HL Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan Lovells Law Firm : Data Security, E-Commerce & Technology

The FTC’s complaint (PDF) alleges that Facebook violated Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices, by repeatedly failing to live up to the privacy promises it made to its now approximately 750 million users. The complaint sets forth the following instances in which Facebook allegedly made unfair or deceptive promises concerning its privacy practices:

• Deceptive Privacy Settings:  Although Facebook informed users that they could “control who can see” their profile information by using privacy settings to restrict access to their profiles, these settings did not prevent certain third party applications from accessing users’ profile information.
• Unfair and Deceptive Privacy Changes:  Facebook made changes to its website that made public information that users previously designated as private, without adequate notice to the users (much like what was alleged in the Google Buzz consent decree).
• Deception Regarding Application Access:  Facebook represented to users that third-party applications would only be able to access such user profile information that was necessary to operate the application, but in some instances applications were given nearly unlimited access to users’ profile information.
• Deception Regarding Sharing with Advertisers:  Facebook promised that it would not share users’ information with third-party advertisers, but it provided advertisers with information about its users.
• Deception Regarding “Verified Apps” Program:  Facebook claimed that it verified the security of applications that sought certification through the “Verified Apps” program, but it took no steps to verify the security of a “Verified” application beyond those which it may have taken regarding any other application.
• Deception Regarding Deletion of User Content:  Facebook represented to its users that their profile information, including photos and videos, would be inaccessible upon the deletion of their accounts, but Facebook continued to allow third parties to access this content after the users’ accounts were deleted or deactivated.

The FTC’s enforcement action against Facebook is yet another example of the FTC’s ongoing effort to ensure that websites live up to the privacy promises they make to consumers. Jon Leibowitz, Chairman of the FTC, remarked that “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” and noted that the “FTC action will ensure” that Facebook’s innovations will not come at the expense of consumer privacy.

US-EU Safe Harbor Framework Violations

The alleged violations of Section 5 of the FTC Act also include a failure to comply with the substantive privacy requirements of the US-EU Safe Harbor Framework ("Safe Harbor").  The Safe Harbor is a voluntary framework that allows companies to transfer personal data from the EU to the US in compliance with EU law.  Since at least 2009, Facebook has maintained self-certification with the Department of Commerce under the Safe Harbor program, under which it has declared its compliance with the seven Safe Harbor privacy principles in its public Privacy Policy and on the US Department of Commerce website.  In its complaint, the FTC alleged that Facebook, due to the failure to live up to many of the representations it made about its privacy practices, failed to comply with the Safe Harbor principles of Notice and Choice that required it to inform individuals about all the purposes for which it collected their data and to give those individuals a choice about how their information would be used.  

Terms of Proposed Settlement 

Under the consent decree (PDF), the FTC bars Facebook from further misrepresenting its privacy practices and requires it to: (i) obtain opt-in consent from users prior to making changes that override their privacy preferences; (ii) ensure that a user’s information cannot be accessed by anyone after a reasonable period of time, not to exceed 30 days, following the user’s deletion of his or her account; (iii) establish and maintain a written comprehensive privacy program that addresses the privacy risks related to the development and management of new and existing products and services and protects the privacy and confidentiality of users’ information; and (iv) obtain audits performed by an independent, third-party professional every two years for the next 20 years certifying that it has a privacy program in place that satisfies the requirements of the FTC consent decree. 

In advance of the FTC’s announcement, Mark Zuckerberg, founder and CEO of Facebook, today posted an entry on The Facebook Blog detailing the measures that Facebook will take to protect the privacy of its users. These measures include the creation of two new corporate officer roles:  Chief Privacy Officer – Policy, and Chief Privacy Officer – Products. Zuckerberg stated that the new corporate officer positions “will further strengthen the processes that ensure that privacy control is built into our products and policies.”

ScanScout

ScanScout, which claims it is the “web’s largest in-stream video ad network,” agreed to settle FTC charges that it violated Section 5 of the FTC Act by failing to live up to representations made in its website privacy policy. The FTC’s complaint states that ScanScout’s privacy policy claimed that users could “opt out of receiving a cookie by changing [their] browser settings to prevent the receipt of cookies.”  Despite this representation, ScanScout used Flash cookies—which are locally stored files associated with the Adobe Flash Player—to track user behavior, which could not be blocked by changing browser settings as indicated in the privacy policy. The FTC deemed ScanScout’s inaccurate description of the ways that consumers could opt out of tracking to be a deceptive act or practice that violated Section 5 of the FTC Act.  The privacy policies of many websites and Internet-based applications state that consumers can opt out of tracking by disabling cookies, so these companies should reexamine whether they (or their web vendors) also use Flash cookies, HTML5, ETags, or any other methods to track website users that would not cease when users disable traditional HTML cookies.

Under the consent decree (PDF), the FTC barred ScanScout from misrepresenting its online information practices, including how consumers’ data is collected, used, shared, and disclosed, and required ScanScout to implement measures aimed at providing consumers with more effective notice of how their data is used and simplified methods by which consumers may opt out of such use. 

As a corollary, the FTC yesterday released a consumer education article, entitled “Cookies: Leaving a Trail on the Web (PDF),” which explains how cookies can monitor online activity and how users can control this monitoring, including a section on controlling Flash cookies.

Skid-e-Kids

Skid-e-Kids, the self-proclaimed “Facebook and Myspace for kids,” agreed to settle FTC charges that it violated the COPPA Rule and made deceptive claims in violation of Section 5 of the FTC Act. 

The COPPA Rule requires that any collection, use, or disclosure of personally identifiable information of a child under 13 be preceded by verifiable parental consent. The FTC’s complaint (PDF) alleges that Skid-e-Kids collected personally identifiable information from approximately 5,600 underage users without first obtaining parental consent, a violation of the COPPA Rule. This enforcement action comes on the heels of the FTC’s recent proposal to amend the COPPA Rule aimed at keeping pace with developments in the online world, including the advent of social networks and the development of smartphone and geolocation technology.

The complaint also alleges that Skid-e-Kids represented in its privacy policy that a child’s account would not be activated until it received parental consent. Nevertheless, Skid-e-Kids registered children and activated their accounts without parental consent, and subsequently collected personally identifiable information from those registered child users. The FTC found that Skid-e-Kids’ failure to live up to the representations made in its privacy policy constituted a deceptive act or practice that violated Section 5 of the FTC Act.   

Under the consent decree (PDF), the FTC barred Skid-e-Kids from misrepresenting the details of its collection, use, and disclosure of children’s personal information. The settlement also required Skid-e-Kids to delete the information collected; provide links to a government website that educates consumers on children’s privacy issues on the Skid-e-Kids website, in notices sent to parents, and in its privacy policy; and employ a third-party oversight mechanism that will ensure future compliance with COPPA. In addition, the settlement imposed a civil penalty of $100,000 on the operator of the website, though all but $1,000 of which was suspended.

Applicability of COPPA to Evolving Technologies

The FTC used this proposed rule to clarify its position that the COPPA Rule applies to a host of current technologies that could be considered “online services.” This includes “mobile applications that allow children to play network-connected games, engage in social networking activities, purchase goods or services online, receive behaviorally targeted advertisements or interact with other content or services[;] . . . Internet-enabled gaming platforms, voice-over-Internet protocol services, and Internet-enabled location based services.” The FTC concedes that some SMS and MMS text messages would not constitute “online services” as they do not cross the public Internet, however there is technology that allows users to send text messages utilizing “online services,” and these message would be covered by the COPPA Rule.

The FTC has already begun enforcing the COPPA Rule more broadly to account for developing technologies. Just last month, the FTC reached a settlement with a mobile app developer for violations of the COPPA Rule. That settlement, coupled with the FTC’s express recognition of the need for rule changes to address new technologies and services, suggests that the FTC will likely enforce the COPPA Rule much more broadly than it has in the past. This means that any media that is targeted at children under the age of thirteen will have to analyze whether it can be considered an “online service” and take appropriate steps to comply with COPPA if necessary.

Definition of “Personal Information"

One of the most significant proposed changes to the COPPA Rule is to the definition of “personal information.” The definition of “personal information” is important as the COPPA Rule only applies to operators whose websites or online service are directed to children or who have actual knowledge that they are collecting personal information from a child under the age of thirteen. The proposed definition of “personal information” adds or changes the following categories of information:

• Online contact information – the FTC proposes to include not only a child’s email address but also “any other substantially similar identifier that permits direct contact with a person online,” such as an instant messenger name, a video chat name or a VOIP identifier.
• Screen names or user names – however, the FTC would not consider screen or user names that are only used to support internal operations to be “personal information."
• Persistent identifiers, including Internet Protocol (IP) addresses, customer numbers held in cookies, processor or device serial numbers, or unique device identifiers – however, the FTC would not consider these persistent identifiers that are only used to support internal operations to be “personal information.” This is a major change from the current COPPA Rule, which requires that a persistent identifier be associated with individually identifiable information to be considered “personal information.”
• Identifiers that link activities of a child across different websites or online services – this category is “intended to serve as a catch-all category covering the online gathering of information about a child over time for the purposes of either profiling or delivering behavioral advertising to that child.”
• Photographs, videos, or audio files that contain a child’s image or voice – the FTC proposes this change from the current standard which includes photographs only when they are combined with “other information such that the combination permits physical or online contacting.”
• Geolocation information sufficient to identify a street name and name of a city or town.

Taken together, these proposed changes will significantly expand the scope of the COPPA Rule to operators that were not previously subject to the Rule. For one, the requirement that persistent identifiers only be used for internal operations or be considered “personal information” will force any operator having services directed to children or having knowledge that it is collecting information from children under 13 that wishes to provide targeted advertising to children to receive parental consent, even where such advertising is not based on what has been traditionally considered personally identifying information. The proposal also brings geolocation data into the definition of “personal information,” which will similarly require mobile apps or operators offering mobile apps to comply with the COPPA Rule. This proposed change will likely have the most significant effect on businesses as it would not only subject a wider array of entities to the COPPA Rule, but also may make it more difficult for a website or online service to determine whether it is subject to the COPPA Rule. 

Parental Notice

In the proposed rule, the FTC attempts to streamline the process by which operators are required to provide parents with notice of their privacy practices and the FTC tries to make the process easier for both operators and parents to understand. This change aligns with the FTC’s recent efforts to encourage businesses to provide consumers with more straightforward, understandable notice and choice about information practices. The proposed rule requires that a link to a notice of information practices must be prominently and clearly labeled and placed on a website’s homepage and at each page where personal information is collected in close proximity to the information request. The FTC both simplifies and expands the requirements for what must be included in the privacy policy, requiring they include:

• Contact information for each operator – the current Rule allows multiple operators to select one operator to have their contact information listed.
• What information is collected from children, and whether the website allows children to make this information publicly available.
• How the operator uses the collected information.
• The operator’s disclosure practices for collected information.
• The fact that parents can review and delete or refuse the further collection of a child’s personal information, and the procedures for doing so.

The current COPPA Rule requires operators to send parents a direct notice, which informs the parent of a website’s information practices. The proposed rule reorganizes these provisions and includes specific information that an operator must address in different circumstances, including:

• when affirmative parental consent is needed for the collection, use, or disclosure of a child’s personal information;
• when a child’s online activities do not involve the collection, use, or disclosure of personal information;
• when an operator intends to communicate with a child multiple times; and
• when an operator collects a child’s personal information in order to protect a child’s safety.

While these proposed provisions may ultimately make compliance with the notice provisions easier for covered operators, these changes could require operators to expend time and resources to adjust current practices to comply with any new requirements. 

Parental Consent Mechanisms

The FTC proposes taking away one of the most popular parental consent mechanism under the current COPPA Rule – email plus. Currently, operators who collect personal information and do not disclose this information to external parties can utilize this consent mechanism by sending a parent an email and then using another step – such as another email at a later date – to confirm the consent. However, in the proposed rule, the FTC suggests that this consent mechanism is prone to abuse (such as when a child simply provides his or her own email address) and has inhibited the development of better, more reliable parental consent mechanisms. Therefore, the FTC has proposed the elimination of the email plus method of parental consent.

The FTC has also proposed new methods of parental consent, including allowing parents to send electronic scans of signed consent forms, using video-conferencing to signal consent, and providing government-issued ID numbers that the operator can check against a database. If an operator collects government-issued ID numbers, the FTC proposes that this information must be promptly deleted after the verification is complete.

The FTC also hopes to spur industry to develop new methods of obtaining parental consent. To this end, the FTC has proposed creating a procedure by which an operator can seek FTC approval of a consent mechanism through a notice and comment process. The FTC also proposes to allow FTC-approved Safe Harbor programs to create consent mechanism that their members can utilize.

The changes proposed by the FTC to the parental consent process could have a major impact on operators. Many websites currently rely on email plus to obtain consent from parents when the website will only be using the personal information collected from a child for internal purposes. The email plus method is often preferred as it is the easiest parental verification method to implement and it is also the least costly. The FTC proposal would require all operators to implement more robust parental verification methods. This change could mean that all of the operators currently using email plus will have to overhaul their parental verification practices. 

Confidentiality and Security Requirements

The current COPPA Rule requires operators to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” The proposed rule would require operators to also ensure that their service providers and any third parties to whom they disclose personal information have reasonable procedures in place.

Safe Harbor Program

The FTC has proposed some changes to the COPPA Safe Harbor program. These changes include:

• requiring that entities that apply to be Safe Harbor self-regulatory bodies submit comprehensive information to the FTC about their ability to run an effective safe harbor program;
• establishing more rigorous oversight of operators by Safe Harbor self-regulatory bodies, including annual, comprehensive reviews of operators’ information practices;
• requiring Safe Harbor self-regulatory bodies to submit regular reports to the FTC, including the results of annual operator reviews.

As discussed above, the proposed changes to the COPPA Rule are far-reaching and may have significant impacts on businesses current practices. Comments on the proposed rule must be submitted to the FTC by November 28, 2011.

• NLRB Increases Enforcement Activity Against Discipline of Employees for Use of Social Media (May 26, 2011):  The National Labor Relations Board (NLRB) has recently expressed an interest in investigating actions taken against employees for their use of social media, including issuing administrative complaints against a car dealer that fired an employee for posting concerns on his Facebook page about the dealer's handling of a sales event, and against a nonprofit social services organization for terminating five employees that commented on Facebook about the organization's work load, staffing issues, and commitment to its clients.  These contrast against a memorandum issued by the NLRB that advised that a discharge of a newspaper reporter for posting "unprofessional and inappropriate" social networking messages to a work-related social media account did not violate the law.
• CAN-SPAM Held to Apply to Social Media Messaging (April 1, 2011):  The U.S. District Court for the Northern District of California's issued an opinion in Facebook v. MaxBounty that held that messages sent through social networking sites must comply with the federal CAN-SPAM law regulating commercial email advertising.
• FTC Announces Proposed Google Buzz Settlement:  First Time FTC Requires Comprehensive Privacy Program (March 30, 2011):  The Federal Trade Commission (FTC) announced a proposed settlement with Google relating to charges that Google used deceptive practices and violated its own privacy policies when it launched its social network Google Buzz.  For the first time ever, the FTC required that a company institute a "comprehensive privacy program" and to receive affirmative consent from consumers to any new or additional uses of previously collected data.
• FTC Enforces Against Obscure Privacy Disclosures in New Consent Decree (December 6, 2010):  The FTC entered into a consent decree with a developer of parental web-monitoring software that, without consent from parents, captured childrens' website history, chat conversations, and instant messages and incorporated them into a marketing service that provided companies with the ability to access what consumers are saying or thinking by providing aggregate consumer opinions from user-generated social media websites.  Though the company disclosed that information may be used to "improve our services" and "conduct research," the language was in the thirtieth paragraph of a policy that was contained in a small scroll box, and the FTC took the position that the failure to clearly notify parents of the usage of their childrens' data constituted a deceptive trade practice.
• NLRB Files Complaint for Employer's Allegedly Overbroad Social Media Policy (November 8, 2010):  The NLRB kicked off its recent flurry of social media activity by issuing an administrative complaint against a company for terminating an employee who, after an incident at work, criticized her supervisor on her Facebook page.  Lafe Solomon, the NLRB's acting general counsel, said, "This is a fairly straightforward case under the National Labor Relations Act -- whether it takes place on Facebook or at the water cooler, it was employees talking jointly about working conditions, in this case about their supervisor, and they have a right to do that."  The case settled early this year.
• Twitter Consent Order Evidences Broader Scope of FTC Information Security Enforcement (July 1, 2010):  The FTC entered into a consent order with social networking service provider Twitter, alleging that lapses in Twitter's data security practices resulted in unauthorized individuals gaining access to user accounts containing mobile telephone numbers, email addresses, and IP addresses.  Unlike the FTC's prior data security consent orders under the FTC Act, there was no allegation of any unauthorized access to traditionally identified forms of sensitive personal information, such as Social Security numbers, financial account numbers, government ID numbers, consumer reports, or medical conditions.
• FINRA Issues Guidance on Social Networking Sites (February 9, 2010):  The Financial Industry Regulatory Authority (FINRA), an industry self-regulatory orgnaization, issued guidance to member companies on the use of blogs and social networking sites to engage in company-sponsored communications with the public.  While FINRA exercises oversight of the securities industry, the recommendations are good advice for any business that is considering communicating with or marketing to consumers through social media.
• Two Hogan & Hartson Advisories on the Use of Social Media (September 28, 2009):  We were even covering social media back before we were Hogan Lovells!  We issued an update (PDF), still relevant today, setting forth the considerations that arise when social media is used by three different groups -- an entity itself, the employees of that entity, and third parties in reference to the entity.  Also, the FDA in 2009 held a two-day public hearing at the end of that year on how pharmaceutical companies use the web and social media.  Despite it being almost two years since that hearing, the FDA just this March delayed an expected guidance on the use of social media to market pharmaceuticals.  News earlier this week that Facebook will prevent pharmaceutical companies from disabling the comments feature on their pages has caused consternation, as the FDA has implied in past statements that user comments maybe able to be ascribed to pharmaceutical companies for regulatory purposes.  Stay tuned.

The FTC has noted that businesses may have a particular interest in children’s identity theft for a couple of reasons, which include raising awareness about this important issue and helping to stop an activity that can have significant economic consequences to businesses.

The forum will be held at the FTC’s Conference Center at 601 New Jersey Avenue in Washington, DC. Additional information including a tentative agenda, is available on the FTC's website.

Another Letter to the Editor in response to the Times privacy story was that of Mark Rotenberg, Executive Director fo the Electronic Privacy Information Center in which Mr. Rotenberg observed:

It is hardly surprising that Europe is taking the lead; the United States has been slow to update its privacy laws... It would be tempting for American policy makers to say that privacy concerns are unique to Europe. But the better approach would be to understand the problems and begin to develop solutions.

In a  week in which 

• federal  "Do Not Track" legislation is being introduced
• hearings on location privacy are being held in the US Senate, and
• the FTC obtained an agreement from "two companies that maintain large amounts of sensitive information about the employees of their business customers, including Social Security numbers, [] to settle Federal Trade Commission charges that they failed to employ reasonable and appropriate security measures to protect the data,"

and in a year in which

• the Executive Branch for the first time expressed support for a "Privacy Bill of Rights", a comprehensive privacy law
• the FTC issued a draft Report proposing substantial changes for the protection of privacy,
• the Department of Commerce assumed a leading role in calling for new privacy protections,
• Senators Kerry and McCain, among others, proposed new legal protections for privacy,
• Industry self-regulation to provide greater privacy protections increased dramatically, amd
• the FTC proposed a consent decree with Google calling for a "Comprehensive Privacy Program,"

it does not appear that American policy makers consider privacy concerns either to be unique to Europe or that Europe is the only place where new rules are in focus.

Notably, a Data Protection Authority from the EU wrote in response to Chris' letter (requesting anonymity):

I have the similar view as yours after my visit to the US...IMHO aggressive NGOS + committed privacy officers within the agencies provide equal protection (but in a different way) as our - sometimes bureaucratic - "independent" agencies.
 

The issue of what approach to the protection of personal privacy is best is likely to persist.  Hogan Lovells Practice Director Chris Wolf has been invited to (and will) participate in the "eG8 Forum," a two day forum on the future of the Internet  to be held in Paris at the end of this month, organized by President Sarkozy of France in connection with the G8 Summit he is hosting.  The gathering will be attended by international tech leaders.  (Google chairman Eric Schmidt, Facebook COO Sheryl Sandberg and Wikipedia founder Jimmy Wales are reportedly planning to participate.)  A main focus of the event is the Internet and Privacy.

At the eG8 program, Chris plans to emphasize the points made in his Letter to the Editor of the Times, that there is  "the convergence in international standards of privacy" and he will work to eliminate the "impression that privacy is less of a policy concern in the United States than it is in the European Union."  To that end, Chris will work to promote greater international cooperation and harmonization of approaches to the protection of personal privacy.

Section 5 Violations

In its complaint, the FTC alleges that Google users were not given adequate notice that information that was previously private would be shared publicly through Buzz. The choices presented to users were “Sweet! Check out Buzz” or “Nah, go to my Inbox.” 

According to the FTC, the Google process did not give users a full picture of the information sharing that was done through Google Buzz, which included the public display of lists of people a user chatted or emailed with most often. This automatic generation of lists of “followers” led to the generation of lists for certain users that included: “individuals against whom [a user] had obtained [a] restraining [order]; abusive ex-husbands; clients of mental health professionals; clients of attorneys; children; and recruiters [the user] had emailed regarding job leads.” 

The FTC also noted that even if a user clicked “Nah, go to my inbox,” he might still be enrolled in certain Buzz features. The FTC also alleges that privacy controls for Google Buzz were complicated and difficult to locate, making it hard for users to control privacy settings or to turn off the Buzz service. According to the FTC, these representations gave some users a mistaken belief that they had opted out of or exercised control over Buzz functionality. This failure adequately to disclose exactly how Buzz worked and what a user must do not to have his data shared amounted to a deceptive act or practice in the eyes of the FTC.

The FTC based its Section 5 allegations of deceptive acts or practices on the fact that Google’s actions when it launched Buzz violated terms in its own privacy policies. At the time Buzz was launched, Google’s Gmail privacy policy made the following representation:

"Gmail stores, processes and maintains your messages, contact lists and other data related to your account in order to provide the service to you."

In addition, the following representation was included in Google’s privacy policy that applies to all of Google’s products:

"When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use."

The FTC alleges that Google did not use information received from users who signed up for Gmail only for the purpose of providing the user with Gmail service, but rather Google used this information to populate Google Buzz. Additionally, the FTC alleges that Google did not seek user consent before using information provided by Gmail users for Google Buzz.

U.S.-EU Safe Harbor Framework Violations

Since 2005, Google has maintained self-certification with the Department of Commerce under the U.S.-EU Safe Harbor Framework (“Safe Harbor”). The Safe Harbor is a voluntary framework that allows a U.S. company to transfer E.U. data lawfully to the U.S. in compliance with the E.U. Data Directive’s adequacy standard, which requires EU Member States to have laws that prohibit transfers of data to countries outside of the EU unless the European Commission has made a determination that a country’s laws ensure adequate data protection. In order to join the Safe Harbor, Google certified that it complied with seven principles that have been deemed to meet the EU’s adequacy standard. 

The FTC alleges that Google’s actions when launching Buzz did not adhere to certain Safe Harbor principles, including the notice and choice principles. The notice principle requires a company to inform individuals about the purposes for which it collects and uses personal information. The choice principle requires that a company must allow individuals to exercise certain choices about the way their data is used. The FTC claims that Google did not give Gmail users notice or choice about data that was collected by Gmail and subsequently used for Google Buzz. Notably, this is the first time the FTC has alleged violations of the privacy requirement imposed by self-certification to the U.S.-EU Safe Harbor Framework.

Terms of Proposed Settlement

The FTC released a consent order, which outlines the terms of the settlement between the FTC and Google. The proposed settlement bars Google from making any misrepresentations relating to: (i) Google’s collection and use of user data; (ii) the extent to which Google users can exercise control over the collection, use, or disclosure of data; and (iii) the extent to which Google is in compliance with the U.S.-EU Safe Harbor Framework or other government-sponsored compliance programs. 

The proposed consent order also requires Google to clearly and prominently disclose any “new or additional” data sharing with third parties of personal information that Google has previously collected across all of Google’s products and services. 

This disclosure is not limited to just “material” new or additional data sharing and must include the identity of the third parties and the purpose for Google’s sharing the data. Google must also obtain affirmative consent from Google users before sharing this information.

Google is also required to establish and maintain a comprehensive privacy program. This is the first time the FTC has required a company to implement a comprehensive privacy program. This privacy program must be documented in writing and be reasonably designed to address privacy risks and protect the privacy and confidentiality of user data. According to the FTC’s analysis of the consent order, the order requires Google to:

• designate an employee or employees to coordinate and be responsible for the privacy program;
• identify reasonably-foreseeable, material risks, both internal and external, that could result in the unauthorized collection, use, or disclosure of covered information and assess the sufficiency of any safeguards in place to control these risks;
• design and implement reasonable privacy controls and procedures to control the risks identified through the privacy risk assessment and regularly test or monitor the effectiveness of the safeguards’ key controls and procedures;
• develop and use reasonable steps to select and retain service providers capable of appropriately protecting the privacy of covered information they receive from respondent, and require service providers by contract to implement and maintain appropriate privacy protections; and
• evaluate and adjust its privacy program in light of the results of the testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on the effectiveness of its privacy program.

Within 180 days, and every two years thereafter for the next twenty years, Google must obtain a privacy assessment and report from a “qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession.” Further, Google will be subject to certain compliance and reporting requirements, allowing the FTC to inspect copies of various documents for various time periods, including:

• “widely disseminated [privacy] statements” for three years;
• consumer complaints alleging unauthorized collection, use, or disclosure of personal information for six years;
• documents that “contradict, qualify, or call into question Google’s compliance with the consent order” for five years; and
• materials relied on to prepare the privacy assessment discussed above for three years.

The consent order would apply for twenty years, subject to extension if Google is found to be in violation of the order.

Consenting Opinion of Commissioner J. Thomas Rosch

Commissioner Rosch accepted the proposed consent agreement, however he wrote a separate concurring statement to indicate that he has concerns about the provision that requires Google to notify and obtain affirmative consent before any new or additional uses of previously collected data. Commissioner Rosch points out that Google’s privacy policy did not indicate that it would obtain opt-in consent from consumers. He fears that this requirement goes beyond what Google has promised consumers in its privacy policy and that this requirement may be contrary to public interest. He explains:

"In short, on the face of it, Part II seems to be contrary to Google’s self-interest. I therefore ask myself if Google willingly agreed to it, and if so, why it did so. Surely it did not do so simply to save itself litigation expense. But did it do so because it was being challenged by other government agencies and it wanted to “get the Commission off its back”? Or did it do so in hopes that Part II would be used as leverage in future government challenges to the practices of its competitors? In my judgment, neither of the latter explanations is consistent with the public interest."

Google Response to Proposed Settlement

Alma Whitten, Google’s Director of Privacy, Product & Engineering, released a statement on the Official Google Blog. Whitten wrote:

"[W]e don’t always get everything right. The launch of Google Buzz fell short of our usual standards for transparency and user control—letting our users and Google down. While we worked quickly to make improvements, regulators—including the U.S. Federal Trade Commission—unsurprisingly wanted more detail about what went wrong and how we could prevent it from happening again. Today, we’ve reached an agreement with the FTC to address their concerns. We’ll receive an independent review of our privacy procedures once every two years, and we’ll ask users to give us affirmative consent before we change how we share their personal information.

We’d like to apologize again for the mistakes we made with Buzz. While today’s announcement thankfully put this incident behind us, we are 100 percent focused on ensuring that our new privacy procedures effectively protect the interests of all our users going forward."

Comments on Consent Order

A description of the consent agreement will be published by FTC in the Federal Register. The agreement is open for public comment for thirty days – through May 1, 2011. After the comment period, the FTC will decide whether to make the proposed order final. 

Electronic comments can be submitted here.

• The FTC is directed to make rules requiring reasonable security measures to protect covered information by a covered entity which is defined as "any person that collects, uses, transfers or maintains covered information concerning more than 5,000 individuals during any consecutive 12-month period" and is subject to FTC jurisdiction, as well as non-profits and telecommunication common carriers.
• Covered entities are required to have proportionate  manegerial accountability for the adoption and implementation of policies consistent with the proposed Act, to have a process to respond to nonfrivolous complaints and to "describe its programmatic means of its compliance with the requirements of the Act" upon request from the FTC.
• The FTC is charged with conducting a rulemaking on how covered entities shall provide readily accessible notice regarding the collection and use of personal information and any changes in such collection and use.
• Opt out options must be provided to individuals for any purpose "not authorized by the individual" other than to process a transaction, to "operate the covered entity that is providing a transaction", to prevent or detect fraud, to investigate a possible crime, to engage in first-party marketing (defined as marketing by the entity that driectly collected the information") or for the improvement of service, necessary for internal operations, including customer satisfaction surverys.
• Opt in  consent will be required as to sensitive personal information other than to process a transaction or prevent fraud, as to PII previously collected if there is a material change in practices, and the transfer to third parties for an "unauthorized use" or public display.
• Reasonable access by individuals to their PII is mandated.
• If an individual terminates a service or relationship with the covered entity, or if the covered entity enters bankruptcy, individuals are given the right to demand that PII be rendered not personally identifiable or if that is not possible, to cease its collection, use, transfer or maintenance.
• Third parties are prohibited from using PII for which opt in consent is required except in limited circumstances and specific contracts are required for transfers of covered information by covered parties to third parties and the contracts shall provide that "the third party will not combine information that is not personally identifiable... with other information in order to identify individuals with that information."  Transfers to "unreliable third parties" is prohibited.
• Covered entities are ordered by the draft law "to seek" to engage in data minimization and minimized retention
• State attorneys general are given civil action authority to enforce the law, in addition to the FTC's enforcement authority under Section 5 of the FTC Act.
• Monetary penalties are specified with a $2 or $3 million dollar cap on liability depending on the nature of the violation
• No private rights of action are allowed and state laws, except those dealing with health or financial information, data breach notification or fraud are preempted
• The "Co-Regulatory Safe Harbor Programs" provision of the draft law instructs the FTC to set requirements for programs administered by "non-governmental organizations" to implement the requirements of the Act , to offer means of opting out and  to implement a "comprehensive information privacy program."  Such programs, for which annual reports are required,  would be supervised and enforced with penalties by the FTC.  Covered entities that participate in approved Safe Harbor Programs are to be exempted from the major provisions of the law "if the Commission finds that the safe harbor program requires compliance with requirements that are the substantially the same (sic) as, or more protective of privacy than, the requirements of the provision from which the exemption sis (sic) granted."
• The FTC may host a web site where consumers can access Safe Harbor opt out tools.
• The Department of Commerce is directed to "contribute to the development of commercial privacy policy" by convening stakeholders to develop codes of conduct in support of Safe Harbor programs, to expand "interoperability" between the US commercial data framework and other national and regional privacy frameworks, and to conduct research to improve privacy protection under the Act.

As an online advertising network, Chitika matches advertising space on websites that participate in its network (publishers) to advertisers that seek to target online advertisements to consumers more likely to respond to them. As alleged in the FTC’s complaint, Chitika is able to facilitate targeted online advertising through the use of a tracking cookie that it places on the web browsers of consumers when they visit a participating network publisher’s website (or where a cookie has previously been set on a consumer’s browser, Chitika retrieves the cookie upon a user’s return to a participating publisher’s website). Chitika adds a consumer’s web browsing activities and sometimes search terms to the cookies. Chitika is then able to sell advertising space on the publisher websites to advertisers seeking to target consumers whose browsing activities identify a desired target audience.

Chickita’s alleged deceptive practices arise from its website privacy policy disclosures. Although Chickita’s activities were not visible to an average consumer visiting its network publisher websites, the company maintains a privacy policy on its own website.  That policy explained its use of cookies and offered consumers the choice to opt-out of Chitika cookies through a button labeled “Opt-Out.” Upon clicking that button, Chitika set an “opt-out cookie.” While in effect, the opt-out cookie prevented Chitika from setting new tracking cookies, did not allow new information to be added to previously set cookies, and did not allow existing tracking cookie data to be used for ad targeting. However, from at least May 2008 through February 2010, the opt-out cookie expired after 10 days. The FTC alleged that the privacy policy as well as a statement on the Chitika website stating “You are currently opted out” after a consumer clicked the “Opt-out” button were false and misleading. 

After being contacted by the FTC, Chitika changed the expiration date on its cookies from 10 days to 10 years prospectively, effective March 1, 2010. This change had no affect on cookies set before that date. Regarding specific measures under the settlement terms and proposed order, the order lasts for twenty years and Chitika:  

o        will not misrepresent the extent of its data collection and consumers’ ability to control that collection and subsequent use or sharing of data;

o        must place a “clear and prominent notice with a hyperlink on the homepage of its website that states: ‘We collect information about your activities on certain websites to send you targeted advertisements. To opt out of Chitika’s targeted ads, click here’”; 

o        shall, for a one year period include an additional disclosure on its homepage near the disclosure above stating “[i]f you opted out of our targeted ads before March 1, 2010, the opt-out has expired and you must opt out again to avoid targeted ads.”

o        must ensure that the mechanism to prevent further targeted ads remains in place for five years from the opt-out;

o        will disclose near the opt-out mechanism “(1) that Chitika collects information about consumers’ activities on certain websites to deliver targeted ads; (2) that by opting out, Chitika will not collect this information to deliver such ads; (3) consumers’ current choice status (i.e., whether opted in or opted out of tracking); and (4) that consumers’ choice is specific to the browser they are using”;

o        must ensure that within any behaviorally targeted ad there is a link titled “Opt out?”, when consumers place their cursor over the link it clearly and visibly states “Opt-out of Chitika’s targeted ads,” and when clicked, the link takes consumers to the opt-out mechanism;

o        is prohibited from “using, selling, or transferring ‘any information that can be associated with a Chitika user or a Chitika user’s computer or device’ that the Company obtained prior to March 1, 2010, Chitika must delete such information from its cookies, and Chitika must delete any other information in its files that could be used with such information to associate “a particular consumer or that consumer’s computer or device.”

This settlement is particularly noteworthy in that businesses have been looking for signals as to how network advertisers can convey clear and concise choice to consumers consistent with FTC expectations. While the settlement terms addressing consumer disclosures are clearly remedial actions for Chitika, they provide some guidance outside of the frameworks established by self-regulatory programs, such as the Advertising Option Icon established by the Digital Advertising Alliance. Also, while the FTC’s Complaint notes that Chitika’s cookies include unique identification numbers for tracking, there were no allegations that personally identifiable information was involved and the FTC did not identify as deceptive any privacy policy statements referring to tracking being anonymous. Although this settlement involves a straightforward deceptive practices action, this further highlights the FTC’s view that the distinction between personally identifiable information and non-personally identifiable information is diminishing.

In October 2009, the district court ruled in favor of the ABA and enjoined the FTC from enforcing the Rule "against lawyers engaged in the practice of law." After the FTC appealed the district court's ruling, the Red Flag Program Clarification Act of 2010 ("Clarification Act") -- which amended the definition of "creditor" as used in the Red Flags Rule and the FACT Act -- was signed into law. 

In its March 4 ruling, the Court of Appeals held that the enactment of the Clarification Act served to moot the ABA's claims. As explained by the Court in its opinion, the Clarification Act narrowed the definition of "creditor" to mean entities that not only accept deferred payments but also (i) obtain or use consumer reports, (ii) furnish information to consumer reporting agencies, or (iii) advance funds with an obligation of future repayment. Thus, the Court found, "the FTC's assertion that the term 'creditor' . . . includes 'all entities that regularly permit deferred payments for goods or services . . . such as lawyers or health care providers' . . . is no longer viable." In addition, the Court noted that the legislative history of the Clarification Act "confirms Congress' intention to bar the regulation of lawyers based solely on deferred billing practices."

The Court observed that the FTC could pursue notice-and-comment rulemaking to promulgate new rules pursuant to which it might regulate lawyers and law firms. The Clarification Act left open this possibility by allowing the FTC to determine through rulemaking that a particular type of entity is a creditor under the Rule, based on a finding that the entity offers accounts that are "subject to a reasonably foreseeable risk of identity theft." However, the Court found as "merely hypothetical possibilities" this possibility -- as well as the prospect that the FTC would pursue a new enforcement policy against lawyers and law firms. Thus, the Court could not identify any currently-actionable dispute.

For the time being, attorneys who accept deferred payments for their services will remain outside the coverage of the Red Flags Rule (which became effective for non-financial institution creditors on December 31, 2010), provided they do not engage in the specific additional activities listed above. However, attorneys should note that they do not enjoy a blanket exemption from the Rule, and whether the FTC will engage in new rulemaking under the Clarification Act to broaden the scope of the Rule remains to be seen. And, of course, it is incumbent upon attorneys as part of their ethical duties to clients, to safeguard the information provided to them, including information which if released improperly could lead to identity theft.

Self-regulatory efforts to date under the commission's “notice and choice” approach have been inadequate, the commissioners said. Most consumers do not read or understand the long, opaque, complicated privacy policies that have emerged, they added.

The proposed best practices framework would apply to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or device. The FTC report recommended:

• privacy by design;
• simplified choice for the collection and use of consumers' data for practices other than “commonly accepted practices[,]” through industry-driven “do-not-track” systems;
• greater transparency, including shorter and more clear privacy policies, and policies to permit consumers access to data about themselves;
• prominent notices and opt-in consent for the use of consumer data in a materially different manner than claimed at the time of collection; and
• expanded consumer education.

FTC staff encouraged all interested parties to submit written comments on the proposal, and provided specific questions to guide the input. Comments are due Jan. 31, 2011.

Among other things, the regulators asked how “commonly accepted” practices should be defined; whether “choice” could ever be offered on a take-it-or-leave-it basis, particularly for free e-mail and storage services; how a do-not-track system should be designed; the potential impact of a do-not-track system on both advertisers and consumers; and whether additional notice and choice systems should be explored in the context of social media, particularly for teenaged users.'

In a press event following the publication of the report, FTC Chairman Jon Leibowitz said that the principles should serve as an updated rules-of-the-road to guide the industry's self-regulatory efforts in this space.

The commission supports a “do-not-track” system in principle, Leibowitz said, but has not taken a position on legislation to achieve that goal. Industry could facilitate the ubiquitous deployment of browser-based tracking opt-out systems, Leibowitz said. But he added that legislative action could be needed if industry does not take added steps to give consumers more control over how data about their online activities is collected and used.

Rapid Reaction

In response to the report, at least three lawmakers—Sen. John D. Rockefeller IV (D-W.Va.), Sen. John Kerry (D-Mass.), and Rep. Joe Barton (R-Texas)—pledged continued focus to online privacy in the next legislative session, echoing remarks they have made on several occasions following the November federal elections.

Robert Gellman, a privacy and information policy consultant in Washington, D.C., told BNA that he viewed the report “as mostly a warmed over notice-and-choice, with a bit of updating here and there.”

“Industry will do the minimum possible to avoid real threats of regulation,” Gellman said. “There's nothing in the report that threatens industry any more than yesterday.”

Christopher Wolf, a privacy attorney with Hogan Lovells in Washington, D.C. and co-chair of the Future of Privacy Forum policy group, told BNA he was impressed with the breadth of the report, adding that it was important not to view the FTC's pronouncements as the end of the process. “I give the Commission high-praise for their comprehensive nature in identifying the real problems in privacy,” he said. “But I think we need to understand that this is the beginning of the discussion, not the conclusion, as some thought it might be after a year of roundtables.”

Continued Emphasis on Self-Regulation

Free content on the internet is supported by advertising, which is more effective—and valuable—when it is targeted toward a viewer's interests, industry groups contend.

Internet companies have for some time collected data about and analyzed consumers' online activities, through browser-based cookies, Flash cookies, and analysis of content transmitted through their services. The businesses have used that information to target consumers with advertising.

Most businesses now notify consumers about those activities, in one way or another, through a privacy policy. The FTC has said that consumers should be expressly notified about the tracking, to ensure that they are not unfairly or deceptively tracked (14 ECLR 1339, 9/16/09).

The FTC has been exploring its role in regulating online companies' data-collection, sharing, and usage practices. Amidst widely publicized complaints from consumer groups about internet practices that they perceive to be egregious privacy violations—complaints that often involve leading social networks, search services, and data brokers that hold large stores of data—the commission has strongly encouraged industry to step up its self-regulatory efforts (14 ECLR 203, 2/18/09).

To date, the commission has relied mostly on self-regulatory initiatives to advance its consumer protection mission in the area of online privacy. But the commission has warned that if industry fails to address these incidents, they could face added regulation down the road.

The commission has pursued enforcement actions, under its Section 5 authority to act to protect consumers against unfair and deceptive trade practices, in situations involving what regulators have called “clear” violations (14 ECLR 819, 6/10/09).

It has otherwise guided industry toward privacy-enhancing practices through recommended “principles” (13 ECLR 24, 1/2/08); town hall and roundtable events geared toward discussions of potentially problematic activities (12 ECLR 720, 8/8/07; 14 ECLR 1689, 11/25/09); and other statements that vaguely foreshadow possible future regulation (15 ECLR 482, 3/24/10).

Internet businesses have commended the FTC's focus on self-regulation, and have said that heavy-handed regulation could impede online innovation and stifle internet commerce. But consumer groups continue to complain that the commission is not doing enough to protect consumers' online privacy.

This report continues the commission's focus on self-regulation, Leibowitz noted.

Leibowitz said that the commission plans to step up its privacy enforcement actions in the coming weeks and months against companies “that cross the line with consumer data and violate consumers' privacy—especially when children and teens are involved.”

Corporate Best Practices, Legislative Guidance

“We propose a new framework to guide businesses as they formulate best practices, and to guide Congress as it develops privacy legislation,” Leibowitz added. “From my perspective, and speaking only for myself, a legislative solution will surely be needed if industry does not step up to the plate.”

However, for now, at least in the area of online tracking, Leibowitz said that industry could be better suited than Congress to get a solution implemented quickly.

Leibowitz would not comment on any specific legislative proposal, other than to say the Commission's position was unlikely to incur a significant change prior to a “do-not-track” hearing scheduled for Dec. 2 by the House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection, where David Vladeck, the FTC Bureau of Consumer Protection's director, will testify.

“We don't have a position on do-not-track legislation right now,” Leibowitz remarked. At this point, the commission is focused on encouraging the industry to develop technological solutions to facilitate the broad deployment of persistent, browser-based controls that consumers can use to block data collection about their online activities, he added.

Leibowitz noted that several companies, including Microsoft, Google, Mozilla and Apple, have experimented with those systems.

Leibowitz said that online privacy issues are receiving bipartisan attention, and that the commission would work with lawmakers on both sides of the aisle in addressing policy matters related to internet privacy.

Privacy by Design, Industry Driven Do-Not-Track

First, the report recommends that companies adopt a “privacy by design” approach, and “bake in” privacy protections into their everyday practices, Leibowitz noted.

Those protections should include, according to the report: 1) providing reasonable data security for consumer data; 2) collecting only the data required for a specific business purpose; 3) retaining data only long enough to fulfill that purpose; 4) safe data disposal; and 5) implementation of reasonable data accuracy procedures.

“Such concepts are not new, but the time has come for industry to implement them systematically[,]” the regulators said. “Privacy by design” has been supported by many large online companies, including Microsoft, Google, and Facebook (12 ECLR 1081, 11/7/07).

The report distinguishes between “commonly accepted” data practices—for which no consumer choice would be required—and other practices, for which “consumers should be able to make informed and meaningful choices.”

“Commonly accepted” practices, in the preliminary report, would include—product and service fulfillment, internal operations, fraud prevention, legal compliance, and first-party marketing. The FTC sought comment about the scope of that category.

Regarding the delivery of choice-centered mechanisms for non-“commonly accepted” practices, Leibowitz said he generally supported an opt-out system, with the exception of sensitive information.

The most practical universal choice mechanism would likely be the placement of a persistent setting, the report said. The setting would be “similar to a cookie, on the consumer's browser signaling the consumer's choices about being tracked and receiving targeted ads.”

The setting should control both data collection and use, Leibowitz said.

Simplified Notices Proposed

The commission pointed out that privacy policies created under its notice-and-choice model have become long, opaque, and lack uniformity that would enable consumers to compare privacy practices across companies.

“Consequently, consumers face a substantial burden in reading and understanding privacy policies and exercising the limited choices offered to them[,]” the report said. That difficulty was illustrated in the recent Sears Holdings case (14 ECLR 819, 6/10/09), the regulators added.

In that enforcement action, the commission charged that the company's “buried” disclosures were inadequate to inform consumers about its data-collection about all their online activities, regardless of the sensitivity of the transactions at issue.

In the report, the commissioners recommended that:

privacy notices should provide clear, comparable, and concise descriptions of a company's overall data practices. They should clearly articulate who is collecting consumer data, why they are collecting it, and how such data will be used. Companies should standardize the format of their notices, as well as the terminology used. This could allow consumers to make choices based on privacy and will potentially drive competition on privacy issues.

It is well-settled under existing FTC Act caselaw and policy that companies must provide prominent disclosures and obtain opt-in consent before using consumer data in a manner that is materially different from the purpose for which it was collected, the commissioners noted, pointing to Gateway Learning Corp., No. C-4120 (F.T.C. Sept. 10, 2004)(9 ECLR 622, 7/14/04).

The regulators sought comment on what types of changes companies view as “material.”

Mere Principles, but Some Potentially Binding

Leibowitz pointed out that the report contains mere “principles,” and do not carry the force of regulations.

Jessica Rich, deputy director of the Bureau of Consumer Protection, however, added that portions of the guidance could have regulatory force. “To the extent that they draw on existing actions—such as those related to data security and material changes to privacy policies—they are enforceable now,” Rich said. “There are elements of this that reflect law.”

Leibowitz pointed out that the report is preliminary, and could be updated in response to public comments. The final report is expected to be published sometime in 2011.

 Do We Need Legislation in This Space?

Immediate reactions to the report from lawmakers, attorneys, and consumer groups praised the FTC's activities in this area, and largely encouraged lawmakers to use the report to inform legislative privacy efforts.

In a statement, Kerry said that the report demonstrates that self-regulation has not adequately protected consumers, and that he is in the process of drafting online privacy legislation.

“During the process of drafting legislation, I've concluded that consumers should have three nonnegotiable rights[,]” Kerry wrote. “ First, all firms must put procedures in place to secure personally identifiable information. Second, consumers have a right to know in clear and concise terms what firms intend to collect, why, and how it will be used. Third, consumers should be given a simple mechanism for opting out of the process.”

Barton, ranking member of the House Energy and Commerce Committee, said that the committee will take a closer look at online privacy policies. “Millions of people put their information into the hands of Web sites like Facebook because they believe what they're told about walls protecting their privacy[,]” Barton wrote.

Rockefeller suggested that the Commission may need more authority to address online privacy issues. “The FTC's report makes it clear that self-regulation has largely failed, online companies must be more accountable, and our national privacy policy must better serve consumers[,]” he wrote.

Rockefeller added that “Americans need greater control over how their personal information is collected and used, and the FTC needs the authority to take action against companies who fail to provide consumers with basic privacy protections.”

“I want the Internet economy to prosper, but it can't unless the people's right to privacy means more than a right only to hear excuses after the damage is done. In the next Congress, the Energy and Commerce Committee and our subcommittees are going to find out if Internet privacy policies really mean anything, and if necessary, how to make them stick[,]” Barton added.

Mixed Views on Merits of Self-Regulation

Wolf said that self-regulation could achieve the privacy goals offered by the commission. “On the whole I don't take as dim a view of self-regulation as the commission does,” Wolf added.

“There have been may advances in technology that allow for more control by consumers to allow them to protect their information.” Technological advances, and not legislation, will achieve the right balance in privacy protection, Wolf remarked, drawing parallels between the privacy discussion and the anti-spam legislation from last decade.

Wolf suggested that the benefits of tracking for targeted advertising weigh in favor of a continued self-regulatory approach. “In 2003 Congress passed the CAN-SPAM Act, but the law didn't solve the problem,” he said. “Now while spam has no merit at all, tracking can have benefits to some consumers.”

On the other hand, Francoise Gilbert, managing director of the IT Law Group in Palo Alto, Calif., told BNA that legislation could be beneficial to both consumers and companies.

“I am in favor of a law because it would establish a rule, and then if someone does not comply with those rules there is a possibility of recourse,” she said. “The guidelines are nice, and they make sense, but right now we don't have enforceability.”

Gilbert said she was surprised that the report itself did not address enforcement. “I think the report made very good progress towards principles that we see all over the world, particularly in Europe,” she said, “but there seem to be a few areas, such as in the areas of enforcement and accountability, where there is no overlap.”

In the press event, Leibowitz pointed out that companies who pledged, but did not, abide by self-regulatory standards could face enforcement actions under Section 5.

How Much Is at Stake for Online Companies?

It is unclear, at this juncture, how much of an economic impact a persistent opt-out system could have on the online advertising industry, Leibowitz said. The commission solicited comment on that issue.

A study commissioned by the Network Advertising Initiative released earlier this year reported that behaviorally targeted advertising is twice as effective as generic ads. Of the responding companies' combined $3.23 billion annual advertising revenues, nearly 18 percent was from behaviorally targeted ads(15 ECLR 520, 3/31/10).

When asked, Leibowitz would not comment about the effect enhanced privacy systems, as proposed in the report, might have on the online ad industry. However, he questioned statements indicating that adoption of a tracking opt-out would devastate the industry, pointing to a study published by online privacy certification group TRUSTe Nov. 16.

The report surveyed the consumer response to enhanced privacy notices and icons. It showed that less than one percent of customers completely opted out of ad networks, and even fewer changed their advertising preferences—such as by opting out of some, but not all ad networks.

By Amy E. Bivins and Tamlin Bason

Protecting Consumer Privacy in an Era of Rapid Change: A proposed Framework for Businesses and Policymakers, http://www.ftc.gov./os/2010/12/101201privacyreport.pdf.

Commissioner Jon Leibowitz's prepared statement at http://www.ftc.gov./speeches/leibowitz/101201privacyreportremarks.pdf.

NAI study at http://www.networkadvertising.org/pdfs/NAI_Beales_Release.pdf.

TRUSTe Report at http://www.truste.com/blog/?p=987.

Information about Dec. 2 “Do-Not-Track” hearing at http://energycommerce.house.gov.

http://www.bna.com>

Reproduced with permission from Privacy Law Watch, Dec. 2, 2010. Copyright 2010 by The Bureau of National Affairs, Inc. (800-372-1033)

The Report starts by providing a background on the FTC's notice-and-choice and harms-based approach to privacy, and its recent privacy enforcement actions.  It discusses the limitations of the current model (for example, the burden on consumers in reading and understanding privacy policies).   It summarizes the results of the roundtables, and then details a framework to guide commercial entities that collect or use consumer data. 

The framework contains three top-level maxims:

• Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.  This includes incorporating substantive privacy protections -- such as data security and retention practices -- into business processes (such as is touted in the Privacy by Design model developed by the Privacy Commissioner of Ontario, Dr. Ann Cavoukian), and maintaining comprehensive data management procedures throughout the lifecycle of products and services.
• Companies should simplify consumer choice, not just through notice about privacy practices prior to the use of a product or service in a lengthy privacy policy, but by offering choice at a time and in a context in which the consumer is making a decision about his or her data (such as when the consumer is presented with a targeted online behavioral advertisement).  
• Companies should increase the transparency of their data practices, such as by clarifying, shortening, and standardizing privacy notices; providing reasonable access to the consumer data they maintain; providing prominent disclosures and obtaining affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected; and working to educate consumers about commercial data privacy practices.

One specific proposal contained within the Report is a "Do Not Track" mechanism that the FTC contemplates could be advanced either by legislation or enforceable industry self-regulation.  Do Not Track would require businesses to comply with a consumer's centralized opt-out of online behavioral tracking.  Notably, no specifics are provided on what such legislation or self-regulation might look like.  The Future of Privacy Forum, a think tank founded and co-chaired by Hogan Lovells privacy lead Chris Wolf presented a program shortly after the FTC Report was released on how technology and existing law could empower consumers who wish not to be tracked.  For a detailed description from the FPF about how Do Not Track would work, check out their summary here.

Though concurring with the report, Commisioner William Kovacic submitted a separate opinion opining that the call for new controls on online tracking was premature.  Commissioner Thomas Rosch also concurred, stating that while he thought the Report served a purpose as a "hortatory exercise" suggesting desirable best practices, he disagreed with its suggestion that the FTC's current notice-and-choice model is inherently flawed and needs to be discarded in favor of a theoretical, untested new framework.

The Report also contains an appendix posing dozens of questions for interested parties to address with respect to the proposals set forth.  In that way, the Report actually may be seen as continuing the process of examining privacy that started with the roundtables rather than finishing the examination process with decrees, as some may have expected.  

The staff seeks comments by January 31, 2011 on each component of the proposed framework and "how it might apply in the real world."  Based on the comments received, the FTC will issue a final report in 2011.

1. reflects the terms of the relationship with the individual;
2. reflects the individual’s performance and other conduct with respect to the relationship; and
3. identifies the appropriate individual.

“Integrity” means that information furnished about an individual:

1. is substantiated by the data furnisher’s records at the time it is furnished;
2. is furnished in a form and manner that is designed to minimize the likelihood that the information may be incorrectly reflected in a report about the individual; and
3. includes any information in the furnisher’s possession that the Federal Trade Commission (“FTC”) has determined the absence of which would likely be materially misleading in evaluating the individual.  Regarding the last category, the FTC only has determined an individual’s credit limit with the furnisher, if applicable, must be reported, but it is possible that in the future the FTC could require furnishers to provide other categories of information.

Although this mandate is worded broadly, the regulation also specifically requires that data furnishers “consider” detailed guidelines (which are appended to the regulations) and “incorporate those guidelines that are appropriate.”  By requiring data furnishers to “consider” and “incorporate” these guidelines, the regulation requires data furnishers to conduct an audit of their current furnishing policies and procedures.  Moreover, the guidelines contain a list of specific components of policies and procedures that a furnisher “should address,” making these components de facto requirements of any written policies and procedures that result.  These components include:

• Using standard data reporting formats and standard procedures for compiling and furnishing data, where feasible, such as the electronic transmission of information about individuals to CRAs.
• Maintaining records for a reasonable period of time in order to substantiate the accuracy of any information about an individual that is subject to a direct dispute by the individual.
• Establishing and implementing appropriate internal controls to ensure accuracy and integrity, such as by implementing standard procedures and verifying random samples of information furnished to CRAs.
• Training staff that participates in activities related to data furnishing.
• Providing for appropriate and effective oversight of relevant service providers whose activities may affect the accuracy or integrity of furnished data.
• Deleting, updating, and correcting information in internal records, as appropriate, to avoid furnishing inaccurate information.
• Conducting reasonable investigations of disputes.
• Designing technological and other means of communication with CRAs to prevent duplicative reporting, erroneous association of information with the wrong individual(s), and other occurrences that may compromise the accuracy or integrity of data furnished.
• Providing CRAs with sufficient identifying information about each individual about whom information is furnished to enable the CRA to properly identify the individual.
• Conducting a periodic evaluation of internal practices, CRA practices of which the furnisher is aware, investigations of disputed information, corrections of inaccurate information, means of communication, and other factors that may affect the accuracy or integrity of data furnished.

The regulation also specifies that policies and procedures must be appropriate to the nature, size, complexity, and scope of each furnisher’s activities.  In addition, the regulation requires that furnishers review their policies and procedures “periodically” and update them as necessary to ensure their continued effectiveness.

Direct Dispute Rules

In addition to the accuracy and integrity rules, the new regulations also contain rules requiring data furnishers in most cases to investigate disputes that individuals submit directly to them regarding the accuracy of information that the furnishers reported to a CRA.  Previously, the law encouraged individuals to submit their disputes through a CRA, rather than directly to data furnishers.

The new rules require data furnishers to conduct “a reasonable investigation” of any such dispute initiated by an individual over furnished data.  Data furnishers do not need to conduct such an investigation, however, if any of a number of exceptions apply, including if the dispute is about the consumer’s identifying information; the identity of past or present employers; inquiries or requests for a consumer report; information derived from public records; information related to fraud alerts or active duty alerts; or information provided to a CRA by another furnisher.

The rules require a data furnisher to respond to disputes received at any business address, unless the furnisher has previously specified an address to the individual submitting the dispute or a specific address is listed on the report of the CRA incorporating the disputed information.  After receiving a valid dispute notice from an individual, the data furnisher must conduct and complete an investigation within thirty days (unless the disputer provides additional information within that period).  If the investigation finds that the information reported was inaccurate, the data furnisher must promptly notify and provide corrections to each CRA to which the furnisher provided inaccurate information.

Compliance Steps

At minimum, data furnishers must establish written policies and procedures regarding the accuracy and integrity of the information relating to its employees that it provides to CRAs.  This will involve conducting a review of existing policies and procedures, both formal and informal, to determine if they comply with the guidelines appended to the regulations, and making modifications as needed.  Data furnishers also must consider the specific components of policies and procedures listed in the guidelines appended to the regulations, and include those specific components in written policies and procedures if applicable.  Further, data furnishers must adopt a process to review these policies and procedures periodically and update them as necessary to ensure their continued effectiveness.

To comply with the direct dispute rules, data furnishers should determine if they furnish any information to CRAs which is not subject to any of the exceptions in the regulation, and if they do, they must establish formal policies and procedures to ensure that they conduct a “reasonable investigation” of all direct disputes about individuals’ information provided CRAs.

• The bill would not only regulate the online collection of covered information from individuals, but also about individuals.  This means that the bill as written would apply to businesses that compile covered information about individuals from publicly available web sites without the express consent of the individuals.  Since these businesses do not have a relationship with the users of the web sites from which they collect information, it is almost impossible for them to make the necessary disclosures to or obtain the consent of these users.  This consequence of the bill could affect businesses such as search engines if they collect and index any “covered information” without the express consent of the subjects of the information.
• The disclosure and consent requirement would apply to both online and offline collection of covered information.  Disclosure would not be required for the collection of certain information offline, and, importantly, consent would not be required if the information is collected, used, or disclosed for purposes related to the operation of the web site or for administering a specific transaction between the user and the web site.  The latter exception allows web sites to collect covered information, including IP addresses, for the purposes of maintaining the security of their web sites, or for providing services to individuals that use the sites.
• Web sites would be required to provide mechanisms for individuals to withdraw previously granted consent to use their information for the purposes of marketing, advertising, or selling the information, and must honor this withdrawal of consent.
• Web sites would be required to ensure the accuracy of the information they collect, and the FTC would be directed to establish data security safeguards that web sites would need to follow to protect covered information they maintain.
• If enacted, the bill could be enforced by the FTC and state attorneys general, though it expressly disclaims a private right of action.  The bill also would preempt state laws regulating behavioral advertising.

Reaction to the bill’s announcement was mixed. One commenter described the bill as one that “would push American privacy legislation closer to the strict rules that the European Union uses, and would extend privacy protections both on the Internet and offline.”  On the other hand, some privacy advocacy groups believe the bill would not provide tangible benefits for consumers, citing the preemption of stronger state laws, the provision allowing marketers to retain information for 18 months without express user consent, and the bill’s utilization and tacit endorsement of the much-criticized notice-and-consent regime.

In the end, the bill is still only in discussion draft form, Boucher is "facing what may be the most difficult re-election of his 28-year career" this fall, and there are many steps it would need to take before reaching the floor of Congress, which it is highly unlikely to do in the current term.  Still, the release of this bill signals that Congress is taking the issue of online behavioral advertising seriously, and even if not enacted it could create momentum leading to other legislation or increased FTC regulation of online behavioral advertising (as it has warned it might do when releasing and revising its Online Behavioral Advertising Principles most recently in February 2009), or encourage similar federal or state regulation of the collection and use of personal information for marketing purposes.

Thanks to Elizabeth Khalil in the Hogan Lovells privacy group for contributing to this report.

In determining that Congress did not intend that the Rule would apply to lawyers, Walton first examined the language and purpose of the FACT Act and concluded that there was nothing in the legislative or administrative record where either Congress or the FTC made any factual findings that there was any problem of identity theft associated with the legal profession to warrant application of the Rule to attorneys.  He found that the terminology in the statute -- which authorizes the FTC to implement regulations to protect against identity theft and speaks in terms of "financial institutions," "creditors," "credit applications," "appraisal reports," and theft with respect to "account holders at, or customers of" relevant entities -- implied that the FACT Act was created to apply to entities involved in banking, lending, or financial related business, and concluded that the FACT Act was created not to eliminate all types of identity theft, but rather identity theft specific to the credit industry.  He noted that attorneys do not maintain credit or debit accounts, and provide services to "clients" rather than "deposit account holders" or "consumers."

Citing authority that the "hallmark of credit" is the right of one party to make deferred payment, Walton specifically objected to the classification of attorneys as "creditors" given that they do not grant any right to any debtor to incur and defer payment of debts and do not regularly extend, renew, or continue credit (or arrange for the extension, renewal, or continuation of credit).  In passages that will assuredly be cited by other professional organizations contesting the applicability of the Rule, Walton declined to adopt the FTC's position that "the period of time between when a service is provided to when . . . a client [receives an invoice] for the service and the invoice is paid, amounts to a period during which credit was extended if there is any interval of time between the providing of the service and the payment of the invoice."  Instead, he remarked that "[i]nvoicing clients for services previously rendered, instead of demanding payment when service is provided is more likely an outgrowth of practicality and necessity, rather than an attempt to provide clients credit."

Despite concluding that Congress did not intend lawyers to be governed by rules promulgated under the FACT Act, Walton, "to make it absolutely clear that the Commission . . . acted beyond its authority," held that the FTC's conclusion of applicability the Red Flags Rule to lawyers was not even a permissible construction of the statute.  Among the deficiencies in the interpretation, Walton noted that it would be "unreasonable" to expect attorneys to bill for services other than periodically, criticized the FTC's classification of a one-month billing cycle as being determinative of who constitutes a creditor as "completely arbitrary" and "seem[ingly] plucked out of thin air," and stated that the FTC had not provided any legislative, regulatory, or other evidentiary findings that would support a conclusion that identity theft in the attorney-client context was a problem.  He also held that there were procedural deficiencies in the rulemaking process itself, given that the FTC did not provide any indication that the definition of "creditor" was to include attorneys who invoice their clients until almost a year and a half after the final Rule was released.

Finally, Walton cited prudential concerns specific to the legal profession in declining to apply the Rule to lawyers.  He accepted the ABA's arguments that state-level authorities, and not the federal government, have historically regulated the conduct of attorneys, and he declined to infer the Congress would do so in the absence of specific language indicating its intent to do so.  He also discussed how application of the Rule would create barriers for attorneys to build the level of trust necessary for clients to feel that they can openly communicate with their attorneys, given that questions by an attorney at the onset of the relationship designed to confirm that a client is who he or she purports to be could be construed by as a challenge to the client's integrity and undercut the ability to develop a relationship of trust.

Overall, this was a resounding defeat in the FTC's effort to broadly apply the Red Flags Rule to any individual or entity who renders services on a deferred payment basis.  As a result of the ruling, on October 30 the FTC officially delayed enforcement of the Rule for a fourth time, this time until June 1, 2010.  In the meanwhile, it faces a lawsuit from the American Institute of Certified Public Accountants that the Rule does not apply to accountants, and given Walton's language limiting his interpretation of the Rule as applying only to "banking, lending, or financial related business," it is hard to see how that litigation would not be successful.  In addition, the FTC's stated scope of applicability of the Rule has been widely decried by other large professional organizations such as the American Medical Association, and this ruling would seem to settle many of those potential conflicts as well.  Still, the FTC has not yet announced its enforcement strategy since this decision, and businesses still unsure regarding whether the Rule will apply to them should contact legal counsel for guidance.