Posted on March 27, 2008 by Timothy P. Tobin

Consumer Advocates Target Online Behavioral Advertising: Broad Regulation Threatens to Impede Delivery of Relevant Advertising and Business Models for Free Online Content

In the wake of the December 2007 FTC statement proposing self-regulatory principles for businesses that are engaged in online behavioral targeting (click here for earlier blog post), that activity has continued to provoke consumer groups who advocate for government regulation. The legislature in New York has taken notice and is considering a first of its kind bill, the Third Party Internet Advertising Consumer's Bill of Rights Act of 2008, to regulate third parties Internet advertisers’ tracking activities. The New York legislature’s activity coincides with significant opposition in the European Union to online behavioral advertising practices.   

Online behavioral targeting is the process of tracking online users’ behavior and serving ads tailored to that behavior. While the methods vary, the primary methods used online are cookie-based, conveying to advertisers web pages a user visits. Companies may also use search data. This information is sometimes combined with demographic data such as geographic location, to help further personalize advertisements. Glossed over by consumer groups is the fact that tracking usually is conducted anonymously with data collected linked only to a computer’s Internet Protocol (IP) address, not name or other personally identifiable information. In addition, responsible Internet companies are expected to provide clear notice and opportunities for consumers not to participate in such programs. Still, consumer groups have seized on reports of Internet Service Providers contracting with companies such as Nebu-Ad, Phorm and Adzilla who use so-called “deep packet inspection” to collect data on every page a user visits rather than just those that are part of an online advertising network. 

The ongoing debate over online behavioral targeting is significant not only because such targeting enables consumers to receive ads that are more relevant and useful to them, but as the FTC has recognized, restrictions that inhibit companies’ ability to obtain advertising revenue may fundamentally affect the ability of the Internet to continue to offer valuable content for free.

The New York Bill

The New York bill, with versions in the Assembly and Senate (A. 9275 and S. 6441) is based on the Network Advertising Initiative (NAI) self-regulatory principles. The NAI is a group of online advertising firms and it adopted its principles in 2002. The bill would create an extensive regime of consumer notice and choice for third party tracking of different types of consumer online activity. Absent obtaining a consumer’s prior affirmative consent or opt-in, third parties would be prohibited from collecting personally identifiable information online in some situations (when merged with certain other previously collected data). Consumers would have the right to opt-out of any online tracking involving non-personally identifiable information. The bill would require clear notice by third party advertising companies on their own sites of their profiling activities, the types of data they collect, how they use the data, the opt-out process, and the length of time the data is retained. And, it would require third party advertising companies to contractually require the sites to whom they provide services to include notice and opt-out options.  

Notably, the bill would prohibit a third party from tracking information from websites when it does not have a contractual relationship with the website owner. This provision could have major implications for the companies described above that contract with Internet Service Providers to monitor surfing activity across all websites a consumer visits. The bill is also significant because it would effectively create a national law – companies with a national online presence would necessarily be doing business in New York as well.                    

The European Union 

The press has recently reported about controversy in the U.K. concerning reports that the country’s three largest ISPs, BT, Talk Talk, and Virgin Media, had contracted with Phorm for behavioral targeting services. A U.K. think tank, the Foundation for Information Policy Research (FIPR) submitted an open letter to the U.K Information Commissioner charging that Phorm’s activities violate British privacy law and the European Union’s Data Protection Directive by not affording consumers opt-in choice for the tracking. Phorm is claiming that it uses a cookie with a random number assigned to track information so that it does not collect personally identifiable information. 

The issue of online monitoring continues to draw the attention of European Union regulators with more activity expected in the near future. Although the E.U. approved the Google-Doubleclick merger, the E.U. Article 29 Working Party comprised of data privacy regulators from each of the E.U.’s member states has stated that even search engines based outside of the E.U. may fall under the E.U. Data Protection Directive. In addition, the Chairman of the Article 29 Working Party has asserted that IP addresses standing alone constitutes personally identifiable information. This stands in contrast to how IP addresses are viewed in the U.S. The Article 29 Working Party is expected to issue a report in April concerning the privacy implications of Internet search engines, which should further address these issues.     

Industry and Interest Group Guidelines        

In addition to the activity discussed above, industry and consumer interest groups continue to propose new guidelines. The NAI announced late last year it is planning to revise its guidelines while just last month the Interactive Advertising Bureau – an organization comprised of many leading Internet companies – issued self-regulatory guidelines similar to the FTC’s but designed to give companies more flexibility in their approach to notice and choice. Earlier this month, the Center for Democracy and Technology issued its Privacy Principles for the Development of User Controls for Behavioral Targeting, which focuses on allowing consumers to express their preferences for behavioral targeting, having those preferences remain in place until altered by the consumer, and encouraging companies to have readily available and easily understandable policies.
Tags: , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted on March 17, 2008 by Joseph K. Wright

FTC Sets Sights on Goal: Student Lender Taken to School for Data Security Breakdowns

On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging data security practices by a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, avoid future misrepresentations about its data security practices, and receive independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine.

According to the FTC's Complaint, Goal Financial "failed to provide reasonable and appropriate security for consumers' sensitive personal information" starting no later than September 1, 2004. The company's faulty security practices allowed employees to transfer over 7000 consumer files containing personally identifying information and financial histories to third parties. Additionally, in 2006 a Goal Financial employee allegedly sold company hard drives containing sensitive personal information of approximately 34,000 consumers in readable text.

The complaint identified five specific security failures:

  • failure to adequately assess risks to the information stored on the network and in paper files,
  • failure to adequately restrict access to personal information to authorized employees only,
  • failure to implement a comprehensive information security program,
  • failure to provide adequate training about handling and protecting personal information and responding to security incidents, and
  • failure to require third-party service providers by contract to protect the security and confidentiality of personal information.

The FTC Complaint charged Goal Financial with violating the FTC Act by disseminating a false or misleading privacy policy that claimed to "implement[] reasonable and appropriate measures to protect personal information from unauthorized access." Because Goal Financial qualifies as a "financial institution" under the Gramm-Leach-Bliley Act, the Complaint also alleged violations of the GLBA Safeguards Rule and the GLBA Privacy Rule. The Safeguards Rule allegation reflected the company's failure to identify privacy risks and design appropriate safeguards, while the Privacy Rule charge stemmed from the company's privacy policy and notices inaccurately representing the actual security of consumer information.

The public comment period on the proposed consent order runs until April 3, after which the FTC will decide whether to finalize the order.
Tags: , , , , , , , , ,
Posted on February 26, 2008 by Nancy Savitt

Caution: Children's E-Cards Could Result in COPPA Issues

The Federal Trade Commission has quietly changed its position on the level of parental consent required under the Children’s Online Privacy Protection Act (“COPPA”) for e-cards sent from a website directed to children.

Under COPPA, websites directed to children under 13 are required to obtain parental consent prior to the collection of personal information – including an email address or a first and last name – from children under 13. There are certain exceptions to this requirement, including the so-called “one-time use” exception, which permits websites directed to children to collect an email address to respond once to a child’s specific request, provided that the website deletes that email address after doing so. The FTC had taken the position that an e-card – which typically permits a child to send a message to a friend’s email account – fell under this exception. Thus, no parental consent was required.

At the end of last year, however, the FTC amended its “Frequently Asked Questions about the Children’s Online Privacy Protection Rule,” available at http://www.ftc.gov/privacy/coppafaqs.shtm, and specifically noted in response to the FAQ concerning e-cards (FAQ 44) that “where an operator’s e-card or forward-to-a-friend system discloses the sender’s email address or first and last name in the message, the operator must obtain verifiable parental consent before such collection and disclosure.” Accordingly, operators of websites directed to children must now comply with COPPA’s verifiable parental consent provisions before permitting children under 13 to send e-cards that disclose their email addresses or full names.
Tags: , , ,
Posted on February 1, 2008 by Brendon Tavelli

For Companies Whose Data Security Practices Are Lacking, Life is [Not So] Good

The Federal Trade Commission announced on January 17, 2008 that it has agreed in principle to a consent order with Life is good, Inc. and Life is good Retail, Inc. (collectively “Life is good”) resolving allegations that the apparel company collected sensitive information from consumers and failed to secure it in compliance with its own privacy and security policies. The consent order against Life is good, among other things, prohibits future deceptive privacy and security claims and requires the company to implement a comprehensive information security program that includes biennial audits by an independent security professional for the next twenty years.

Life is good designs and sells retail apparel and accessories sporting the slogan “life is good.” In addition to selling at retail outlets across the country, the company offers its products for sale through the website lifeisgood.com. According to the FTC’s complaint, Life is good collected sensitive information from its online customers, including names, addresses and credit card information. The company’s privacy policy stated that “[w]e are committed to maintaining our customers’ privacy. We collect and store information you share with us . . . in a secure file and [this information] is used to tailor our communications with you.” The FTC’s complaint alleged that, contrary to these claims, Life is good failed to protect and secure the sensitive information it maintained. In particular, the FTC alleged that Life is good stored consumers’ information indefinitely on their network in clear, readable text and failed to do the following:

  • properly evaluate the vulnerability of their computer systems to commonly known or reasonably foreseeable attacks, including SQL injection attacks;
  • implement simple, free or low-cost, and readily available defenses to such attacks;
  • employ readily available security measures to monitor and control connections from the network to the internet; and
  • employ reasonable measures to detect unauthorized access to consumer information.

According to the FTC’s complaint, these failures allowed a hacker to use SQL injection attacks to obtain credit card numbers, expiration dates and security codes for thousands of customers between June and August 2006. The FTC complaint further alleged that Life is good’s failure to take reasonable and appropriate measures to protect consumer information against unauthorized access contravened the company’s explicit representations to consumers. 

The FTC’s proposed settlement prohibits Life is good from making deceptive claims about its privacy and security practices and policies. The settlement also requires the company to institute a comprehensive privacy and security program that includes administrative, technical and physical safeguards for consumer information. Specifically, the company is required to:

  • designate at least one employee to coordinate the security program;
  • identify material internal and external risks to the security and confidentiality of consumer information and evaluate the sufficiency of existing safeguards;
  • design and implement reasonable safeguards to control any identified risks and regularly test the effectiveness of such safeguards;
  • develop reasonable procedures for selecting and supervising service providers that handle customers’ personal information; and
  • evaluate and adjust the company’s information security program based on the results of monitoring, material changes to the company’s operations, or other circumstances that may affect the program’s effectiveness.

Life is good must also retain an independent, third-party auditor to assess the company’s security program within 180 days after a final order is served and once every other year thereafter for the next twenty years. The auditor must certify that the program both meets or exceeds the requirements established by the consent order and is operating at a level that provides reasonable assurance that consumer information is being adequately protected. The proposed settlement will remain open to public comment through February 18, 2008.
Tags: ,
Posted on January 4, 2008 by Joseph K. Wright

First FACTA Disposal Rule FTC Settlement Leaves American United Down in the Dumps

On December 18, the FTC announced a settlement in its 15th case (and its first in 13 months) addressing the data security practices of companies handling sensitive consumer information. American United Mortgage Company agreed to pay a $50,000 penalty for failing to implement reasonable safeguards to protect customer information and failing to provide customers with privacy notices.

American United is the first FTC action taken pursuant to the Disposal Rule, promulgated in 2005, of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. The complaint filed in the Northern District of Illinois in mid-December, asserted that the Northbrook, Illinois-based mortgage company disposed of several dozen consumers’ personally identifying information by leaving intact hundreds of documents in a nearby unsecured dumpster, in some cases in open trash bags. Indeed, even after the FTC provided written notice to American United that disposal of documents containing consumers’ personal information in this manner created a risk of unauthorized access, "on at least two occasions, additional intact American United documents containing consumers’ personal information were found in and around the same dumpster adjacent to American United’s office."

In addition to the fine, the stipulated judgment and order requires American United to obtain an immediate third-party audit of its privacy safeguards and ongoing audits every two years for a decade. American United is also permanently enjoined from further violations of the FACTA Safeguards, Disposal, and Privacy rules.

The Disposal Rule, 16 C.F.R. 682, requires that any company collecting consumer information for a business purpose must dispose of that information in a way that prevents unauthorized access and misuse of the data. "Disposal" includes any discarding, abandonment, sale, donation or transfer of information.
Tags: , , , , , , , ,
Posted on December 20, 2007 by Timothy P. Tobin

FTC Staff Issues Proposed Self Regulatory Principles for Behavioral Advertising and Seeks Comment

FTC staff issued a statement today proposing four “self-regulatory” principles to guide businesses engaged in online behavioral advertising. FTC staff also seeks public comments on these principles as well as additional information on what other uses businesses are making of online tracking data. Interested parties can submit comments by February 22, 2008. 

The statement, titled “Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles” follows from the FTC’s town hall meeting held in early November 2007. There, FTC considered privacy issues raised by behavioral advertising and heard from consumer interest groups and businesses’ alike.  The agenda and links to material related to the town hall meeting can be found here.    

The self-regulatory approach taken by FTC staff recognizes the benefits behavioral advertising provides. Specifically, FTC staff recognizes that ad-supported content makes newspapers and other valuable information from around the world more readily available to consumers online and that many consumers value personalized ads. FTC staff is, however, concerned that behavioral advertising and the related data collection “is largely invisible and unknown to consumers.” The four principles FTC staff has proposed to address concerns over transparency and consumer choice state that: 

(1) every website that collects data for behavioral advertising should include “a clear, concise, consumer-friendly and prominent statement” that (a) consumer data is being collected online for behavioral advertising, and (b) consumers can exercise choice on collection of their data for such purposes, with a “clear, easy-to-use, and accessible method” provided for doing so;  

(2) a company engaged in behavioral targeting should reasonably secure the data collected and only retain it “as long as necessary to fulfill a legitimate business purpose or a law enforcement need”;

(3) a company should obtain consumers' "affirmative express consent" if it is going to use personal data for a materially different purpose than was disclosed when the data was collected; and 

(4) a company should obtain "affirmative express consent" before collecting "sensitive" consumer data (such as health data, sexual orientation, and children's data). FTC staff is seeking further comment on the types of data that constitute "sensitive" information and whether instead of consumer choice, a prohibition on collection of such data would be a better approach; 

FTC staff seeks comments on the four proposed principles generally, including their feasibility and the costs and benefits of offering choices for behavioral advertising. FTC also staff seeks additional information on the secondary uses of tracking data that extend beyond behavioral marketing. Specifically, FTC staff seeks information on what secondary uses of tracking data is occurring, which of those uses raises privacy concerns, whether those concerns extend to non-personally identifiable information in addition to personally identifiable information, and whether some heightened form of protection relating to secondary uses is warranted. 

The FTC vote to approve release of the principles was 5-0. The related FTC press release is available here.
Tags: , , , , , , , , , , ,