Do I really have to obtain consent from all my customers to make a change to my privacy policy?

"Do I really have to obtain consent from all my customers to make a change to my privacy policy?  No one else seems to be following that rule."

We get this question all the time.  It is understandable, given that we often watch Web-based companies expand their usage of consumer data without the affirmative consent of their users.  (In other words, they add a new offering to their service that expands their use or sharing of consumer data, and they default their users into the new offering.) Sometimes they back off temporarily when faced with media backlash or Congressional or regulatory scrutiny, but the pattern nonetheless persists in the long term.  Sometimes we scratch our heads in wonder, since the FTC has taken the position in countless actions for over a decade that if you make a material, adverse, retroactive change to your privacy policy, you need to obtain consent from consumers to apply your new policy to the data you collected under your old policy.

Last week, the FTC gave us their latest message.  This time, it took the form of a settlement with Facebook in an action alleging that Facebook engaged in unfair and deceptive trade practices by, among other things, altering or enhancing their service in a manner that expanded their sharing of user data, without obtaining the consent of their users.  (See our recent blog post detailing the settlement in full.)

In Facebook’s defense, they actually did, at least in some instances, take steps to obtain the consent of their users by requiring users to click through a multipage Privacy Wizard that walked users through the revised privacy settings.  However, the FTC alleged that the Privacy Wizard process was in itself deceptive, since the explanatory wording used on the Wizard spun the changes as affording more control on the part of users, when in fact, according to the FTC, the changes reduced user control over how their data would be shared with third parties and overrode users’ existing privacy settings.  

Under the terms of Facebook’s settlement with the FTC, Facebook denied all the FTC’s legal and factual allegations (with the exception of those regarding jurisdiction), so an outsider’s only way of knowing the facts at hand is through his experience as an observant user of Facebook over the course of years, or, alternatively, trust in the accuracy of media coverage of Facebook’s privacy changes over the last several years.

It is worth noting that Facebook is not required to pay a fine under the settlement.  However, as part of the settlement, Facebook is required to suffer the scrutiny of the FTC for the next twenty years. For example, as is characteristic of the FTC’s privacy settlements, Facebook must retain an independent third party to assess and report on its privacy practices biennially.  It also must implement a privacy program that entails taking a “privacy-by-design” approach to its product development going forward, and it must retain for the FTC’s review: (i) all widely disseminated materials relating to its privacy practices and changes thereto, including any backup materials, for the next three years; (ii) all consumer complaints for six months after receipt; (iii) all documents prepared by or on behalf of Facebook that contradict, qualify or call into question its compliance with the settlement terms for five years from receipt thereof; (iv) documentation of changes that Facebook makes to its privacy policies along with documentation of users’ consent and their settings prior to consent for three years from the date of such documents’ preparation or dissemination; and (v) all backup materials of its biennial privacy assessments for three years after each such assessment.

What is the takeaway for other businesses?  One, the FTC wants businesses to disclose important changes in their privacy practices (such as how they share data with third parties) conspicuously, and not merely in their privacy policies and other legal boilerplate.  Two, the FTC wants businesses to obtain affirmative consent from their customers when they make material adverse retroactive changes to their privacy policies. (They can obtain user consent the next time the user interacts with the business, such as when the user returns to the business’s Web site.) Three, the FTC wants businesses to be upfront and straight with their customers when they solicit their consent to new uses they want to make of user data – not to “spin” changes that expand the business’s usage rights as if they are enhancing user privacy.  
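The three takeaways above describe a control a product team can actually build: version the policy, detect when a new version expands sharing, gate the expanded sharing on affirmative consent collected at the user's next interaction, and keep a record of the consent decision together with the user's settings as they stood before it (the kind of documentation the Facebook settlement requires Facebook to retain). The following Python model is an added example, not code from the original post or from any company discussed on it; the class names, the `share_with_third_parties` setting and the sample policy versions and users are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class PolicyVersion:
    version: int
    third_party_sharing: frozenset  # categories of nonpublic data this version allows the service to share
    summary: str                    # plain-language disclosure shown outside the legal boilerplate


@dataclass
class UserRecord:
    user_id: str
    settings: dict          # the user's own privacy choices; a policy change must never rewrite these
    consented_version: int  # highest policy version the user has affirmatively accepted


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    from_version: int
    to_version: int
    accepted: bool
    settings_before: dict   # snapshot of the user's settings as they stood when consent was sought
    recorded_at: str


class ConsentLedger:
    """Append-only record of consent decisions, retained for later review."""

    def __init__(self):
        self.events = []

    def record(self, event):
        self.events.append(event)

    def for_user(self, user_id):
        return [e for e in self.events if e.user_id == user_id]


def is_material_adverse(old, new):
    """Adverse in this model means the new version permits sharing of a category the old one did not."""
    return bool(new.third_party_sharing - old.third_party_sharing)


def solicit_consent(user, old, new, ledger, accepted, now=None):
    """Run on the user's next interaction with the service (e.g. next site visit).

    The caller has displayed ``new.summary`` conspicuously and passes the user's
    answer in ``accepted``. The decision is logged together with a snapshot of the
    user's pre-consent settings, and the settings themselves are left untouched.
    A change that is not adverse needs notice only, so it takes effect without a
    consent prompt but is still logged.
    """
    now = now or datetime.now(timezone.utc)
    if not is_material_adverse(old, new):
        accepted = True
    ledger.record(ConsentEvent(user.user_id, old.version, new.version, accepted,
                               dict(user.settings), now.isoformat()))
    if accepted:
        user.consented_version = new.version
    return accepted


def may_share(user, category, policy):
    """Gate for sharing nonpublic data with a third party under ``policy``.

    Sharing is allowed only if the policy version permits that category, the user
    has affirmatively accepted that version, and the user's own settings allow it.
    Data collected under an older version therefore stays under the older rules
    until consent is on record.
    """
    return (category in policy.third_party_sharing
            and user.consented_version >= policy.version
            and user.settings.get("share_with_third_parties", False))


def run_demo():
    """Constructed scenario: version 2 newly permits sharing friend lists and likes."""
    v1 = PolicyVersion(1, frozenset(), "We do not share your nonpublic data with third parties.")
    v2 = PolicyVersion(2, frozenset({"friend_list", "likes"}),
                       "We will share your friend list and likes with partner applications.")
    ledger = ConsentLedger()
    alice = UserRecord("alice", {"share_with_third_parties": True, "profile_visibility": "friends"}, 1)
    bob = UserRecord("bob", {"share_with_third_parties": True, "profile_visibility": "friends"}, 1)

    before = may_share(alice, "likes", v2)          # False: no consent to v2 yet
    solicit_consent(alice, v1, v2, ledger, accepted=True)
    solicit_consent(bob, v1, v2, ledger, accepted=False)
    return {
        "adverse": is_material_adverse(v1, v2),
        "alice_before": before,
        "alice_after": may_share(alice, "likes", v2),     # True: consent to v2 is on record
        "bob_after": may_share(bob, "likes", v2),         # False: declined, old rules still apply
        "bob_settings_intact": bob.settings["profile_visibility"] == "friends",
        "alice_snapshot": ledger.for_user("alice")[0].settings_before,
    }


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noting is that the gate lives at the point of sharing, not at the point of policy publication: publishing version 2 changes nothing for a user until that user's own `consented_version` catches up, and declining leaves both the data and the user's settings under the old rules.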

It is worth noting that the statute that the FTC invokes to set these standards (the FTC Act) does not contain any of these requirements.  It simply prohibits unfair and deceptive trade practices.  Yet, each time we see an example of the FTC’s enforcement of this law in the privacy space, we learn something about the FTC’s interpretation of the law.  (It is not often challenged, although it could be by a defendant so inclined.) And anything new and interesting we learn from these settlements is what we at Proskauer impart to you.

Facebook Accedes to the FTC's Poke, Settles FTC's Charges

Facebook recently agreed to settle charges by the Federal Trade Commission (FTC) that Facebook violated the FTC Act. The FTC-Facebook settlement, which is still subject to final FTC approval, prohibits Facebook from making misrepresentations about the privacy or security of its users’ personal information, requires Facebook to obtain users’ affirmative consent before enacting changes that override the users’ privacy preferences, and requires Facebook to prevent anyone from accessing material posted by a user more than 30 days after such user deleted his or her account. Similar to the March 2011 FTC-Google settlement, the Facebook settlement requires that Facebook enact a comprehensive privacy program and not misrepresent its compliance with the US-EU Safe Harbor Principles. As we previously reported, these two requirements are relatively new FTC settlement terms, which were first used in March 2011.

Indeed, the Facebook settlement signals that the FTC is likely to continue requiring comprehensive privacy programs and enforcing the US-EU Safe Harbor Principles in a substantive manner, two things that the FTC had not done before March 2011. Such enforcement is no surprise, given that the FTC has advocated a “privacy by design” approach since at least December 2010. Specifically, the FTC’s proposed settlement requires Facebook to establish and maintain “a comprehensive privacy program” to “address privacy risks related to the development and management of new and existing products and services for consumers” and “protect the privacy and confidentiality of covered information.” 

In addition, the settlement also requires Facebook, before sharing a user’s nonpublic personal information with a third party in excess of the user’s privacy settings, to “clearly and prominently disclose” (outside of the Facebook privacy policy or other boilerplate) the categories of nonpublic user information that will be disclosed, the identity or specific categories of such third parties, and that such sharing exceeds the restrictions imposed by the users’ privacy settings. Importantly, Facebook must also obtain a user’s affirmative express consent before sharing the user data in the new circumstance. The settlement also imposes a requirement for Facebook to retain an independent third party to biennially assess its privacy practices vis-à-vis the settlement terms for the next twenty years.


The FTC’s eight-count Complaint that underlies the settlement alleges that numerous Facebook initiatives violated prior representations about the extent to which users’ information was accessible by third parties. For instance, the FTC alleged that Facebook, despite allowing users to restrict access to profile information to specific individuals or groups of people, permitted users’ information to be accessed by third-party applications on the Facebook platform which the users’ friends used. The FTC also alleged that in December 2009, Facebook made public certain information that users had previously designated private and failed to disclose that users could no longer restrict access to certain information or that their existing choices would be overridden.

The FTC also alleged that Facebook’s December 2009 changes were both deceptive (because Facebook failed to adequately disclose the changes) and unfair (because Facebook retroactively applied the changes to personal information that it had previously collected from users, without their informed consent).


According to the FTC, Facebook’s conduct harmed consumers because the alleged violations:

  • Made certain users “subject to the risk of unwelcome contacts;”
  • Exposed “potentially controversial political views or other sensitive information to third parties;”
  • Exposed the user’s list of friends to third parties, “thereby exposing potentially sensitive affiliations;” and
  • Revealed “potentially embarrassing or political images to third parties.”


The FTC’s complaint also alleged other privacy violations by Facebook, including the following:

  • Facebook permitted apps on its platform to access more personal information about the app’s user than was necessary for the app’s purpose;
  • Facebook permitted apps to access personal information about a user’s friends even if the friends never granted the app authorization to access their personal information;
  • Facebook’s advertising program shared identifiable information with advertisers, contrary to representations it had made to its users;
  • A little-used “Facebook Verified App” badge, whereby Facebook, for a fee, would “verify the security of Verified Apps,” was deceptive because Facebook did no more to verify applications bearing that badge than it did with any other platform application;
  • Facebook retained and continued to make accessible users’ photos and videos, even after users deleted or deactivated their accounts, contrary to Facebook’s prior representations; and
  • Facebook falsely certified that it had complied with the US-EU Safe Harbor Principles, particularly the principles of Notice and Choice, when it was not in compliance with them.


In settling the FTC’s charges, Facebook did not admit the truth of any of the FTC’s substantive or factual allegations, aside from jurisdictional ones.


This settlement demonstrates the importance of having a comprehensive privacy program in place that ensures that privacy protections are incorporated into web applications from the ground up. Any changes to a website or application should respect users’ prior privacy choices and obtain a user’s affirmative consent before altering or overriding those prior choices. The requirement that Facebook enact a comprehensive privacy program (e.g., “privacy-by-design”), a settlement term that the FTC first included in Google’s March 2011 settlement, demonstrates that this requirement will likely be a staple of future privacy-related settlements. The settlement also reaffirms the importance of compliance with the US-EU Safe Harbor framework for companies that have opted into this program.

CAN of Worms?: New Decision Opens CAN-SPAM Private Right of Action to Non-ISPs


A recent decision in the Western District of Washington broadly defines the reach of the private right of action under the federal CAN-SPAM statute. In that case, Haselton v. Quicken Loans Inc., W.D. Wash., C-07-1777, 10/14/08, the court held that a company had standing to sue alleged spammers even though it is not an Internet service provider (ISP) and does not provide e-mail accounts to its customers.


Plaintiff Peacefire’s website allows its users to circumvent website filtering and content-control software. Peacefire successfully argued that it is an “Internet access service” (IAS) within the protection of CAN-SPAM. CAN-SPAM uses the COPPA definition of IAS: “a service that enables users to access content, information, electronic mail, or other services offered over the Internet, and may also include access to proprietary content, information, and other services as part of a package of services offered to consumers. Such term does not include telecommunications services.” 47 U.S.C. § 231(e)(4); 15 U.S.C. § 7702(11). Defendants unsuccessfully argued that only ISPs have standing to sue as IASs. The court rejected that argument, holding that Peacefire qualifies as an IAS because it provides “further access” to the Internet, even though it does not provide consumers with an initial connection point as an ISP. The plain language of this definition, according to the court, does not require an IAS to provide Internet connectivity to end users.


In holding that Peacefire is an IAS, the court relied in part on previous rulings, such as the one we discussed here, that social networking sites such as Facebook and MySpace are IASs even though they are not ISPs.


The court also held that Peacefire was “adversely affected” by the alleged spamming activity even though it does not provide consumer e-mail accounts. The court agreed that the alleged harms, “reduc[ing] their network speeds, impair[ing] their ability to notify subscribers about new ways to access services, and requir[ing] them to increase server and memory capacity,” were cognizable under CAN-SPAM. The court recognized that CAN-SPAM’s legislative history contemplated precisely these kinds of harms, in addition to the harm caused to individual e-mail account holders.


The Haselton ruling clarifies that potential CAN-SPAM plaintiffs extend beyond ISPs. While the court recognized that a private right of action requires greater harm than the spam-related harms suffered by all consumers and businesses, it defined the range of harms broadly enough to allow a wide range of IASs to qualify.

State Attorneys General Announce Agreement with MySpace to Protect Children Online

Yesterday, attorneys general from 49 states (all but California’s) and the District of Columbia announced a sweeping agreement with MySpace under which the company will adopt new measures to protect children online. This announcement culminates many months of negotiations between MySpace and a task force of the attorneys general, led by Richard Blumenthal, the Connecticut Attorney General, and Roy Cooper, the North Carolina Attorney General, and is reflective of the intense pressure on web 2.0 sites to protect children online. We previously posted about that pressure, reporting on state attorneys general investigations of MySpace and Facebook here and the subsequent New York attorney general settlement with Facebook here. The new agreement with MySpace is available as an attachment to the press release on the North Carolina Attorney General’s website.

The agreement is notable for its breadth. It goes well beyond the scope of the federal Children’s Online Privacy Protection Act (“COPPA”), which applies to the collection of personal information online from children 12 and under. The agreement includes some protections designed to protect teenagers under 18 with stronger protections for those under 16. Under the agreement, MySpace will take some readily achievable operational steps and work towards certain longer term goals such as developing new procedures and tools to protect children.

The more immediate steps include the following:

  • continuing to dedicate resources to educate parents and educators on child safety online;
  • using “best efforts” to acknowledge consumer complaints within 24 hours of receipt with a follow-up of the steps taken within 72 hours;
  • retaining an “Independent Examiner” to evaluate and examine handling of complaints;
  • continuing to cooperate with law enforcement on complaints, which includes continuing the law enforcement hotline number and creating a law enforcement liaison;
  • implementing a series of operational changes including:
    • “age locking” to reduce the number of times a user can change their age above or below the 18 year old threshold;
    • age restrictions on certain website functions that make it harder for adults to contact children such as limiting the ability of users over 18 to search in school sections; limiting the ability of users under 18 to designate themselves as swingers; limiting being able to browse certain categories such as “body type”, “smoke” and “drink”; limiting group invites; and automatically designating profiles as private for those under 16;
    • an image monitoring policy with technology to hash inappropriate images;
    • limitations on tobacco and alcohol advertisements to those under 18 and 21 respectively;
    • expanded age specific classifications for events;
    • expanded reporting functionality for violations including a drop down for categories such as pornography, cyberbullying and unauthorized use;
    • enhancing safety tools for members such as the ability to set profiles to private, the ability to block others and requiring those under 18 to affirmatively consent to having reviewed posted safety tips before registration; and
    • enhanced tools for parents such as the ability to remove a child’s profile.

MySpace also has agreed to engage in the following longer term efforts:  

  • organizing an industry-wide Internet Safety Technical Task Force to develop online safety tools – specifically, improved online identity authentication tools – with quarterly reports to the attorneys general’s task force;
  • designating a senior executive to work with the task force;
  • holding regular meetings with the attorneys general to discuss website design and functionality improvements to protect children;
  • hiring a third party to build and host a database of email addresses for parents to register users under 18 (to prevent child registration at social networking sites);
  • blocking access by those under 18 to profiles related to the entertainment industry;
  • increasing staff for monitoring and increasing the use of textual searching and other technologies for monitoring.

The agreement is set forth as a statement of principles, and the parties have agreed to attempt to achieve the foregoing objectives, among others. According to reports, the attorneys general and MySpace continue to differ on the feasibility of new age authentication and verification technologies. The attorneys general have not ruled out legal action in the future if sufficient progress is not achieved.

New York Attorney General Settlement with Facebook Creates New Model to Protect Children Online

In follow-up to our earlier blog post regarding recent pressure on social networking sites from law enforcement, New York Attorney General Andrew Cuomo announced yesterday that his office had entered into a settlement with Facebook. The settlement resolves the Attorney General’s investigation of Facebook’s failure to fulfill public claims it made about protecting minors, which the Attorney General believed were deceptive acts and practices and false advertising in violation of New York consumer protection laws. Facebook did not admit to any wrongdoing.  

The settlement is particularly noteworthy for its resulting “new model” to protect children. As set forth in the settlement agreement and settlement terms, Facebook will:

  • Disclose the newly implemented safety procedures on its website as specified by the agreement and ensure that all other public statements made by Facebook about safety are consistent with the specified language.
  • Accept complaints about nudity or pornography, harassment or unwelcome contact confidentially via hyperlinks placed throughout Facebook’s website as well as via an independent email to abuse@facebook.com.
  • Respond to and begin addressing complaints about nudity or pornography, harassment or unwelcome contact within 24 hours.
  • Report to the complainant the steps it has taken to address the complaint within 72 hours where the complaint has been submitted via an independent email to abuse@facebook.com.
  • Allow Facebook’s complaint review process to be examined by an Independent Safety and Security Examiner (ISSE), a third party approved by the New York State Attorney General’s Office, to report on Facebook’s compliance with the agreement.
  • Provide a prominent and easily accessible hyperlink to allow a Facebook user or their parent/guardian to give feedback to the Independent Safety and Security Examiner (ISSE) about Facebook’s performance in responding to complaints. 
  • Submit to the Office reports prepared by the Independent Safety and Security Examiner (ISSE) evaluating Facebook’s performance in responding to complaints. The Examiner will report bi-annually and may recommend additional safety measures concerning complaint handling, as appropriate.

Both Attorney General Cuomo and Facebook are touting the agreement as setting new industry standards to protect children. Notably, Connecticut Attorney General Richard Blumenthal, co-chair of the national social networking task force of all 50 state Attorneys General, issued a press release stating the settlement terms were not strong enough. He is urging social networking sites to increase the use of filtering technology and monitors to screen content, identity and age verification for anyone 18 and older, parental consent for anyone under 18, the hiding of children’s profiles from adults, certain restrictions on advertising to children, and other measures. In light of the settlement, the likely continued interest by law enforcement, and the potential dangers to children, social networking sites should consider assessing their security practices and policies.           

Social Networking Sites Feel The Heat From Law Enforcement

Kids like social networking sites, most notably MySpace and Facebook. So it is not surprising that law enforcement is scrutinizing how the sites protect children. Recent subpoenas issued to Facebook by New York Attorney General Andrew Cuomo and New Jersey Attorney General Anne Milgram are illustrative.

Both subpoenas sought information about Facebook’s Internet safety and security policies. The New York subpoena, issued last month, also sought information concerning Facebook’s complaint resolution procedures. In its subpoena cover letter to Facebook, Attorney General Cuomo noted Facebook’s public representations concerning how it responds to reports of pornographic material and inappropriate contact with minors. It also described its undercover investigation of Facebook. According to the letter, the investigation revealed pornographic and other inappropriate content readily available on the site. In addition, after investigators set up profiles as young teenage users, they received inappropriate sexual advances. The investigators filed complaints about these issues through Facebook’s complaint procedures. The letter notes various instances of non-responsiveness or delayed response to such complaints. The New Jersey subpoena, issued earlier this month and described here, sought information from Facebook concerning convicted New Jersey sex offenders that Facebook has identified as site users. Facebook previously informed the New Jersey Attorney General it had removed sex offenders with profiles matching individuals listed on the New Jersey sex offender registry. Attorney General Milgram also sent letters to eleven other social networking sites requesting that they compare their registrants against the state’s sex offender list.

These actions from New York and New Jersey are the latest steps by attorneys general from all 50 states to pressure social networking sites to enhance security protocols, specifically parental controls and age verification tools, because of the vulnerability of children to online predators and inappropriate content. In particular, since early last year, Richard Blumenthal, the Connecticut Attorney General, and Roy Cooper, the North Carolina Attorney General, have led a task force of the attorneys general calling on social networking sites to increase protections for children. Some of the steps the task force has urged of social networking sites have included enhanced age verification tools, restrictions on the ability of children to make their profiles available to others in the absence of parental consent, increased staff and technology dedicated to screening inappropriate content, giving parents software to block the site, and raising the minimum age of participation to 16.

This Spring, MySpace was in the news after receiving a letter from eight attorneys general demanding information concerning registered sex offenders on its site. After initially asserting it was unable to legally comply, MySpace struck an agreement with the attorneys general about the form of the requests. MySpace later announced it had removed more than 29,000 profiles of sex offenders from its site.

North Carolina and Connecticut are among states that introduced legislation requiring age verification measures on websites. Those bills have not passed but are expected to be introduced in future legislative sessions.

Businesses developing social networking sites that may attract children should not only comply with the Children’s Online Privacy Protection Act (“COPPA”) and its regulations concerning parental consent when collecting personal information of children, but should also be aware of increased state activity that may require enhanced practices. Companies should consider scrubbing user profiles against sex offender registries and utilizing enhanced tools for age verification. Finally, companies should be sure they are not making any security representations they are not abiding by or with which they cannot comply.