By Alice Cheng

Based on comments solicited last year, the Federal Trade Commission (FTC) has posted proposed revisions to the Children’s Online Privacy Protection Act (COPPA). The Act, which has not been updated since its inception in 1998, may be extended to include social networks and online advertisers.

According to the current regulations, COPPA applies only to website operators who know or have reason to know that users are under the age of 13, requiring the sites to obtain parental consent before any collection of data. In the past decade, an increased ability to harvest consumer information has necessitated revisions. In a FTC staff report conducted earlier this year, the Commission addressed a growing need for app stores and app developers to provide more information regarding their data collection practices to parents. With the proposed changes posted today, the FTC plans to update COPPA to respond to modern concerns surrounding social networking sites, advertising networks, and applications. Under the proposed changes, such third parties may be held responsible for unlawful data collection practices when they know or have reason to know that they are connecting to children’s websites. Mixed audience websites may have to screen all visitors in order for COPPA regulations to apply to users under 13 years of age. Additionally, restrictions on advertising based on children’s online activity may be tightened.

 The FTC will be accepting public comment to the proposed rules via the FTC website. Comments will be accepted until September 10, 2012.

By Alice Cheng

Last week, eight House members, including Congressional Bi-Partisan Privacy Caucus chairmen Ed Markey (D-Mass.) and Joe Barton (R-Tex.), sent letters to nine major data broker firms, asking for information on how they collect, assemble, maintain, and sell consumer information to third parties.

The letter references a recent New York Times article profiling data broker Acxiom, which may have spurred the lawmakers’ decision to target the firms. Data brokers are large firms that aggregate information about hundreds of millions of consumers, selling them to third parties for marketing, advertising, and other purposes.  Oftentimes, profiles of consumers are created to reflect spending habits, political affiliation, and other behavioral information. As the article explains, the issue with these activities is that they are largely unregulated, largely unknown to the general public, and are often be difficult to opt out of.

Privacy advocates, lawmakers, and often the Federal Trade Commission have made continued moves towards increased transparency of the activities of data brokers. A statement explains that, in sending the letter to the nine firms, the lawmakers in the Bi-Partisan Privacy Caucus seek to obtain information on the brokers relating to  “privacy, transparency and consumer notification, including as they relate to children and teens.”

By Alice Cheng

A recent survey conducted by the Future of Privacy Forum (FPF) examined whether popular free and paid mobile apps provided users with access to a privacy policy. The survey found that 61.3% of the 150 apps examined had a privacy policy, while more free apps than paid apps had privacy policies. While the numbers of apps with privacy policies are still low, these findings mark an overall increase from the previous year.

The FPF credits the consumer privacy efforts of various groups, including the Federal Trade Commission and the California Attorney General. The FTC has made continuous efforts to develop companies develop best consumer privacy practices, and has been involved in battling privacy violations. In February, California Attorney General Kamala Harris persuaded six major companies with mobile platforms (including Apple, Microsoft, and Google) to ensure that app developers include privacy policies that comply with the California Online Privacy Protection Act. More recently, Harris also announced the formation of the Privacy Enforcement and Protection Unit to oversee privacy issues and to ensure that companies are in compliance with the state’s privacy laws.

Together with the FPF survey results, these recent strides reflect a growing nationwide concern for information privacy. However, mere access to privacy policies does not ensure that consumers are aware of what happens to information collected about them. Many policies are long and onerous, and can be confusing for consumers. As many privacy laws focus on protecting the consumer’s privacy interests, providing a clear privacy policy is oftentimes a best practice for all companies.

The Federal Trade Commission fined an online data broker who allegedly sold consumer reports containing internet and social media data in the context of employment screenings without adhering to the Fair Credit Reporting Act’s consumer protections.

By Alice Cheng

Data broker Spokeo recently agreed to pay $800,000 to settle Federal Trade Commission (FTC) charges in what is the FTC’s first Fair Credit Reporting Act (FCRA) case involving the “sale of internet and social media data in the employment screening context.”

Spokeo, a social network aggregator website, has long been notorious for the comprehensive profiles (including name, address, email address, phone number, hobbies, ethnicity, religion, etc.) it compiles and sells to third parties. Personal information of individuals is collected both online and offline, and profiles have been used for employment screening purposes—a practice that the FTC has alleged is in violation of the FCRA.

The FTC recently took legal action against the company after receiving an initial complaint about its practices from the Center of Democracy & Technology in 2010. The FCRA violations include failing to make sure that the information was sold for legally permissible uses only, failing to ensure that the information was accurate, and failing to notify users of the consumer reports about their obligations under FCRA.

The FCRA is a federal law regulating the collection, dissemination, and use of consumer information (including consumer credit information) to promote the accuracy, fairness, and privacy of such information. In order to avoid violating FCRA regulations, Spokeo says it will no longer build “consumer reports” and will no longer sell its information for employment screening purposes.

Aside from potential FCRA violations, such widespread collection of data by data aggregators like Spokeo continues to be an ongoing privacy issue. The collection of personally identifiable information, such as social security numbers or driver’s license numbers, carry obvious concerns, but even the collection of “non-sensitive” information can be problematic. Aggregation of this data is commonly used by advertisers to target prospective customers, or as in Spokeo’s case, sold to any willing buyers. While it may not always be easy to pinpoint any concrete harm to consumers, many are nevertheless uneasy about such compilations.

While the FTC has been increasingly vigilant regarding big data concerns, little progress is being made in developing data protection regulations. Continual changes in technology, such as the move to cloud computing services, may also invite further complications to developing appropriate regulations.  Consumers need to be aware of what information is being collected and how it is used.  Businesses need to be aware of what laws, rules and regulations govern their collection and use of information so they can assure successful compliance.

With the recent introduction of Google Drive, cloud computing services are garnering increased attention from entities looking to more efficiently store data. Specifically, using the “cloud” is attractive due to its reduced cost, ease of use, mobility and flexibility, each of which can offer tremendous competitive benefits to businesses. Cloud computing refers to the practice of storing data on remote servers, as opposed to on local computers, and is used for everything from personal webmail to hosted solutions where all of a company’s files and other resources are stored remotely. As convenient as cloud computing is, it is important to remember that these benefits may come with significant legal risk, given the privacy and data protection issues inherent in the use of cloud computing. Accordingly, it is important to check your cloud computing contracts carefully to ensure that your legal exposure is minimized in the event of a data breach or other security incident.

Cloud computing allows companies convenient, remote access to their networks, servers and other technology resources, regardless of location, thereby creating “virtual offices” which allow employees remote access to their files and data which is identical in scope the access which they have in the office. The cloud offers companies flexibility and scalability, enabling them to pool and allocate information technology resources as needed, by using the minimum amount of physical IT resources necessary to service demand. These hosted solutions enable users to easily add or remove additional storage or processing capacity as needed to accommodate fluctuating business needs. By utilizing only the resources necessary at any given point, cloud computing can provide significant cost savings, which makes the model especially attractive to small and medium-sized businesses. However, the rush to use cloud computing services due to its various efficiencies often comes at the expense of data privacy and security concerns.

The laws that govern cloud computing are (perhaps somewhat counterintuitively) geographically based on the physical location of the cloud provider’s servers, rather than the location of the company whose information is being stored. American state and federal laws concerning data privacy and security tend to vary while servers in Europe are subject to more comprehensive (and often more stringent) privacy laws. However, this may change, as theFederal Trade Commission (FTC) has been investigating the privacy and security implications of cloud computing as well.

In addition to location-based considerations, companies expose themselves to potentially significant liability depending on the types of information stored in the cloud. Federal, state and international laws all govern the storage, use and protection of certain types of personally identifiable information and protected health information. For example, the Massachusetts Data Security Regulations require all entities that own or license personal information of Massachusetts residents to ensure appropriate physical, administrative and technical safeguards for their personal information (regardless of where the companies are physically located), with fines of up to $5,000 per incident of non-compliance. That means that the companies are directly responsible for the actions of their cloud computing service provider. Aaron Messing, an information privacy and technology attorney at OlenderFeldman LLP, notes that some information is inappropriate for storage in the cloud without proper precautions. “We strongly recommend against storing any type of personally identifiable information, such as birth dates or social security numbers in the cloud. Similarly, sensitive information such as financial records, medical records and confidential legal files should not be stored in the cloud where possible,” he says, “unless it is encrypted or otherwise protected.” In fact, even a data breach related to non-sensitive information can have serious adverse effects on a company’s bottom line and, perhaps more distressing, its public perception.

Additionally, the information your company stores in the cloud will also be affected by the rules set forth in the privacy policies and terms of service of your cloud provider. Although these terms may seem like legal boilerplate, they may very well form a binding contract which you are presumed to have read and consented to. Accordingly, it is extremely important to have a grasp of what is permitted and required by your cloud provider’s privacy policies and terms of service. For example, the privacy policies and terms of service will dictate whether your cloud service provider is a data processing agent, which will only process data on your behalf or a data controller, which has the right to use the data for its own purposes as well. Notwithstanding the terms of your agreement, if the service is being provided for free, you can safely presume that the cloud provider is a data controller who will analyze and process the data for its own benefit, such as to serve you ads.

Regardless, when sharing data with cloud service providers (or any other third party service providers)), it is important to obligate third parties to process data in accordance with applicable law, as well as your company’s specific instructions — especially when the information is personally identifiable or sensitive in nature. This is particularly important because in addition to the loss of goodwill, most data privacy and security laws hold companies, rather than service providers, responsible for compliance with those laws. That means that your company needs to ensure the data’s security, regardless of whether it’s in a third party’s (the cloud providers) control. It is important for a company to agree with the cloud provider as to the appropriate level of security for the data being hosted. Christian Jensen, a litigation attorney at OlenderFeldman LLP, recommends contractually binding third parties to comply with applicable data protection laws, especially where the law places the ultimate liability on you. “Determine what security measures your vendor employs to protect data,” suggests Jensen. “Ensure that access to data is properly restricted to the appropriate users.” Jensen notes that since data protection laws generally do not specify the levels of commercial liability, it is important to ensure that your contract with your service providers allocates risk via indemnification clauses, limitation of liabilities and warranties. Businesses should reserve the right to audit the cloud service provider’s data security and information privacy compliance measures as well in order to verify that the third party providers are adhering to its stated privacy policies and terms of service. Such audits can be carried out by an independent third party auditor, where necessary.

Today, the Federal Trade Commission (FTC) issued a final report setting forth best practices for businesses to protect the privacy of American consumers and give them greater control over the collection and use of their personal data, entitled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.” The FTC also issued a brief new video explaining the FTC’s positions.  Here are the key take-aways from the final report:

• Privacy by Design. Companies should incorporate privacy protections in developing their products, and in their everyday business practices. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to ensure that such data is accurate;
• Simplified Choice. Companies should give consumers the option to decide what information is shared about them, and with whom. Companies should also give consumers that choice at a time and in a context that matters to people, although choice need not be provided for certain “commonly accepted practices” that the consumer would expect.
• Do Not Track. Companies should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities.
• Increased Transparency. Companies should disclose details about their collection and use of consumers’ information, and provide consumers access to the data collected about them.
• Small Businesses Exempt. The above restrictions do not apply to companies who collect only non-sensitive data from fewer than 5,000 consumers a year, provided they don’t share the data with third parties.

Interestingly, the FTC’s focus on consumer unfairness, rather than consumer deception, was something that FTC Commissioner Julie Brill hinted to me when we discussed overreaching privacy policies and terms of service at Fordham University’s Big Data, Big Issues symposium earlier this month.

If businesses want to minimize the chances of finding themselves the subject of an FTC investigation, they should be prepared to follow these best practices. If you have any questions about what the FTC’s guidelines mean for your business, please feel free to contact us.

Messing began with a discussion of common methods that search engine optimization companies use to raise their client’s sites in the rankings. The top search spots are extremely competitive, and the difference between being on the first or second page can make a huge difference in a company’s bottom line. One of the ways that search engines determine the relevancy of a web page is through link analysis. Search engines examine which websites link to that page, and what the text of those links — the anchor text – says about the page, as well as the surrounding content, to determine relevance. In essence, these links and contents can be considered a form of online citations.

A typical method used by SEO companies to raise website rankings is to generate content, using paid affiliates, freelance bloggers, or other webpages under the SEO company’s control, in order to increase the website’s ranking on search engines. However, since this content is mostly for the search engine spiders, and not for human consumption, the content is rarely screened, which can lead to issues with government agencies, especially in the regulated industries. This content also rarely contains disclosures that the author was paid to create the content, which could be unfair and deceiving to consumers. SEO companies dislike disclosing paid links and content because search engines penalize paid links. Messing said, “SEO companies are caught between the search engines, who severely penalize disclosure [of paid links], and the FTC, which severely penalizes nondisclosure.”

The main enforcement agency is the Federal Trade Commission, which has the power to investigate and prevent unfair and deceptive trade practices across most industries, though other regulated industries have additional enforcement bodies. The FTC rules require full disclosure when there is a “material connection” between a merchant and someone promoting its product, such as a cash payment, or a gift item. Suspicious “reviews” or unsubstantiated content can raise attention, especially in regulated industries. “If a FTC lawyer sees one of these red flags, you could attract some very unwanted attention from the government,” Messing noted.

Recently, the FTC has increased its focus on paid links, content and reviews. While the FTC requires mandatory disclosures, it doesn’t specify how those disclosures should be made. This can lead to confusion as to what the FTC considers adequate disclosure, and Messing said he expects the FTC to issue guidance on disclosures in the SEO, social media and mobile devices areas. “There are certain ecommerce laws that desperately need clarification,” said Messing.

Messing stated that clients need to ask what their SEO company is doing and SEOs companies need to tell them, because ultimately, both can be held liable for unfair or deceptive content. He recommends ensuring that all claims made in SEO content be easily substantiated, and recommended building SEO through goodwill. “In the context of regulated industries,” he said, “consumers often visit healthcare or financial websites when they have a specific problem. If you provide them with valuable, reliable and understandable information, they will reward you with their loyalty.”

Messing cautioned companies to be careful of what information they collect for behavioral advertising, and to consider the privacy ramifications. “Data is currency, but the more data a company holds, the more potential liability it is exposed to.” Messing expects further developments in privacy law, possibly in the form of legislation. In the meantime, he recommends using data responsibly, and in accordance with the data’s sensitivity. “Developing policies for data collection, retention and deletion is crucial. Make sure your policies accurately reflect your practices.” Finally, Messing noted that companies lacking a robust compliance program governing collection, protection and use of personal information may face significant risk of a data breach or legal violation, resulting litigation, and a hit to their bottom lines. He recommends speaking to a law firm that is experienced in privacy and legal compliance for businesses to ensure that your practices do not attract regulatory attention.

I will be speaking at SES New York 2012 conference about emerging legal issues in search engine optimization and online behavioral advertising. The panel will discuss  Legal Considerations for Search & Social in Regulated Industries:

Search in Regulated Industries
Legal Considerations for Search & Social in Regulated Industries
Programmed by: Chris Boggs
Since FDA letters to pharmaceutical companies began arriving in 2009, and with constantly increasing scrutiny towards online marketing, many regulated industries have been forced to look for ways to modify their legal terms for marketing and partnering with agencies and other 3rd party vendors. This session will address the following:

• Legal rules for regulated industries such as Healthcare/Pharmaceutical, Financial Services, and B2B, B2G
• Interpretations and discussion around how Internet Marketing laws are incorporated into campaign planning and execution
• Can a pharmaceutical company comfortably solicit inbound links in support of SEO?
• Should Financial Services companies be limited from using terms such as “best rates?

• Moderator:
  Chris Boggs, SES Advisory Board; Director, SEO, Rosetta
• Speakers:
  Thomas C. Catan, Staff Reporter, Wall Street Journal
  Aaron Messing, Esq., CIPP, Attorney, OlenderFeldman LLP
  Jamie Peck, Managing Partner, Rosetta Healthcare
  Jud Soderborg, SEO Manager, Reprise Media

Looks like it will be a great panel. I will post my slideshow after the presentation.

(Updated on 3.22.12 to add presentation below)

I had the pleasure of attending Fordham Law School’s Center on Law & Information Policy (CLIP)’s Big Data, Big Issues Symposium today, which had a fascinating lineup of many of best thinkers in privacy. The Federal Trade Commission (FTC)’s  Julie Brill, delivered a very interesting keynote address about the benefits and dangers of big data, as well as the evolving privacy concerns. The address is well worth a read.

I had a chance to chat with Commissioner Brill after her speech, and asked her thoughts about privacy policies and terms of service that allow for unrestricted and unlimited use of data, such as the infamous Skipity policies. Commissioner Brill stated that, given that most users don’t read privacy policies and terms of service, the FTC is very concerned by these types of one-sided policies. She mentioned that  the aggregation and use of data outside of the context of collection is something that the FTC hopes to issue guidance on in the future, and may well be unfair and deceptive regardless of a consumer’s consent.

My takeaway from the chat is that consumer consent will not insulate a website from FTC scrutiny, and that the reasonable expectations of a consumer may dictate the FTC’s considerations of whether a policy is unfair or deceptive, especially given that so little attention is paid to these policies by consumers. However, at the same time, it is important that policies reflect the company’s actual practices.

The Internet is fraught with privacy-related dangers for companies. For example, Facebook’s IPO filing contains multiple references to the various privacy risks that may threaten its business model, and it seems like every day a new class action suit is filed against Facebook alleging surreptitious tracking or other breaches of privacy laws. Google has recently faced a resounding public backlash related to its new uniform privacy policy, to the extent that 36 state attorney generals are considering filing suit. New privacy legislation and regulatory activities have been proposed, with the Federal Trade Commission (FTC) taking an active role in enforcing compliance with the various privacy laws. The real game changer, however, might be the renewed popularity of “Do Not Track”, which threatens to upend the existing business models of online publishers and advertisers. “Do Not Track” is a proposal which would enable users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms.

To understand the genesis of “Do Not Track” it is important to understand what online tracking is and how it works. If you visit any website supported by advertising (as well as many that are not), a number of tracking objects may be placed on your device. These online tracking technologies take many forms, including HTTP cookies, web beacons (clear GIFs), local shared objects or flash cookies, HTML5 cookies, browser history sniffers and browser fingerprinting. What they all have in common is that they use tracking technology to observe web users’ interests, including content consumed, ads clicked, and other search keywords and conversions  to track online movements, and build an online behavior profiles that are used to determine which ads are selected when a particular webpage is accessed. Collectively, these are known as behavioral targeting or advertising. Tracking technologies are also used for other purposes in addition to behavioral targeting, including site analytics, advertising metrics and reporting, and capping the frequency with which individual ads are displayed to users.

The focus on behavioral advertising by advertisers and ecommerce merchants stems from its effectiveness. Studies have found that behavioral advertising increases the click through rate by as much as 670% when compared with non-targeted advertising. Accordingly, behavioral advertising can bring in an average of 2.68 more revenue than of non-targeted advertising.

If behavioral advertising provides benefits such as increased relevance and usefulness to both advertisers and consumers, how has it become so controversial? Traditionally, advertisers have avoided collecting personally identifiable information (PII), preferring anonymous tracking data. However, new analytic tools and algorithms make it possible to combine “anonymous” information to create detailed profiles that can be associated with a particular computer or person. Formerly anonymous information can be re-identified, and companies are taking advantage in order to deliver increasingly targeted ads. Some of those practices have led to renewed privacy concerns. For example, recently Target was able to identify that a teenager was pregnant – before her father had any idea. It seems that Target has identified certain patterns in expecting mothers, and assigns shoppers a “pregnancy prediction score.” Apparently, the father was livid when his high-school age daughter was repeatedly targeted with various maternity items, only to later find out that, well, Target knew more about his daughter than he did (at least in that regard). Needless to say, some PII is more sensitive than others, but it is almost always alarming when you don’t know what others know about you.

Ultimately, most users find it a little creepy when they find out that Facebook tracks your web browsing activity through their “Like” button, or that detailed profiles of their browsing history exist that could be associated with them. According to a recent Gallup poll, 61% of individuals polled felt the privacy intrusion presented by tracking was not worth the free access to content. 67% said that advertisers should not be able to match ads to specific interests based upon websites visited.

The wild west of internet tracking may soon be coming to a close. The FTC has issued its recommendations for Do Not Track, which they recommend be instituted as a browser based mechanism through which consumers could make persistent choices to signal whether or not they want to be tracked or receive targeted advertising. However, you shouldn’t wait for an FTC compliance notice to start rethinking your privacy practices.

It goes without saying that companies are required to follow the existing privacy laws. However, it is important to not only speak with a privacy lawyer to ensure compliance with existing privacy laws and regulations (the FTC compliance division also monitors whether companies comply with posted privacy policies and terms of service) but also to ensure that your tracking and analytics are done in an non-creepy, non-intrusive manner that is clearly communicated to your customers and enables them to opt-in, and gives them an opportunity to opt out at their discretion. Your respect for your consumers’ privacy concerns will reap long-term benefits beyond anything that surreptitious tracking could ever accomplish.