The FTC Has Your Back, Even When It's Naked: FTC Orders P2P Program's Default File Sharing Settings Changed

On October 12, 2011, the FTC announced that it, along with FrostWire LLC and FrostWire’s managing member, Angel Leon (collectively, “FrostWire”), agreed to a stipulated final order for permanent injunction resulting from the FTC’s complaint alleging that (a) users of FrostWire’s Android mobile file-sharing application were likely to unwittingly share personal files stored on their mobile devices with other P2P users after installing and running the application, and (b) FrostWire misrepresented to users of FrostWire’s desktop file-sharing application that certain files they downloaded would not be shared with other P2P users.

Specifically, the complaint alleged that the Android application shared, by default, all content on the user’s phone, whether preexisting, downloaded or user-generated (e.g. “intimate pictures,” as characterized by the FTC).  If the user wanted to limit the sharing by changing the application’s settings, the user had to “laboriously unshare individual files” by affirmatively deselecting specific files not to share as opposed to affirmatively selecting specific files to share. The FTC also noted that there was no notice that adequately informed users of the consequences of the mobile application’s default settings, which amounted to unfair acts or practices in violation of Section 5 of the FTC Act.  With regard to the FrostWire desktop application, the FTC alleged that, by not clearly disclosing that items downloaded and saved by a user would be automatically shared in addition to the items in another folder specifically designated for sharing, FrostWire violated Section 5(a) of the FTC Act which prohibits deceptive acts or practices.  According to the FTC, users believed that the default settings would allow only the sharing of content in the shared folder, when, in actuality, the application shared all content the user downloaded.

Pursuant to the settlement, FrostWire:

  • is prohibited from misrepresenting its file-sharing settings and must clearly and prominently disclose to the user which user-generated files and which downloaded files will be shared and with whom; 
  • must modify its applications so that the user must affirmatively select which user-generated and downloaded content to share with other P2P users (as opposed to a default setting which allows for sharing);
  • must update older versions of the mobile and desktop applications to reflect the terms of the settlement; and
  • is subject to standard compliance monitoring and reporting obligations.

Perhaps if FrostWire had implemented a “privacy by design” program, as proposed by the FTC in its December 2010 Preliminary FTC Staff Report, it would not have found itself addressing the FTC's allegations.  One thing is certain: this action demonstrates that, as mobile applications that make sharing content ever easier flood the market, the FTC is keeping a vigilant eye on companies that operate in this space so that users can take “intimate pictures” without having to worry about unwittingly sharing them with other P2P users.

COPPA Violations? Cop a Settlement for $3 Million

Playdom, Inc., an online game company owned by Disney Enterprises, Inc., and Playdom’s Chief Executive Officer, Howard Marks (the “Defendants”), agreed to pay $3 million to settle charges brought by the Federal Trade Commission (“FTC”) that they violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting, using and disclosing the personal information of children under the age of 13 without their parents’ prior, verifiable consent.  According to the FTC’s settlement announcement, the $3 million settlement is the largest civil penalty ever for a COPPA violation.

The FTC’s complaint, filed May 11, 2011, alleged that the Defendants operated 20 “virtual world” gaming websites and that when children registered on the websites, the Defendants collected children’s personal information, like their ages and email addresses. Between 2006 and 2010, around 403,000 children registered for Defendants’ general audience websites, while an additional 821,000 users registered for www.ponystars.com, the Defendants’ website directed to children. Once registered, children could create their own personal profile pages, which included things like name, location, email address and instant messaging information. The FTC claimed that the Defendants failed to provide sufficient notice on their websites of what information they collected from children and how they used and disclosed such information. The FTC also claimed that the Defendants failed to provide direct notice to the children’s parents of their collection, use and disclosure practices with regard to such information and failed to obtain parents’ verifiable consent to their practices.   

The FTC’s complaint also alleged that the Defendants failed to adhere to the promises set forth in their privacy policy, specifically, that they would neither collect the email addresses of children without parental consent, nor permit children under the age of 13 to post personal information on their websites.

It is worth noting that Playdom took ownership of the websites when it acquired Acclaim Games, Inc. in May 2010, and Disney subsequently acquired Playdom in August 2010. Although most of the violations occurred when Acclaim Games was operating independently, its acquirers ended up getting stuck with the tab.

Never Make a Promise You Can't Keep - Especially in Your Privacy Policy

Expect the unexpected from your Web site privacy policy. In a handful of cases, including two which were recently decided, companies have been thwarted in various, unexpected ways by the commitments made in their online privacy policies.

Are your intellectual property litigators reading your privacy policy?

In FenF, LLC v. Healio Health, Inc., No. 5:08-CV-404 (N.D. OH July 8, 2010), the court held that a provision from a settlement agreement entered into by FenF, LLC (“FenF”), the plaintiff, and Healio Health, Inc. (“Healio”), the defendant, which required Healio to transfer certain customer information to FenF was unenforceable because doing so would result in a violation of Healio’s privacy policy. The settlement agreement FenF was trying to enforce against Healio arose from Healio’s alleged infringement of FenF’s intellectual property. As a part of the settlement agreement, Healio agreed to transfer to FenF certain customer lists containing customer information. However, Healio promised in its privacy policy that it would not share its customers’ information with third parties. The court reasoned that “[a]llowing Plaintiff to obtain that information without any type of notice to the customers would result in manifest unfairness to those customers, who are not a party to this action and may very well have conditioned their purchases from Healio Health on that company’s promise to keep their customer information confidential.” Id. at 5. 

When you wrote your privacy policy, were you thinking about “the end”?

XY

Recently, the Federal Trade Commission (“FTC”) intervened in a bankruptcy case in which purchasers were attempting to acquire the personal information of subscribers of XY, which, before filing for bankruptcy, operated a magazine and website that targeted young gay men. When it was operating, XY collected sensitive data from anywhere between 500,000 to 1 million subscribers. XY promised its subscribers that their information was safe by stating on its website, “Our privacy policy is simple: we never share your information with anybody.”

The FTC wrote in its letter, dated July 1, 2010, to the counsel of the purchasers that the acquisition of such information would violate the FTC Act, because XY’s sale of subscriber information after XY explicitly promised not to share such information would be an unfair and deceptive act or practice. The FTC requested that XY destroy the subscriber information at issue due to the highly sensitive nature of the information. On August 3, 2010, in response to the FTC’s concerns, the U.S. Bankruptcy Court for the District of New Jersey approved the parties’ settlement agreement, which stipulated that the information at issue would be destroyed.

Toysmart.com

The XY bankruptcy was not the first time that the sale of customer lists of a company in bankruptcy was thwarted due to promises made in its privacy policy. In 2000, Toysmart.com, LLC (“Toysmart”), an electronic toy retailer, announced that it was going out of business and sought offers for its customer lists which contained personally identifiable information of its customers. The FTC opposed such a sale and brought suit against Toysmart based on Toysmart’s promise in its privacy policy that it would not share its customers' personally identifiable information with third parties. Federal Trade Comm'n v. Toysmart.com, LLC, 2000 WL 34016434 (D. Mass. July 21, 2000) (Unreported). A group of state attorneys general took similar actions to prevent the sale of the lists. Ultimately, Disney, the majority owner of Toysmart, agreed to purchase and destroy Toysmart's customer lists.

Verified Identity Pass

Years after the Toysmart case, Verified Identity Pass, Inc. (“VIP”) encountered a similar situation. VIP was a company that allowed airport travelers to expeditiously pass through security checkpoints. The company filed for bankruptcy on December 1, 2009. VIP sought an acquirer, but the U.S. District Court for the Southern District of New York issued an injunction preventing VIP from selling or otherwise disclosing personal information from its database because VIP promised in its membership agreement and related privacy policy that it would not sell or distribute such information. On May 4, 2010, VIP was acquired by Alclear, LLC. The U.S. Bankruptcy Court for the Southern District of New York appointed a consumer privacy ombudsman to oversee the transfer of the personally identifiable information. VIP was forced to amend its Privacy Policy to reflect the fact that it would now be transferring its customers’ personal information to third parties. In addition, VIP had to send notice of the changes to its privacy policy to each affected customer and had to give each affected customer the option to opt-out of the transfer by electing to have his or her information destroyed.

The Bankruptcy Code

The Bankruptcy Code was amended in 2005 to specifically address the sale of a debtor company’s customer information as part of its liquidation. Now, under section 363(b)(1) of Chapter 11 of the Bankruptcy Code, the appointed trustee may sell the property of an estate; however, if the debtor has a privacy policy prohibiting the transfer of personally identifiable information to persons not affiliated with the debtor and that policy is in effect on the date of the commencement of the case, then the trustee may not sell such information. A sale of such information may nevertheless occur in the following circumstances: if the sale is consistent with the privacy policy (e.g., there is a carve-out in the privacy policy for a sale of the personally identifiable information), or if a court appoints a consumer privacy ombudsman in accordance with § 332 of the Bankruptcy Code and the court approves the sale.

Life Unlocked? FTC and 35 State Attorneys General Ding LifeLock, Inc. for Deceptive Claims and Poor Data Security

On March 9, 2010, the Federal Trade Commission and 35 state attorneys general announced a negotiated settlement with LifeLock, Inc. and its co-founders, Richard Todd Davis and Robert J. Maynard. The settlement, which will require the identity theft protection services provider to pay $11 million to the FTC and an additional $1 million to the group of participating state attorneys general, resolves charges that LifeLock misrepresented the nature and effectiveness of the identity theft protection services it offers, and made false claims about its own data security practices. Specifically, the FTC alleged that LifeLock promised its customers complete protection against all types of identity theft, but the fraud alerts that LifeLock placed on its customers’ credit files protected only against certain forms of identity theft, which did not include medical identity theft, employment identity theft or the misuse of existing accounts – the most common form of identity theft. Moreover, the FTC alleged that even with respect to new account fraud, the type of identity theft for which fraud alerts are most effective, they do not provide absolute protection. LifeLock therefore deceived consumers by making statements like “LifeLock protects against [identity theft] ever happening to you. Guaranteed.”

In the words of FTC Chairman Jon Leibowitz, “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”

The FTC further alleged that LifeLock misrepresented the company’s data security practices to its customers. Among other things, LifeLock claimed that “only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis” and promised that “all stored personal data is electronically encrypted.” In reality, according to the FTC, data was not encrypted and was not shared only on a “need to know” basis. Consequently, sensitive personal information about LifeLock customers was susceptible to exploitation by those seeking access to customer information.

In addition to carrying a hefty penalty, LifeLock’s settlement with the FTC and state attorneys general prohibits the company and its co-founders from making deceptive claims, misrepresenting the “means, methods, procedures, effects, effectiveness, coverage, or scope of any identity theft protection service,” or misrepresenting the risk of identity theft or the manner and extent to which the company’s services protect against this risk. LifeLock also agreed to implement a comprehensive information security program to protect customer information, obtain independent audits of the program every other year for the next twenty years and comply with certain record-keeping obligations. The FTC will use the settlement funds to provide refunds to LifeLock customers.

Consumer Advocacy Groups Request Federal Trade Commission Action To Stop Perceived "Threat" From Mobile Marketing

In a year when behavioral advertising was already expected to be at the top of the hot button privacy issues list, on January 13, 2008, the Center for Digital Democracy (“CDT”) and U.S. Public Interest Research Group (“US PIRG”) filed a document with the Federal Trade Commission (“FTC”) urging the FTC to investigate online mobile marketing practices, to take new actions to stop mobile marketing activities that “abuse consumer rights,” and to recommend new federal legislation and enhanced enforcement power for the FTC in this area. The document expands on the groups’ concerns about online behavioral advertising generally – the delivery of ads tailored to consumers’ interests based on browsing habits and/or consumer demographics – to the mobile space. In doing so the groups cite the potential for even greater consumer harm because of the additional possibility of location-based targeting linked to a cell phone or other mobile device that is typically tied to a single consumer who uses it for multiple applications, including voice, video and data.      

In urging FTC action, the groups’ lengthy 52-page submission focuses primarily on media reports and the marketing literature of a large number of mobile marketing companies that tout the behavioral marketing capabilities of mobile technology.  The document also acknowledges the widespread consumer benefits mobile behavioral advertising offers, including making “rich media, free offers, personalization capabilities, and discounts” more broadly available. Despite its extensive cataloguing of the vast potential for effective targeted mobile marketing, the document is short on specifics as to how these practices currently harm or are likely to harm consumer privacy or constitute unfair or deceptive trade practices under Section 5 of the FTC Act. The groups include very limited specific allegations – against only Bango Analytics, Marchex and AdMob – that relate primarily to insufficient consumer notice.

The advocacy groups’ filing follows the FTC’s late 2007 release of draft self-regulatory principles for online behavioral advertising, discussed previously at this blog here. At that time, the FTC recognized the benefit to consumers of receiving advertising more tailored to consumers’ interests and the role advertising dollars play in supporting new, innovative and free content. During 2008, the FTC accepted comments on its draft principles and is expected to issue final guidelines in the coming months. Also during 2008, state legislatures and Congress became involved in the behavioral advertising debate, as covered in this blog here and here. Meanwhile, also on January 13, 2009, the American Association of Advertising Agencies, Association of National Advertisers, Direct Marketing Association and Interactive Advertising Bureau jointly announced plans to develop enhanced self-regulatory industry guidelines for online behavioral advertising.

The CDT and U.S. PIRG filing will undoubtedly stir further debate as to whether the current regime consisting of (a) the forthcoming FTC self-regulatory online behavioral marketing principles, (b) case-by-case enforcement of unfair or deceptive trade practices under existing FTC authority, and (c) industry self-regulatory standards such as those adopted by the CTIA and the Mobile Marketing Association and expected from other industry groups, is sufficient to protect consumers in the vibrant, competitive marketplace of mobile communications, where transparency and choice can be a selling point. We will continue to update our readers on these issues as the year unfolds.

Telemarketers Beware: New FTC Restrictions on Prerecorded Calls Take Effect Soon

Although the use by businesses of prerecorded message telemarketing has been prohibited for years for most calls, many companies have continued to lawfully deliver prerecorded telemarketing calls to their existing customers or others with whom they are deemed to have an existing business relationship (“EBR”). The Federal Trade Commission’s (“FTC”) recent amendments to its Telemarketing Sales Rule (“TSR”) will greatly restrict that practice. Effective September 1, 2009, companies subject to FTC jurisdiction will not be able to make interstate prerecorded telemarketing calls to EBR consumers absent the prior express written agreement of the consumer.

Effective December 1, 2008, any company that continues to make such calls must comply with new restrictions that will continue even after September 1, 2009, when prior express written consent of the consumer is mandatory. The restrictions require that the prerecorded message: (1) state at the outset that the call recipient can ask to be placed on the caller’s company-specific do not call list; (2) make available an automated opt-out mechanism for “live” recipients of a call that enables the recipient to place the number on the company’s do not call list; and (3) if the call is answered by an answering machine or voicemail, leave a toll-free number where the recipient can call and be connected to an automated system through which they can opt out of further calls. In addition, such calls must ring for at least 15 seconds or 4 rings before they are disconnected, and any message must begin within two seconds of the call recipient’s greeting. The new TSR amendments do not govern purely informational calls (e.g., a doctor’s appointment reminder), intrastate calls, or calls made by entities not regulated by the FTC. Most of those calls will continue to be subject to Federal Communications Commission (“FCC”) rules that permit prerecorded telemarketing calls to EBR consumers, subject to the recipient requesting to be placed on a company’s own internal do not call list.

Background

Businesses engaged in telemarketing or that hire telemarketers to make calls on their behalf are potentially subject to two different federal regulatory regimes. The FTC, under the Telemarketing and Consumer Fraud and Abuse Prevention Act (“TCFAPA”), has jurisdiction over most entities engaged in interstate telemarketing. Excluded are insurance companies (to the extent they are regulated by state law), banks, certain regulated brokers, common carriers and non-profit organizations, although third-party telemarketers calling on these excepted entities’ behalf generally are subject to FTC jurisdiction. The FCC, under the Telephone Consumer Protection Act (“TCPA”), has jurisdiction over all entities engaged in telemarketing, whether interstate or intrastate. In 2003, both the FTC and the FCC enacted rules to implement the national do not call registry. Under both sets of rules, businesses could continue to make live calls to any EBR consumer even if the consumer has enrolled in the national Do Not Call registry, unless the consumer has made a “company-specific” Do Not Call request to the calling entity. EBR consumers are current customers, consumers that have purchased, rented or leased goods and services within the last 18 months, and consumers that have made an inquiry or application within the last 3 months.

The Differing FTC and FCC Approaches to Prerecorded Calls to EBR Consumers

The two agencies’ rules initially differed regarding prerecorded calls to EBR consumers. The FCC permitted such calls. The FTC, however, considered such calls to violate its rules on “call abandonment” – a rule that requires 97% of calls per day of a calling campaign to be connected to a live sales representative within two seconds of a call recipient’s completed greeting (if the call is answered by a live person and not an answering machine). In November 2004, the FTC responded to a petition for a rule change to conform its approach concerning prerecorded calls with the FCC’s rules. It issued a Notice of Proposed Rulemaking to expressly permit prerecorded calls to EBR consumers (without the calls being considered abandoned) as long as specific conditions were met. The FTC also announced it would forbear from enforcing its call abandonment restrictions on prerecorded calls to EBR consumers pending completion of its rulemaking.

Despite strong industry support for the FTC’s position in the November 2004 NPRM, the FTC on October 3, 2006, in a surprise move, announced that it was not going to adopt its November 2004 proposal and instead proposed the approach that ultimately led to its most recent rule revisions. The FTC’s rule revisions also modified the call abandonment rate to allow it to be calculated over 30 days rather than on a daily basis, which is similar to a related FCC rule provision.

Significance of the FTC Decision

The FTC’s decision has far-reaching significance for the marketing activities of the many businesses subject to FTC jurisdiction under the TCFAPA. Prerecorded calls to EBR customers made with autodialers are a cheap and efficient way for businesses to reach their existing customers and notify them of new services. Companies not subject to FTC regulation and companies that make such calls intrastate only will be able to continue to follow the FCC’s approach. Others must be aware of the FTC restrictions.

A copy of the FTC’s Federal Register notice concerning the TSR amendments is available here.

Broadband Providers Commit to Self-Regulatory Affirmative Consumer Consent Before Behavioral Tracking

Behavioral tracking of consumers online in order to deliver relevant advertising is a privacy issue that is receiving a lot of attention, and one that has been the focus of Federal Trade Commission and consumer group scrutiny. On September 25th, the United States Senate Commerce Committee held a hearing on online privacy and received commitments from the three industry representatives (from AT&T, Verizon and Time Warner Cable) that if they do deploy technologies that are able to track consumer online behavior in order to tailor advertising, consumers will have clear notice and a full opportunity to provide affirmative consent. None of the companies currently use such technologies in their roles as Internet Service Providers. The broadband providers challenged the rest of the online industry, including web site operators and application providers such as Google, to provide the same protections to consumers. Essentially, the witnesses called for an end to "opt out" when it comes to online advertising.

Dorothy Attwood, senior vice president of Public Policy and Chief Privacy Officer for AT&T, said her company was committing to a policy of “advance, affirmative consumer consent,” a phrase that she said is “generically referred to as ‘opt-in.’” Attwood made clear that a “consumer’s failure to act will not result in any collection and use by default of the consumer’s information for online behavioral advertising.” Tom Tauke, Verizon’s Executive Vice President for Public Affairs, Policy and Communications, said that any kind of consumer protection practices must include “meaningful consent” from the consumer. Tauke went on to explain that “meaningful consent” requires transparency, affirmative choice and consumer control. Peter Stern, Chief Strategy Officer for Time Warner Cable, took a similar stance and also made a strong commitment to affirmative consumer choice when it comes to displaying different online ads to a consumer based on that consumer’s behavior on unrelated web sites. Gigi Sohn, President of the public interest group Public Knowledge, applauded the companies' commitments to affirmative consumer choice but expressed concern over the activities of other companies that might deploy technology known as deep packet inspection to monitor online activity in order to deliver ads. Commerce Committee Chair Senator Byron Dorgan (D-ND) asked Ms. Sohn whether she thought there were legitimate uses for deep packet inspection notwithstanding her concerns, and she conceded that there were such legitimate uses. Her concern, she said, was not with the technology but with possible misuse of it. She called for federal regulation of online behavioral marketing. The Senators present did not express an immediate need for such legislation in light of the continuing examination of the issue and the self-regulation that is occurring.

Update: Deep Discussion of DPI

On July 17, 2008, the House Telecommunications and Internet Subcommittee examined the practice of deep packet inspection (DPI), a method for networks and third parties to determine what information users (identified by IP addresses or random ID numbers) are searching for and accessing on the Internet in order to tailor more relevant advertising based on an individual’s interests. DPI is often cookie-based and does not link personally identifiable information with user surfing behavior.

The House Subcommittee’s hearing focused on whether the online advertising industry should be required to use opt-in systems, or whether current opt-out systems adequately protect consumers’ privacy. The July 17 hearing is the latest in a series of efforts by regulators and legislators to better understand behavioral targeting.

As discussed here in our posts, in December 2007, the Federal Trade Commission issued for public comment proposed online behavioral advertising principles designed to guide the industry in self regulation. The proposed principles state that websites should provide clear notice when they collect an individual’s information and that data collectors should obtain affirmative, express consent before using certain categories of sensitive data for marketing purposes.  The FTC is in the process of reviewing and evaluating dozens of comments filed in response to the proposed principles.

On July 9, 2008, the Senate Committee on Commerce, Science, and Transportation held a hearing to consider the current state of the online advertising industry and the potential impact on user privacy. Industry representatives and consumer advocates, including Microsoft Corp., NebuAd Inc., the Center for Democracy and Technology, Google Inc., the Competitive Enterprise Institute, and Facebook Inc., testified. As noted in the FTC’s press release of July 9, according to the testimony of Lydia Parnes, Director of the FTC's Bureau of Consumer Protection, “behavioral advertising may provide a variety of benefits to consumers, including free content, personalization of ads, and a potential reduction in unwanted advertising. Consumer research has shown that consumers value online ads that are more personalized. These ads may facilitate shopping for specific products. Further, behavioral advertising may help subsidize and support a diverse range of free online content and services that might otherwise not be available or that consumers would have to pay for, for example, blogging, search engines, and instant access to news and other information.”

This is certainly not the end of the discussion – the industry awaits the FTC’s completion of its review regarding the proposed self-regulatory principles, and Congressional leaders have stated their intent to further explore behavioral targeting.

The author thanks Proskauer summer associate Julie Shah for her substantial contribution to this post.

Federal Trade Commission Announces Settlement with TJX Over Inadequate Security Practices

According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and appropriate security for consumer information. In addition to implementing a comprehensive security program, TJX will be required to obtain periodic security audits to provide reasonable assurances that personal information is being adequately protected.

In the FTC’s action against TJX, the Commission alleged that TJX failed to prevent unauthorized access to personal information on its computer networks. These failures allowed a hacker to exploit vulnerabilities and obtain tens of millions of credit and debit payment cards used at the retailer’s stores along with personal information about approximately 455,000 consumers that returned merchandise without receipts. The FTC alleged that TJX:

  • Created an unnecessary risk to personal information by storing it on and transmitting it between various computer networks in clear text;
  • Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
  • Did not require the use of strong passwords or different passwords to access different programs, computers, and networks;
  • Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
  • Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software. 

The FTC’s settlement with TJX requires the retailer to implement and maintain a comprehensive information security program that is designed to protect the security, confidentiality and integrity of personal information collected from or about consumers. The program must include certain administrative, technical and physical safeguards that are appropriate to the company’s size, the nature of its activities, and the sensitivity of the personal information it collects. In particular, TJX must:

  • Designate an employee or employees to coordinate the information security program;
  • Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place;
  • Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness;
  • Develop reasonable steps to select and oversee service providers that handle the personal information they receive from TJX; and
  • Evaluate and adjust its information security program to reflect the results of monitoring, any material changes to its operations, or other circumstances that may impact the effectiveness of the program.

In addition, TJX must retain an independent, third party security auditor to assess the sufficiency of its information security program at least once every two years for the next 20 years. This security auditor will be required to certify that the company’s security program satisfies the requirements of the consent agreement and is operating with sufficient effectiveness to provide reasonable assurance that consumers’ personal information is being protected. The FTC is not seeking any financial penalty to resolve the charges.

The proposed agreement is subject to public comment until April 28, 2008, after which the FTC will decide whether to make it final.

Consumer Advocates Target Online Behavioral Advertising: Broad Regulation Threatens to Impede Delivery of Relevant Advertising and Business Models for Free Online Content

In the wake of the December 2007 FTC statement proposing self-regulatory principles for businesses engaged in online behavioral targeting (click here for earlier blog post), that activity has continued to provoke consumer groups who advocate for government regulation. The New York legislature has taken notice and is considering a first-of-its-kind bill, the Third Party Internet Advertising Consumer's Bill of Rights Act of 2008, to regulate third-party Internet advertisers’ tracking activities. The New York legislature’s activity coincides with significant opposition in the European Union to online behavioral advertising practices.

Online behavioral targeting is the process of tracking online users’ behavior and serving ads tailored to that behavior. While the methods vary, the primary methods used online are cookie-based, conveying to advertisers the web pages a user visits. Companies may also use search data. This information is sometimes combined with demographic data, such as geographic location, to further personalize advertisements. Glossed over by consumer groups is the fact that tracking usually is conducted anonymously, with the data collected linked only to a computer’s Internet Protocol (IP) address rather than to a name or other personally identifiable information. In addition, responsible Internet companies are expected to provide clear notice and opportunities for consumers not to participate in such programs. Still, consumer groups have seized on reports of Internet Service Providers contracting with companies such as NebuAd, Phorm and Adzilla, which use so-called “deep packet inspection” to collect data on every page a user visits rather than just those that are part of an online advertising network.

The ongoing debate over online behavioral targeting is significant not only because such targeting enables consumers to receive ads that are more relevant and useful to them, but as the FTC has recognized, restrictions that inhibit companies’ ability to obtain advertising revenue may fundamentally affect the ability of the Internet to continue to offer valuable content for free.

The New York Bill

The New York bill, with versions in the Assembly and Senate (A. 9275 and S. 6441), is based on the Network Advertising Initiative (NAI) self-regulatory principles. The NAI is a group of online advertising firms, and it adopted its principles in 2002. The bill would create an extensive regime of consumer notice and choice for third-party tracking of different types of consumer online activity. Absent a consumer’s prior affirmative consent, or opt-in, third parties would be prohibited from collecting personally identifiable information online in some situations (when merged with certain other previously collected data). Consumers would have the right to opt out of any online tracking involving non-personally identifiable information. The bill would require clear notice by third-party advertising companies on their own sites of their profiling activities, the types of data they collect, how they use the data, the opt-out process, and the length of time the data is retained. And it would require third-party advertising companies to contractually require the sites to whom they provide services to include notice and opt-out options.

Notably, the bill would prohibit a third party from tracking information from websites when it does not have a contractual relationship with the website owner. This provision could have major implications for the companies described above that contract with Internet Service Providers to monitor surfing activity across all websites a consumer visits. The bill is also significant because it would effectively create a national law – companies with a national online presence would necessarily be doing business in New York as well.

The European Union

The press has recently reported on controversy in the U.K. concerning reports that the country’s three largest ISPs, BT, TalkTalk, and Virgin Media, had contracted with Phorm for behavioral targeting services. A U.K. think tank, the Foundation for Information Policy Research (FIPR), submitted an open letter to the U.K. Information Commissioner charging that Phorm’s activities violate British privacy law and the European Union’s Data Protection Directive by not affording consumers an opt-in choice for the tracking. Phorm claims that it uses a cookie containing a randomly assigned number to track information, so that it does not collect personally identifiable information.

The issue of online monitoring continues to draw the attention of European Union regulators, with more activity expected in the near future. Although the E.U. approved the Google-DoubleClick merger, the E.U. Article 29 Working Party, comprised of data privacy regulators from each of the E.U.’s member states, has stated that even search engines based outside the E.U. may fall under the E.U. Data Protection Directive. In addition, the Chairman of the Article 29 Working Party has asserted that an IP address standing alone constitutes personally identifiable information. This stands in contrast to how IP addresses are viewed in the U.S. The Article 29 Working Party is expected to issue a report in April concerning the privacy implications of Internet search engines, which should further address these issues.

Industry and Interest Group Guidelines

In addition to the activity discussed above, industry and consumer interest groups continue to propose new guidelines. The NAI announced late last year that it is planning to revise its guidelines, and just last month the Interactive Advertising Bureau – an organization comprised of many leading Internet companies – issued self-regulatory guidelines similar to the FTC’s but designed to give companies more flexibility in their approach to notice and choice. Earlier this month, the Center for Democracy and Technology issued its Privacy Principles for the Development of User Controls for Behavioral Targeting, which focuses on allowing consumers to express their preferences for behavioral targeting, having those preferences remain in place until altered by the consumer, and encouraging companies to have readily available and easily understandable policies.

FTC Sets Sights on Goal: Student Lender Taken to School for Data Security Breakdowns

On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging data security practices by a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, avoid future misrepresentations about its data security practices, and receive independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine.

According to the FTC's Complaint, Goal Financial "failed to provide reasonable and appropriate security for consumers' sensitive personal information" starting no later than September 1, 2004. The company's faulty security practices allowed employees to transfer over 7,000 consumer files containing personally identifying information and financial histories to third parties. Additionally, in 2006 a Goal Financial employee allegedly sold company hard drives containing sensitive personal information of approximately 34,000 consumers in readable text.

The complaint identified five specific security failures:

  • failure to adequately assess risks to the information stored on the network and in paper files,
  • failure to adequately restrict access to personal information to authorized employees only,
  • failure to implement a comprehensive information security program,
  • failure to provide adequate training about handling and protecting personal information and responding to security incidents, and
  • failure to require third-party service providers by contract to protect the security and confidentiality of personal information.

The FTC Complaint charged Goal Financial with violating the FTC Act by disseminating a false or misleading privacy policy that claimed to "implement[] reasonable and appropriate measures to protect personal information from unauthorized access." Because Goal Financial qualifies as a "financial institution" under the Gramm-Leach-Bliley Act, the Complaint also alleged violations of the GLBA Safeguards Rule and the GLBA Privacy Rule. The Safeguards Rule allegation reflected the company's failure to identify privacy risks and design appropriate safeguards, while the Privacy Rule charge stemmed from the company's privacy policy and notices inaccurately representing the actual security of consumer information.

The public comment period on the proposed consent order runs until April 3, after which the FTC will decide whether to finalize the order.

First FACTA Disposal Rule FTC Settlement Leaves American United Down in the Dumps

On December 18, the FTC announced a settlement in its 15th case (and its first in 13 months) addressing the data security practices of companies handling sensitive consumer information. American United Mortgage Company agreed to pay a $50,000 penalty for failing to implement reasonable safeguards to protect customer information and failing to provide customers with privacy notices.

American United is the first FTC action taken pursuant to the Disposal Rule, promulgated in 2005 under the Fair and Accurate Credit Transactions Act (FACTA) of 2003. The complaint, filed in the Northern District of Illinois in mid-December, asserted that the Northbrook, Illinois-based mortgage company disposed of several dozen consumers’ personally identifying information by leaving hundreds of intact documents in a nearby unsecured dumpster, in some cases in open trash bags. Indeed, even after the FTC provided written notice to American United that disposal of documents containing consumers’ personal information in this manner created a risk of unauthorized access, "on at least two occasions, additional intact American United documents containing consumers’ personal information were found in and around the same dumpster adjacent to American United’s office."

In addition to the fine, the stipulated judgment and order requires American United to obtain an immediate third-party audit of its privacy safeguards and ongoing audits every two years for a decade. American United is also permanently enjoined from further violations of the FACTA Safeguards, Disposal, and Privacy rules.

The Disposal Rule, 16 C.F.R. 682, requires that any company collecting consumer information for a business purpose must dispose of that information in a way that prevents unauthorized access and misuse of the data. "Disposal" includes any discarding, abandonment, sale, donation or transfer of information.

FTC Staff Issues Proposed Self Regulatory Principles for Behavioral Advertising and Seeks Comment

FTC staff issued a statement today proposing four “self-regulatory” principles to guide businesses engaged in online behavioral advertising. FTC staff also seeks public comments on these principles as well as additional information on what other uses businesses are making of online tracking data. Interested parties can submit comments by February 22, 2008.

The statement, titled “Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles,” follows from the FTC’s town hall meeting held in early November 2007. There, the FTC considered privacy issues raised by behavioral advertising and heard from consumer interest groups and businesses alike. The agenda and links to material related to the town hall meeting can be found here.

The self-regulatory approach taken by FTC staff recognizes the benefits behavioral advertising provides. Specifically, FTC staff recognizes that ad-supported content makes newspapers and other valuable information from around the world more readily available to consumers online and that many consumers value personalized ads. FTC staff is, however, concerned that behavioral advertising and the related data collection “is largely invisible and unknown to consumers.” The four principles FTC staff has proposed to address concerns over transparency and consumer choice state that:

(1) every website that collects data for behavioral advertising should include “a clear, concise, consumer-friendly and prominent statement” that (a) consumer data is being collected online for behavioral advertising, and (b) consumers can exercise choice on collection of their data for such purposes, with a “clear, easy-to-use, and accessible method” provided for doing so;

(2) a company engaged in behavioral targeting should reasonably secure the data collected and only retain it “as long as necessary to fulfill a legitimate business purpose or a law enforcement need”;

(3) a company should obtain consumers' "affirmative express consent" if it is going to use personal data for a materially different purpose than was disclosed when the data was collected; and

(4) a company should obtain "affirmative express consent" before collecting "sensitive" consumer data (such as health data, sexual orientation, and children's data). FTC staff is seeking further comment on the types of data that constitute "sensitive" information and whether, instead of consumer choice, a prohibition on collection of such data would be a better approach.

FTC staff seeks comments on the four proposed principles generally, including their feasibility and the costs and benefits of offering choices for behavioral advertising. FTC staff also seeks additional information on secondary uses of tracking data that extend beyond behavioral marketing. Specifically, FTC staff seeks information on what secondary uses of tracking data are occurring, which of those uses raise privacy concerns, whether those concerns extend to non-personally identifiable information in addition to personally identifiable information, and whether some heightened form of protection relating to secondary uses is warranted.

The FTC vote to approve release of the principles was 5-0. The related FTC press release is available here.