Supreme Court of California Decision Upholds Promotional E-mail Sender's Method of Avoiding E-mail Filters

Posted on July 1, 2010 by Kevin Khurana

As a result of a recent Supreme Court of California decision, businesses may find it a little easier to send commercial e-mail advertisements. On June 21, 2010, the Supreme Court of California held that Vonage did not violate California law by sending commercial e-mail advertisements to individuals from multiple domain names for the purpose of bypassing e-mail filters. Kleffman v. Vonage Holdings Corp., No. S169195 (Cal. filed June 21, 2010).   

In March 2007, Craig E. Kleffman initiated a class action suit in California state court against Vonage Holdings Corp. and certain of its subsidiaries (collectively “Vonage”). Kleffman’s claim arose because Vonage sent him 11 unsolicited commercial e-mail advertisements using 11 different domain names. Id. at 3.

Kleffman alleged that Vonage used these multiple domain names in order to deliberately trick e-mail filters into believing that there were multiple senders (when in fact, all sites were under the control of Vonage). Kleffman alleged that this violated California Business and Professions Code § 17529.5(a)(2), which states that it is unlawful to advertise in a commercial e-mail if the e-mail “contains or is accompanied by falsified, misrepresented, or forged header information.” Id. at 1.

Vonage removed the case to the U.S. District Court for the Central District of California and was granted a dismissal. Kleffman appealed to the U.S. Court of Appeals for the Ninth Circuit which certified the central issue to the Supreme Court of California: “Does sending unsolicited commercial e-mail advertisements from multiple domain names for the purpose of bypassing spam filters constitute falsified, misrepresented, or forged header information under . . . § 17529.5(a)(2)?” Id. at 5.   

 

Noting that the domain names from which Vonage sent its e-mail advertisements were fully traceable to Vonage’s marketing agents, the Supreme Court of California found that “. . . an e-mail with an accurate and traceable domain name makes no affirmative representation or statement of fact that is false.” Id. at 16. The court also wrote that the state legislature did not intend to prohibit the use of multiple domain names and did not “make it unlawful to use a domain name in a single e-mail that does not make it clear the identity of either the sender or the merchant-advertiser on whose behalf the e-mail advertisement is sent.” Id. at 14.     
Tags: , , , , , ,

FTC Provides Last Clear Chance for Industry to Self-Police in a Target-Rich Environment

Posted on February 17, 2009 by Proskauer Rose LLP

On February 12, 2009, the FTC issued its long-anticipated Staff Report on Self-Regulatory Principles for Online Behavioral Advertising. The revised Self-Regulatory Principles are the result of a year of study of the more than 60 comments provided by industry, advocacy organizations, academics, and individual consumers in response to the FTC’s proposed self-regulatory principles issued in late 2007. For more on the history, see our prior posts on the history here, here, here, and here.

Not surprisingly, the FTC made clear that “these Principles are guidelines for self-regulation and do not affect the obligation of any company (whether or not covered by the Principles) to comply with all applicable federal and state laws.” And the Principles themselves, set forth below, largely reflect existing FTC law in this area. For example, it is well established that a company may not unilaterally alter its policies and use previously collected data in a manner that materially differs from the terms under which the data was originally collected. See In the Matter of Gateway Learning Corp., FTC Docket No. C-4120 (Sept. 10, 2004).

The FTC defines online behavioral advertising as “the tracking of a consumer’s online activities over time– including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests.” The newly revised Principles now explicitly carve out “first party” advertising, where no data is shared with third parties, and contextual advertising, where an ad is based on a single visit to a web page or single search query.

Our challenge at the Proskauer Privacy Law Blog is to synthesize a 55 page Staff Report and two concurrences from Commissioners Harbour and Leibowitz into a pithy, easily digestible blog post. Hmmm. Well, we thought we would start with the Principles themselves. But first, a couple of observations. 

 

Observation number one – the Report frequently goes out of its way to note the eroding distinction between traditional personal identifying information (“PII”) such as name, address and Social Security, and non-PII such as IP address. As noted in the Executive Summary, “staff believes that the Principles should apply to data that could reasonably be associated with a particular consumer or computer or other device, regardless of whether the data is ‘personally identifiable’ in the traditional sense. Indeed, in the context of online behavioral advertising, rapidly changing technologies and other factors have made the line between personally identifiable and non-personally identifiable information increasingly unclear. Moreover, this approach is consistent with existing self-regulatory efforts in this area.” Those blurring lines and increasingly complex technology and advertising practices promise to pose considerable challenges for the construction of clear and user-friendly consumer privacy notices.

 

Observation number two -- the Report makes clear that disclosures regarding the collection of PII and non-PII for purposes of behavioral marketing should be made separate from the traditional privacy policy.  “Staff recognizes that it is now customary to include most privacy disclosures in a website’s privacy policy. Unfortunately, as noted by many of the commenters and by many participants at the FTC’s November 2007 Town Hall, privacy policies have become long and difficult to understand, and may not be an effective way to communicate information to consumers. Staff therefore encourages companies to design innovative ways – outside of the privacy policy – to provide behavioral advertising disclosures and choice options to consumers.”  The Staff Report highlights certain recommendations made by commenters that “appear promising. For example, a disclosure (e.g., 'why did I get this ad?') that is located in close proximity to an advertisement and links to the pertinent section of a privacy policy explaining how data is collected for purposes of delivering targeted advertising, could be an effective way to communicate with consumers. . . . Staff encourages these efforts and notes that they may be most effective if combined with consumer education programs that explain not only what information is collected from consumers and how it is used, but also the tradeoffs involved – that is, what consumers obtain in exchange for allowing the collection and use of their personal information.”

 

So, without further ado, here are the Principles. They provide for: (1) transparency and consumer control; (2) reasonable security, and limited data retention, for consumer data; (3) affirmative express consent for material changes to existing privacy promises; and (4) affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising. The bolded italicized language below represents the FTC staff’s own annotations showing changes from the first version in late 2007.

 

(1)        Transparency and Consumer Control

 

Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option. Where the data collection occurs outside the traditional website context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy-to-use, etc.)

 

 

(2)               Reasonable Security, and Limited Data Retention, for Consumer Data

 

 

Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company. Companies should also retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

 

 

(3)               Affirmative Express Consent for Material Changes to Existing Privacy Promises

 

 

As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use previously collected data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.

 

(4)               Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising

 

Companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.

 

We will have future occasion to discuss other elements of the FTC’s Report, but it is clear this will not be the last we hear from the FTC on this issue. “Looking forward, the Commission will continue to monitor the marketplace closely so that it can take appropriate action to protect consumers. During the next year, Commission staff will evaluate the development of self-regulatory programs and the extent to which they serve the essential goals set out in the Principles; conduct investigations, where appropriate, of practices in the industry to determine if they violate Section 5 of the FTC Act or other laws; meet with companies, consumer groups, trade associations, and other stakeholders to keep pace with changes; and look for opportunities to use the Commission’s research tools to study developments in this area.”
Tags: , , , , , , , , , , , , , , , , , , , , , , ,

Update: Deep Discussion of DPI

Posted on July 29, 2008 by Brendon Tavelli

On July 17, 2008, the House Telecommunications and Internet Subcommittee examined the practice of deep packet inspection (DPI), a method for networks and third parties to determine what information users (identified by IP addresses or random ID numbers) are searching for and accessing on the Internet in order to tailor more relevant advertising based on an individual’s interests. DPI is often cookie-based and does not link personally identifiable information with user surfer behavior.

The House Subcommittee’s hearing focused on whether the online advertising industry should be required to use opt-in systems, or whether current opt-out systems adequately protect consumers’ privacy. The July 17 hearing is the latest in a series of efforts by regulators and legislators to better understand behavioral targeting.

As discussed here in our posts, in December 2007, the Federal Trade Commission issued for public comment proposed online behavioral advertising principles designed to guide the industry in self regulation. The proposed principles state that websites should provide clear notice when they collect an individual’s information and that data collectors should obtain affirmative, express consent before using certain categories of sensitive data for marketing purposes.  The FTC is in the process of reviewing and evaluating dozens of comments filed in response to the proposed principles.

On July 9, 2008, the Senate Committee on Commerce, Science, and Transportation held a hearing to consider the current state of the online advertising industry and the potential impact on user privacy. Industry representatives and consumer advocates, including Microsoft Corp., NebuAd Inc., the Center for Democracy and Technology, Google Inc., the Competitive Enterprise Institute, and Facebook Inc., testified. As noted in the FTC’s press release of July 9, according to the testimony of Lydia Parnes, Director of the FTC's Bureau of Consumer Protection, “behavioral advertising may provide a variety of benefits to consumers, including free content, personalization of ads, and a potential reduction in unwanted advertising. Consumer research has shown that consumers value online ads that are more personalized. These ads may facilitate shopping for specific products. Further, behavioral advertising may help subsidize and support a diverse range of free online content and services that might otherwise not be available or that consumers would have to pay for, for example, blogging, search engines, and instant access to news and other information.”

This is certainly not the end of the discussion – the industry awaits the FTC’s completion of its review regarding the proposed self-regulatory principles, and Congressional leaders have stated their intent to further explore behavioral targeting.

The author thanks Proskauer summer associate Julie Shah for her substantial contribution to this post.
Tags: , , , , , ,