The report recommendations are not rules or regulations, and its contents do little to concretely signal new enforcement direction. Still, the report is a helpful indicator of agency thinking in general, and of the agency's increased interest in mobile privacy issues.

Distilled, the agency wants mobile app firms to provide:

• Clear, simple privacy policies;
• Complete and accurate disclosures of how information will be used, including just-in-time notice where appropriate; and
• Options for end-user control over the access to and use of private information

Just-in-time notice is notice offered to users immediately before the app accesses sensitive data. For example, users of Apple's iPhone may be familiar with the warning that appears when an app or website is attempting to use the phone's geolocation capabilities:

This is an instance of "just-in-time" notice.

The report's recommendations with respect to "just-in-time" notice are complicated, however, by its recommendation to increased policing by app platforms. Platforms -- the agency's word for app store operators associated with classes of mobile devices -- are in a privileged position to understand the functionality of the apps being offered in their respective app stores. Platforms can typically tell, for example, what parts of the mobile device an app will potentially be accessing. Based on this privileged knowledge, the staff report recommends that platforms develop and offer "platform-level" privacy disclosures that give app-store consumers the ability to understand the privacy-profile of a given app. This capability could be combined with other features such as, for example, allowing consumers access to app privacy policies in advance of downloading and installing a particular app on their mobile device. Platforms could also provide services that compared app privacy policies with the platform's own privileged knowledge about the app.

If recommended platform-level privacy measures like these are put in place, however, then the staff report suggests that "it is important that these app-level disclosures not repeat the platform-level disclosures." Here, the FTC discourages some forms of just-in-time disclosure as duplicative:

For example, an app should be able to rely on the platform's disclosure that geolocation data will be collected by the app . . . and need not repeat the same disclosure and consent process. If the app developer decides to share that geolocation data with a third party, the app developer should provide a just-in-time disclosure and obtain affirmative consent from users for that data sharing.

The agency report also supports "do not track" initiatives that would allow users to restrict ad networks from building targeted consumer profiles of particular users.

Operators in the mobile app development space should keep in mind the overarching emphasis of the staff report on the point of view of the end-user: does he know how his data is being treated? Can he find out easily? Does he have convenient control over that data's use?

• Rapid technological change is prompting an evolution in traditional notions of privacy.  While the law – state, federal, EU – is evolving much more slowly, changes are underway and regulators and legislators need (and want) to hear from stakeholders;
• No one wants to stifle technology and the new economy jobs it creates, but many current privacy disclosures and practices (or the lack thereof) risk making the “privacy bargain” (personal information in return for free content/services) so one-sided that prescriptive regulation becomes inevitable; 
• Companies lacking a robust compliance program governing collection, protection and use of personal information (be they customers, employees, vendors, or others) may face significant risk of a data breach or legal violation, resulting litigation, and a hit to their bottom lines.

The huge attendance at this year’s summit by a wide range of companies, technical professionals, and inside and outside counsel from all over the world reflects the growing importance of these issues.  Following are highlights from some of the conference panels I attended featuring the FTC:

Collection Versus Use

Regulation of data collection versus data usage was a central theme at a panel that had hoped to discuss the FTC’s final version of its 2010 framework for protecting consumer privacy (still no word on when the final report will be issued).  Disagreeing with a fellow panelist from George Washington University who said the FTC should simply focus on how collected consumer data is used, FTC Commissioner Julie Brill expressed serious concerns about the “unmitigated collection” of consumer data for all manner of purposes that then exists in perpetuity.  Referencing a recent New York Times article about the ability to predict whether someone is pregnant out of “relatively innocuous information,” Brill said she is most concerned about vast amounts of information being collected and then used to compile profiles of consumers.  Brill urged companies not to think about privacy just in terms of compliance but to think about it as “risk management” at the corporate executive level, pointing out that the more information a company collects the greater the potential liability if it is breached.  Brill also emphasized the collection versus usage theme in the context of “do-not-track” proposals being developed by industry, saying it is very important that do-not-track address both the collection and use of consumer information; to ignore the collection element would only yield a “do-not-target” mechanism, which is not what the FTC called for in its preliminary framework. 

Liability and Proactivity

Brill also said that failure to have a “privacy by design” program in place would not be automatic grounds for a violation of Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices.” Brill said that the FTC looks at companies’ practices and processes when evaluating a potential privacy-related enforcement action, insisting over her co-panelist that such actions are not subject to strict liability.  Nonetheless, Brill encouraged companies to be forward-thinking, saying that standards in the realm of privacy and data security have evolved and the reasonable steps a company is expected to take will become more comprehensive in the future.  Similarly, Brill encouraged privacy professionals to help their clients realize that privacy and data security issues are not going away; ignore a problem and you’ll end up sitting across from the FTC in an enforcement action.  Finally, Brill also warned that many data brokers do not even realize that they come under the Fair Credit Reporting Act.

COPPA and Mobile Privacy

The FTC is continuing to review its rules with respect to children’s growing use of mobile devices and online services.  Referring to the “long tail” in the app industry and the fact that so many apps lack privacy policies as found in FTC’s February report, Commissioner Brill said she wanted to get the message out that the Children’s Online Privacy Protection Act applies to mobile device applications.  Brill described COPPA, which requires parental consent for collection and use of children’s personal information, as an appropriate “speed bump” for particular types of users, while private sector panelists characterized COPPA as more of an obstacle to the possibilities created by new online and mobile platforms that requires fine tuning.  The issue of how to treat teens, currently not covered by COPPA, was also discussed.  Brill could not comment on specifics due to the review underway, but thinks that teens require some sort of special protection and said some commenters believe COPPA should be extended up to age 18.

In a separate panel, Christopher Olsen, assistant director of privacy and identity protection in the FTC's Bureau of Consumer Protection, similarly warned that companies need to do a better job providing information about their mobile apps’ data collection; that the same privacy and security principles apply in the mobile and non-mobile environments.  The FTC undertakes its own inspections of mobile apps, testing developers’ claims, in addition to considering consumer and NGO complaints and congressional concerns.  With all the different players involved in the mobile device space – from app developers to telecom carriers to add networks to device manufacturers – contract provisions play a large role in how information is collected and used.  Olsen stressed that compliance with such provisions – making sure someone is actually monitoring – will be an important issue going forward.

Finally, the FTC will hold a mobile payments workshop on April 26 and a “Public Workshop to Explore Advertising Disclosures in Online and Mobile Media” on May 30.  The latter will inform FTC’s thinking on updating guidance to businesses about disclosures in online advertising.

Facial recognition technology traces its origin to government-funded research in the 1960s.  The technology works by using an algorithm to create a unique numerical code from distinguishable landmarks on faces, sometimes called nodal points.  The technology measures approximately 80 nodal points, such as the distance between eyes, nose width, eye socket depth, and jaw line length.  The unique code or “biometric template” created by facial recognition software from a photograph can be stored in a database and later compared to other photographs to create a match. 

There are several applications of facial recognition technology in law enforcement that most would agree are useful.  Police in Tampa, Florida have made over 500 arrests after identifying suspects by taking photographs at a traffic stop and comparing the images to a mugshot database.  In 2010, the Massachusetts state police obtained over 100 arrest warrants for creating false identities and revoked 1,860 licenses using facial recognition software against the state’s driver’s license registry.  In Britain, Scotland Yard is using facial recognition software to identify suspects from the recent riots in London.    

Facial recognition can also provide modern convenience.  Since 2002, Australians have been able to use self-processing e-passports at airport customs checkpoints.  Advertisers have generated more relevant billboard advertisements based on the age and gender of passers-by.  Even Facebook uses facial recognition to suggest the identity of friends to tag in a photo, and programs like iPhoto and Picassa allow users to organize photographs by faces.  

The technology is not foolproof, and there are other applications that are outright alarming.  The ability to successfully identify a person by matching two photographs is dependent on the quality of the images.  If the person in the photograph is not directly facing the camera with open eyes and in front of a plain, light-colored background, the performance of the facial recognition software declines.  Thus, while you can obtain a high-quality picture from a driver’s license database, pictures taken without the cooperation of the subject (e.g. through surveillance cameras) rarely meet the ideal standard.  Although the technology has improved over the last ten years, there is an inherent error rate because it is reliant on statistics.  Accordingly, either matches that should be made do not occur or false identifications happen.   

A driver in Boston recently had his license revoked because his picture closely matched the picture of another driver.  Although his license was returned, it took days of wrangling for him to prove his identity.  At least 34 other states are using similar technology.  There are no current reported statistics on the number of false positives, but Massachusetts alone issues 1,500 suspension letters per day using the system. 

On August 4, 2011, researchers from Carnegie Mellon’s CyLab presented the results of three experiments from which they concluded that it is possible to use facial recognition software to identify strangers and then determine sensitive information about that person, including their Social Security number.

In one experiment, the researchers were able to identify members of Match.com, who used pseudonyms on the dating site to protect their identities, by comparing their profile photograph to photographs on Facebook. 

In the second experiment, they took photographs of college students that they were able to successfully match one-third of the time to the student’s Facebook profile (in less than three seconds). 

In the third experiment, the researchers used a custom iPhone application to predict a stranger’s Social Security number (generally just the first five digits) by matching a photograph to a Facebook profile picture in conjunction with information about the stranger’s state and year of birth gathered online.  The lead researcher, Alessandro Acquisiti, said: “A person’s face is the veritable link between their offline and online identities.” 

In addition to the obvious privacy concerns, there are security and personal liberty concerns.  According to a report, one in 750 passengers scanned at an international airport in the United States is falsely identified, and some of the falsely identified individuals may have been temporarily detained by the FBI.  In locations where biometric data like facial recognition is used to gain entry to a secured area or through customs, the failure of those institutions to safeguard that data in a computer system can lead to unauthorized persons gaining access. 

Although it is not yet possible to consistently and accurately identify all of the faces in a crowd, the technological limitations are likely to continue to fade.  The billions of images tagged on social networking sites and associated data provide an easily accessible source of personal information to match with other offline data collected by data aggregators, which can be turned into detailed personal profiles and sold to companies for use in behavioral advertising targeted directly to you through your smartphone or cable box.   It may become possible to search for a person online using an image of their face just as easily as it is now to enter a name in a search engine.  On the law enforcement side, the FBI will begin testing its Next Generation Identification facial recognition system in January 2012 in four states.  The system, which will also use biometric indicators (e.g. iris scans and voice recordings) to identify suspects, will match a photo of an unknown person against mug shots.   

Facial recognition technology has not gone unnoticed by lawmakers and regulators.  The FTC is hosting a workshop to explore beneficial uses of the technology and the associated privacy and security concerns on December 8, 2011.  And U.S. Senator John Rockefeller has asked the FTC to provide a report on the findings from its workshop to his Commerce Committee.    

This article, which was published in the December 2011 CBA Report, is republished with permission.

The complaint alleges that Pepsi’s subsidiary Frito-Lay engaged in deceptive and unfair digital marketing practices in violation of §5 of the FTC Act through a social media marketing campaign (contests, video games, concerts) targeted at teens because: (1) the marketing campaign is disguised as entertainment instead of advertising; (2) Pepsi fails to adequately protect the personal information it collects from teens and it collects personal information from teens without giving meaningful notice and consent; and (3) its use of viral marketing through Facebook and Twitter endorsements by teens violates the FTC’s Endorsement Guidelines.  The complaint also alleges that the campaign contains material misrepresentations and omissions because consumption of Doritos harms the health of teens. 

We are following the FTC’s response to this complaint because the arguments made by the complaint could conceivably apply to the use of social media by many large brands. 

The privacy policy seeks to provide mobile app developers with language that can be quickly and completely understood by a mobile app user., although it makes no mention of how it should best be displayed on a small screen.  To that end, the policy serves as a model or starting point for most mobile application developers and is annotated to provide guidance to those considering implementing a privacy policy.  While the policy is designed to address core privacy issues and data processes of most mobile applications, the MMA encourages those who plan to implement the policy to consult an attorney or data privacy specialist to ensure that it is tailored to each application or company.

The policy prods mobile application developers to clearly explain how user information is collected, used and retained, and what third parties have access to information obtained by mobile apps.  For example, the policy spells out the difference in how information is obtained, such as what information is user provided and what information is automatically collected.  In addition, the policy covers whether the application collects the precise real time location information of the device, such as for check-in services.  Mobile application developers are encouraged to disclose whether third parties see or have access to information obtained by the application, and how automatically collected data is used for ad targeting.  Finally, the policy addresses opt out rights, data retention, rights of children, and security procedures.

The MMA policy serves as a way for the marketing industry to address the fact that “more than 58% of U.S. mobile users worried that their data can be easily accessed by others,” said Alan Chapell, Co-chair of the MMA Privacy & Advocacy Committee.  Establishing a privacy policy helps “establish and maintain consumer trust.”

Members of the marketing industry are encouraged to read the proposed policy and submit comments on the MMA website through November 18, 2011.   

Authorship Credit: Jennifer D. Johnson

• FTC Commissioner J. Thomas Rosch, concerned with the downsides of “do not track” such as loss of relevancy and free content, advocated for the FTC to learn more about current business practices before the FTC takes more regulatory steps.  Commissioner Rosch suggested that information collected by the FTC could then be used to create whitelists and blacklists based on the categories of ad networks. "Such lists could be used by the do not track mechanisms being implemented by browsers," he said.
• The FTC announced plans in May to update its Dot Com Disclosures guidelines, which were issued 11 years ago, to address social media, mobile devices and other newer platforms.  The FTC received 40 comments.  As some of the excerpts from the comments listed below highlight, because of the nature of the technology involved (smartphones, persistent cookies, aggregation, re-tweets), striking a balance between protecting consumers without unduly burdening the industry will be difficult:
  • "The revised business guide should make clear that businesses should honor consumers' expressed privacy preferences, and that businesses should not use technical means of any kind to circumvent or otherwise make ineffective consumers' actions taken to protect their privacy. . . . A model disclosure approach would prohibit a website from using the term “privacy policy” unless that website’s practices comport with common understandings of the protections that privacy policies offer.  Specifically, if websites share personal information with third parties, their online disclosure of their practices should not be labeled “privacy policy.” . . . Over the next ten years, the major consumer protection problems with disclosure will surround two popular marketing techniques: the use of “free” and negative option offers.” Chris Hoofnagle, director of the Berkeley Center for Law & Technology's information privacy programs.
  • “In the computing continuum world, the requirement for a “clear and conspicuous” disclosure means different things depending on the context. A statement from staff that any number of technological means, such as jump-linking or mouseovers or hyperlinks, would satisfy the disclosure requirement would help ensure that the agency’s online disclosure guidance document can adapt to technological change and achieve appropriate consumer protection regardless of the device on which a disclosure is made. . . . Finally, we suggest that the staff examine how the use of dashboards affects a business’s obligation to make disclosures or disclaimers. For instance, many consumers are aggregating information from a variety of sources onto dashboards, such as Mashable; as a result, consumers often are not even visiting the websites of individual businesses.”  Intel Corporation.
  • “We ask that the Staff update the Dot Com Disclosure Guide to include representative examples of such alerts or cues as may be used within the different Web access channels, including representative examples that can be applied to the mobile environment, which is not well-suited to the disclosure methods recommended in the original Guide. For example, the Guide calls for providing explicit disclosures or instructions in the body of the message, yet this may not be possible or an effective means to communicate an important point due to a mobile device’s smaller screen size or character limitations in the space provided in the medium. Further, consumers may not be well-served by scrolling through lengthy text to reach a disclosure at the bottom of a web page on a mobile device’s screen.  . . . Sprint would welcome guidance by the Staff as to examples of reasonable efforts that companies might take in providing material disclosures where the company’s offer is re-posted, excerpted, and aggregated by third parties without the company’s express knowledge or assent.”  Sprint Nextel Corporation
  • The Center for Democracy & Technology "In response to a growing population of users who remove cookies and take other 'good housekeeping' measures for the express purpose of preventing tracking, many companies have devised new means for tracking users, some of which are impossible for users to block," the group wrote. "The Commission's updated guidelines should clarify that certain online data collection practices are considered deceptive and that participating companies should transparently explain their practices."
  • “The Commission should promote broad general guidelines for advertising as a whole while letting the expertise within the industry develop the specific means of compliance.  In the constantly evolving medium of interactive advertising, applying unique and highly proscriptive rules to certain media will restrict the entire advertising ecosystem, especially as advertisers increasingly incorporate many different advertising media into single campaigns. . . . Self-regulation continues to be the appropriate approach for addressing specific concerns with online advertising against the broader backdrop of general advertising principles promoted by the Commission.  . . . Mobile marketing and advertising is a nascent industry that is just now beginning to enter the mainstream but has already become an important contributor to the economy.  IAB cautions that rigid regulations at this time would be premature and could stifle the growth of mobile advertising.”  Interactive Advertising Bureau.  
• The FTC announced in an August 15 advisory opinion letter that it does not have unfair competition concerns regarding the advertising industry's proposed online behavioral advertising self-regulatory “accountability program.”
• The Article 29 Working Party, however, expressed concern about online behavioral advertising industry proposals for obtaining consent to use cookies.  The Art. 29 Party of data protection officials from the 27 European Union member states and representatives of the Internet Advertising Bureau (IAB) Europe and the European Advertising Standards Alliance (EASA) are scheduled to meet on September 14 to discuss online advertising issues, including efforts to comply with the 2009 amended EU e-Privacy Directive.
• August 29 was the deadline for IAB members to implement the IAB’s self-regulatory behavioral advertising guidelines. 

Below is a summary of recent tracking litigation.  Although the plaintiffs bringing these claims have generally been unsuccessful, advertisers have undoubtedly considered the cost of defending these lawsuits when evaluating their current practices and deciding on whether to adopt new ones.  In a related post next week, we will address issues raised in the public comments submitted to the FTC regarding its plans to update its Dot Com Disclosures guidelines.   

• On August 1, two California residents filed a potential class action against KISSmetrics and websites operators, including Hulu, Spotify, and Spokeo, related to their use of ETag technology provided by  KISSmetrics.  The plaintiffs claim KISSmetrics Etag technology continues to track consumers even after they delete cookies from their computers.  To support their ECPA, trespass, and California state law claims, the plaintiffs contend that their personal information is a personal asset to which online third parties have no presumptive right of access, and that the loss of such information lessened the economic value of their information, reduced the performance of their computers, and violated their privacy rights.  (Kim v. Space Pencil, Inc. et al., N.D. Cal., No. 3:11-cv-03796). 
• Insurers of internet marketer NebuAd Inc. agreed to pay $2.4 million to settle a potential consumer class action over NebuAd’s alleged use of deep packet inspection in conjunction data provided by ISPs to deliver online behavioral advertising.  (Valentine v. NebuAd Inc., N.D. Cal., No. 3:08-cv-5113, Aug. 16 proposed settlement agreement filed). 
• The ISPs who worked with NebuAd were pursued in separate suits.  The ISPs were successful in challenging the claims on the basis of standing, lack of harm, and consent.  For example, in one action that followed a similar path as the others, after the consumer’s Computer Fraud & Abuse Act (“CFAA”), invasion of privacy, and trespass to chattels claims were dismissed, the ECPA claim against the ISP was dismissed because the court found that the ISP did not have access to the consumer’s communications.  The court also found that, even if improper interception of communications had occurred, the consumer consented to the interception because the ISP disclosed that it would use “the websites you visit or online searches that you conduct to deliver or facilitate the delivery of targeted advertisements” in its privacy policy followed by an opt-out link.  (Kirch v. Embarq, 10-2047-JAR (D. Kan. Aug. 19, 2011).
• Interclick, an advertising network company that purchases ad display space on websites for its customers, and four of its customers (McDonald’s, CBS, Mazda, and Microsoft) were sued by a consumer for allegedly violating the CFAA, invading her privacy, and misappropriating personal information through the use of “flash cookies” that “respawned” browser cookies she deleted and “history sniffing” to see other websites she visited.  On August 17, 2011, the court dismissed the CFAA claims because the unquantified alleged harm (repairs to her computer, collection of personal information without her permission, and slowing her network) failed to meet the CFAA’s $5,000 minimum statutory threshold.  All claims against Interclick’s customers were dismissed, with the court noting that there were no allegations directed to them.  The court did permit the plaintiff to continue with a state law deceptive trade practices claim and a trespass to chattels claim.           
• A potential class action was filed against online data tracking service comScore, Inc. in Illinois federal court based on allegations of siphoning confidential information, including passwords, credit card numbers and Social Security numbers, from unsuspecting users through comScore software that scans all files on users' personal computers and modifies security settings. (Dunstan, et al. v. comScore Inc, case no. 11-cv-5807 (N.D. Ill. Aug.23, 2011)). 

The Vermont law was aimed at curtailing the use of “detailing” by pharmaceutical companies to promote their drugs to doctors.  Data mining companies purchase prescriber-identifying information collected by pharmacies when they process prescriptions, which they aggregate and analyze (typically with patient data de-identified and encrypted) and then use to produce reports on the prescribing behavior of individual doctors.  Pharmaceutical sales representatives use the reports to more effectively convince doctors to prescribe higher-profit brand-name drugs. 

To combat detailing, the Vermont law: (1) prohibited pharmacies and health insurers from selling prescriber-identifying information or allowing it to be used for marketing without the prescriber’s consent; and (2) barred pharmaceutical manufacturers and marketers from using prescriber-identifying information for marketing without the prescriber’s consent.  The restrictions were subject to a broad list of exceptions, including allowing such data to be used for research, patient education on treatment topics, law enforcement, and other purposes provided by law. 

Applying heightened scrutiny, the Court found that the Vermont law impermissibly enacted content- and speaker-based restrictions on the sale, disclosure, and use of prescriber-identifying information.  Because the law only restricted one type of speech (marketing) by one type of speaker (pharmaceutical companies), the law violated the First Amendment.  The Court noted that there is a strong argument that prescriber-identifying information is speech for First Amendment purposes, not conduct.  In so doing, the argument that information used to develop a commercial message was simply a commodity with no greater First Amendment protection than beef jerky was rejected.   Rather, the Court stated that: “Facts, after all, are the beginning point for much of the speech that is essential to advance human knowledge and to conduct human affairs.”  Although it recognized that technology has created “serious and unresolved issues with respect to personal privacy,” the Court stated that content-based discrimination cannot be used to advance the government’s opinion in the privacy debate. 

Although it applied heightened scrutiny, the Court found that the law would still fail under a lesser standard because Vermont did not show that the law was designed to directly advance a government interest.  Vermont did not argue that the law was designed to prevent false or misleading speech, and Vermont essentially conceded that the law did not advance confidentiality interests.  If Vermont’s interest was truly the privacy of patient information, the Court stated that it could have done so by only allowing disclosure of prescriber-identifying information in a few narrow and well-justified circumstances, citing HIPAA as an example.  The Court added that: “Privacy is a concept too integral to the person and a right too essential to freedom to allow its manipulation to support just those ideas the government prefers.”       

Vermont and supporters of its law attempted to frame it as a law protecting the privacy of sensitive medical data, and critics of the decision have argued that the Supreme Court chose to protect corporate interests instead of individual privacy rights.  But the law at issue in Sorrell v. IMS was not really designed to protect individual medical records—it was designed to promote the use of generic drugs to lessen Vermont’s health care costs.  The privacy implication of this decision is the recognition of the collection and dissemination of data as commercial speech protected by the First Amendment.  As the versions of Do Not Track legislation, designed to address the privacy concerns associated with behavioral advertising, and electronic health record laws are discussed at the federal and state levels, lawmakers will have to walk a tightrope to create a law that achieves the desired purpose without unduly restricting speech. 

If a government attempts to follow the road map articulated by the Court of only allowing disclosure of certain information in a few narrow and well-justified circumstances, a government would risk stifling technology and innovation.  Banning most or even all disclosures of personal information is not realistic because of the value associated with the data, especially “big data.”  For example, in the healthcare industry, a research study released in May 2011 by McKinsey Global Institute (and discussed here) predicted that in ten years there will be an opportunity to capture $300 billion annually in new value, “with two-thirds of that in the form of reductions to national health care expenditure.”  In the public sector, the McKinsey study projected that use of geolocation data will create $100 billion in revenue to service providers over the next ten years and as much as $700 billion in annual value to customers.          

In May 2011, Rep. Edward J. Markey (D-Mass.) and Rep. Joe Barton (R-Texas) introduced a children’s online privacy bill, the “Do Not Track Kids Act of 2011.”  The bill would amend and expand the protection offered by the Children’s Online Privacy Protection Act of 1998 (COPPA).  COPPA, which was created before Facebook and the proliferation of smartphones, only prohibits the collection of personally identifiable information from children under 12 without parental consent (read the FTC’s FAQs about COPPA here).  The bill would expand the protection of COPPA by covering online and mobile applications, unique persistent identifiers like IP addresses, and it would establish new privacy rules for minors under 18.  According to the press release from Rep. Markey:

  The “Do Not Track Kids Act of 2011” strengthens privacy protections for children and teens by:

• Requiring online companies to explain the types of personal information collected, how that information is used and disclosed, and the policies for collection of personal information;
• Requiring online companies to obtain parental consent for collection of children’s personal information;
• Prohibiting online companies from using personal information of children and teens for targeted marketing purposes;
• Establishing a “Digital Marketing Bill of Rights for Teens” that limits the collection of personal information of teens, including geolocation information of children and teens;
• Creating an “Eraser Button” for parents and children by requiring companies to permit users to eliminate publicly available personal information content when technologically feasible.

The bill adopts many of the principles set forth in the Common Sense Media white paper, Protecting Our Kids’ Privacy in a Digital World.

The FTC has been collecting comments on the costs and benefits of the regulations implementing COPPA since April, including whether COPPA is broad enough to apply to mobile applications, mechanisms for obtaining parental consent, and Safe Harbor.  The FTC is also seeking public comment on a proposed safe harbor program submitted by Aristotle International, Inc. for Commission approval under COPPA.

The study, Big data: The next frontier for innovation, competition, and productivity, is a 156-page effort that looks at the proliferation of large datasets and finds that data can create “significant value for the world economy.”  The source of data include customer transactions, networked sensors and actuators (the so-called “Internet of Things”), social media sites, smartphones, PCs, and laptops.  And after identifying the techniques and technologies used capture and analyze big data, the study concludes that “[a]nalyzing large data sets—so called big data—will become a key basis of competition, underpinning new waves of productivity growth, innovation, and consumer surplus as long as the right policies and enablers are in place.”

The study cites examples of companies that have effectively used big data to create economic value through increased productivity and customer loyalty, including Tesco’s use of customer loyalty card data, Wal-Mart’s use of vendor-managed data to optimize its supply chain, and Amazon’s use of customer data to make “you may also like” recommendations.  McKinsey looked at five domains—health care, retailing, the public sector, manufacturing, and personal location data.  From this research, the study identified five ways to leverage big data: (1) Making big data more accessible in a timely manner; (2) Using data and experimentation to expose variability and improve performance; (3) Segmenting populations to customize actions; (4) Replacing and supporting human decision-making with automated algorithms; and (5) Innovating new business models, products, and services.

For the healthcare industry, after making certain assumptions (e.g. necessary IT investment, analytical capabilities, privacy protections, and economic incentives), the study predicts that in ten years there will be an opportunity to capture $300 billion annually in new value, “with two-thirds of that in the form of reductions to national health care expenditure.”  In the public sector, the study projects that the EU could use “big data levers” to increase productivity and efficiency that would result in administrative cost savings of up to $446 billion.  In retail, “pioneers” are projected to have the ability to reduce operating margins by up to 60%.  Similarly, the manufacturing sector could use big data to reduce costs and increase innovation.  Lastly, the study projects that use of geolocation data will create $100 billion in revenue to service providers over the next ten years and as much as $700 billion in annual value to customers.  

In response to skeptics who suggest that the economic benefit of big data is still wishful thinking and that productivity gains driven by data analytics has peaked, the authors of the study suggest that economic statistics will not show productivity gains for a few years, similar to the delay in measuring the productivity gains from the use of computers. 

On May 10, 2011, the Senate Committee on the Judiciary, Subcommittee on Privacy, Technology and the Law held a hearing entitled "Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy."  Witnesses from Google and Apple were “grilled on over their so-called "Locationgate" problems.”

On May 13, 2011, Representatives Markey and Barton introduced the “Do Not Track Kids Act of 2011,” which would amend the Children’s Online Privacy Protection Act of 1998 (COPPA).  Key provisions of the bill would expand COPPA to cover mobile applications and unique device identifiers (e.g. IP addresses), establish new privacy rules for minors under 18, prohibit targeted marketing to minors, and require express consent from parents or teens prior to the collection of geolocation information.

On May 17, 2011, Senator Patrick Leahy introduced a bill (ECPA Amendments Act of 2011) proposing amendments to Title II of the Electronic Communications Privacy Act (ECPA), which is known as the Stored Communications Act (SCA).  Two provisions related to geolocation data would require the government to obtain express owner consent or a warrant prior to accessing “geolocation information” directly from an “electronic communications device” or indirectly from a service provider except in emergencies.   Also on May 17, the FCC announced that it was seeking public comments on location based services.

The European Union’s Article 29 Working Party released an opinion on May 18, 2011, which held that geolocation data is personal information governed by the EU Data Protective Directive.  The opinion also set forth a list of best practices for obtaining user consent to collect geolocation data.

 On May 19, 2011, the Senate Subcommittee on Consumer Protection, Product Safety and Insurance held a hearing on consumer privacy and protection in the mobile marketplace following recent concerns that companies are secretly collecting geolocation data.  During the hearing, witnesses from Facebook, Apple, and Google  were again grilled regarding privacy policies and practices for mobile apps.  Senator Kerry pressed the witnesses from Facebook, Apple, and Google to support his Commercial Privacy Bill of Rights Act and Senator Rockefeller did the same for his Do Not Track bill.  David Vladeck also testified that the FTC is “looking for good enforcement targets” as it investigates mobile privacy, including violations of COPPA.  The FTC is  also seeking public comments on its enforcement of COPPA.

Following the Senate hearing, the Center for Democracy & Technology and the Future of Privacy Forum released a statement in response to the Senate hearing, announcing that they are working with mobile app stakeholders to develop best practices and privacy principles for mobile devices.  The statement identified six fundamental user privacy issues that it would address: (1) having a privacy policy for every mobile app; (2) providing users with meaningful choice regarding collection, disclosure, and use; (3) minimizing data that is collected; (4) having appropriate data security; (5) educating users about data that is collected; and (6) incorporating privacy by design.

The FTC would be given one year to establish standards for implementing and enforcing a Do-Not-Track mechanism.  The standards would apply to online service providers, including providers of mobile applications and services.  If an individual expresses a Do-Not-Track preference, online service providers may only collect and use personal information from that person if: (1) it is necessary to provide a service requested by the individual and the information is anonymized or deleted after providing the service; or (2) the individual affirmatively consents after receiving “clear, conspicuous, and accurate notice on the collection and use of such information.” 

The Act directs the FTC to consider six factors when implementing the Do-Not-Track standards: (1) the appropriate scope of covered conduct and persons; (2) technical feasibility and cost associated with the mechanism; (3) existing mechanisms; (4) how to make the public aware of the mechanism; (5) whether and how information could be collected on an anonymous basis so that it is not subject to the rules; and (6) standards by which personal information can be collected and used to provide a service requested by the user even if the user expressed a Do-Not-Track preference.

The FTC would be authorized to enforce the Do-Not-Track rules by treating violations as unfair and deceptive acts or practices.  Moreover, state attorneys general may bring a civil enforcement action with penalties for non-compliance of up to $16,000 per day and a maximum total liability of $15,000,000—three times the cap on penalties proposed by Rep. Speier’s bill.  Lastly, no private right of action is created, non-profit organizations are not exempt, and the FTC would be required to conduct a biennial review to assess the effectiveness of the rules and their effect on online commerce.

Unlike Rep. Speier’s bill, Rockefeller’s bill does not address preemption of inconsistent state laws.  Preemption will be an interesting issue to follow in conjunction with the pending Do-Not-Track legislation in California. 

According to a summary of the bill released by Senator Kerry, the three primary privacy rights are:

(1) The right to security and accountability—requiring collectors of information to implement security measures to protect the information they collect and maintain;

(2) The right to notice, consent, access, and correction of information—requiring clear notices of collection practices, the ability to opt-out of collection and transfer of data to third parties for behavioral advertising, consent to collect sensitive PII, and the ability for persons to correct their information and request the cessation of its use; and

(3) The right to data minimization, distribution constraints, and data integrity—requiring collectors to limit collection to only data that is necessary, binding third parties by contract to only use transferred data in accordance with the privacy rights, and to establish procedures that ensure that the information is accurate.

Senator Kerry’s summary also states that the bill would direct state attorneys general and the FTC to enforce the provisions.  A private right of action would be precluded.  Additionally, the FTC would be permitted to approve safe harbor programs allowing a participant to be exempt from some requirements of the bill.  Finally, the Department of Commerce would be directed to assist in developing the safe harbor program as well as engaging in a research component for privacy enhancement and improved information sharing. 

The new regulations will apply to any person engaged in interstate commerce that stores or collects any of the following online data regarding an individual: (1) online activity, including web sites visited and time of access; (2) IP address; and (3) personal information, including name, e-mail address, phone number, or financial account information.  Covered entities would have to disclose their collection and sharing practices, including identifying by name who they share information with.  The bill would allow the FTC to exempt commonly accepted commercial practices like the collection of information for billing purposes.

Failure to comply with the new regulations would constitute an unfair or deceptive trade practice.   In addition to the FTC, state attorneys general would have the authority to bring a civil action to enforce violations of the new Do Not Track regulations.  Civil penalties would be calculated by multiplying the number of days a covered entity was not in compliance by an amount up to $11,000 per day, up to a maximum total liability of $5,000,000.      

Speier also introduced the “Financial Information Privacy Act of 2011” on February 11.  According to her press release:

“The Financial Information Privacy Act of 2011 would finally give consumers the ability to control the sharing of their own financial information. The bill mirrors legislation Speier successfully steered to passage in California that prevents financial institutions from sharing or selling personally identifiable nonpublic information with affiliates without an opportunity to opt-out, or in the case of unaffiliated third parties, a requirement that consumers opt-in. This bill gives consumers control of their personal financial information and provides meaningful but workable privacy protection.”

(1) FTC Issues Long-Awaited Consumer Privacy Policy Report

On December 1, the FTC published the Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policy Makers

The FTC’s press release provides a summary of the preliminary report.  The best practices framework recommended in the preliminary report for businesses that collect or use consumer data include:

• simplifying choices for consumers, providing consumers with greater transparency, and following the Fair Information Practice Principles;
• creating a “Do Not Track” mechanism to give consumers a choice to avoid online tracking;
• extending protection to information collected offline;
• dispensing with the distinction between PII and non-PII because technology allows data fragments to be pieced together; and
• a “Privacy by Design” concept for businesses.

The preliminary report did not change the FTC’s continued focus on self-regulation.  Finally, the preliminary report contained an appendix with 64 questions on which it invited comment by January 31, 2011.  A final report will be issued later in 2011 based on the comments. 

 (2) Department of Commerce Calls for a “Privacy Bill of Rights”

On the heels of the FTC’s preliminary report, the Department of Commerce Internet Policy Task Force released a green paper titled: Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.  The press release contains a summary.

The Baker Hostetler Data Privacy Monitor covered this green paper here.  The four broad policy recommendations of the task force are:

• Enhance consumer trust online through recognition of revitalized Fair Information Practice Principles.
• Encourage the development of voluntary, enforceable privacy codes of conduct in specific industries through collaborative efforts of multi-stakeholder groups, the FTC, and a Privacy Policy Office within the Department of Commerce.
• Encourage global interoperability.
• Ensure nationally consistent security breach notification rules.

(3) Behavioral Advertising Opt-Out Icon

As reported by the Baker Hostetler Data Privacy Monitor, a behavioral advertising industry group proposed a Self-Regulatory Program for Online Behavioral Advertising, which features an “Advertising Option Icon” that can be placed near online ads that collect data used to conduct behavioral advertising.  Users who click on the icon will receive a disclosure statement about the data collection and use practices associated with the ad along with the ability to opt-out of being tracked.

(4) Social Media

• Facebook faced several privacy issues, including an FTC complaint regarding its privacy policy, details of 100 million Facebook users were published online, and questions from U.S. Senators.
• Google apologized for collecting about 600 gigabytes of data snippets captured from e-mails and browsing history from Wi-Fi networks in more than 30 countries.
• In the first FTC action against a social network service, Twitter settled charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information.

 (5)  HHS/HIPAA/HITECH

• White House Forms New Subcommittee to Review Online Privacy Issues
• HHS Withdraws Draft Of Final HIPAA Breach Notification Rule

(6) Massachusetts Data Security Regulations

Massachusetts’ aggressive new data security regulations (201 CMR 17.00 et seq.), which became effective on March 1, 2010, contain broad and imposing mandates that go further than any other state law or regulation.  Even companies that have no facilities or personnel in Massachusetts must comply with the strict mandates if they maintain personal information of any Massachusetts resident in connection with providing goods or services. 

All businesses covered by the statute must institute a written information security program.  That program must, among other things:

• Designate an employee to maintain the security program;
• Identify and evaluates internal and external security risks;
• Impose disciplinary measures for violations of the program rules;
• Oversee third-party service providers;
• Require regular monitoring and updating of the program; and
• Documents responsive actions taken in connection with any breach of security.

For many business, the most difficult compliance issues arises from the encryption mandates of 201 CMR 17.04, which requires the encryption of: (1) laptops containing personal information that leave the businesses premises; (2) personal information transmitted across the Internet or wirelessly; and (3) backup tapes on a prospective basis.

The Self-Regulatory Principles for Online Behavioral Advertising the new icon enhances were released in July 2009 by the online advertising industry to correspond with the guidelines for behavioral advertising issued by the U.S. Federal Trade Commission in February 2009.  The seven self-regulatory principles—education, transparency, consumer control, data security, consent before material changes, limiting collection of sensitive data, and accountability—were designed to address growing consumer concern about the collection and use of personal information.  According to Network Advertising Initiative spokesperson, Andrew Weinstein, the new icon is designed to provide “consistency to the visual icon, messaging and opt-out process across all of the participants in the online advertising industry.”  

OBA and social networks are not easy to regulate, but the self-regulatory approach to this industry has come under fire by privacy advocates who argue that the approach fails to offer consumers meaningful, informed choices and that the new opt-out program is a last-ditch effort to avoid new federal legislation.  Although the head of the FTC’s Bureau of Consumer Protection, David Vladeck, has recently expressed his disappointment in the industry’s self-regulatory efforts, he stated that he will continue to support self-regulation.  Mr. Vladeck also stated that the FTC is reviewing the viability of a “do-not-track” mechanism following the announcement by Senate Commerce Consumer Protection Subcommittee Chairman Mark Pryor, D-Ark., that he is working on such legislation.  The “do-not-track” mechanism would function like the national Do Not Call Registry by allowing consumers to opt-out of having their browsing activities tracked.