
FTC v. Myspace

Posted by fgilbert on May 8th, 2012

On May 8, 2012, Myspace agreed to settle Federal Trade Commission charges that it misrepresented its protection of users’ personal information.

The two major issues at stake were misrepresentation of privacy practices and misrepresentation of compliance with the Safe Harbor principles.

Misrepresentation of Privacy Practices

Myspace assigns a persistent unique identifier, called a “Friend ID,” to each profile created on Myspace. A user’s profile may publicly display the user’s name, age, gender, picture, hobbies, interests, and list of friends.

The Myspace privacy policy promised that it would not share a user’s personally identifiable information, or use such information in a way that was inconsistent with the purpose for which it was submitted, without prior notice to, and consent from, the user. It also promised that the information used to customize ads would not individually identify users to third parties, and that Myspace would not share non-anonymized browsing activity.

The FTC charged that Myspace provided advertisers with the Friend ID of users who were viewing particular pages on the site. Advertisers could use the Friend ID to locate a user’s Myspace profile and obtain personal information publicly available on the profile. Advertisers also could combine the user’s real name and other personal information with additional information to link broader web-browsing activity to a specific individual.

Misrepresentation of Compliance with Safe Harbor Principles

Myspace certified that it complied with the U.S.-EU Safe Harbor principles, which include a requirement that consumers be given notice of how their information will be used and the choice to opt out.

The FTC alleged that the way in which Myspace handled personal information was inconsistent with its representations of compliance with the Safe Harbor principles.

Proposed Settlement

The proposed settlement order would:

  • Bar Myspace from misrepresenting the extent to which it protects the privacy of users’ personal information;
  • Bar Myspace from misrepresenting the extent to which it belongs to or complies with any privacy, security or other compliance program, including the U.S.-EU Safe Harbor Framework;
  • Require Myspace to establish a comprehensive privacy program designed to protect consumers’ information;
  • Require Myspace to obtain biennial assessments of its privacy program by independent, third-party auditors for 20 years; and
  • Expose Myspace to a civil penalty of up to $16,000 for each future violation, if any, of the consent order.

The proposed settlement is open for comments; it will be finalized and will become effective after the end of the comment period.


Posted in FTC

Mobile App Privacy Webinar on April 19, 2012

Posted by fgilbert on April 17th, 2012

On Thursday April 17, 2012, at 10am PT / 1pm ET, I will be moderating and presenting at a one-hour webinar organized by the Practising Law Institute: “A New Era for Mobile Apps? What Companies Should Know to Respond to Recent Mobile Privacy Initiatives”.

The webinar will start with an overview of the technologies and ecosystem that surround the operation and use of mobile applications, presented by Chris Conley, Technology and Civil Liberties Attorney, ACLU Northern California (San Francisco).

Patricia Poss, Chief, BCP Mobile Technology Unit, Federal Trade Commission (Washington DC) will then comment on the two reports recently published by the Federal Trade Commission: “Mobile Apps for Children” (February 2012) and the final report “Protecting Consumer Privacy in an Era of Rapid Change” (March 2012), which both lay out a framework for mobile players.

I will follow with an overview of the recent agreement between the California State Attorney General and six major publishers of mobile apps, which sets up basic rules and structures for the publication and enforcement of mobile app privacy policies, and of the Consumer Privacy Bill of Rights, which was unveiled by the White House in February 2012. I will end with suggestions for implementing privacy principles in the mobile world.

To register for this webinar, please visit the PLI website.


ID Theft Consumer Complaints to FTC Declining

Posted by fgilbert on February 28th, 2012

The Federal Trade Commission annual report on complaints filed by consumers, released on February 28, 2012, provides a list of the top consumer complaints received by the agency in 2011. For the 12th year in a row, identity theft complaints topped the list.

Of the more than 1.8 million complaints filed in 2011, 279,156, or 15 percent, were identity theft complaints. Over the past three years, the share of identity theft complaints has declined significantly: from 20% in 2009 to 15% in 2011.

The report also indicates that the share of complaints for credit card fraud has declined by 3 percentage points since 2009, from 17 percent in 2009 to 14 percent in 2011. It is clear that, despite their shortcomings, the security breach disclosure laws have contributed to raising companies’ and consumers’ awareness, and to identifying security incidents faster and more easily. As a result, credit card companies have been in a better position to promptly block stolen cards or credit card numbers.

On the other hand, the share of identity theft complaints related to tax- or wage-related fraud has doubled since 2009, jumping from 12.7 percent to 24.1 percent in 2011. This area clearly needs more attention. Proper measures need to be identified to reduce this type of fraud.

Complaint category                                Number    Percent
Identity Theft                                    279,156   15%
Debt Collection                                   180,928   10%
Prizes, Sweepstakes, and Lotteries                100,208    6%
Shop-at-Home and Catalog Sales                     98,306    5%
Banks and Lenders                                  89,341    5%
Internet Services                                  81,805    5%
Auto Related Complaints                            77,435    4%
Imposter Scams                                     73,281    4%
Telephone and Mobile Services                      70,024    4%
Advance-Fee Loans and Credit Protection/Repair     47,414    3%

The 103-page report breaks out complaint data on a state-by-state basis and contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and other complaints. Florida, Georgia, and California received the highest number of identity theft complaints (computed per capita), while Maine, North Dakota, and South Dakota received the smallest number of identity theft complaints.


FTC issues Report on Kids Privacy & Mobile Apps

Posted by fgilbert on February 16th, 2012

On February 16, 2012, the FTC released a new report on privacy issues in mobile apps. There are good lessons to be drawn from the document, both for mobile app developers and for companies that operate websites. What is true for mobile apps is generally also true for websites.

Among other things, the report recommends:

  • Everyone – stores, developers and third parties providing services – should play an active role in providing key information to parents;
  • Information about data practices should be provided in simple and short disclosures;
  • It should be clear whether the app connects with social media;
  • It should be clear whether the app contains ads;
  • Third parties that collect data should also disclose their privacy practices; and
  • App stores should also take responsibility for ensuring that parents have basic information.

The full report is available at: http://www.ftc.gov/opa/2012/02/mobileapps_kids.shtm


Never too Small to Face an FTC COPPA Action

Posted by fgilbert on November 9th, 2011

Some companies think that they are small, can fly under the radar, and need not worry about compliance. They should rethink their analysis of their legal risks after the recent FTC action against a small social networking site.

On November 8, 2011, the FTC announced a proposed settlement with the social networking site www.skidekids.com, which collected personal information from children without obtaining prior parental consent, in violation of COPPA, and made false statements in its website privacy notice, in violation of the FTC Act.

In this case, the personal information of 5,600 children was illegally collected. This is far fewer records than in some of the recent FTC COPPA enforcement actions. For example, the 2006 action against Xanga revealed that Xanga had collected 1.7 million records; the 2008 action against Sony, that Sony had collected 30,000 records; and the 2011 action against W3 Innovations identified 50,000 illegally collected records.

The Problem

The social networking site Skid-e-kids targeted children ages 7-14 and allowed them to register, create and update profile information, create public posts, upload pictures and videos, send messages to other Skid-e-kids members, and “friend” them.

According to the FTC complaint, the website owner – a sole proprietor – was prosecuted for:

  • Failing to provide sufficient notice of its personal data handling practices on its website;
  • Failing to provide direct notice to parents about these practices; and
  • Failing to obtain verifiable parental consent.

In addition, these practices were found to be misleading and deceptive, which in turn was deemed to violate Section 5 of the FTC Act.

The site’s online privacy statement claimed that the site requires child users to provide a parent’s valid email address in order to register on the website, that it uses this information to send parents a message that can be used to activate the Skid-e-kids account and to notify the parent about its privacy practices, and that it can use the contact information to send the parent communications about features of the site.

According to the FTC, however, Skid-e-kids actually registered children on the website without collecting a parent’s email address or obtaining the parent’s permission for the child to participate. Children who registered were able to provide personal information, including their date of birth, email address, first and last name, and city.

The Proposed Settlement

The proposed Consent Decree and Settlement Order against Jones O. Godwin, sole owner of the site www.skidekids.com is available at http://www.ftc.gov/os/caselist/1123033/111108skidekidsorder.pdf. The proposed settlement would:

  • Bar Skid-e-Kids from future violations of COPPA and from misrepresentations about the collection and use of children’s information;
  • Require the deletion of all information collected from children in violation of the COPPA Rule;
  • Require that the site post a clear and conspicuous link to www.onguardonline.gov, the FTC site focusing on the protection of children’s privacy, and that the site privacy statement as well as the privacy notice for parents also contain a reference to the On Guard Online site;
  • Require that, for 5 years, the company engage qualified privacy professionals to conduct annual assessments of the effectiveness of its privacy controls, or become a member in good standing of a COPPA Safe Harbor program approved by the FTC; and
  • Require that, for 8 years, records be kept to demonstrate compliance with the above.

A lenient fine … subject to probation

An interesting aspect of the proposed settlement is that it, in effect, imposes only a $1,000 fine on the defendant. The fine is to be paid within five days of the entry of the order. However, if Skid-e-Kids fails to comply with some of the requirements of the settlement, it will have to pay the full $100,000 fine that is provided for in the settlement.

Specifically, the $100,000 fine will be assessed if:

  • The defendant fails (a) to have initial and annual privacy assessments (for a total of 5 annual assessments) conducted by a qualified professional approved by the FTC, identifying the privacy controls that have been implemented and how they have been implemented, and certifying that the controls are sufficiently effective; or (b) to become a member in good standing of a COPPA Safe Harbor program approved by the FTC for 5 years; or
  • The disclosures made about the defendant’s financial condition are materially inaccurate or contain material misrepresentations.

The Lesson for Sites with Children’s Content

This new case is a reminder that the COPPA Rule contains specific requirements that must be followed, no matter the size of the site, when intending to collect children’s personal information. The COPPA Rule defines procedures and processes that must be followed rigorously.

Among other things, the COPPA Rule requires websites that are directed to children, and general audience websites that have actual knowledge that they are collecting children’s information, to:

  • Place on the website a conspicuous link to its privacy statement;
  • Provide specified information in the website privacy statement, describing in clear terms what personal information of children is collected and how it is used, and explaining what rights children and parents have to review and delete this information;
  • Provide a notice directly to the parents, which must include the website privacy statement, and inform the parents that their consent is required for the collection and use of the children’s information by the site, and how their consent can be obtained;
  • Obtain verifiable consent from the parents before collecting or using the children’s information;
  • Give parents the option to agree to the collection and use of the children’s information without agreeing to the disclosure of this information to third parties.

In addition, we suggest also including, clearly and conspicuously, (a) in the website privacy statement, (b) in the notice to parents, and (c) at each location where personal information is collected, a notice that invites the user to visit the On Guard Online website of the Federal Trade Commission for tips on protecting children’s privacy online: www.onguardonline.gov/topics/kids-privacy.aspx.


Lessons Learned from the Google FTC Settlement

Posted by fgilbert on October 25th, 2011

The Decision and Order settling charges by the Federal Trade Commission that Google used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010 became final as of October 24, 2011. Google is barred from future privacy misrepresentations, is required to implement a comprehensive privacy program, and must submit to independent privacy audits every other year, for the next 20 years.

The finalization of the Order gave me an opportunity to refresh my recollection of the terms of the settlement, and to reflect upon them. There are, indeed, many lessons to learn from the FTC – Google settlement:

What is a Comprehensive Privacy Program

The Google settlement order is the first one where the FTC requires a company to implement a comprehensive privacy program to protect the privacy of consumers’ personal information. As a result, there is now FTC guidance on the components of a comprehensive privacy program: from designating an individual responsible for the program, to identifying and assessing the risks that could result from the unauthorized collection, use or disclosure of personal information, to designing and implementing reasonable privacy controls and procedures, and training the personnel and supervising service providers.

What Personal Information is to be Protected

The Google settlement applies to “covered information.” The universe of personal information to be protected is significant. It is much broader than “sensitive information” (i.e. social security numbers, credit card and financial information, identity information, and the like), the limited, narrow group of personal information that too many view as the only personal information that must be protected. The “covered information” (or protected information) in the Google order encompasses all of the information that is collected from or about an individual, including, but not limited to, an individual’s:

  • First and last name;
  • Home or other physical address, including street name and city or town;
  • Email address or other online contact information, such as a user identifier or screen name;
  • Persistent identifier, such as IP address;
  • Telephone number, including home telephone number and mobile telephone number;
  • List of contacts;
  • Physical location; or
  • Any other information from or about an individual consumer that is combined with the above.

In other words, if you collect it, you have to protect it. This is a reminder that personal information need not be confidential, secret, or strategic to require protection.

How to Make a Material Change to a Policy

There is also specific guidance on how to implement a change in policy with respect to the sharing of personal information. If the personal data handling practices that were in effect when the company collected personal information change, the company must:

  • Obtain users’ express, affirmative consent before sharing their information with third parties; and
  • Prominently disclose, separately from any privacy policy, terms of use or similar document: that the user’s information will be disclosed to one or more third parties; the identity or specific categories of such third parties; and the purpose(s) for sharing this information.

Safe Harbor Promises Must be Kept

The Google settlement order is also the first time that the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework. Safe Harbor promises must be kept. It is not enough to fill out a form and ignore the commitments made.

Privacy Promises Must be Kept

Misrepresenting the extent to which the privacy and confidentiality of personal information is maintained is not acceptable. A company may not misrepresent the purposes for which it collects and uses the information, and the extent to which consumers may exercise control over the collection, use, or disclosure of personal information. When promises are made, they must be kept.

If one Product fails, the Entire Company will Bear the Consequences

Finally, the FTC Settlement does not cover just the Google Buzz and Gmail products. It applies broadly to all products and services of Google. For a large company like Google, the repercussions of a single error are extensive and significant. Do not assume that a little mistake can only have little consequences.

Now, Google has twenty years to think about what it could have done better, and how it could have avoided being elected to the FTC’s Hall of Shame. May the lessons from the FTC Google settlement order be learned by other companies.



FTC proposes changes to the COPPA Rule

Posted by fgilbert on September 15th, 2011

On September 15, 2011, the Federal Trade Commission published for comments its proposed amendment to the current COPPA Rule, which is codified as 16 CFR Part 312. This proposed amendment is based on the information and comments collected during several public round tables and other consultations with the public and stakeholders in 2010. The text of the Proposed Amendment can be found at http://www.ftc.gov/os/2011/09/110915coppa.pdf. Written comments must be received on or before November 28, 2011.

The Commission proposes modifications to the Rule in the following areas:

  • Definitions;
  • Parental notice and consent mechanisms;
  • Confidentiality and security;
  • Self-regulatory safe harbor programs.

What Will Not Change

While the proposed amendment would make some significant changes in some areas, a number of issues that had raised questions will not be affected. For example:

  • The definition of “child” will not change. The Rule will continue to protect children under 13, and not minors or other teens.
  • The amendment does not propose a clarification of what constitutes “actual knowledge” that a site is collecting information of children. This is unfortunate, since this question is the source of many problems for companies.

Several Revised Definitions

The proposed amendment would modify and clarify a number of definitions of crucial terms. Some of these clarifications will likely be welcomed by the service providers. Other changes significantly expand the scope of the defined terms, to take into account the changes and advances in technology and online practices. For example, the proposed amendment addresses the now ubiquitous use of behavioral targeting and location information. Several definitions are affected.

Definition of “Personal Information”

The proposed amendment would expand the definition of “personal information.” The new definition would include a customer identification number held in a cookie, an IP address, a processor or device number, or a unique device identifier that is used for functions other than internal operations of the website. Among other things, this addition would cover tracking cookies used for behavioral advertising.

The proposed amendment would also add geolocation information as well as photographs, videos and audio files that contain a child’s image or voice to the definition of personal information protected under COPPA.

Definition of “Collection”

The new definition of “collection” would clarify that the Rule covers the online collection of personal information both when an operator requires the personal information and when the operator merely prompts or encourages a child to provide such information.

The revised definition would permit a website operator to allow children to participate in interactive communities without parental consent, provided that the operator takes reasonable measures to delete “all or virtually all” children’s personal information before it is made public, and to delete it from its records.

Definition of “Release of Personal Information”

The amendment would define the term “release” of personal information separately from the definition of “disclosure.” A “release” would be the sharing, selling, renting, or transfer of personal information to a third party.

Definition of “Online Contact Information”

The definition of “Online Contact Information” would be expanded to include instant message user identifiers, VoIP identifiers, and video chat user identifiers.

Parents’ Notice and Consent Requirements

The amendment would provide much needed improvements to the rules that pertain to giving notice to parents and custodians and obtaining their consent.

Methods to be Used to Provide Parental Notice

COPPA requires that the parents be notified both on the operator’s website and in a notice delivered directly to the parent whose child seeks to register on the site or service. The proposed amendment would streamline the parental notice requirement. Key information would be presented to parents succinctly in a “just-in-time” notice, in addition to being presented in a privacy policy.

There are also proposed changes to the content of the notice. For example, all operators of a website would have to provide contact information including name, physical and email address, and telephone numbers. In addition, the amendment would streamline the content requirements for the notice.

Parental Consent Mechanisms

The proposed amendment would add new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database.

Concurrently, the proposed amendment would eliminate the “email-plus” method of parental consent, which allows operators to obtain consent through an email to the parent, coupled with another step, such as sending a delayed email confirmation to the parent after receiving consent.

Confidentiality and Security Requirements

The amendment would strengthen the existing confidentiality and security requirements and would introduce new data retention and disposal requirements.

Data Retention and Deletion

The amendment would introduce a data retention and deletion requirement, under which data could be retained only for as long as is necessary to fulfill the purposes for which it was collected. In addition, the proposed amendment would require the operator of a website or service to delete the child’s personal information by taking reasonable measures to protect against unauthorized access to, or use of, the information in connection with its disposal.

Service Providers

The amendment proposes adding a requirement that operators ensure that service providers or third parties to whom they disclose a child’s personal information have in place reasonable procedures to protect it.

This requirement is consistent with similar requirements that are in place in most – if not all – laws, regulations, rulings, and standards that address the protection of personal information. In all cases, the data custodian who gives access to personal information to a third party is responsible for ensuring that the third party protects the data with privacy, confidentiality, and security measures at least as stringent as those that the data custodian is required to use.

Safe Harbor

Finally, the amendment would strengthen the COPPA Safe Harbor Programs. It would modify the criteria for approval of self-regulatory guidelines and introduce new reporting and record keeping requirements. The amendment would require the Safe Harbor Programs to audit their members at least annually and report periodically to the Commission the results of these audits.

Comments Invited

The FTC has invited comments to the proposed amendment. These comments must be received by November 28, 2011.

Conclusion

The proposed amendment to the COPPA rule provides numerous significant additions and clarifications to the existing Rule. It takes into account changes in practices and technologies to adapt to the new forms of using online services. It also takes into account some of the obstacles encountered and questions asked by online services – and their advisors – when trying to implement some of the provisions of COPPA. While the amendment would improve and simplify the procedures to be used to notify parents and obtain their consent, it remains to be seen whether companies will be able to provide elegant and reliable methods for signing up children with their parents’ consent.

Failure to Protect against SQL Injection Attack deemed an “Unfair Practice”

Posted by fgilbert on May 4th, 2011

A proposed Federal Trade Commission consent order applicable to Ceridian Corporation establishes that failure to protect against potential SQL injection attacks is an “unfair practice” actionable under Section 5 of the FTC Act. Despite representations that it maintained “worry-free safety and reliability” and that it had a security program designed in accordance with the ISO 27000 standard, the company’s security system had several flaws. Among other things, Ceridian failed to use readily available defenses to SQL injection attacks. When a successful SQL injection attack caused the exposure of sensitive personal information of nearly 28,000 individuals, the FTC initiated an enforcement action. This action led to the development of the proposed FTC consent order, which was published on May 3, 2011.

Ceridian operates the Powerpay website, and provides payroll processing, payroll-related tax filing, benefits administration, and other human resource services. Customers enter their employees’ personal information, Social Security numbers, dates of birth, home addresses, bank account and other information on the website. This information is transmitted to Ceridian’s computer network, where payroll amounts are computed, payroll checks are processed, and direct deposits initiated.

Ceridian stored personal information in clear, readable text for an indefinite period of time, and failed to employ reasonable measures to detect and prevent unauthorized access to personal information. Hackers executed an SQL injection attack on the Ceridian system. These deficiencies allowed the SQL injection attack to succeed, and the personal information of individuals to be exposed.

The proposed FTC consent order is consistent with prior consent orders issued in similar circumstances. What makes the Ceridian case interesting is the list of acts and deficiencies that the FTC identifies as having created vulnerabilities and that should have been avoided. The FTC complaint against Ceridian notes in particular the following security deficiencies:

  • Storing information in clear, readable text;
  • Storing information indefinitely, and for longer than needed;
  • Failure to assess the vulnerability of the system to known or reasonably foreseeable attacks such as SQL injection attacks;
  • Failure to use readily available, free, or low-cost defenses to SQL attacks; and
  • Failure to employ reasonable measures to detect and prevent unauthorized access to personal information.

This list provides examples of the minimum measures that the FTC expects from a security system intended to protect personal information such as financial information or social security numbers. Of note, in particular, is the need to have in place systems and defenses that resist SQL injection attacks and other known or reasonably foreseeable attacks.
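As an added illustration of the “readily available, free, or low-cost defenses” the complaint refers to, the following Python compares a lookup that splices untrusted input into the SQL text with one that binds it as a driver parameter. This is example code written for this page, not anything from the Ceridian case or its systems; the in-memory table, column names and rows are constructed.

```python
import sqlite3

# Constructed in-memory table standing in for a payroll-style lookup. The
# schema and rows are hypothetical and are not Ceridian's.
SAMPLE_ROWS = [
    ("alice", "SSN-PLACEHOLDER-1"),
    ("bob", "SSN-PLACEHOLDER-2"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, username TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO employees (username, ssn) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_concatenated(conn, username):
    """Deficient pattern: untrusted input is spliced into the SQL text.

    Whatever the caller supplies becomes part of the statement, so the
    database cannot distinguish the developer's query from the input.
    """
    sql = "SELECT username FROM employees WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, username):
    """The low-cost defense: a bound parameter.

    The SQL text is fixed; the input is handed to the driver as data and is
    compared literally, so it can never alter the structure of the query.
    """
    sql = "SELECT username FROM employees WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def compare(username):
    """Run both lookups on the same input and return the results side by side."""
    conn = make_db()
    try:
        return {
            "concatenated": lookup_concatenated(conn, username),
            "parameterized": lookup_parameterized(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input: both variants return the same single row.
    print(compare("alice"))
    # Input containing SQL syntax: only the concatenated variant is affected,
    # returning every row; the parameterized lookup matches nothing.
    print(compare("nobody' OR '1'='1"))
```

The same driver-level binding is available in every mainstream database library, which is why the FTC could describe the defense as free or low-cost.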

The proposed consent decree establishes a 20-year supervision period, during which Ceridian will be required to obtain and provide, or make available to the FTC, on a biennial basis, an assessment and report from a qualified third-party professional, certifying that it has in place a security program that meets or exceeds specified requirements, and that provides reasonable assurance that the security, confidentiality, and integrity of personal information in the company’s custody is protected. The security program must contain administrative, technical, and physical safeguards appropriate to Ceridian’s size and complexity, the nature and scope of its activities, and the sensitivity of the information collected from or about consumers and employees. Specifically, the proposed order requires Ceridian to:

  • Designate one or several employees to coordinate and be accountable for the information security program;
  • Identify material risks to the security, confidentiality, and integrity of personal information and assess the sufficiency of any safeguards in place to control these risks;
  • Design and implement reasonable safeguards to control these risks;
  • Regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures;
  • Develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information of Ceridian’s clients;
  • Require service providers by contract to implement and maintain appropriate safeguards; and
  • Evaluate and adjust its information security programs in light of the results of testing and monitoring, and of any material changes to operations or business arrangements.

For over 10 years the Federal Trade Commission has had an active, leading role in defining the basic requirements for the collection, use, storage, disclosure and protection of personal information. During this period, the consent decrees issued by the Federal Trade Commission have identified the security practices that the FTC deems unacceptable. These consent decrees provide a clear view of the expectations of the regulators. With Ceridian, it is now established that protecting against SQL injection attacks is an essential, basic requirement for a reasonable information security program.


FTC’s Privacy Framework: Similarities with EU Privacy Directives

Posted by fgilbert on December 10th, 2010

On December 1, the FTC issued its long-awaited report in which it outlines a Proposed Framework for businesses and policy makers for the protection of personal data. The Proposed Framework would reach a broad range of commercial entities, both online and offline, that collect, maintain, share, or use consumer data. The protection would apply not only to what has traditionally been named “personally identifiable information,” i.e. data that can be reasonably linked to an individual, as has been done in the past, but also to data that can be reasonably linked to a specific computer or device (FTC Report, p. 42).

The proposed Framework is built on three principles: (a) implementation of “Privacy by Design”; (b) simplification of choices for consumers; and (c) providing greater transparency.

Each of these principles, if adopted and followed by US businesses, would bring the United States closer to the practices that have been in place in Western Europe and many APAC countries for many years, and that are increasingly adopted elsewhere, such as in the Americas (Canada, Mexico, Argentina, Uruguay, etc.). However, significant gaps would remain.

Privacy by Design

Referring to the concept of “Privacy by Design” coined by Ann Cavoukian, the Information and Privacy Commissioner of Ontario (Canada), the FTC Proposed Privacy Framework would require companies to build privacy protections into their everyday business practices. In addition, companies would be expected to promote privacy throughout their organizations, and at every stage of the development of their products and services.

Privacy Protections

The Framework would require at least the following privacy protections:

  • Providing reasonable security for consumer data;
  • Collecting only the data needed for a specific business purpose;
  • Retaining data only as long as necessary to fulfill that purpose;
  • Safely disposing of data no longer being used; and
  • Implementing reasonable procedures to promote data accuracy.

There are significant similarities between these principles and the rules that already exist in data protection laws in effect throughout the European Union and in many countries on all continents. For example, Article 17 of the 1995 EU Data Protection Directive requires security measures. Further, ensuring data accuracy and limiting collection and retention of personal data are among the Principles Relating to Data Quality listed in Article 6 of the EU Data Protection Directive. Thus, the adoption of these privacy protections would take United States companies significantly closer to their counterparts in the 50+ countries that have adopted data protection laws.

Comprehensive Data Management Procedures

The proposed FTC framework would also require companies to develop a reasonable privacy program and comprehensive data management procedures throughout the life cycle of their products and services. This program would include, for example:

  • Assigning personnel to oversee privacy issues;
  • Training employees on privacy issues; and
  • Conducting privacy impact assessments when developing new products and services.

Such concepts are not new, and they are consistent with prior guidelines that the FTC has provided in its consent orders, such as in its 2002 Final Consent Order in its case against Eli Lilly and Company.

As it has done in its prior communications, the FTC explains that implementation can be scaled to each company’s business operations. For example, a small amount of non-sensitive consumer data would require less stringent or comprehensive measures than vast amounts of consumer data. Companies that engage in the business of selling consumer data would be subject to higher scrutiny.

Putting in place an appropriate privacy program may require significant efforts for companies that have not yet appreciated the value of personal information, and the need to protect personal information of employees, customers and others who contribute to the wealth of the business, through their work, their purchases, or otherwise.

The concept of a comprehensive data management process is also one of the components of the recent “Communication 609” published in early November 2010 by the European Commission. The Communication, which is intended to outline proposed changes to the current EU data protection framework, would also require that national laws provide for the appointment of a “Data Protection Official” for companies over a certain size, and for the conduct of a Privacy Impact Assessment before launching a new product or service. (See Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions: A comprehensive approach on personal data protection in the European Union, http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf.). Thus, in this respect, the Proposed FTC Framework and the proposed changes to the EU practices are consistent with each other.

Simplified Choices

Second, the proposed Framework would require companies to make it easier for consumers to understand their privacy practices and exercise choices, if any. The FTC proposes a two-pronged approach:

  • Collection of data for “commonly accepted” purposes would not require prior consent of the data subject;
  • For data practices that are not “commonly accepted,” consumers should be able to make informed and meaningful choices.

Commonly Accepted Purposes

The FTC Report (see page 43 of the report) provides examples of what would be “commonly accepted” purposes: product and service fulfillment; internal operations; fraud prevention; legal compliance and public purpose; and first party marketing. The view is that these practices are obvious from the nature of the transaction (e.g. delivery of a product) or sufficiently accepted or necessary for public policy reasons. Thus, it is not necessary to encumber the flow of data.

This concept is consistent with the view taken by the national laws of the EU Member States, where the collection and processing of personal information (other than sensitive information) is permitted when it is necessary for the performance of a contract between the data subject and the entity collecting the data, for compliance with a legal obligation, or to protect the public interest or the vital interests of the data subject. (See, e.g., Article 7 of the 1995 EU Data Protection Directive).

There is, however, a significant difference between the FTC view and the European view, in that the FTC Framework would allow the collection and processing of personal information for “first party marketing” generally, while in the European Union this practice is restricted to the marketing of products or services similar to those the customer purchased previously. (See, e.g., Article 13 of the 2002 e-Privacy Directive). Thus, the US approach would be significantly more protective of business interests.

Choice Required for Other Practices

For data practices that are not “commonly accepted,” the FTC Framework would require that privacy choices be clearly and concisely described and offered to consumers at the time when the consumers are making decisions about their data, such as when entering personal data or before accepting a product or service.

The current draft of the Proposed Framework is not yet clear as to the direction it will follow with respect to the collection and processing of sensitive information. The final Framework is likely to suggest restrictions to the collection and processing of sensitive information, and to specify what constitutes “sensitive information.”

While the concept of “sensitive data” has not yet been defined by the FTC or otherwise, in practice, the United States has identified “sensitive data” very differently than the rest of the world. Existing US laws – such as the laws pertaining to security breach disclosures – have mostly focused on identity theft, and have provided heightened protection to financial information and identity information, for instance. The rest of the world has generally identified as “sensitive,” information that pertains to our most intimate activities or thoughts, such as sexual preference, medical condition, or religious or philosophical beliefs.

In its Communication 609, the European Commission has announced that it would likely expand the definition of “sensitive information”, to include other types of information, such as genetic information. There has not been any expression of intent to include in this category any financial or identity information.

Greater Transparency

The third component of the FTC proposed Framework would focus on increasing the transparency of companies’ data handling practices. This would be achieved through several vehicles:

  • Clearer, shorter, and more standardized privacy notices;
  • Reasonable access to data maintained by the business;
  • Prominent disclosures and affirmative express consent required when making material changes; and
  • Consumer education.

Privacy Notices

The FTC Report comments that privacy policies could play an important role in promoting transparency, accountability, and competition among companies if the policies are clear, concise, and easy to read. Thus, it would require that companies improve their privacy policies in order to allow a comparison of data practices and choices across companies.

This requirement for simplicity and clarity is very similar to the EU Commission’s recent call, in its Communication 609, for ensuring that consent is informed. In this document, the EU Commission commented that the opacity of online privacy policies makes it difficult for individuals to be aware of their rights and to give informed consent. Like the FTC, Communication 609 stresses the need for individuals to be clearly informed, in a transparent way, of the data controller’s data handling practices. The information must be easily accessible, easy to understand, and written in clear and plain language.

It is not surprising that both the United States and the European Union would express the same frustrations. In both regions, privacy notices have become lengthy, complex documents that the average customer has trouble deciphering.

Access to Data

The FTC report also proposes providing consumers with reasonable access to the data that companies maintain about them, particularly for companies that do not interact with consumers directly, such as data brokers. Because of the significant costs associated with access, however, the report suggests that the extent of access might be proportional to both the sensitivity of the data and its intended use.

For many years, the right of access and correction has been absent from most privacy notices and privacy policies, except for those issued under HIPAA. On the other hand, the right of access and correction has been one of the most fundamental rights provided to individuals throughout the European Union, and in the non-EU countries that have followed the same principles.

Today, most US sites do not offer a right of access and modification, or this right is limited to the data published in the “my account” section of a site. It would be impossible, however, to obtain access to the “dossier” that a company has compiled about an individual from information gathered through purchases from data brokers.

In contrast, many EU residents have enjoyed a right of access and correction for their data, for over 30 years. Nowadays, all EU residents enjoy a “right to know” (i.e. right to know whether an entity has data about them), a right of access, a right of correction, erasure, or blocking of data that are incomplete or inaccurate or have been collected or processed in violation of the applicable national law, and in some circumstances, a right to object to the processing of their data.

Further, in its Communication 609, the EU Commission has announced that the upcoming amendment to the data directives would provide enhanced rights for individuals, including: (a) requiring that access or correction be provided free of charge; (b) clarifying the right to prevent the processing of one’s data; and (c) the “right to be forgotten”.

The right of access to data and the associated rights have been one of the most significant differences between the United States and the rest of the world when comparing privacy regimes. With the proposed addition of a right of access and correction, the United States would be getting closer to the philosophies in effect in most of the rest of the world.

Consent to Material Changes

In addition, under the Proposed Framework, all entities would be required to provide prominent disclosures and obtain affirmative consent for material, retroactive changes to data policies. For several years, the Federal Trade Commission has insisted that consumers should have the right to object to new uses of their information for purposes that had not been originally disclosed. For example, this requirement was expressed in the enforcement action against Gateway Learning, in 2004 (see, http://www.ftc.gov/opa/2004/09/fyi0454.shtm), and restated in several FTC documents (see, e.g., Behavioral Principles, http://www.ftc.gov/opa/2009/02/behavad.shtm).

This approach is consistent with the purpose limitation principle in effect in the EU (see, Article 6, 1995 Data Protection Directive), which requires that individuals consent to any new use of their personal information.

Consumer Awareness

Finally, the Proposed Framework would require that stakeholders undertake a broad effort to educate consumers about commercial data practices and the choices available to them. Increasing consumer understanding of the commercial collection and use of their information is important to facilitating competition on privacy across companies.

This approach is also consistent with the views recently expressed by the European Union in Communication 609. The Commission has also acknowledged that it was necessary to increase the public’s understanding and awareness of privacy issues. The Commission proposes to set aside a budget for an awareness campaign.

Conclusion

Borders used to create a wall between countries, and prevented the free flow of people, information and goods. Cloud computing and the Internet have shattered this wall, and we now live in a borderless world. Nevertheless, countries have retained their identity and their sovereignty within their territory, which results in significant discrepancies in the way legal issues are handled. This has been the case, for example, for the protection of personal data throughout the world. The discrepancies between data protection regimes hamper the free flow of personal data, and in turn pose a challenge to global commerce. The more similar the laws are, the easier it is for people, goods and ideas to move freely, and for commerce to flourish.

With its proposed Privacy Framework, the Federal Trade Commission is outlining a structure that would take the protection of personal data and privacy rights in the United States closer to the regimes in effect in most of the world’s leading economic powers. This progress should be very favorable to electronic and traditional commerce. It is important to encourage the efforts of the Federal Trade Commission, so that all countries can better exchange people and goods, and interstate and international commerce can prosper.

Posted in FTC

December 2010 – BNA Privacy and Security Law Report

Posted by fgilbert on December 2nd, 2010

Francoise Gilbert was interviewed for the article “FTC Stands by Self-Regulatory Approach in Long-Awaited Consumer Privacy Report” (subscription required) in the Privacy and Security Law Report section of the BNA.

Posted in FTC