FTC Releases Long-Awaited Privacy Report: "Protecting Consumer Privacy in an Era of Rapid Change"

The FTC today released a long-awaited Staff Report (though in preliminary form) that examines the status of privacy law and enforcement by the agency and proposes a framework for greater consumer privacy protections in the products and services developed by businesses.  The Report, which follows a series of public roundtable discussions on privacy held by the FTC over the past year, is comprehensive in identifying many pressing privacy issues.

The Report starts by providing a background on the FTC's notice-and-choice and harms-based approach to privacy, and its recent privacy enforcement actions.  It discusses the limitations of the current model (for example, the burden on consumers in reading and understanding privacy policies).   It summarizes the results of the roundtables, and then details a framework to guide commercial entities that collect or use consumer data. 

The framework contains three top-level maxims:

  • Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.  This includes incorporating substantive privacy protections -- such as data security and retention practices -- into business processes (such as is touted in the Privacy by Design model developed by the Privacy Commissioner of Ontario, Dr. Ann Cavoukian), and maintaining comprehensive data management procedures throughout the lifecycle of products and services.
  • Companies should simplify consumer choice, not just through notice about privacy practices prior to the use of a product or service in a lengthy privacy policy, but by offering choice at a time and in a context in which the consumer is making a decision about his or her data (such as when the consumer is presented with a targeted online behavioral advertisement).  
  • Companies should increase the transparency of their data practices, such as by clarifying, shortening, and standardizing privacy notices; providing reasonable access to the consumer data they maintain; providing prominent disclosures and obtaining affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected; and working to educate consumers about commercial data privacy practices.

One specific proposal contained within the Report is a "Do Not Track" mechanism that the FTC contemplates could be advanced either by legislation or enforceable industry self-regulation.  Do Not Track would require businesses to comply with a consumer's centralized opt-out of online behavioral tracking.  Notably, no specifics are provided on what such legislation or self-regulation might look like.  The Future of Privacy Forum, a think tank founded and co-chaired by Hogan Lovells privacy lead Chris Wolf, presented a program shortly after the FTC Report was released on how technology and existing law could empower consumers who wish not to be tracked.  For a detailed description from the FPF about how Do Not Track would work, check out their summary here.

Though concurring with the report, Commissioner William Kovacic submitted a separate opinion opining that the call for new controls on online tracking was premature.  Commissioner Thomas Rosch also concurred, stating that while he thought the Report served a purpose as a "hortatory exercise" suggesting desirable best practices, he disagreed with its suggestion that the FTC's current notice-and-choice model is inherently flawed and needs to be discarded in favor of a theoretical, untested new framework.

The Report also contains an appendix posing dozens of questions for interested parties to address with respect to the proposals set forth.  In that way, the Report actually may be seen as continuing the process of examining privacy that started with the roundtables rather than finishing the examination process with decrees, as some may have expected.  

The staff seeks comments by January 31, 2011 on each component of the proposed framework and "how it might apply in the real world."  Based on the comments received, the FTC will issue a final report in 2011.

If the Online Notice is Too Complex, Does That Open the Door to Tort Claims?

In an opinion piece appearing in today's Wall Street Journal, available here, Eric Felten describes an ongoing case in which a tort claim seeks to escape the limitation of liability language contained in an End User License Agreement (EULA):

A federal judge in Hawaii ruled last month that a man claiming to be addicted to a videogame can sue the game's maker for gross negligence in not warning him he could become a joystick junkie. Craig Smallwood alleges in his lawsuit that, as a result of playing the online game "Lineage II," he has "suffered extreme and serious emotional distress and depression, and has been unable to function independently in usual daily activities such as getting up, getting dressed, bathing, or communicating with family and friends."

Felten continues:

Silly as the suit may be, it isn't without legal ramifications. Steven Roosa, a lawyer doing research at Princeton's Center for Information Technology Policy, sounded almost giddy this week at the prospect that a court might chip away at the enforceability of End User License Agreements, or EULAs. These software license agreements often radically limit how, and for how much, customers can sue if they feel harmed by an electronic product.

Mr. Roosa cheered on his blog that the judge in Hawaii has opened an avenue for escaping the tyranny of these one-click, liability-limiting contracts. He called the judge's refusal to throw the case out in its entirety a "stunning defeat" not only for the maker of Lineage II, but for the whole business of locking customers into contracts that consist of miles of electronic fine print that hardly anyone ever reads.

Felten observes in his Journal article that "[n]o doubt we do live in a time of kudzu legalese, with weedy contractual tendrils crawling into every electronic transaction. It's alarming to think about everything we sign off on these days, with endless demands to click "I agree" as the non-negotiable price of entry into our electronic worlds. Alarming, because few of us ever peruse the legal documents to which we so regularly and glibly affix our electronic signatures."

Last April, the British retailer Gamestation set out to prove the point by including in its boilerplate some Mephistophelean contractual language: "By placing an order via this Web site," read the clause, "you agree to grant us a non-transferable option to claim, for now and for ever more, your immortal soul." In just one day, some 7,500 customers "agreed" to hand over their souls for a mess of virtual pottage. (emphasis supplied)

In the context of privacy policies, two weeks ago I was a panelist at the Privacy, Identity and Innovation 2010 conference in Seattle in the session "Competing on Privacy: Trade-offs, Transparency and Trust."  At the session, I observed that privacy policies often are dense because companies need to protect themselves, but that alongside the legalese of the privacy policies can be layered notices with simple declarative sentences and even videos of people explaining in plain English how personal information is collected and used.

A blogger in the Seattle audience yelled out at me for admitting that I draft lengthy privacy policies, and I tried to get this concept across, explained in today's Journal article:

The proliferation of annoying and obnoxious license agreements has been driven, primarily, not by companies' desire to abuse their customers, but by a need to keep their rather more litigious customers from abusing them (and the legal system). As Jonathan Zittrain, who teaches both law and computer science at Harvard, puts it, "EULAs are, for most companies, a shield not a sword."

(I did not admit nor do I mean to suggest that the policies I draft are "annoying and obnoxious," just lengthy.)

So it is a given that legal notices almost inevitably will be complex, but supplemental, simplified notices, even video notices, alongside the legalese will better inform consumers.  And it should thwart tort claims where a plaintiff claims "I had no idea this could be the result of my interaction with the web site."

What I Did on My Summer Vacation -- Talked About Privacy in Seattle

With much of the privacy regulatory and policy world on vacation, I took a few days outside of Washington to hear what people are thinking about where privacy law is going.  I have just returned from "Geek Week" in Seattle, WA, where I participated in a new program entitled "pii2010" which "explore[d] the future of digital privacy, identity and innovation, and how to strike a balance between protecting sensitive information and enabling new technologies and business models. Hosted by technology analyst Larry Magid, it [was] an all-hands-on-deck conference where industry executives, technologists, consumer advocates, policy experts and other stakeholders [came] together as a group to examine critical issues."  "Lively" doesn't begin to describe the event, with audience members intervening at will and peppering the panelists with questions and "colorful" comments.  It was a little like a blog come to life.  One major take-away:  there are widely divergent views on the role of government and regulation in protecting online privacy.

Washington Internet Daily provided a report of the event and my participation, a small excerpt of which is here:

Rumors of the death of the notice-and-choice privacy framework have been greatly exaggerated. Despite regular declarations from FTC officials over the past several months that the framework needs to be replaced, privacy advocates speaking to the pii2010 conference Thursday gave every indication that won't happen.

"For better or worse, we are stuck with a notice-and-choice paradigm" and must work within it, said Christopher Wolf, co-chairman of the Future of Privacy Forum. "I don't see how you get rid of choice," said Fran Maier, president of TRUSTe.  The likelihood of any privacy bill passing this year is "virtually nonexistent," and if Republicans retake at least one house of Congress in the midterm elections, it drops, Wolf said. The bills offered by Reps. Bobby Rush, D-Ill., and Rick Boucher, D-Va., chairmen of the House Commerce Consumer Protection and Communications subcommittees, are "incredibly complex," Wolf said. "I just see enormous wrangling" over their provisions from industry and activists. The bills have been helpful to "start conversation" with stakeholders, though, Maier said.


More likely is faster development of "common law" by the FTC, which has "really gotten into the weeds" on privacy-related issues, especially data security, said Wolf, who represents clients before the commission. The parties targeted in FTC investigations rarely put up much of a fight, as exemplified by Sears' conceding that its tracking software installed on customers' computers crossed the line, he said: There's no reason to think the commission will go easier on privacy disputes.


The Future of Privacy Forum is "trying to proselytize" for better self-regulation by industry, as with the "Power-I" icon being tested in online ads, but not trying to halt privacy legislation that gives companies a safe harbor for following best practices, Wolf said. The forum is running a "privacy papers for policymakers" competition whose winners will be announced Sept. 15 at a George Washington University law school event with David Vladeck, director of the FTC Consumer Protection Bureau, he said.