FTC v. Google 2012 – Misrepresentation of Compliance with NAI Code a Key Element

Posted by fgilbert on August 9th, 2012

Google was hit by a $22.5 million penalty as a result of an investigation by the Federal Trade Commission covering Google’s practices with users of the Safari browser. A very interesting aspect of this new case against Google (Google 2) is that it raises the issue of Google’s violation of the Self-Regulatory Code of Conduct of the Network Advertising Initiative (NAI Code). This is an interesting evolution in the history of the FTC rulings. At first, the FTC focused on violations of privacy promises made in Privacy Statements; then it went on to pursue violations of the Safe Harbor Principles. In this new iteration, the FTC attacks misrepresentation of compliance with an industry standard.

Misrepresentation of user’s ability to control collection or use of personal data

Two elements distinguish this case (Google 2) from most of the prior enforcement actions of the FTC. One is that the large fine results, not directly from the actual violations of privacy promises made in Google’s privacy policy, but rather from the fact that Google’s activities are found to violate a prior settlement with the FTC, dated October 2011 (Google 1).

In Google 1, Google promised not to misrepresent:

  • (a) The purposes for which it collects and uses personal information;
  • (b) The extent to which users may exercise control over the collection, use and disclosure of personal information; and
  • (c) The extent to which it complies with, or participates in, a privacy, security, or other compliance program sponsored by the government or any other entity.

According to the FTC complaint in Google 2, Google represented to Safari users that it would not place third party advertising cookies on the browsers of Safari users who had not changed the default browser setting (which, by default, blocked third party cookies) and that it would not collect or use information about users’ web-browsing activity. These representations were found to be false by the FTC, resulting in a violation of Google’s obligation under Google 1 (see paragraph (b) in the bulleted list above).

Misrepresentation of compliance with NAI Code

The second, and more interesting, element of the Google 2 decision is the FTC analysis of Google’s representation that it adheres to, or complies with, the Self-Regulatory Code of Conduct of the Network Advertising Initiative (NAI Code). In the third count of the FTC Complaint in Google 2, the FTC focuses on Google’s alleged violation of the NAI Code.

This alleged violation allows the FTC to show that Google violated its obligation under Google 1 to not “misrepresent the extent to which it complies with, or participates in, a privacy, security, or other compliance program sponsored by the government or any other entity” (see the requirement under (c) in the bulleted list above). The FTC found that the representation of Google’s compliance with the NAI Code was false, and thus violated its obligation in Google 1 not to make any misrepresentation about following compliance programs.

Evolution of the FTC Common Law

Google 2 shows an interesting evolution of the FTC “Common Law.” In its prior cases, the FTC first focused on violations of companies’ privacy promises made in their public Privacy Statements. Then, in several consent orders published in 2011, including Google 1, the FTC expanded the scope of its enforcement action to violations of the Safe Harbor of the US Department of Commerce and the EU Commission. Now, with Google 2, the FTC expands the scope of its enforcement action again, to include violations of industry standards such as the NAI Code.

What this means for businesses

The Google 2 Consent Order has significant implications for all businesses.

Companies often use their membership in industry groups as a way to show their values and to express their commitment to certain standards of practice. Beware which industry group or program you join, and understand its rules. As a member of that group or program, you must adhere to its code of conduct, rules or principles. Make sure that you do, and that all aspects of your business comply with these rules.

When a business publicizes its membership in an industry group or a self-regulatory program, it also publicly represents that it complies with the rules or principles of that group or program, for example those of the Safe Harbor (as was the case under Google 1), those of the NAI (as was the case under Google 2), or others. Remember that these representations may have significant consequences, and may create a minefield if not attended to properly. To stay out of trouble, the company must also make sure that these representations are accurate, and that it abides by these promises at all times and with respect to all of its products.

When a company makes a public commitment to abide by certain rules, it must make sure that it does comply with these rules; otherwise, it is exposed to an unfair and deceptive practice action. Make sure that you periodically compare ALL promises your business makes, with what ALL of your products, services, applications, technologies, actually do.

New UK Cookie Rule Tough to Swallow

Posted by fgilbert on May 10th, 2011

The United Kingdom’s Information Commissioner’s Office (ICO) has published an “advice” that explains the new rule for the use of cookie technologies for websites and mobile applications that are subject to the UK laws. As of May 26, 2011, companies will no longer be permitted to rely on consent implied from browser settings. They must obtain the user’s prior affirmative consent to the use of most cookies.

The ICO’s Advice invites companies to promptly conduct an audit of their practices, assess the different types of cookies to determine how intrusive they may be, and identify workable solutions to obtain users’ consent. The ICO makes it clear that it expects companies to come up with a plan of action that shows that they have considered their obligations and that they have a realistic plan to respond to the new requirements and achieve compliance.

According to the ICO’s press release, this Advice was published in order to prompt organizations to start thinking about the practical steps that they need to take to respond to this new requirement. The ICO intends to provide additional guidance as innovative ways to acquire users’ consent are developed.

The New Rule, in Brief

The new Cookie Rule requires that UK websites and mobile applications obtain their visitors’ affirmative consent to the use of cookies. This rule results from the implementation into UK law of the 2009 Amendment to the EU’s 2002 Privacy and Electronic Communications Directive. It will amend Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR).

Businesses and other entities will be permitted to use cookie technologies only if the user of the site or application (a) has received clear and comprehensive information about the purpose for the cookie in question; and (b) has given his or her consent to the use of the cookie. Once a user has consented to the use of a particular cookie, there is no need to ask permission each time the website needs to access that cookie. Cookies that are “strictly necessary” for the service requested by the user are not subject to the prior consent requirement.

The new rule requires that a website obtain informed, affirmative consent to the use of almost any cookie that it wishes to install on a user’s machine or mobile device. The restriction applies both to the installation of the cookie and to the subsequent access to the information stored in the cookie. Except for a small category of cookies that are “strictly necessary” for the proper operation of a site, or for providing a service requested by the user, such as a shopping-cart feature, all other cookies, including those used for analytics purposes, require prior specific consent. Of course, Flash cookies are also subject to the notice and consent requirement.

Until browser technology has made progress, it will no longer be possible to rely on browser settings as a method of showing users’ consent. Even though the rule allows consent to be signified by users amending or setting controls on their browsers, the ICO’s Advice clearly states that, given the current state of technology, using browser settings is NOT a satisfactory method for expressing consent. The ICO’s Advice discusses several methods that might be used to implement the notice and consent requirement.

The ICO envisions a sliding-scale approach, where the cookies that have the potential to be the most intrusive require the most specific and detailed notice. The ICO also suggests a tailored approach as opposed to the “one-size-fits-all” approach commonly used today in website privacy policies. The different models for expressing consent proposed by the ICO tend to be specific to a particular type of cookie and the particular circumstances of its use.

The Basic Requirement

The previous rule on using cookies by UK entities – which was set out in Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) – required that users be informed about the existence of cookies, and be given the opportunity to refuse the storage of, or access to, the cookie information stored on their computers. Most companies provided the relevant information in their website privacy statement, and informed their users that, by changing their browser settings, they could arrange to block cookies.

Under the new rule, companies must still provide clear and comprehensive information about the use of cookies. However, the cookies may only be placed on a machine or device after the user has given his affirmative consent.

The Exceptions

  • Repeated uses: The consent need not be given each time. Under the new rule, if the same information is stored or accessed by the same entity, regarding the same user, on more than one occasion, the consent needs to be obtained only once.
  • Transmission of communications: Notice and consent are not required for a limited number of cookie categories. Cookies that are required for the sole purpose of carrying out the transmission of communications over an electronic network are exempt from the notice and consent requirement.
  • Cookies that are “strictly necessary”: Cookies that are “strictly necessary” for the provision of a service requested by the user are also exempt from the notice and consent requirement. According to the ICO’s Advice, “strictly necessary” means that the use of the cookie must relate to the service explicitly requested by the user. The exception is narrow. It would apply, for example, to a cookie used in ecommerce applications when a user has selected goods to purchase and clicks the ‘add to basket’ or ‘proceed to checkout’ button, to ensure that the site remembers what was chosen and posts the information on the check-out page. On the other hand, as explained by the ICO, the exception would not apply, for example, to cookies used to track users in order to make the website more attractive because it remembers the users’ preferences, or to cookies used to collect statistical information about the use of the website.

Browser Settings Not An Approved Method

The rule allows consent to be signified by the user amending or setting controls on his or her browser, or by using another application or program to signify consent. However, the ICO does not agree that using browser settings is currently a satisfactory method to express consent.

The ICO recommends that organizations refrain from using browsers as a means of obtaining consent because currently most browser settings are not sophisticated enough to allow a website to assume that the user has consented to the use of cookies. In addition, mobile applications and other technologies do not rely on browsers.

How to Implement the New Rule

The ICO anticipates a phased approach to the implementation of these changes, and recommends that companies use the following steps:

  • Identify what types of cookies are used and why: Companies should conduct an audit of their website to determine what cookies or data files are used and for which purposes. This allows a company to identify which cookies are strictly necessary and might not need consent.
  • Assess how intrusive these cookies are: The most intrusive cookies should be addressed first. For example, cookies that involve creating detailed profiles of an individual’s browsing activity are intrusive – the more privacy intrusive an activity, the more priority should be given to getting meaningful consent.
  • Identify the best solution for obtaining consent: For each category of cookies or uses, the best method for gaining consent should be identified. The most privacy intrusive activities will require that the most information be provided to the user.

Suggested Methods for Obtaining Consent

The ICO’s Advice provides a detailed analysis of the different methods available to obtain the user’s consent. It recommends a more specific, targeted approach. Cookies used for analytics purposes and cookies shared with third parties are likely to cause the most significant problems.

1 – Pop ups and similar techniques

Pop-ups may be used to ask for consent. However, this practice may be annoying if numerous cookies are used. Thus, the ICO cautions that the use of pop-ups or ‘splash pages’ may become frustrating if too frequent.

2 – Terms and conditions

Consent could be obtained when a user first registers or signs up. In this case, the ICO recommends making users aware of the changes, and specifically that the changes refer to the use of cookies, and then asking them to tick a box to indicate that they consent to the new terms. Specific information should be provided.

3 – Settings-led consent

Some cookies are deployed when a user chooses how the site works for them each time they visit the site; for example, a particular language, the size of the text displayed on the screen, the color scheme, or a “personalized greeting”.

In these cases, consent could be gained as part of the process by which the user confirms what she wants to do or how she wants the site to work. At that time, the user should be told that by allowing the website to remember her choice, she is also consenting to set the cookie.

4 – Feature-led consent

In the same manner as above, where the user conducts a specific activity, there are circumstances where tracking technologies are stored when a user chooses to use a particular feature of the site, such as watching a video clip, or when the site remembers what the user did on previous visits in order to personalize the content that the user is served.

In these cases, the user is often invited to open a link, click a button or agree to the functionality being ‘switched on’. The ICO suggests asking for the user’s consent to set a cookie at this point.

As in the prior example, it should be made clear to the user that by choosing to take a particular action, certain things will happen that will be interpreted as the user’s consent. If the anticipated use of tracking technology is complex or intrusive, it will be important to provide more specific information. In particular, as discussed below, users should be told whether some features are provided by a third party.

5 – Analytics and other functional uses

Many websites collect information about access to and use of the site, and time spent on a page. While the ICO acknowledges that cookies used for analytics purposes might not appear to be as intrusive as others that might track a user across multiple sites, their use nevertheless requires consent.

In this case, the ICO’s Advice suggests that companies should make information about the use of analytics cookies more prominent, particularly in the period immediately following implementation of the new Regulations. In addition, the ICO also suggests that websites should give more details about the use of these cookies, such as a list of cookies used with a description of how they work, so that users can make an informed choice about what they will allow.

If the information collected about website use is passed to a third party this information sharing must be made absolutely clear to the user. Any options available should be prominently displayed and not hidden away.

6 – Third party cookies

Finally, the ICO’s Advice addresses the use of third party cookies. When a website displays content from a third party, such as an advertising network or a streaming video service, this third party may send its own cookies to the user. While the process of obtaining consent for these cookies may be more complex, the ICO opines that the user must nevertheless be made aware of what is being collected and by whom. This is a challenging area in which the ICO expects that more research will be needed to find workable solutions.
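As an added illustration of the implementation steps and consent models described above (not code from the ICO Advice or from the original post), the following JavaScript models a consent gate in front of cookie writes: strictly-necessary cookies pass without consent, every other cookie needs an affirmative user action recorded once, a browser-setting signal is not accepted as consent, and the notice text grows with the cookie's intrusiveness. The cookie registry, the third-party names and all function names are constructed for this example.

```javascript
// Added example (not from the ICO Advice or the original post). All names are
// hypothetical; the registry below is a constructed sample of a site's cookies.

// Each cookie is declared up front with a category and a plain-language purpose,
// so the audit step ("what cookies are used and why") has one source of truth.
const COOKIE_REGISTRY = {
  basket:     { category: "strictly-necessary", intrusiveness: 0,
                purpose: "Remembers the items you added to your basket until checkout." },
  lang:       { category: "settings", intrusiveness: 1,
                purpose: "Remembers the language you chose for this site." },
  _analytics: { category: "analytics", intrusiveness: 2,
                purpose: "Counts visits and time spent on each page.",
                thirdParty: "AnalyticsCo (constructed name)" },
  ad_profile: { category: "third-party", intrusiveness: 3,
                purpose: "Builds an advertising profile across sites.",
                thirdParty: "AdNetwork (constructed name)" },
};

class ConsentGate {
  constructor(registry) {
    this.registry = registry;
    this.consents = new Set(); // cookie names the user has affirmatively agreed to
    this.blocked = [];         // audit trail of refused cookie writes
  }

  // Records consent only when it comes from an explicit user action (a ticked box,
  // a "switch on" button). A browser-setting signal is refused, because the ICO
  // does not treat browser settings as a satisfactory expression of consent.
  recordConsent(name, source) {
    if (!(name in this.registry)) throw new Error(`undeclared cookie: ${name}`);
    if (source !== "user-action") return false;
    this.consents.add(name);
    return true;
  }

  // Whether the cookie may be stored or read now. Strictly-necessary cookies pass
  // without consent; all others need a recorded consent, which then covers
  // repeated use of the same cookie (consent is asked once, not on every access).
  canUse(name) {
    const entry = this.registry[name];
    if (!entry) return false; // an undeclared cookie never passes the gate
    if (entry.category === "strictly-necessary") return true;
    return this.consents.has(name);
  }

  // Gate in front of the actual write. `jar` stands in for document.cookie.
  setCookie(jar, name, value) {
    if (!this.canUse(name)) {
      this.blocked.push(name);
      return false;
    }
    jar[name] = value;
    return true;
  }

  // Sliding-scale notice: more detail for more intrusive cookies, and the
  // recipient is named whenever the data goes to a third party.
  noticeFor(name) {
    const e = this.registry[name];
    let text = `${name}: ${e.purpose}`;
    if (e.intrusiveness >= 2) text += ` Category: ${e.category}.`;
    if (e.thirdParty) text += ` Data is shared with ${e.thirdParty}.`;
    return text;
  }

  // Order in which to address non-exempt cookies: most intrusive first, as the
  // ICO's implementation steps recommend.
  reviewOrder() {
    return Object.entries(this.registry)
      .filter(([, e]) => e.category !== "strictly-necessary")
      .sort((a, b) => b[1].intrusiveness - a[1].intrusiveness)
      .map(([name]) => name);
  }
}
```

The `blocked` list doubles as the kind of tangible evidence of effort the ICO says it expects: it shows which cookie writes the site refused before consent was recorded.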

How about the Remainder of the European Union?

The remainder of the European Union is also required to implement the new rules on the use of cookies that were outlined in the 2009 Amendment to the 2002 ePrivacy Directive. There is currently a lot of confusion throughout the European Union on how to interpret and implement this 2009 Amendment. The Advice published by the United Kingdom’s Information Commissioner’s Office clarifies the very confusing and controversial amendment.

It is highly likely that the ICO’s Advice will serve as guidance or a model to other data protection authorities who have been facing the same issues and need to implement the 2009 Amendment into their national laws. Thus companies that may not be subject to UK law, but otherwise do business in the European Union, should read and understand the ICO’s Advice as a way to prepare for their obligations to comply with the national laws of the countries where they operate.

Conclusion

The amendment to the UK rules comes into force on 26 May 2011. As a result of the implementation of this amendment into the UK laws, companies that operate websites in the UK must obtain informed consent from visitors to their websites and mobile applications in order to store and retrieve information on users’ computers through cookies or similar tracking technologies. Companies must provide clear and comprehensive information about the purpose for each cookie; and obtain the prior explicit consent to the use of the cookie. Until browser technology has made progress, browser settings can no longer be used as a method for expressing consent. While the ICO envisions a “sliding scale” approach, where the cookies that have the potential to be the most intrusive require the most specific and detailed notice, it also expects companies to delve promptly into implementation of the rule.

At a minimum, companies should promptly update their website privacy statements to clearly and conspicuously explain how cookies are used. In a second phase, companies should conduct an audit of their practices, assess the different types of cookies to determine how intrusive they may be, and identify workable solutions to obtain the requested consent.

The ICO has indicated clearly that it intends to enforce the new rule. While it concedes that full implementation will take time, the ICO wants companies to make every effort to start working on their use of cookies, and to be prepared to provide tangible proof of their efforts to comply with the new rules.

What Limits for Behavioral Targeting

Posted by fgilbert on June 4th, 2010

An individual uses a travel site to check hotels in New York, but does not book any hotel room. Later the individual visits the website of a local newspaper to read about the Chicago Cubs baseball team. While on the newspaper’s website, the individual is served an advertisement from an airline featuring flights from Chicago to New York. The method used to develop the consumer’s profile – someone interested in travelling to New York from his home base in Chicago – in order to serve targeted ads is named “behavioral advertising” or “behavioral targeting.”

Behavioral targeting is a marketing technique that tracks a user’s online activities over time in order to build a profile of that individual and to deliver advertising that is targeted to the assumed interests of this individual. The information about a user is collected through a combination of cookies and pixel tags. It could include what searches were conducted, what pages were visited, how long she stayed on a particular page, and on which links or advertisements she clicked. This information may then be combined with other information about that individual, such as her geographic location. It is then shared with advertising networks, which serve advertisements at websites across the Internet.

Many consumers and advocacy groups are concerned about the privacy issues that are associated with such practices. For example, the manner in which the consumer information is collected is not visible to the consumer. Further, sensitive information regarding health, finances, or children could be used for unanticipated purposes.

The Federal Trade Commission has conducted studies, published reports, and presented testimony before a Committee on Commerce, Science and Transportation in Congress. In December 2007, it published proposed “Online Behavioral Advertising Privacy Principles”, indicating that it was seeking comments. In February 2009, the FTC issued a report describing its ongoing examination of online behavioral advertising and setting forth revised proposed principles to govern self-regulatory efforts in this area. The 2009 Report is available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf.

The report discusses the privacy concerns raised by behavioral advertising. It notes that companies must still comply with all applicable privacy laws, some of which may impose requirements that are similar to those established by the principles. The report sets forth four revised principles.

Transparency and Consumer Control:

Websites are expected to provide clear, concise, consumer-friendly, and prominent notice regarding behavioral advertising, and an easily accessible way for consumers to choose whether to have their information collected for such purpose. The report encourages the development of creative and effective disclosure mechanisms that are separate from their privacy policies.

Reasonable Security and Limited Data Retention:

Companies are urged to provide reasonable security for any data they collect for behavioral advertising and to retain data no longer than is needed in order to fulfill a legitimate business or law enforcement need.

Affirmative Consent for Material Changes to Existing Privacy Promises:

Before a company can use previously collected data in a manner that is materially different from the promises that the company made when it collected the data, it should obtain affirmative express consent (opt-in consent) from the affected customers.

Sensitive Information:

Companies are urged to obtain affirmative express consent before collecting sensitive information for behavioral advertising. While financial information, information about children, health information, and Social Security numbers traditionally have been considered “sensitive information,” the FTC encourages stakeholders to develop more specific standards to address this issue.

Next steps: In its press release accompanying the report, the FTC notes that the February 2009 document is only part of an ongoing process, and that significant work in this area remains. The FTC intends to evaluate self-regulatory programs and to conduct investigations, where appropriate, to determine whether practices violate Section 5 of the FTC Act. In his comments accompanying the updated principles, FTC Commissioner Jon Leibowitz noted that “industry needs to do a better job of meaningful, rigorous self-regulation, or it will certainly invite legislation by Congress and a more regulatory approach by our Commission…. Put simply, this could be the last clear chance to show that self-regulation can – and will – effectively protect consumers’ privacy in a dynamic online marketplace.”

Companies need to pay close attention to behavioral targeting issues and must update their privacy statements in order to reflect their actual practices accurately. To the extent that they do use behavioral advertising techniques and collect information about their users’ behaviors, they should give users the opportunity to choose whether to have their information collected for such purpose.