. 

In advance of the FTC’s announcement, Mark Zuckerberg, founder and CEO of Facebook, today posted an entry on The Facebook Blog detailing the measures that Facebook will take to protect the privacy of its users. These measures include the creation of two new corporate officer roles:  Chief Privacy Officer – Policy, and Chief Privacy Officer – Products. Zuckerberg stated that the new corporate officer positions “will further strengthen the processes that ensure that privacy control is built into our products and policies.”

FTC Focusing on Child Identity Theft, Holding Forum on July 12

Emblematic of the increasing attention to children’s privacy, on July 12, 2011, the Federal Trade Commission (FTC) and the Department of Justice’s Office for Victims of Crime (OVC) are jointly hosting a day-long forum about child identity theft. The forum, entitled “Stolen Futures: A Forum on Child Identity Theft,” will discuss foster care and familial identity theft, which is a growing problem in these difficult economic times. Identity thieves often use their children’s or young relatives’ information to obtain credit cards and other credit, and children’s sensitive personal information is vulnerable to misuse for other reasons as well. This forum follows the FTC’s roundtable last year on its Children’s Online Privacy Protection Act (COPPA) rule.

The FTC has noted that businesses may have a particular interest in children’s identity theft for a couple of reasons, which include raising awareness about this important issue and helping to stop an activity that can have significant economic consequences to businesses.

The forum will be held at the FTC’s Conference Center at 601 New Jersey Avenue in Washington, DC. Additional information, including a tentative agenda, is available on the FTC's website.

FTC: Opt-Out Should Mean Opt-Out

The Federal Trade Commission (FTC) yesterday announced a settlement with Chitika, Inc. over its failure to honor consumers’ choice in contravention of representations made in its online privacy policy. The announcement is notable in that it comes in the wake of the FTC’s December 2010 Preliminary Staff Report and is the FTC’s first consent settlement relating to privacy with an online advertising network. As disclosed in its website privacy policy, Chitika offered consumers the choice of opting-out of its online network advertising. However, Chitika did not disclose to consumers that the opt-out cookie would expire and disappear from their browsers only 10 days after being set. The FTC therefore believes Chitika’s actions were false and misleading, constituting deceptive trade practices in violation of Section 5 of the FTC Act.     

As an online advertising network, Chitika matches advertising space on websites that participate in its network (publishers) to advertisers that seek to target online advertisements to consumers more likely to respond to them. As alleged in the FTC’s complaint, Chitika is able to facilitate targeted online advertising through the use of a tracking cookie that it places on the web browsers of consumers when they visit a participating network publisher’s website (or where a cookie has previously been set on a consumer’s browser, Chitika retrieves the cookie upon a user’s return to a participating publisher’s website). Chitika adds a consumer’s web browsing activities and sometimes search terms to the cookies. Chitika is then able to sell advertising space on the publisher websites to advertisers seeking to target consumers whose browsing activities identify a desired target audience.

Chitika’s alleged deceptive practices arise from its website privacy policy disclosures. Although Chitika’s activities were not visible to an average consumer visiting its network publisher websites, the company maintains a privacy policy on its own website.  That policy explained its use of cookies and offered consumers the choice to opt-out of Chitika cookies through a button labeled “Opt-Out.” Upon clicking that button, Chitika set an “opt-out cookie.” While in effect, the opt-out cookie prevented Chitika from setting new tracking cookies, did not allow new information to be added to previously set cookies, and did not allow existing tracking cookie data to be used for ad targeting. However, from at least May 2008 through February 2010, the opt-out cookie expired after 10 days. The FTC alleged that the privacy policy as well as a statement on the Chitika website stating “You are currently opted out” after a consumer clicked the “Opt-out” button were false and misleading.

After being contacted by the FTC, Chitika changed the expiration date on its cookies from 10 days to 10 years prospectively, effective March 1, 2010. This change had no effect on cookies set before that date. Regarding specific measures under the settlement terms and proposed order, the order lasts for twenty years and Chitika:

  • will not misrepresent the extent of its data collection and consumers’ ability to control that collection and subsequent use or sharing of data;
  • must place a “clear and prominent notice with a hyperlink on the homepage of its website that states: ‘We collect information about your activities on certain websites to send you targeted advertisements. To opt out of Chitika’s targeted ads, click here’”;
  • shall, for a one year period, include an additional disclosure on its homepage near the disclosure above stating “[i]f you opted out of our targeted ads before March 1, 2010, the opt-out has expired and you must opt out again to avoid targeted ads”;
  • must ensure that the mechanism to prevent further targeted ads remains in place for five years from the opt-out;
  • will disclose near the opt-out mechanism “(1) that Chitika collects information about consumers’ activities on certain websites to deliver targeted ads; (2) that by opting out, Chitika will not collect this information to deliver such ads; (3) consumers’ current choice status (i.e., whether opted in or opted out of tracking); and (4) that consumers’ choice is specific to the browser they are using”;
  • must ensure that within any behaviorally targeted ad there is a link titled “Opt out?”, that when consumers place their cursor over the link it clearly and visibly states “Opt-out of Chitika’s targeted ads,” and that when clicked, the link takes consumers to the opt-out mechanism;
  • is prohibited from using, selling, or transferring “any information that can be associated with a Chitika user or a Chitika user’s computer or device” that the Company obtained prior to March 1, 2010; Chitika must delete such information from its cookies, and Chitika must delete any other information in its files that could be used with such information to associate “a particular consumer or that consumer’s computer or device.”

This settlement is particularly noteworthy in that businesses have been looking for signals as to how network advertisers can convey clear and concise choice to consumers consistent with FTC expectations. While the settlement terms addressing consumer disclosures are clearly remedial actions for Chitika, they provide some guidance outside of the frameworks established by self-regulatory programs, such as the Advertising Option Icon established by the Digital Advertising Alliance. Also, while the FTC’s Complaint notes that Chitika’s cookies include unique identification numbers for tracking, there were no allegations that personally identifiable information was involved and the FTC did not identify as deceptive any privacy policy statements referring to tracking being anonymous. Although this settlement involves a straightforward deceptive practices action, this further highlights the FTC’s view that the distinction between personally identifiable information and non-personally identifiable information is diminishing.

FTC Delays Enforcement of Red Flags Rule for Fourth Time

The Federal Trade Commission (FTC) announced today that it is delaying enforcement of its FACTA Red Flags Rule until June 1, 2010 “[a]t the request of Congress.”  This is the fourth time the FTC has delayed the controversial red flags rule and it follows shortly on the heels of the U.S. District Court for the District of Columbia's ruling that the Red Flags Rule does not apply to lawyers.  It also follows the House of Representatives' unanimous passage last week of HR 3763, which proposes to amend FCRA to exempt certain small businesses from the Red Flags Rule.  The FTC's Red Flags Rule has been marred by confusion and uncertainty since it was proposed in July 2006.

Hogan & Hartson Prepares Guidance on Business Compliance with FTC Identity Theft Red Flags Rule

Businesses may be facing their last chance to comply with the FTC identity theft Red Flags Rule as the compliance deadline was extended over the summer to November 1, 2009. On July 29, 2009, the Federal Trade Commission (“FTC”) announced that it will delay enforcement of its identity theft “Red Flags Rule” until November 1, 2009. This is the third time the FTC has delayed the enforcement date of the Red Flags Rule and each time the rationale has been largely the same – concern that some companies were “uncertain” or “not aware” that they were subject to the Rule (the prior delayed enforcement dates were May 1, 2009 and August 1, 2009). The latest announcement was accompanied by further FTC commitments to educate businesses about compliance with the Red Flags Rule. Given the confusion surrounding the Rule and its broad scope, companies that have not yet done so should carefully assess whether the Red Flags Rule applies to them and if so, develop an appropriate program.  Hogan & Hartson's guidance on this latest Red Flags development is attached here.