Archive for August, 2012

FTC v. Google V2.0 – Lessons Learned

Posted by fgilbert on August 13th, 2012

The Federal Trade Commission has published its long-awaited Proposed Consent Order with Google to close its second investigation into Google’s practices (Google 2). Under the proposed document, Google would agree to pay a record $22.5 million civil penalty to settle charges that it misrepresented to users of Apple’s Safari browser that it would not place tracking cookies on their browser, or serve targeted ads. It would also have to disable all tracking cookies that it had said it would not place on consumers’ computers, and report to the FTC by March 8, 2014 on how it has complied with this remediation requirement.

Google 2 Unique Aspects

Unlike most consent orders published by the FTC, the Google 2 Consent Order does not primarily address the actual violations of privacy promises made. Rather, it addresses the fact that Google’s activities allegedly violate a prior settlement with the FTC, dated October 2011 (Google 1).

As such, beyond evidencing the FTC’s ongoing efforts to ensure that companies live up to the privacy promises that they make to consumers, Google 2 clearly shows that the FTC takes seriously the commitments that it requires from companies that it has previously investigated. When an FTC consent decree requires a 20-year commitment to abide by certain practices, the FTC may, indeed, return and ensure that the obligations outlined in the consent decree are met.

Privacy Promises are made everywhere

A significant aspect of the proposed Google 2 Consent Order and related Complaint is that privacy promises are made in numerous places beyond a company’s online privacy statement. They are found, as well, in other representations made by the company, such as through its regulatory filings, or in its marketing or promotional documents. In the Google 1 enforcement action, the FTC looked at the promises and representations made in Google’s Safe Harbor self-certification filings. In the Google 2 enforcement action, the FTC looked at the promises and representations made in Google’s statements that it complied with the Self-Regulatory Code of Conduct of the Network Advertising Initiative (NAI).

Misrepresentation of compliance with NAI Code

In the third count of the FTC Complaint in Google 2, the FTC focuses on Google’s representation that it adheres to, or complies with, the NAI Self-Regulatory Code of Conduct. The alleged violation of this representation allows the FTC to claim that Google violated its obligation under Google 1 to not “misrepresent the extent to which it complies with, or participates in, a privacy, security, or other compliance program sponsored by the government or any other entity”.

Evolution of the FTC Common Law

Google 2 shows a clear evolution of the FTC “Common Law” of Privacy. As the concept of privacy compliance evolves, the nature of the FTC’s investigations becomes more refined and more expansive. In its prior cases, the FTC first focused on violations of companies’ privacy promises made in their public Privacy Statements. Then, more recently, in several consent orders – including Google 1 – the FTC expanded the scope of its enforcement action to include violations of the Safe Harbor Principles outlined by the US Department of Commerce and the EU Commission. Now, with Google 2, the FTC again expands the scope of its enforcement actions to include potential violation of representations made of compliance with the NAI Self-Regulatory Code of Conduct. This trend is likely to continue, and in future cases, we should expect to see an expansion of the FTC investigations into verifying compliance with statements made that a company follows other self-regulatory industry standards.

What consequences for Businesses

Companies often use their membership in industry groups or privacy programs as a way to show their values, and to express their commitment to certain standards of practice. This was the case for Google with the Safe Harbor of the Department of Commerce and of the European Union (Google 1), and with the Network Advertising Initiative (Google 2).

These promises to comply with the rules of a privacy program are not just statements made for marketing purposes. The public reads them, and so do the FTC and other regulators.

Privacy programs such as the Safe Harbor or the NAI Code have specific rules. As shown in the Google 1 and Google 2 cases, failure to comply with the rules, principles and codes of conduct associated with membership in these programs could be fatal.

If the disclosures made are not consistent with the actual practices and procedures, such deficiency would expose the company to claims of unfair and deceptive practice; or in the case of Google, to substantial fines for failure to comply with an existing consent decree barring future misrepresentation.

If your company makes promises or statements about its privacy – or security – practices, remember and remind your staff that these representations may have significant consequences, and may create a minefield if not attended to properly. In addition:

  • Look for these representations everywhere, and not just in the official company Privacy Statement; for example, look at the filings and self-certification statements, the cookie disclosures, the marketing or sales material, the advertisements;
  • Periodically compare ALL promises that your business makes with what each of your products, services, applications, technologies, devices, cookies, tags, etc. in existence or in development actually does;
  • Educate your IT, IS, Marketing, Communications, Sales, and Legal teams about the importance of working together, and coordinating efforts so that those who develop statements and disclosures about the company’s policies and values fully understand, and are aware of, all features and capabilities of the products or services that others in the Company are designing and developing;
  • If your company claims that it is a member of a self-regulatory or other privacy compliance program, make sure that you understand the rules, codes of conduct or principles of these programs or industry standards; and ensure that the representations of your company’s compliance with these rules, codes of conduct or principles are accurate, clear and up-to-date;
  • Ensure that ALL of your company’s products and services comply and are consistent with ALL of the promises made by, or on behalf of, the company in ALL of its statements, policies, disclosures, marketing materials, and at ALL times.

FTC v. Google 2012 – Misrepresentation of Compliance with NAI Code a Key Element

Posted by fgilbert on August 9th, 2012

Google was hit by a $22.5 million penalty as a result of an investigation by the Federal Trade Commission covering Google’s practices with users of the Safari browser. A very interesting aspect of this new case against Google (Google 2) is that it raises the issue of Google’s violation of the Self-Regulatory Code of Conduct of the Network Advertising Initiative (NAI Code). This is an interesting evolution in the history of the FTC rulings. At first, the FTC focused on violation of privacy promises made in Privacy Statements, then it went on to pursue violation of the Safe Harbor Principles. In this new iteration, the FTC attacks misrepresentation of compliance with industry standards.

Misrepresentation of user’s ability to control collection or use of personal data

Two elements distinguish this case (Google 2) from most of the prior enforcement actions of the FTC. One is that the large fine results, not directly from the actual violations of privacy promises made in Google’s privacy policy, but rather from the fact that Google’s activities are found to violate a prior settlement with the FTC, dated October 2011 (Google 1).

In Google 1, Google promised not to misrepresent:

  • (a) The purposes for which it collects and uses personal information;
  • (b) The extent to which users may exercise control over the collection, use and disclosure of personal information; and
  • (c) The extent to which it complies with, or participates in, a privacy, security, or other compliance program sponsored by the government or any other entity.

According to the FTC complaint in Google 2, Google represented to Safari users that it would not place third-party advertising cookies on the browsers of Safari users who had not changed the default browser setting (which, by default, blocked third-party cookies) and that it would not collect or use information about users’ web-browsing activity. These representations were found to be false by the FTC, resulting in a violation of Google’s obligation under Google 1 (see paragraph (b) in the bulleted list above).

Misrepresentation of compliance with NAI Code

The second, and more interesting, element of the Google 2 decision is the FTC analysis of Google’s representation that it adheres to, or complies with, the Self-Regulatory Code of Conduct of the Network Advertising Initiative (NAI Code). In the third count of the FTC Complaint in Google 2, the FTC focuses on Google’s alleged violation of the NAI Code.

This alleged violation allows the FTC to show that Google violated its obligation under Google 1 to not “misrepresent the extent to which it complies with, or participates in, a privacy, security, or other compliance program sponsored by the government or any other entity” (see the requirement under (c) in the bulleted list above). The FTC found that the representation of Google’s compliance with the NAI Code was false, and thus violated its obligation in Google 1 not to make any misrepresentation about following compliance programs.

Evolution of the FTC Common Law

Google 2 shows an interesting evolution of the FTC “Common Law.” In its prior cases, the FTC first focused on violations of companies’ privacy promises made in their public Privacy Statements. Then, in several consent orders published in 2011, including Google 1, the FTC expanded the scope of its enforcement action to violations of the Safe Harbor of the US Department of Commerce and the EU Commission. Now, with Google 2, the FTC expands again the scope of its enforcement action to include, as well, violation of Industry Standards such as the NAI Code.

What this means for businesses

The Google 2 Consent Order has significant implications for all businesses.

Companies often use their membership in industry groups as a way to show their values, and to express their commitment to certain standards of practice. Beware which industry group or program you join; understand their rules. As a member of that group or program, you must adhere to its code of conduct, rules or principles. Make sure that you do, and that all of the aspects of your business do comply with these rules.

When a business publicizes its membership in an industry group or a self-regulatory program, it also publicly represents that it complies with the rules or principles of that group or program: for example, those of the Safe Harbor (as was the case under Google 1) or those of the NAI (as was the case under Google 2), or others. Remember that these representations may have significant consequences, and may create a minefield if not attended to properly. To stay out of trouble, the company must also make sure that these representations are accurate, and that it does abide by these promises at all times, and with respect to all of its products.

When a company makes a public commitment to abide by certain rules, it must make sure that it does comply with these rules; otherwise, it is exposed to an unfair and deceptive practice action. Make sure that you periodically compare ALL promises your business makes, with what ALL of your products, services, applications, technologies, actually do.

Proposed Changes to FTC COPPA Rule

Posted by fgilbert on August 1st, 2012

The FTC has issued an NPRM seeking comments on proposed changes to the COPPA Regulations. These changes are intended to take into account the evolution of web technologies, such as plug-ins and the use of third-party cookies and ad networks; they would also clarify some of the requirements for websites that contain child-oriented material that may appeal to both parents and children. This new NPRM pertains to changes to the COPPA Regulation that diverge from previously proposed changes that the FTC presented in its September 2011 proposal.

  • Expansion of the definitions of “operator” and “website or service directed to children”

The proposed changes to the definitions of “operator” and “website or online service directed to children” would clarify that an operator that integrates the services of third parties that collect personal information from visitors of its site or service would itself be considered a covered “operator” under the Rule. Further, an ad network or plug-in would also be subject to COPPA if it knows or has reason to know that it is collecting personal information through a child-directed site or service.

  • Clarification of the definition of “personal information”

The proposed change to the definition of “personal information” would make it clear that a persistent identifier – e.g., a persistent cookie – would be deemed “personal information” subject to the Rule if it can be used to recognize a user over time or across different sites or services.

However, the use of tracking technologies or identifiers for authenticating users, improving navigation, for site analysis, maintaining user preferences, serving contextual ads, and protecting against fraud and theft would not be considered the collection of “personal information” if the collected data is not used or shared to contact a specific individual, e.g. for behaviorally-targeted advertising.

  • Mixed audience websites

The proposed changes would also clarify that mixed audience websites that contain child-oriented content and whose audience includes both young children and others, including parents, would be allowed to age-screen all visitors in order to provide COPPA’s protections only to users under age 13. However, those child-directed sites or services that knowingly target children under 13 as their primary audience or whose overall content is likely to attract children under age 13 as their primary audience would still be required to treat all users as children.

  • Text of the Notice of Proposed Rule Making

The text of the Notice of Proposed Rule Making is available at http://www.ftc.gov/os/2012/08/120801copparule.pdf