Site Targeting "Tweenagers" Misses the Mark: FTC Announces Settlement of Alleged COPPA Violations

The Federal Trade Commission recently announced its settlement with the operator of www.skidekids.com concerning allegations that the operator violated the Children’s Online Privacy Protection Act Rule (“COPPA Rule”) by collecting personal information about children without obtaining parental consent. Skid-e-kids, a social networking site directed at children ages 7-14, allows children to do many of the things (e.g., share pictures and video) that adults do on Facebook and other popular social networking sites. In fact, according to the FTC, Skid-e-kids advertises itself as the “Facebook and Myspace for kids.”

To get online at www.skidekids.com, users must provide personal information such as their name, email address, date of birth and city. The site’s published privacy policy purported to require that child users provide a parent’s valid email address in order to activate their account and to facilitate communications between Skid-e-kids and parents concerning the site and their child’s account. But according to the FTC, the site operator never collected any parent’s email address and failed to obtain verifiable parental consent to collect personal information from children under 13. In doing so, the FTC said, the site operator violated both the FTC Act (by misrepresenting its privacy practices in the privacy policy) and the COPPA Rule (by improperly collecting children’s personal information).

For Skid-e-kids, the FTC’s settlement means remedial measures, such as destroying all of the information collected from children in violation of the COPPA Rule, providing links to online educational material, and retaining an online privacy professional or joining an approved COPPA safe harbor program to oversee applicable COPPA-covered websites; an injunction against future violations of COPPA and misrepresentations about the collection of children’s information; and a $100,000 civil penalty (all but $1,000 of which may be suspended if the operator demonstrates an inability to pay).

For the rest of us, the settlement is a good reminder that the FTC is staunchly committed to protecting children’s privacy. So when it comes to collecting personal information from children online, it’s important to do it right . . . or not at all.

We Were Wrong About the Third Time Being A Charm: FTC Delays Enforcement of Red Flags Rule Yet Again

Today, at the urging of Members of Congress, the Federal Trade Commission (“FTC”) announced that it will delay enforcement of its Red Flags Rule for the fourth time. Financial institutions and creditors subject to enforcement by the FTC will now have until June 1, 2010 to develop written policies and procedures to detect and respond to so-called identity theft “red flags.”

The FTC’s announcement does not impact the separate timeline of the proceeding we reported on here (in which the U.S. District Court for the District of Columbia ruled that the Federal Trade Commission’s Red Flags Rules cannot be enforced against lawyers) or any possible appeals. Moreover, the FTC’s announcement does not affect other federal agencies’ ongoing enforcement of the rule as it relates to financial institutions and creditors subject to their oversight.

Doesn't Alice Live Here Anymore? FACTA and the Address Discrepancy Rule

Section 315 of FACTA requires institutions that utilize consumer reports (“users”) to develop and follow certain procedures when notified of an address discrepancy by one of the national consumer reporting agencies (“CRAs”): Equifax, Experian and TransUnion. Under FACTA, national CRAs are required to issue a “notice of address discrepancy” when an address provided by a user requesting a consumer report “substantially differs” from the address the CRA has on file for that consumer. The Address Discrepancy Rule then requires users of consumer reports to develop and implement written policies and procedures to respond to receipt of a discrepancy notice. There are two components to the policies required by the Rule: the first relates to the user’s evaluation of the address discrepancy; the second relates to the user’s potential obligation to report the consumer’s address to the CRA.

Users must establish reasonable policies to enable the user to form a reasonable belief as to whether the consumer report received actually relates to the customer in question. Users must evaluate the address discrepancy regardless of whether a new account with the customer will be opened. Policies and procedures designed to confirm whether a consumer report relates to the consumer about whom the report was requested include:

o Comparing information in the consumer report with information that the user:
    o obtains and uses to verify the consumer’s identity pursuant to Customer Identification Program rules,
    o maintains in its own records, such as applications or change of address requests, or
    o obtains from third parties;

o Verifying the information provided by the CRA with the consumer by requesting a copy of the applicant’s driver’s license or other proof of current address; and

o Other reasonable means.

In the event that a user reasonably confirms, through the policies and procedures established, that the report received belongs to the user’s customer, the user may be obligated to report the consumer’s address to the CRA that provided the notice of discrepancy. Such obligation arises if the user establishes a continuing business relationship with the customer and regularly furnishes information, regardless of the type or comprehensiveness, to that particular CRA.

           

While the Address Discrepancy Rule is designed to identify instances where a user has not received the correct consumer report for the customer inquired upon, a notice of address discrepancy may signal identity theft. Notices of address discrepancy therefore may implicate the Red Flags Rules for users that are financial institutions or creditors.

           

Also included in the Rule are special provisions regarding change-of-address notices for debit and credit card issuers. If a card issuer receives a change-of-address notice and, within 30 days, receives a request for an additional or replacement card, the card issuer must verify the address before issuing the card. The card issuer may validate the address either when receiving the change-of-address notice or shortly after receiving the request for a card. To validate the address, the issuer must either notify the cardholder at the last known address and provide the cardholder with a means of reporting any incorrect address change, or otherwise assess the validity of the change of address in accordance with its written policies and procedures established to comply with the Rule.

For the complete text of the “Address Discrepancy Rule”, please see http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf, and for more information on the Red Flags Rule: http://ftc.gov./redflagsrule. Also check out our prior discussions of the Red Flags and Address Discrepancy Rules. 

 

Proskauer summer associate Rebecca Guttman contributed to this post.     

FTC Provides Last Clear Chance for Industry to Self-Police in a Target-Rich Environment

On February 12, 2009, the FTC issued its long-anticipated Staff Report on Self-Regulatory Principles for Online Behavioral Advertising. The revised Self-Regulatory Principles are the result of a year of study of the more than 60 comments provided by industry, advocacy organizations, academics, and individual consumers in response to the FTC’s proposed self-regulatory principles issued in late 2007. For more on the history, see our prior posts here, here, here, and here.

Not surprisingly, the FTC made clear that “these Principles are guidelines for self-regulation and do not affect the obligation of any company (whether or not covered by the Principles) to comply with all applicable federal and state laws.” And the Principles themselves, set forth below, largely reflect existing FTC law in this area. For example, it is well established that a company may not unilaterally alter its policies and use previously collected data in a manner that materially differs from the terms under which the data was originally collected. See In the Matter of Gateway Learning Corp., FTC Docket No. C-4120 (Sept. 10, 2004).

The FTC defines online behavioral advertising as “the tracking of a consumer’s online activities over time – including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests.” The newly revised Principles now explicitly carve out “first party” advertising, where no data is shared with third parties, and contextual advertising, where an ad is based on a single visit to a web page or single search query.

Our challenge at the Proskauer Privacy Law Blog is to synthesize a 55-page Staff Report and two concurrences from Commissioners Harbour and Leibowitz into a pithy, easily digestible blog post. Hmmm. Well, we thought we would start with the Principles themselves. But first, a couple of observations.

Observation number one – the Report frequently goes out of its way to note the eroding distinction between traditional personal identifying information (“PII”) such as name, address and Social Security, and non-PII such as IP address. As noted in the Executive Summary, “staff believes that the Principles should apply to data that could reasonably be associated with a particular consumer or computer or other device, regardless of whether the data is ‘personally identifiable’ in the traditional sense. Indeed, in the context of online behavioral advertising, rapidly changing technologies and other factors have made the line between personally identifiable and non-personally identifiable information increasingly unclear. Moreover, this approach is consistent with existing self-regulatory efforts in this area.” Those blurring lines and increasingly complex technology and advertising practices promise to pose considerable challenges for the construction of clear and user-friendly consumer privacy notices.

 

Observation number two – the Report makes clear that disclosures regarding the collection of PII and non-PII for purposes of behavioral marketing should be made separate from the traditional privacy policy. “Staff recognizes that it is now customary to include most privacy disclosures in a website’s privacy policy. Unfortunately, as noted by many of the commenters and by many participants at the FTC’s November 2007 Town Hall, privacy policies have become long and difficult to understand, and may not be an effective way to communicate information to consumers. Staff therefore encourages companies to design innovative ways – outside of the privacy policy – to provide behavioral advertising disclosures and choice options to consumers.” The Staff Report highlights certain recommendations made by commenters that “appear promising. For example, a disclosure (e.g., ‘why did I get this ad?’) that is located in close proximity to an advertisement and links to the pertinent section of a privacy policy explaining how data is collected for purposes of delivering targeted advertising, could be an effective way to communicate with consumers. . . . Staff encourages these efforts and notes that they may be most effective if combined with consumer education programs that explain not only what information is collected from consumers and how it is used, but also the tradeoffs involved – that is, what consumers obtain in exchange for allowing the collection and use of their personal information.”

So, without further ado, here are the Principles. They provide for: (1) transparency and consumer control; (2) reasonable security, and limited data retention, for consumer data; (3) affirmative express consent for material changes to existing privacy promises; and (4) affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising. The bolded italicized language below represents the FTC staff’s own annotations showing changes from the first version in late 2007.

 

(1) Transparency and Consumer Control

Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option. Where the data collection occurs outside the traditional website context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy-to-use, etc.).

(2) Reasonable Security, and Limited Data Retention, for Consumer Data

Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company. Companies should also retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

(3) Affirmative Express Consent for Material Changes to Existing Privacy Promises

As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use previously collected data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.

(4) Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising

Companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.

We will have future occasion to discuss other elements of the FTC’s Report, but it is clear this will not be the last we hear from the FTC on this issue. “Looking forward, the Commission will continue to monitor the marketplace closely so that it can take appropriate action to protect consumers. During the next year, Commission staff will evaluate the development of self-regulatory programs and the extent to which they serve the essential goals set out in the Principles; conduct investigations, where appropriate, of practices in the industry to determine if they violate Section 5 of the FTC Act or other laws; meet with companies, consumer groups, trade associations, and other stakeholders to keep pace with changes; and look for opportunities to use the Commission’s research tools to study developments in this area.”