Do I really have to obtain consent from all my customers to make a change to my privacy policy?

"Do I really have to obtain consent from all my customers to make a change to my privacy policy?  No one else seems to be following that rule."

We get this question all the time.  It is understandable, given that we often watch Web-based companies expand their usage of consumer data without the affirmative consent of their users.  (In other words, they add a new offering to their service that expands their use or sharing of consumer data, and they default their users into the new offering.) Sometimes they back off temporarily when faced with media backlash or Congressional or regulatory scrutiny, but the pattern nonetheless persists in the long term.  Sometimes we scratch our heads in wonder, since the FTC has taken the position in countless actions for over a decade that if you make a material, adverse, retroactive change to your privacy policy, you need to obtain consent from consumers to apply your new policy to the data you collected under your old policy.

Last week, the FTC gave us their latest message.  This time, it took the form of a settlement with Facebook in an action alleging that Facebook engaged in unfair and deceptive trade practices by, among other things, altering or enhancing their service in a manner that expanded their sharing of user data, without obtaining the consent of their users.  (See our recent blog post detailing the settlement in full.)

In Facebook’s defense, they actually did, at least in some instances, take steps to obtain the consent of their users by requiring users to click through a multipage Privacy Wizard that walked users through the revised privacy settings.  However, the FTC alleged that the Privacy Wizard process was in itself deceptive, since the explanatory wording used on the Wizard spun the changes as affording more control on the part of users, when in fact, according to the FTC, the changes reduced user control over how their data would be shared with third parties and overrode users’ existing privacy settings.  

Under the terms of Facebook’s settlement with the FTC, Facebook denied all the FTC’s legal and factual allegations (with the exception of those regarding jurisdiction), so an outsider’s only way of knowing the facts at hand is through his experience as an observant user of Facebook over the course of years, or, alternatively, trust in the accuracy of media coverage of Facebook’s privacy changes over the last several years.

It is worth noting that Facebook is not required to pay a fine under the settlement.  However, as part of the settlement, Facebook is required to suffer the scrutiny of the FTC for the next twenty years. For example, as is characteristic of the FTC’s privacy settlements, Facebook must retain an independent third party to assess and report on its privacy practices biennially.  It also must implement a privacy program that entails taking a “privacy-by-design” approach to its product development going forward, and it must retain for the FTC’s review: (i) all widely disseminated materials relating to its privacy practices and changes thereto, including any backup materials, for the next three years; (ii) all consumer complaints for six months after receipt; (iii) all documents prepared by or on behalf of Facebook that contradict, qualify or call into question its compliance with the settlement terms for five years from receipt thereof; (iv) documentation of changes that Facebook makes to its privacy policies along with documentation of users’ consent and their settings prior to consent for three years from the date of such documents’ preparation or dissemination; and (v) all backup materials of its biennial privacy assessments for three years after each such assessment.

What is the takeaway for other businesses?  One, the FTC wants businesses to disclose important changes in their privacy practices (such as how they share data with third parties) conspicuously, and not merely in their privacy policies and other legal boilerplate.  Two, the FTC wants businesses to obtain affirmative consent from their customers when they make material adverse retroactive changes to their privacy policies. (They can obtain user consent the next time the user interacts with the business, such as when the user returns to the business’s Web site.) Three, the FTC wants businesses to be upfront and straight with their customers when they solicit their consent to new uses they want to make of user data – not to “spin” changes that expand the business’s usage rights as if they are enhancing user privacy.  

It is worth noting that the statute that the FTC invokes to set these standards (the FTC Act) does not contain any of these requirements.  It simply prohibits unfair and deceptive trade practices.  Yet, each time we see an example of the FTC’s enforcement of this law in the privacy space, we learn something about the FTC’s interpretation of the law.  (It is not often challenged, although it could be by a defendant so inclined.) And anything new and interesting we learn from these settlements is what we at Proskauer impart to you.

Facebook Accedes to the FTC's Poke, Settles FTC's Charges

Facebook recently agreed to settle charges by the Federal Trade Commission (FTC) that Facebook violated the FTC Act. The FTC-Facebook settlement, which is still subject to final FTC approval, prohibits Facebook from making misrepresentations about the privacy or security of its users’ personal information, requires Facebook to obtain users’ affirmative consent before enacting changes that override the users’ privacy preferences, and requires Facebook to prevent anyone from accessing material posted by a user more than 30 days after such user deleted his or her account. Similar to the March 2011 FTC-Google settlement, the Facebook settlement requires that Facebook enact a comprehensive privacy program and not misrepresent its compliance with the US-EU Safe Harbor Principles. As we previously reported, these two requirements are relatively new FTC settlement terms, which were first used in March 2011.

Indeed, the Facebook settlement signals that the FTC is likely to continue requiring comprehensive privacy programs and enforcing the US-EU Safe Harbor Principles in a substantive manner, two things that the FTC had not done before March 2011. Such enforcement is no surprise, given that the FTC has advocated a “privacy by design” approach since at least December 2010. Specifically, the FTC’s proposed settlement requires Facebook to establish and maintain “a comprehensive privacy program” to “address privacy risks related to the development and management of new and existing products and services for consumers” and “protect the privacy and confidentiality of covered information.” 

In addition, the settlement also requires Facebook, before sharing a user’s nonpublic personal information with a third party in excess of the user’s privacy settings, to “clearly and prominently disclose” (outside of the Facebook privacy policy or other boilerplate) the categories of nonpublic user information that will be disclosed, the identity or specific categories of such third parties, and that such sharing exceeds the restrictions imposed by the users’ privacy settings. Importantly, Facebook must also obtain a user’s affirmative express consent before sharing the user data in the new circumstance. The settlement also imposes a requirement for Facebook to retain an independent third party to biennially assess its privacy practices vis-à-vis the settlement terms for the next twenty years.

The FTC’s eight-count Complaint that underlies the settlement alleges that numerous Facebook initiatives violated prior representations about the extent to which users’ information was accessible by third parties. For instance, the FTC alleged that Facebook, despite allowing users to restrict access to profile information to specific individuals or groups of people, permitted users’ information to be accessed by third-party applications on the Facebook platform which the users’ friends used. The FTC also alleged that in December 2009, Facebook made public certain information that users had previously designated private and failed to disclose that users could no longer restrict access to certain information or that their existing choices would be overridden.

The FTC also alleged that Facebook’s December 2009 changes were both deceptive (because Facebook failed to adequately disclose the changes) and unfair (because Facebook retroactively applied the changes to personal information that it had previously collected from users, without their informed consent).

According to the FTC, Facebook’s conduct harmed consumers because the alleged violations:

  • Made certain users “subject to the risk of unwelcome contacts;”
  • Exposed “potentially controversial political views or other sensitive information to third parties;”
  • Exposed the user’s list of friends to third parties, “thereby exposing potentially sensitive affiliations;” and
  • Revealed “potentially embarrassing or political images to third parties.”

The FTC’s complaint also alleged other privacy violations by Facebook, including the following:

  • Facebook permitted apps on its platform to access more personal information about the app’s user than was necessary for the app’s purpose;
  • Facebook permitted apps to access personal information about a user’s friends even if the friends never granted the app authorization to access their personal information;
  • Facebook’s advertising program shared identifiable information with advertisers, contrary to representations it had made to its users;
  • A little-used “Facebook Verified App” badge, whereby Facebook, for a fee, would “verify the security of Verified Apps,” was deceptive because Facebook did no more to verify applications bearing that badge than it did with any other platform application;
  • Facebook retained and continued to make accessible users’ photos and videos, even after users deleted or deactivated their accounts, contrary to Facebook’s prior representations; and
  • Facebook falsely certified that it had complied with the US-EU Safe Harbor Principles, particularly the principles of Notice and Choice, when it was not in compliance with them.

In settling the FTC’s charges, Facebook did not admit the truth of any of the FTC’s substantive or factual allegations, aside from jurisdictional ones.

This settlement demonstrates the importance of having a comprehensive privacy program in place that ensures that privacy protections are incorporated into web applications from the ground up. Any changes to a website or application should respect users’ prior privacy choices and obtain a user’s affirmative consent before altering or overriding those prior choices. The requirement that Facebook enact a comprehensive privacy program (e.g., “privacy-by-design”), a settlement term that the FTC first included in Google’s March 2011 settlement, demonstrates that this requirement will likely be a staple of future privacy-related settlements. The settlement also reaffirms the importance of compliance with the US-EU Safe Harbor framework for companies that have opted into this program.

The FTC Has Your Back, Even When It's Naked: FTC Orders P2P Program's Default File Sharing Settings Changed

On October 12, 2011, the FTC announced that it, along with FrostWire LLC and FrostWire’s managing member, Angel Leon (collectively, “FrostWire”), agreed to a stipulated final order for permanent injunction resulting from the FTC’s complaint alleging that (a) users of FrostWire’s Android mobile file-sharing application were likely to unwittingly share personal files stored on their mobile devices with other P2P users after installing and running the application, and (b) FrostWire misrepresented to users of FrostWire’s desktop file-sharing application that certain files they downloaded would not be shared with other P2P users.

Specifically, the complaint alleged that the Android application shared, by default, all content on the user’s phone, whether preexisting, downloaded or user-generated (e.g. “intimate pictures,” as characterized by the FTC).  If the user wanted to limit the sharing by changing the application’s settings, the user had to “laboriously unshare individual files” by affirmatively deselecting specific files not to share as opposed to affirmatively selecting specific files to share. The FTC also noted that there was no notice that adequately informed users of the consequences of the mobile application’s default settings, which amounted to unfair acts or practices in violation of Section 5 of the FTC Act.  With regard to the FrostWire desktop application, the FTC alleged that, by not clearly disclosing that items downloaded and saved by a user would be automatically shared in addition to the items in another folder specifically designated for sharing, FrostWire violated Section 5(a) of the FTC Act which prohibits deceptive acts or practices.  According to the FTC, users believed that the default settings would allow only the sharing of content in the shared folder, when, in actuality, the application shared all content the user downloaded.

Pursuant to the settlement, FrostWire:

  • is prohibited from misrepresenting its file-sharing settings and must clearly and prominently disclose to the user which user-generated files and which downloaded files will be shared and with whom; 
  • must modify its applications so that the user must affirmatively select which user-generated and downloaded content to share with other P2P users (as opposed to a default setting which allows for sharing);
  • must update older versions of the mobile and desktop applications to reflect the terms of the settlement; and
  • is subject to standard compliance monitoring and reporting obligations.

Perhaps if FrostWire had implemented a “privacy by design” program, as proposed by the FTC in its December 2010 Preliminary FTC Staff Report, it would not have found itself addressing the FTC's allegations.  One thing is certain: This action demonstrates that, as mobile applications that make sharing content ever easier flood the market, the FTC is keeping a vigilant eye on companies that operate in this space so that users can take “intimate pictures” without having to worry about unwittingly sharing them with other P2P users.

COPPA Violations? Cop a Settlement for $3 Million

Playdom, Inc., an online game company owned by Disney Enterprises, Inc., and Playdom’s Chief Executive Officer, Howard Marks (the “Defendants”), agreed to pay $3 million to settle charges brought by the Federal Trade Commission (“FTC”) that they violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting, using and disclosing the personal information of children under the age of 13 without their parents’ prior, verifiable consent.  According to the FTC’s settlement announcement, the $3 million settlement is the largest civil penalty ever for a COPPA violation.

The FTC’s complaint, filed May 11, 2011, alleged that the Defendants operated 20 “virtual world” gaming websites and that when children registered on the websites, the Defendants collected children’s personal information, like their ages and email addresses. Between 2006 and 2010, around 403,000 children registered for Defendants’ general audience websites, while an additional 821,000 users registered for www.ponystars.com, the Defendants’ website directed to children. Once registered, children could create their own personal profile pages, which included things like name, location, email address and instant messaging information. The FTC claimed that the Defendants failed to provide sufficient notice on their websites of what information they collected from children and how they used and disclosed such information. The FTC also claimed that the Defendants failed to provide direct notice to the children’s parents of their collection, use and disclosure practices with regard to such information and failed to obtain parents’ verifiable consent to their practices.   

The FTC’s complaint also alleged that the Defendants failed to adhere to the promises set forth in their privacy policy, specifically, that they would neither collect the email addresses of children without parental consent, nor permit children under the age of 13 to post personal information on their websites.

It is worth noting that Playdom took ownership of the websites when it acquired Acclaim Games, Inc. in May 2010 and Disney subsequently acquired Playdom in August 2010. Although most of the violations occurred when Acclaim Games was operating independently, its acquirers ended up getting stuck with the tab.

FTC Says Scoot, Rascal! Rascal Scooters Penalized $100,000 for Calling Consumers on the Do Not Call Registry

On April 21, 2011, the Federal Trade Commission (FTC) and Electronic Mobility Corporation (d/b/a Rascal Scooters) entered into a settlement agreement pursuant to which Rascal Scooters agreed to pay $100,000 as a civil penalty to settle a complaint filed by the FTC alleging that Rascal Scooters violated the FTC Act (15 U.S.C. § 44) and the FTC’s Telemarketing Sales Rule (16 C.F.R. 310) (TSR). At the center of the FTC’s complaint was the allegation that Rascal Scooters and its owner, Michael Flowers, made more than three million unsolicited sales calls since 2003 to consumers on the Do Not Call Registry who submitted their contact information to Rascal Scooters through its “Win a Free Rascal” sweepstakes.

As background, the Telemarketing Sales Rule allows a company to call a consumer on the Do Not Call Registry if the company has an “established business relationship” with the consumer and the consumer has not otherwise opted out of receiving calls from the company. What Rascal Scooters failed to consider, however, was that an “established business relationship” does not arise from the submission of a sweepstakes entry form. Rather, an “established business relationship” only exists if a consumer has purchased a company’s goods or services within the 18-month period immediately preceding the call or if a consumer inquires or submits an application regarding a company product or service within the 3-month period immediately preceding the date of the call.

In addition to the $100,000 penalty, Rascal Scooters is only allowed to call consumers if it has their consent in writing or if there is an actual “established business relationship” and is subject to ongoing monitoring and reporting requirements to ensure its compliance with the settlement order.

It is important to note that the penalty imposed could have been (and can be) much greater than $100,000. Pursuant to the settlement order, Rascal Scooters is subject to a $2 million penalty that is currently suspended due to its inability to pay.   The $2 million will become due immediately if it is revealed that the company misrepresented its inability to pay.

FTC-Google Settlement Marks Two "Firsts" in FTC Privacy Enforcement

Google recently settled charges by the Federal Trade Commission (FTC) that Google’s social networking service, Buzz, violated the FTC Act.  The FTC-Google settlement prohibits Google from misrepresenting the extent to which it maintains and protects the confidentiality of users’ information and from misrepresenting its compliance with the US-EU Safe Harbor Framework.  In that regard, the settlement represents two important “firsts” in FTC enforcement:

  • The first time a comprehensive privacy program (as opposed to a comprehensive security program) was required by an FTC consent decree.
  • The first time the FTC has enforced the US-EU Safe Harbor Principles for substantive non-compliance.

Unlike prior settlements in response to data security breaches where the FTC required the implementation of a comprehensive information security program as a remedial measure, the Buzz settlement requires Google to enact a comprehensive privacy program, consistent with the Commission’s “privacy by design” approach that we have previously blogged about.  Specifically, the FTC’s proposed settlement requires Google to establish and maintain “a comprehensive privacy program” to “address privacy risks related to the development and management of new and existing products and services for consumers” and “protect the privacy and confidentiality of covered information.” 

The settlement also requires Google to “clearly and prominently disclose” if a user’s information will be disclosed to third parties, the identity or specific categories of such third parties, and the purposes for sharing; and to obtain affirmative consent from the user regarding the sharing.  In addition, the settlement requires Google to provide a report on the effectiveness of the company’s privacy program biennially to the FTC for the next twenty years.

The FTC’s Complaint that underlies the settlement alleges that Google launched the Buzz social networking service in February 2009 within its Gmail product.  Upon logging into their Gmail accounts, users were presented with the option to “Check out Buzz” or proceed to their Gmail inbox.  The FTC alleged that even if a user opted to go to his or her inbox, that user’s information was still shared with others in the Buzz network.  The FTC claimed that Google therefore did not use the information that users provided to Google only for the purpose of providing them the company’s web-based email service (Gmail) – rather, Google also used this information in connection with the Buzz social networking service.  Moreover, Google did not request users’ consent before using the information collected from Gmail users in connection with Buzz. 

The FTC further alleged that if a user clicked a link to “Turn off Buzz” certain information about that user was still shared with others.  Moreover, the FTC alleged that Buzz did not adequately communicate that certain previously-private information would be shared by default and certain personal information was shared without users’ permission.  The FTC also claimed that the “Turn off Buzz” and options to go to the user’s inbox without signing into Buzz were false or misleading because they represented that a user either would not be enrolled in, or would be removed from, Buzz, when in fact a user was enrolled and not removed from the service consistent with these representations.

The FTC also alleged that Google failed to disclose how a user’s information would be shared.  These allegations also amounted to a substantive violation of the US-EU Safe Harbor Framework, according to the FTC—particularly, the Notice and Choice and limited purpose principles.

These practices also violated Google’s own privacy policy in effect at the time Google Buzz was launched, according to the FTC.  In pertinent part, the policy stated that “Gmail stores, processes and maintains your messages, contact lists and other data related to your account in order to provide the service to you” and “[w]hen you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.” (Emphasis added.)

In settling the FTC’s charges, Google did not admit the truth of any of the FTC’s substantive allegations.

This settlement demonstrates the importance of having a comprehensive privacy program in place that ensures that privacy protections are incorporated into web applications from the ground up.  The settlement’s requirement that Google enact a comprehensive privacy program demonstrates that the FTC is serious about privacy and foreshadows potential future settlement terms.  The settlement also reaffirms the importance of compliance with the US-EU Safe Harbor framework for companies that have opted into this program.

Credit Report Resellers Settle FTC Charges Over Poor Security

The Federal Trade Commission recently announced that it reached a settlement with three consumer credit report resellers whose information security practices and procedures were not sufficient to prevent hackers from obtaining more than 1,800 consumer credit reports without authorization. The settlement resolves allegations that the resellers violated the Fair Credit Reporting Act, the FTC Act and the Gramm-Leach-Bliley Safeguards Rule by failing to take appropriate precautions to protect credit reports and the personal information such reports contain. According to the FTC, the resellers’ information security deficiencies included (1) not having comprehensive information security policies or procedures in place; (2) releasing consumer reports to clients who lacked basic security measures, such as firewalls and updated antivirus software; (3) failing to protect their own internet portals and thereby furnishing credit reports to hackers who lacked a permissible purpose for having them; and (4) not making reasonable efforts to protect against future breaches even after becoming aware of the hackers’ illegitimate activities.

The FTC’s proposed consent order prohibits further violations of the Safeguards Rule and also requires the resellers to do the following:

  • implement comprehensive information security programs designed to protect the security, confidentiality, and integrity of consumers’ personal information, including information accessible to clients;
  • obtain independent audits of their security programs, every other year for 20 years;
  • furnish credit reports only to those with a permissible purpose; and
  • maintain reasonable procedures to limit the furnishing of credit reports to those with a permissible purpose.

FTC Commissioner Julie Brill used the settlement as an opportunity to emphasize the gravity of the resellers’ offenses and the FTC’s commitment to protecting consumers and their personal information. In connection with the settlement, Commissioner Brill announced that “in the future we will call for imposition of civil penalties against resellers of consumer reports who do not take adequate measures to fulfill their obligations to protect information contained in consumer reports, as required by the Fair Credit Reporting Act.”

What Do You Really Need to Know About the FTC's Recent Report on Privacy?

Yesterday, we blogged about the FTC’s report released last week, “Protecting Consumer Privacy in an Era of Rapid Change.” But if the FTC’s recommendations become requirements, how would they change what the typical company is doing today? 

  • They apply both online and offline. Many companies have privacy policies that apply to the information they collect online, but make no promises to consumers about the information they collect offline, for example in stores, at events, on the phone, via loyalty programs, through registration cards, and the like.  The FTC’s report recommends that companies have privacy policies that apply offline as well.
  • They apply to what many companies think of as non-personally identifiable information, such as static IP addresses and other information that identifies a particular computer or device, but not necessarily a particular individual. This means that many companies’ privacy policies will need to be revised.
  • They propose that consumers be given a choice, at the time and place that they provide their information to a company, about the use of their data by the company in unexpected ways (i.e., ways other than “commonly accepted practices”).  For example, if the company will share the consumer’s data with a third party for the third party’s marketing purposes, the consumer should be given a choice about this at the time that they provide the information to the company, and on the Web page on which they provide the data to the company. (Yes, we mean no more burying consumer choice notices in a privacy policy.) Other examples of when consumer choice would be required are when data will be sold to a data broker or other third party that is unknown to the customer, or shared with others for behavioral marketing purposes.
  • Consumer choices could no longer be obtained using the good old pre-checked consent box.
  • When data collected in a brick-and-mortar store will be used by the company in one of these “non-accepted” ways, the FTC proposes that the sales associate communicate the consumer’s choices to the consumer orally.
  • When a consumer opts out of a certain use of his or her data, that preference would be durable, and not subject to repeated additional requests from the company. (The FTC did not say this, but we presume this would mean, for example, that the FTC prefers an opt-out method that is not dependent on cookies that could inadvertently be deleted by the consumer, and that opt-out preferences not expire.)
  • The FTC proposes that data sharing with an affiliate be treated like data sharing with an unaffiliated third party, unless, possibly, the affiliate relationship is clear to consumers through common branding or similar means.
  • The FTC proposes that companies provide consumers with reasonable access to the data that they have about consumers. (Until now, U.S. law has not required this.)
  • The FTC proposes that companies obtain affirmative express consent from consumers before collecting, using or sharing sensitive information about consumers (such as financial or medical information, or precise geolocation data), or information about “sensitive” consumers such as children and possibly teens.
  • The FTC’s recommendations cover companies that do not have direct relationships with consumers, such as data aggregators, and propose that these companies allow consumers to access and correct the information they have about consumers.
  • The FTC proposes that companies take steps to ensure the accuracy of the data that they have about consumers, especially if the data is being used to make decisions about consumers. A good example of this is a company that provides identity or age verification services to other companies.
  • The FTC proposes that companies only collect the data they need for their specific business purposes, and that they dispose of it (securely) when it no longer serves that purpose.  (In other words, don’t collect it or retain it “just in case it comes in handy for something later.”)
  • The FTC endorses a universal consumer “Do Not Track” option, whereby a consumer can set his or her web browser to instruct Web sites not to engage in behavioral marketing on that consumer. (More on this when/if the required technology becomes available.)
  • The FTC proposes that companies assign personnel to oversee privacy issues.
  • The FTC proposes that companies have comprehensive privacy programs, and review them periodically to address changes in data risks and other circumstances. (Did you just finish your comprehensive written data security program? Time to start on your comprehensive written privacy program.)
  • The FTC proposes “privacy by design.” In other words, companies should consider privacy issues relating to new products, services and business models in the early stages of their development. (As an example, no more sending new products to legal review at the last minute before launch.)
  • The FTC proposes shorter and more comprehensible privacy policies. The FTC might provide a model form privacy notice for this purpose. If you still want to include all the details in a shorter policy, the FTC suggests the “layered” policy approach, in which each policy layer links to more detail in the next layer.
  • You should have been honoring this for years, but, once again, companies cannot make material adverse retroactive changes to their privacy policies without robust notice to, and consent from, consumers. So when you are shortening your privacy policy, beware of inadvertent substantive changes that provide for lesser privacy protections than before.

FTC Commissioner Brill Enlightens Audience at Proskauer's Annual Privacy Event

On October 19, 2010, speaking at the annual Proskauer on Privacy conference, the Federal Trade Commission's newest Commissioner, Julie Brill, had a lot to say about self-regulation, teen privacy and other FTC privacy initiatives.  Commissioner Brill also commented upon the need to "re-think" privacy in order to keep pace with today's technologically advanced society.  According to Commissioner Brill, both the Notice and Choice model and the Harm model rely on a theoretical distinction between personally identifiable information and non-personally identifiable information that is "increasingly out of touch with technological advances that allow previously non-identifiable data to be 're-identified.'"  In addition, she said, "traditional privacy frameworks have not been sufficient to promote competition based on privacy."  So exactly how do we re-think privacy, and what will that mean for all of us?

Click here to read everything else Commissioner Brill had to say, in her own words.

Never Make a Promise You Can't Keep- Especially in Your Privacy Policy

Expect the unexpected from your Web site privacy policy. In a handful of cases, including two which were recently decided, companies have been thwarted in various, unexpected ways by the commitments made in their online privacy policies.

Are your intellectual property litigators reading your privacy policy?

In FenF, LLC v. Healio Health, Inc., No. 5:08-CV-404 (N.D. OH July 8, 2010), the court held that a provision from a settlement agreement entered into by FenF, LLC (“FenF”), the plaintiff, and Healio Health, Inc. (“Healio”), the defendant, which required Healio to transfer certain customer information to FenF was unenforceable because doing so would result in a violation of Healio’s privacy policy. The settlement agreement FenF was trying to enforce against Healio arose from Healio’s alleged infringement of FenF’s intellectual property. As a part of the settlement agreement, Healio agreed to transfer to FenF certain customer lists containing customer information. However, Healio promised in its privacy policy that it would not share its customers’ information with third parties. The court reasoned that “[a]llowing Plaintiff to obtain that information without any type of notice to the customers would result in manifest unfairness to those customers, who are not a party to this action and may very well have conditioned their purchases from Healio Health on that company’s promise to keep their customer information confidential.” Id. at 5. 

When you wrote your privacy policy, were you thinking about “the end”?

XY

Recently, the Federal Trade Commission (“FTC”) intervened in a bankruptcy case in which purchasers were attempting to acquire the personal information of subscribers of XY, which, before filing for bankruptcy, operated a magazine and website that targeted young gay men. When it was operating, XY collected sensitive data from between 500,000 and 1 million subscribers. XY promised its subscribers that their information was safe by stating on its website, “Our privacy policy is simple: we never share your information with anybody.”

The FTC wrote in its letter, dated July 1, 2010, to counsel for the purchasers that the acquisition of such information would violate the FTC Act, because XY’s sale of subscriber information after XY explicitly promised not to share such information would be an unfair and deceptive act or practice. The FTC requested that XY destroy the subscriber information at issue due to the highly sensitive nature of the information. On August 3, 2010, in response to the FTC’s concerns, the U.S. Bankruptcy Court for the District of New Jersey approved the parties’ settlement agreement, which stipulated that the information at issue would be destroyed.

Toysmart.com

The XY bankruptcy was not the first time that the sale of customer lists of a company in bankruptcy was thwarted due to promises made in its privacy policy. In 2000, Toysmart.com, LLC (“Toysmart”), an electronic toy retailer, announced that it was going out of business and sought offers for its customer lists which contained personally identifiable information of its customers. The FTC opposed such a sale and brought suit against Toysmart based on Toysmart’s promise in its privacy policy that it would not share its customers' personally identifiable information with third parties. Federal Trade Comm'n v. Toysmart.com, LLC, 2000 WL 34016434 (D. Mass. July 21, 2000) (Unreported). A group of state attorneys general took similar actions to prevent the sale of the lists. Ultimately, Disney, the majority owner of Toysmart, agreed to purchase and destroy Toysmart's customer lists.

Verified Identity Pass

Years after the Toysmart case, Verified Identity Pass, Inc. (“VIP”) encountered a similar situation. VIP was a company that allowed airport travelers to expeditiously pass through security checkpoints. The company filed for bankruptcy on December 1, 2009. VIP sought an acquirer, but the U.S. District Court for the Southern District of New York issued an injunction preventing VIP from selling or otherwise disclosing personal information from its database because VIP promised in its membership agreement and related privacy policy that it would not sell or distribute such information. On May 4, 2010, VIP was acquired by Alclear, LLC. The U.S. Bankruptcy Court for the Southern District of New York appointed a consumer privacy ombudsman to oversee the transfer of the personally identifiable information. VIP was forced to amend its Privacy Policy to reflect the fact that it would now be transferring its customers’ personal information to third parties. In addition, VIP had to send notice of the changes to its privacy policy to each affected customer and had to give each affected customer the option to opt-out of the transfer by electing to have his or her information destroyed.

The Bankruptcy Code

The Bankruptcy Code was amended in 2005 to specifically address the sale of a debtor company’s customer information as part of its liquidation. Under section 363(b)(1) of the Bankruptcy Code (11 U.S.C. § 363(b)(1)), the trustee may sell property of the estate; however, if the debtor had a privacy policy in effect on the date the case commenced that prohibits the transfer of personally identifiable information to persons not affiliated with the debtor, the trustee may not sell that information unless one of two conditions is met: the sale is consistent with the privacy policy (e.g., the policy carves out a sale of the personally identifiable information), or the court appoints a consumer privacy ombudsman in accordance with § 332 of the Bankruptcy Code and, after considering the ombudsman’s recommendation, approves the sale.


Sanctions for Lazy Disposal Require Drug Store Chain to Re-"Rite" its Data Security Policies and Procedures

Rite Aid has agreed to pay $1 million to resolve allegations that it violated the Health Insurance Portability and Accountability Act (“HIPAA”) by pitching pill bottles and prescription information into publicly accessible dumpsters near Rite Aid stores. According to the Department of Health and Human Services’ resolution agreement, released on July 27, Rite Aid must implement a three-year corrective action program, which includes the adoption of revised policies and procedures concerning the disposal of sensitive health-related information, employee training programs related to the revised policies and procedures and penalties for employees that fail to comply with them.

In addition to the HHS resolution agreement, Rite Aid has entered into a separate, but related settlement with the FTC to resolve the FTC’s allegations that the company failed to live up to promises made in its privacy policy that it would protect customers’ sensitive medical information. The FTC settlement will require Rite Aid to implement a comprehensive information security program and obtain independent audits of the program for twenty years.

The Rite Aid settlement marks the second time HHS and the FTC have joined forces for an investigation into alleged violations of individuals’ information privacy. The agencies began investigating Rite Aid after news media captured footage of employees at a number of pharmacies, not limited to Rite Aid, tossing sensitive medical information into insecure trash containers. According to HHS and the FTC, this practice demonstrated Rite Aid’s failure to implement, teach and enforce appropriate policies regarding the disposal of sensitive information.

So will [insert name of your pharmacy here] be the agencies’ next target? We hope not!

Twitter's Settlement With the FTC Demonstrates that "Reasonable Security" Isn't Only About Online Commerce

The social networking and micro-blogging service Twitter recently agreed to settle charges with the Federal Trade Commission (FTC) regarding its privacy and data security practices. Similar to settlement terms reached with other online merchants, the settlement bars Twitter from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. Notably, the agreement also requires Twitter to maintain a comprehensive information security program and submit to audits of the program for 10 years. The settlement agreement does not include a monetary penalty. The FTC alleged that despite Twitter’s promises on its website to protect the personal information of its users, Twitter’s practices failed to provide reasonable and appropriate security.  Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter does not sell goods online or collect financial information from its users.

The FTC’s complaint alleged that between January and May 2009, intruders twice obtained control of Twitter administrative accounts because of deficient password security policies. In January 2009, an intruder gained control of Twitter by using a “brute force” automated password-guessing tool that attempted to log in to Twitter thousands of times until it guessed the correct password. The password was a weak, lowercase, letter-only common dictionary word. In April 2009, an intruder compromised a Twitter employee’s personal email account by unspecified means. The intruder was able to guess the Twitter employee’s administrative password based on two similar passwords that had been stored in the employee’s email in plain text for at least six months before the security incident. With administrative access, the intruders were capable of accessing nonpublic user information and nonpublic tweets from any Twitter user and resetting Twitter users’ passwords. The first intruder reset certain user passwords and posted tweets from the compromised accounts.

According to the FTC, Twitter was vulnerable to these attacks because it failed to prevent unauthorized administrative control of its system. The FTC claimed that Twitter failed to take reasonable steps to:

  • Require employees to use hard-to-guess passwords that were not used for other purposes;
  • Prohibit employees from storing administrative passwords in plain-text within their personal e-mail accounts;
  • Suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;
  • Provide an administrative login page that is separate from the ordinary user login page and whose location is known only to authorized users;
  • Enforce periodic changes of administrative passwords;
  • Restrict access to administrative controls to employees whose jobs required it; and
  • Impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
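As an added illustration of three of the controls on that list (a lockout after a reasonable number of failed attempts, a password policy that rejects dictionary words, and admin access restricted to specified IP addresses), the following Python is example code written for this page; it is not Twitter’s code and not part of the original post. The account names, the allow-listed IP range, the lockout values, the tiny wordlist and the replayed guess sequence are all constructed assumptions. It replays a dictionary attack of the January 2009 kind against a legacy admin account with a weak password and shows that the lockout stops the attack before the correct word is ever evaluated.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, field

MAX_FAILURES = 5                    # lockout threshold (assumed policy value)
LOCKOUT_SECONDS = 900               # lockout duration, 15 minutes (assumed)
ADMIN_ALLOWLIST = ["10.0.5.0/24"]   # hypothetical office range allowed for admin logins
PBKDF2_ROUNDS = 50_000              # kept low so the example runs quickly

# Constructed mini wordlist standing in for a real dictionary.
COMMON_WORDS = {"password", "happiness", "letmein", "twitter", "admin", "qwerty"}


def password_is_acceptable(pw: str) -> bool:
    """Reject the kind of password the January 2009 intruder guessed:
    short, lowercase letters only, or a plain dictionary word."""
    if len(pw) < 12:
        return False
    if pw.lower() in COMMON_WORDS:
        return False
    if pw.isalpha() and pw.islower():
        return False
    return True


def ip_allowed(source_ip: str) -> bool:
    """Admin logins are accepted only from the allow-listed ranges."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(net) for net in ADMIN_ALLOWLIST)


def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    is_admin: bool = False
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


@dataclass
class LoginGuard:
    accounts: dict = field(default_factory=dict)

    def register(self, user: str, pw: str, is_admin: bool = False,
                 enforce_policy: bool = True) -> None:
        # enforce_policy=False models a legacy account created before the policy existed
        if enforce_policy and not password_is_acceptable(pw):
            raise ValueError("password rejected by policy")
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(pw, salt), is_admin)

    def attempt(self, user: str, pw: str, source_ip: str, now: float) -> str:
        """Return 'ok', 'denied', 'denied_ip' or 'locked'. `now` is passed in
        rather than read from the clock so the behaviour is reproducible."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"   # production code would hash a dummy value here to avoid timing leaks
        if acct.is_admin and not ip_allowed(source_ip):
            return "denied_ip"              # network restriction is checked first
        if now < acct.locked_until:
            return "locked"                 # no guess is evaluated while locked
        if hmac.compare_digest(hash_password(pw, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "denied"


def brute_force(guard: LoginGuard, user: str, wordlist, source_ip: str,
                start: float = 0.0) -> list:
    """Replay a dictionary attack, one guess per second, and record each outcome."""
    return [guard.attempt(user, word, source_ip, start + i)
            for i, word in enumerate(wordlist)]


if __name__ == "__main__":
    guard = LoginGuard()
    # Constructed legacy admin account with a weak dictionary password.
    guard.register("legacy_admin", "happiness", is_admin=True, enforce_policy=False)
    guesses = ["password", "letmein", "admin", "twitter", "qwerty",
               "dragon", "monkey", "happiness"]
    print(brute_force(guard, "legacy_admin", guesses, "10.0.5.20"))
    print(guard.attempt("legacy_admin", "happiness", "203.0.113.9", 100.0))
```

Run as written, the replay returns four “denied” results and then “locked” for every remaining guess, including the correct word in position eight; the same correct password from an address outside the allow-list is refused before the lockout state is even consulted. The lockout alone would not have saved an account whose password sits in the first few entries of a wordlist, which is why the policy check on registration and the network restriction are layered on top of it.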

Pursuant to the agreement, Twitter is required to engage in a number of actions to address its security practices, most notably:

  • Identifying reasonably-foreseeable, material risks that could result in unauthorized disclosure of nonpublic consumer information or unauthorized administrative control of the Twitter system; and
  • Implementing reasonable safeguards to address the identified risks.

The agreement also includes provisions requiring Twitter to designate an employee or employees to coordinate and be accountable for the information security program. Additionally, the agreement includes provisions addressing Twitter’s use of service providers and requiring Twitter to evaluate and adjust its information security to address material changes to its business or other events that might materially impact the effectiveness of its security program. 

The FTC’s pursuit of, and subsequent agreement with, Twitter is significant because it demonstrates that the FTC’s concern regarding the protection of personal information is not limited to personal financial information and identity theft. Although Twitter is not an online merchant and collects no financial information from its users, a Twitter user’s account may contain other personally identifiable information and private tweets, and the FTC held Twitter to its representations about how that information was secured. The FTC’s allegations regarding Twitter’s security practices may also prove useful to other companies, as they signal several practices the FTC considers inconsistent with reasonable security.

FTC Extends (Yet Again) Enforcement Deadline for Identity Theft Red Flags Rule

The Federal Trade Commission announced today that it is once again extending the deadline for enforcing its “Red Flags” Rule, while Congress considers legislation that would affect the scope of entities covered by the Rule. The FTC is delaying enforcement of the Rule until December 31, 2010 in response to a request from members of Congress who are working to finalize legislation that would limit the scope of business covered by the Rule.

As we’ve previously written, the Rule requires all “creditors” and “financial institutions” that have “covered accounts” to develop and implement programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. The intended (and appropriate) scope of the Rule, however, is anything but clear and the FTC has delayed enforcement of the Rule multiple times in order to address this issue. (Note, however, that the FTC’s announcement does not affect other federal agencies’ ongoing enforcement of the rule as it relates to financial institutions and creditors subject to their oversight. Similarly, the related address discrepancy and card issuer change of address rules are in effect and not delayed.)

Several days before the FTC’s announcement, Senators John Thune (R-SD) and Mark Begich (D-AK) offered up a bill “to amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses” that is intended to help clarify the scope of the Rule. The bill includes exemptions from the Rule for certain businesses engaged in health care, accounting, and the practice of law as well as a catch-all for other low-risk entities if they apply to the FTC for exemption.

Will six months be enough to fix the Rule’s problems? Maybe not. So stay tuned!

Robocalling. Easy. Doing it right? Maybe not so much . . .

On April 27, 2010, the Federal Trade Commission announced separate settlements with women’s clothing retailer Talbots and its telemarketer SmartReply, Inc. for violations of the Telemarketing Sales Rule (“TSR”). In two separate complaints filed in the U.S. District Courts for the District of Massachusetts (Talbots) and the Central District of California (SmartReply), the FTC alleged that the companies violated the TSR’s prerecorded message requirements in connection with seven advertising campaigns between February and July 2009. Specifically, the FTC alleged that SmartReply’s robocalls on behalf of Talbots (and J. Jill) did not allow consumers to opt out of future calls until they had listened to almost all of the prerecorded solicitation or failed to provide instructions to consumers about how to be added to the do-not-call list; did not immediately disconnect consumers that chose to opt out and instead connected them to another prerecorded advertisement before allowing them to opt out by pressing an additional prompt; and failed to notify live call recipients of their right to opt out at any time during the call.

As part of their proposed final settlements, filed concurrently with the complaints in Massachusetts and California, both Talbots and SmartReply agreed to orders that prohibit further violations of the TSR. As we previously wrote, according to regulations that became effective on September 1, 2009, this includes delivering prerecorded messages without consumers’ written authorization. In addition, the companies each are subject to a $112,000 civil penalty, although all but $49,000 of SmartReply’s penalty has been stayed due to its inability to pay. The proposed final settlements, which continue the FTC’s recent work in this area, are an important reminder to consult applicable laws and regulations before deploying new marketing strategies or technologies.

The FTC Brings 27th Case for "Faulty Data Security Practices"

On March 25, 2010, the Federal Trade Commission (“FTC”) announced that it had entered into a settlement with entertainment operator, Dave & Buster’s, Inc., for alleged violations of Section 5(a) of the FTC Act, and for “engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its networks.”

The settlement marks the 27th case brought by the FTC against a company for insufficient data security practices.

According to the FTC’s complaint, an unauthorized individual was able to gain access to Dave and Buster’s networks between the dates of April 30, 2007 and August 28, 2007 and intercept credit card and debit card information (and other personal information) from approximately 130,000 consumers. In addition, according to the FTC, the affected issuing banks have collectively claimed several hundred thousand dollars in fraudulent charges on some of these compromised consumer accounts.

The FTC’s complaint states that, upon its discovery of the data security breach, Dave and Buster’s notified law enforcement officials and credit card companies, and took remedial steps to prevent further unauthorized access by the intruder. However, the FTC’s complaint also alleges that it was Dave and Buster’s “failure to employ reasonable and appropriate security measures to protect personal information” that enabled the unauthorized access that caused the data breach. Among the failures cited by the FTC, Dave and Buster’s allegedly failed to employ an intrusion detection system, failed to monitor system logs, failed to use firewalls to limit access between in-store networks, failed to isolate the payment card system from the rest of the corporate network and failed to use other readily available security measures, such as limiting access to its networks through the wireless access points on those networks.

The settlement agreement entered into between the FTC and Dave and Buster’s requires Dave and Buster’s, among other things, to establish, implement and maintain a comprehensive, written data security program that contains administrative, technical and physical safeguards designed to protect the security, confidentiality and integrity of personal consumer information. In addition, Dave and Buster’s is required to obtain initial and biennial assessments (for a period of 10 years from the date of the order) from a qualified third party regarding its implementation and maintenance of its program and safeguards in compliance with the settlement agreement.

The FTC’s news release announcing the settlement, along with the FTC’s complaint and the settlement agreement containing the consent order, can be accessed by clicking here.

Life Unlocked? FTC and 35 State Attorneys General Ding LifeLock, Inc. for Deceptive Claims and Poor Data Security

On March 9, 2010, the Federal Trade Commission and 35 state attorneys general announced a negotiated settlement with LifeLock, Inc. and its co-founders, Richard Todd Davis and Robert J. Maynard. The settlement, which will require the identity theft protection services provider to pay $11 million to the FTC and an additional $1 million to the group of participating state attorneys general, resolves charges that LifeLock misrepresented the nature and effectiveness of the identity theft protection services it offers, and made false claims about its own data security practices. Specifically, the FTC alleged that LifeLock promised its customers complete protection against all types of identity theft, but the fraud alerts that LifeLock placed on its customers’ credit files protected only against certain forms of identity theft, which did not include medical identity theft, employment identity theft or the misuse of existing accounts – the most common form of identity theft. Moreover, the FTC alleged that even with respect to new account fraud, the type of identity theft for which fraud alerts are most effective, they do not provide absolute protection. LifeLock therefore deceived consumers by making statements like “LifeLock protects against [identity theft] ever happening to you. Guaranteed.”

In the words of FTC Chairman Jon Leibowitz, “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”

The FTC further alleged that LifeLock misrepresented the company’s data security practices to its customers. Among other things, LifeLock claimed that “only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis” and promised that “all stored personal data is electronically encrypted.” In reality, according to the FTC, data was not encrypted and was not shared only on a “need to know” basis. Consequently, sensitive personal information about LifeLock customers was susceptible to exploitation by those seeking access to customer information.

In addition to carrying a hefty penalty, LifeLock’s settlement with the FTC and state attorneys general prohibits the company and its co-founders from making deceptive claims, misrepresenting the “means, methods, procedures, effects, effectiveness, coverage, or scope of any identity theft protection service,” or misrepresenting the risk of identity theft or the manner and extent to which the company’s services protect against this risk. LifeLock also agreed to implement a comprehensive information security program to protect customer information, obtain independent audits of the program every other year for the next twenty years and comply with certain record-keeping obligations. The FTC will use the settlement funds to provide refunds to LifeLock customers.

We Were Wrong About the Third Time Being A Charm: FTC Delays Enforcement of Red Flags Rule Yet Again

Today, at the urging of Members of Congress, the Federal Trade Commission (“FTC”) announced that it will delay enforcement of its Red Flags Rule for the fourth time. Financial institutions and creditors subject to enforcement by the FTC will now have until June 1, 2010 to develop written policies and procedures to detect and respond to so-called identity theft “red flags.”

The FTC’s announcement does not impact the separate timeline of the proceeding we reported on here (in which the U.S. District Court for the District of Columbia ruled that the Federal Trade Commission's Red Flags Rules cannot be enforced against lawyers) or any possible appeals. Moreover, the FTC’s announcement does not affect other federal agencies’ ongoing enforcement of the rule as it relates to financial institutions and creditors subject to their oversight.


COPPA Enforcement Action

Earlier today, the FTC announced its latest COPPA enforcement action (http://www.ftc.gov/opa/2009/10/iconix.shtm).  Iconix Brand Group, Inc., the operator of websites featuring its apparel brands, was fined $250,000 for collecting personal information from children without complying with COPPA’s parental consent rubric.

The FTC cited the websites associated with the brands Mudd, Candie’s, Bongo and OP, which are popular with children and teens. The FTC did not characterize Iconix’s websites as ones “directed to children.” According to the FTC's complaint, the websites each have online registration processes that, among other things, collect the birthdate of users; and Iconix violated COPPA by collecting personal information from approximately 1000 users who identified themselves as under 13. The collection occurred both through website and sweepstakes registration, post-registration email marketing, and also through public disclosure at a “Share Your Story” feature on one of the websites.

The FTC also cited Iconix for stating in its privacy policy that it would not collect personal information from children without parental consent, when its practices did not conform to its policy.

General audience websites that collect birthdate or age-related information from their users should employ an FTC-compliant neutral age-screening mechanism to ensure that if a user enters information disclosing that he or she is under 13, the website operator does not collect or disclose personally identifiable information from that user.

FTC Continues Safe Harbor Enforcement Streak With Six New Proposed Settlements

On October 6, 2009, in one fell swoop, the Federal Trade Commission (“FTC”) announced proposed settlements of charges against six companies for violations under the US/EU Safe Harbor Program. Specifically, these companies (World Innovators, Inc.; ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive Gaitways LLC) were alleged to have continued to represent in their online privacy policies that they were self-certified under the Safe Harbor Program when in fact they had allowed their certifications to lapse, and thus had engaged in deceptive practices.


The six proposed settlements follow right on the heels of the first ever Safe Harbor enforcement action taken by the FTC (as reported in Proskauer’s Privacy Blog here), against a California company, Balls of Kryptonite, which had falsely represented that it had self-certified to the Safe Harbor Program, when apparently in fact it never had.


The US/EU Safe Harbor program was negotiated between the U.S. and EU governments as a way to reconcile the fact that under the EU’s Data Protection Directive (with some exceptions) organizations may only transfer personally identifiable information from the EU to countries that the European Commission has deemed to have adequate data protection laws—and the U.S. is not one of those countries. Therefore, the EU/US Safe Harbor program was created in 2001 as a way for U.S. companies to receive personal data from the EU.


To participate in the program, a U.S. company self-certifies to the U.S. Department of Commerce (and commits in a publicly–facing policy) that it will follow the Safe Harbor Privacy Principles (the “Principles”), which mirror the core requirements of the EU Data Protection Directive.


The FTC’s enforcement action should serve as a wake-up call to U.S. companies that have been lulled, during the eight years since the Safe Harbor program was put into place, into the mindset that the FTC is not enforcing the program. Although for almost a decade U.S. companies have been able to take a “wait and see” approach as to the FTC’s enforcement appetite, that era certainly seems to have come to an end. All U.S. companies that import personally identifiable information from Europe under the Safe Harbor should review their safe harbor policies now, and re-affirm their compliance with the Principles. 

Third Time's A Charm: FTC Delays Enforcement Of The Red Flags Rule Again

The Federal Trade Commission (“FTC”) announced today that, for the third time, it will delay enforcement of the Red Flags Rule until November 1, 2009 – a year after the original November 1, 2008 compliance deadline. In delaying enforcement yet again, the Commission stated that it intends to engage in an “expanded business education campaign” in which the staff will “redouble its efforts to educate [businesses] about compliance.” Such a campaign is designed to “clarify whether businesses are covered by the Rule and what they must do to comply.” The delay does not affect companies subject to the enforcement authority of federal agencies other than the FTC.

The FTC acknowledged that many entities, particularly small businesses and other companies with a low risk of identity theft, remain uncertain about whether they are covered under the Rule, and, if so, what steps they must take to comply. As part of its education campaign, the FTC stated that it plans to create a link on its Red Flags Rule website to provide additional guidance regarding the Rule to small and low-risk entities.  To date, the FTC has provided, among other things, a how-to guide for businesses, FAQs, and an online do-it-yourself Identity Theft Prevention Program for low-risk entities. 

The delay underscores the difficulty the Commission staff has had in anticipating and explaining the precise scope of the Rule – namely, what entities are covered by the Rule. As a practical matter, the Rules, and the FTC’s interpretation of them, have cast a net so wide as to ensnare businesses that have not encountered identity theft in their operations and that are not normally subject to the Commission’s jurisdiction. Indeed, as we have discussed before on this blog, there has been confusion among companies regarding the scope of the Rule. And despite previous delays and additional FTC guidance, many businesses, as well as entire industries, have still been caught off guard by the Rule. Nevertheless, the FTC believes that this extension and the new guidance the Commission will provide “should enable businesses to gain a better understanding of the Rule and any obligations that they may have under it.”

Doesn't Alice Live Here Anymore? FACTA and the Address Discrepancy Rule

Section 315 of FACTA requires institutions that utilize consumer reports (“users”) to develop and follow certain procedures when notified of an address discrepancy  by a national CRA (Equifax, Experian and TransUnion). Under FACTA, national CRAs are required to issue a “notice of address discrepancy” when an address provided by a user requesting a consumer report “substantially differs” from the address the CRA has on file for that consumer. The Address Discrepancy Rule then requires users of consumer reports to develop and implement written policies and procedures to respond to receipt of a discrepancy notice. There are two components to the policies required by the Rule: the first relates to the user’s evaluation of the address discrepancy; the second relates to the user’s potential obligation to report the consumer’s address to the CRA.

Users must establish reasonable policies to enable the user to form a reasonable belief as to whether the consumer report received actually relates to the customer in question. Users must evaluate the address discrepancy regardless of whether a new account with the customer will be opened. Policies and procedures designed to confirm whether a consumer report relates to the consumer about whom the report was requested include:

o         Comparing information in the consumer report with information that the user:
              -  obtains and uses to verify the consumer’s identity pursuant to Customer Identification Program rules,
              -  maintains in its own records, such as applications or change of address requests, or
              -  obtains from third parties;

o         Verifying the information provided by the CRA with the consumer by requesting a copy of the applicant’s driver’s license or other proof of current address; and

o         Other reasonable means.

In the event that a user reasonably confirms, through the policies and procedures established, that the report received belongs to the user’s customer, the user may be obligated to report the consumer’s address to the CRA that provided the notice of discrepancy. Such obligation arises if the user establishes a continuing business relationship with the customer and regularly furnishes information, regardless of the type or comprehensiveness, to that particular CRA.


While the Address Discrepancy Rule is designed to identify instances where a user has not received the correct consumer report for the customer inquired upon, a notice of address discrepancy may signal identity theft. Notices of address discrepancy therefore may implicate the Red Flags Rules for users that are financial institutions or creditors.


Also included in the Rule are special provisions regarding change-of-address notices for debit and credit card issuers. If a card issuer receives a change-of-address notice and, within 30 days, receives a request for an additional or replacement card, the card issuer must verify the address before issuing the card. The card issuer may validate the address either when receiving the change-of-address notice or shortly after receiving the request for a card. To validate the address, the issuer must either notify the cardholder at the last known address and provide the cardholder with a means of reporting any incorrect address change, or otherwise assess the validity of the change of address in accordance with the written policies and procedures it has established to comply with the Rule.

For the complete text of the “Address Discrepancy Rule”, please see http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf, and for more information on the Red Flags Rule: http://ftc.gov/redflagsrule. Also check out our prior discussions of the Red Flags and Address Discrepancy Rules.

Proskauer summer associate Rebecca Guttman contributed to this post.     

Red Flags and Address Discrepancies FAQs

On Thursday, the staff of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision and the Federal Trade Commission issued a set of Frequently Asked Questions (FAQs) to assist financial institutions, creditors, users of consumer reports, and card issuers in complying with the Red Flags and Address Discrepancies Rules under FACTA.  Among the answers to the FAQs:

  • Although there is no specific record retention requirement under the Rules, covered entities must be able to demonstrate that they have complied with the requirements of the Rules;
  • All banks, savings associations, and credit unions are covered by the Red Flags Rules as “financial institutions,” whether or not they hold a transaction account belonging to a consumer;
  • The Red Flags Rules do not apply to the foreign branches of U.S. banks but, as a matter of safety and soundness, financial institutions are strongly encouraged to implement an effective identity theft prevention program throughout their operations, including in their foreign offices, consistent with local laws;
  • “Covered accounts” include accounts established in the U.S. by non-U.S. residents;
  • A broker, dealer, investment advisor, or investment or insurance company that is a “financial institution” or “creditor” under the FCRA is covered by the Red Flags Rules, including any such entity that is a subsidiary of a bank or savings association;
  • Corporate credit unions are covered by the Red Flags Rules;
  • If a consumer loan is purchased by another financial institution or creditor, then that entity becomes responsible for applying its Identity Theft Prevention Program to the loan as an existing covered account;
  • The Address Discrepancy Rules only apply to notices of address discrepancy received from an NCRA (Experian, Equifax, and TransUnion).  However, a notification of address discrepancy received from an entity that is not an NCRA may be a red flag for purposes of the Red Flags Rules;
  • If a consumer withdraws his or her application to open a new account, a user of a consumer report that receives a notice of address discrepancy need not take steps to establish a reasonable belief that the consumer report relates to the consumer.

For more, check out the FAQs here, and our prior discussions of the Red Flags and Address Discrepancy Rules here.

Red Flags Rule Interpretation Raises Red Flags

We noted in an earlier post that the FTC determined that the Red Flags Rule applies to retailers who pass credit card applications on to lenders. However, there appear to be strong arguments against this interpretation.

The Red Flags Rule relies on the Equal Credit Opportunity Act’s definition of “creditor,” which is codified at 12 C.F.R. § 202.2(l):

Creditor means a person who, in the ordinary course of business, regularly participates in a credit decision, including setting the terms of the credit. The term creditor includes a creditor's assignee, transferee, or subrogee who so participates. For purposes of Sec. 202.4(a) and (b), the term creditor also includes a person who, in the ordinary course of business, regularly refers applicants or prospective applicants to creditors, or selects or offers to select creditors to whom requests for credit may be made.  A person is not a creditor regarding any violation of the Act or this regulation committed by another creditor unless the person knew or had reasonable notice of the act, policy, or practice that constituted the violation before becoming involved in the credit transaction. The term does not include a person whose only participation in a credit transaction involves honoring a credit card.

(emphasis added).

By its terms, the definition of “creditor” encompasses a person who “refers applicants or prospective applicants” only for purposes of §§ 202.4(a) and (b). Those sections address non-discrimination and non-discouragement in the extension of credit. Thus, if a retailer were to discourage someone from applying for a cobranded credit card, or if it were to select which credit card applications to pass on to the lender, that retailer might be liable under ECOA Regulation B. But the rest of Regulation B does not apply to those who simply pass on credit applications. See, e.g., Treadway v. Gateway Chevrolet Oldsmobile Inc., 362 F.3d 971, 978-79 (7th Cir. 2004) (holding that an automobile dealership was a creditor because it "regularly participated in a credit decision" by deciding whether to pass an application on to the lender, though it would not be a creditor if all it did was pass applications on without making such decisions) (decision attached).

The Federal Reserve Board's supplement to the § 202.2(l) comments supports this interpretation and was partially the basis for the Seventh Circuit's opinion in Treadway:

Some industry commenters expressed concern that the clarification would include in the definition of creditor persons without discretion to decide whether credit will be extended. The Board recognizes that in the credit application process persons may play a variety of roles, from accepting applications through extending or denying credit. Comment 2(l)-2 is intended to clarify that where the only role a person plays is accepting and referring applications for credit, or selecting creditors to whom applications will be made, the person meets the definition of creditor, but only for purposes of the prohibitions against discrimination and discouragement. For example, an automobile dealer may merely accept and refer applications for credit, or it may accept applications, perform underwriting, and make a decision whether to extend credit. Where the automobile dealer only accepts applications for credit and refers those applications to another creditor who makes the credit decision-for example, where the dealer does not participate in setting the terms of the credit or making the credit decision-the dealer is subject only to §§ 202.4(a) and (b) for purposes of compliance with Regulation B.

68 F.R. 13144, 13155, quoted in Treadway, 362 F.3d at 979.

Finally, other recent cases are consistent with both the supplemental comment and Treadway. See, e.g., Cochran v. Northeast Mortgage, LLC, Civil No. 3:06CV01131(AWT), 2007 U.S. Dist. LEXIS 61125, at **5-7 (D. Conn. Aug. 21, 2007); Barnette v. Brook Rd., Inc., 457 F. Supp. 2d 647, 654-655 (E.D. Va. 2006); Logsdon v. Dennison Corp., Case No. 05-1242, 2007 U.S. Dist. LEXIS 41501, at **8-10 (C.D. Ill. June 7, 2007).

EPIC Petitions for a Closer Look at the Cloud - Privacy Group Asks the FTC to Investigate Google Cloud Computing for Inadequate Safeguards and Unfair and Deceptive Trade Practices

The Electronic Privacy Information Center (“EPIC”) recently filed a complaint with the Federal Trade Commission (“FTC”) accusing Google of failing to implement adequate privacy and data security safeguards and engaging in unfair and deceptive trade practices related to its “cloud computing” services.

EPIC asked the FTC to open an investigation into Google’s cloud computing services and to bar Google from offering such services until it establishes adequate safeguards.  EPIC also requested that the FTC compel Google to contribute $5 million “to a public fund that will help support research concerning privacy enhancing technologies, including encryption, effective data anonymization, and mobile location privacy.”

Cloud computing refers to a system that provides off-site software application and data storage services to consumers and businesses through the Internet.  Google’s cloud computing services include Gmail, Picasa Web Albums, Google Calendar, Google Desktop and Google Docs. 

EPIC’s complaint followed on the heels of a reported data breach involving Google Docs.  On March 7, 2009, user documents and files saved through the Google Docs service were exposed to unauthorized users.  EPIC also highlighted other purported flaws in Google’s cloud computing services, including a January 2005 incident that allegedly compromised Gmail usernames and passwords, and two separate vulnerabilities with Google Desktop that permitted access to users’ sensitive data. 

In its complaint, EPIC stated that “Google’s inadequate security practices, and the resultant Google Docs Data Breach, caused substantial injury to consumer, without any countervailing benefits.”  Moreover, EPIC charged that Google made material misrepresentations “that misled consumer regarding its security practices, and users reasonably relied on Google’s promises.”  For instance, EPIC argued that Google assured Google Docs users that “files are stored securely online” and that all documents are saved “to a secure online storage facility.”  According to EPIC, in light of the Google Docs breach, the assurances Google made to consumers were deceptive, and thus, the FTC should step in to protect consumers. 

For more information on the privacy issues surrounding cloud computing services, please see our prior blog post here.

FTC Provides Last Clear Chance for Industry to Self-Police in a Target-Rich Environment

On February 12, 2009, the FTC issued its long-anticipated Staff Report on Self-Regulatory Principles for Online Behavioral Advertising. The revised Self-Regulatory Principles are the result of a year of study of the more than 60 comments provided by industry, advocacy organizations, academics, and individual consumers in response to the FTC’s proposed self-regulatory principles issued in late 2007. For more on the history, see our prior posts here, here, here, and here.

Not surprisingly, the FTC made clear that “these Principles are guidelines for self-regulation and do not affect the obligation of any company (whether or not covered by the Principles) to comply with all applicable federal and state laws.” And the Principles themselves, set forth below, largely reflect existing FTC law in this area. For example, it is well established that a company may not unilaterally alter its policies and use previously collected data in a manner that materially differs from the terms under which the data was originally collected. See In the Matter of Gateway Learning Corp., FTC Docket No. C-4120 (Sept. 10, 2004).

The FTC defines online behavioral advertising as “the tracking of a consumer’s online activities over time– including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests.” The newly revised Principles now explicitly carve out “first party” advertising, where no data is shared with third parties, and contextual advertising, where an ad is based on a single visit to a web page or single search query.

Our challenge at the Proskauer Privacy Law Blog is to synthesize a 55-page Staff Report and two concurrences from Commissioners Harbour and Leibowitz into a pithy, easily digestible blog post. Hmmm. Well, we thought we would start with the Principles themselves. But first, a couple of observations.

Observation number one – the Report frequently goes out of its way to note the eroding distinction between traditional personal identifying information (“PII”) such as name, address and Social Security number, and non-PII such as IP address. As noted in the Executive Summary, “staff believes that the Principles should apply to data that could reasonably be associated with a particular consumer or computer or other device, regardless of whether the data is ‘personally identifiable’ in the traditional sense. Indeed, in the context of online behavioral advertising, rapidly changing technologies and other factors have made the line between personally identifiable and non-personally identifiable information increasingly unclear. Moreover, this approach is consistent with existing self-regulatory efforts in this area.” Those blurring lines and increasingly complex technology and advertising practices promise to pose considerable challenges for the construction of clear and user-friendly consumer privacy notices.

Observation number two – the Report makes clear that disclosures regarding the collection of PII and non-PII for purposes of behavioral marketing should be made separately from the traditional privacy policy.  “Staff recognizes that it is now customary to include most privacy disclosures in a website’s privacy policy. Unfortunately, as noted by many of the commenters and by many participants at the FTC’s November 2007 Town Hall, privacy policies have become long and difficult to understand, and may not be an effective way to communicate information to consumers. Staff therefore encourages companies to design innovative ways – outside of the privacy policy – to provide behavioral advertising disclosures and choice options to consumers.”  The Staff Report highlights certain recommendations made by commenters that “appear promising. For example, a disclosure (e.g., 'why did I get this ad?') that is located in close proximity to an advertisement and links to the pertinent section of a privacy policy explaining how data is collected for purposes of delivering targeted advertising, could be an effective way to communicate with consumers. . . . Staff encourages these efforts and notes that they may be most effective if combined with consumer education programs that explain not only what information is collected from consumers and how it is used, but also the tradeoffs involved – that is, what consumers obtain in exchange for allowing the collection and use of their personal information.”

So, without further ado, here are the Principles. They provide for: (1) transparency and consumer control; (2) reasonable security, and limited data retention, for consumer data; (3) affirmative express consent for material changes to existing privacy promises; and (4) affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising. The bolded italicized language below represents the FTC staff’s own annotations showing changes from the first version in late 2007.

(1)        Transparency and Consumer Control

Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option. Where the data collection occurs outside the traditional website context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy-to-use, etc.)

(2)               Reasonable Security, and Limited Data Retention, for Consumer Data

Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company. Companies should also retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

(3)               Affirmative Express Consent for Material Changes to Existing Privacy Promises

As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use previously collected data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.

(4)               Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising

Companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.

We will have future occasion to discuss other elements of the FTC’s Report, but it is clear this will not be the last we hear from the FTC on this issue. “Looking forward, the Commission will continue to monitor the marketplace closely so that it can take appropriate action to protect consumers. During the next year, Commission staff will evaluate the development of self-regulatory programs and the extent to which they serve the essential goals set out in the Principles; conduct investigations, where appropriate, of practices in the industry to determine if they violate Section 5 of the FTC Act or other laws; meet with companies, consumer groups, trade associations, and other stakeholders to keep pace with changes; and look for opportunities to use the Commission’s research tools to study developments in this area.”

Consumer Advocacy Groups Request Federal Trade Commission Action To Stop Perceived "Threat" From Mobile Marketing

In a year when behavioral advertising was already expected to be at the top of the hot-button privacy issues list, on January 13, 2009, the Center for Digital Democracy (“CDD”) and U.S. Public Interest Research Group (“US PIRG”) filed a document with the Federal Trade Commission (“FTC”) urging the FTC to investigate online mobile marketing practices, to take new actions to stop mobile marketing activities that “abuse consumer rights,” and to recommend new federal legislation and enhanced enforcement power for the FTC in this area. The document extends the groups’ concerns about online behavioral advertising generally – the delivery of ads tailored to consumers’ interests based on browsing habits and/or consumer demographics – to the mobile space. In doing so, the groups cite the potential for even greater consumer harm because of the additional possibility of location-based targeting linked to a cell phone or other mobile device that is typically tied to a single consumer who uses it for multiple applications, including voice, video and data.

In urging FTC action, the groups’ lengthy 52-page submission focuses primarily on media reports and the marketing literature of a large number of mobile marketing companies that tout the behavioral marketing capabilities of mobile technology.  The document also acknowledges the widespread consumer benefits mobile behavioral advertising offers, including making “rich media, free offers, personalization capabilities, and discounts” more broadly available. Despite its extensive cataloguing of the vast potential for effective targeted mobile marketing, the document is short on specifics as to how these practices currently harm or are likely to harm consumer privacy or constitute unfair or deceptive trade practices under Section 5 of the FTC Act. The groups include very limited specific allegations – against only Bango Analytics, Marchex and AdMob – that relate primarily to insufficient consumer notice.

The advocacy groups’ filing follows the FTC’s late 2007 release of draft self-regulatory principles for online behavioral advertising, discussed previously at this blog here. At that time, the FTC recognized the benefit to consumers of receiving advertising more tailored to consumers’ interests and the role advertising dollars play in supporting new, innovative and free content. During 2008, the FTC accepted comments on its draft principles and is expected to issue final guidelines in the coming months. Also during 2008, state legislatures and Congress became involved in the behavioral advertising debate, as covered in this blog here and here. Meanwhile, also on January 13, 2009, the American Association of Advertising Agencies, Association of National Advertisers, Direct Marketing Association and Interactive Advertising Bureau jointly announced plans to develop enhanced self-regulatory industry guidelines for online behavioral advertising.

The CDD and U.S. PIRG filing will undoubtedly stir further debate as to whether the current regime, consisting of (a) the forthcoming FTC self-regulatory online behavioral marketing principles, (b) case-by-case enforcement of unfair or deceptive trade practices under existing FTC authority, and (c) industry self-regulatory standards such as those adopted by the CTIA and the Mobile Marketing Association and expected from other industry groups, is sufficient to protect consumers in the vibrant, competitive marketplace of mobile communications, where transparency and choice can be a selling point. We will continue to update our readers on these issues as the year unfolds.

Federal Court Enjoins Sale of Keylogger Program

A U.S. District Court for the Middle District of Florida recently issued a preliminary injunction ordering CyberSpy Software, LLC to stop promoting and selling “RemoteSpy,” a keylogger software program that, once installed on a computer, collects information regarding use of the computer.

Specifically, RemoteSpy collects information regarding keystrokes typed, websites visited, images viewed and passwords used on a computer.  Through marketing and instructional materials, CyberSpy provided its clients with information on how to remotely deploy the program by concealing it as a seemingly innocuous e-mail attachment to mislead a computer user into installing the software on his or her computer.  RemoteSpy then would upload the collected information to CyberSpy servers, which clients could access by logging onto a CyberSpy website.

Prompted by a complaint and request for investigation from the Electronic Privacy Information Center (“EPIC”), the FTC brought suit against CyberSpy alleging that the promotion and sale of RemoteSpy constituted unfair and deceptive trade practices in violation of Section 5 of the FTC Act.  According to the FTC, RemoteSpy was “likely to cause substantial injury to consumers that cannot be reasonably avoided and is not outweighed by countervailing benefits to consumers or corporations.”  CyberSpy claimed that its software had legitimate uses, such as a parent monitoring a child’s computer use.  The FTC, however, argued that CyberSpy wrongfully provided guidance to its clients on how to deceive people into installing the software.

In issuing the preliminary injunction, the district court found that the sale of RemoteSpy was likely to cause substantial harm to consumers from possible identity theft and creates a danger to the health and safety of individuals.  Characterizing the risks posed by RemoteSpy as “alarming,” the court stated that “[t]he clandestine remote installation of RemoteSpy on the computer of an unrelated person is fraught with potential abuse.”

Moreover, the court highlighted CyberSpy’s role in advancing the likelihood of such abuses through its marketing materials, which instructed people on how to invade the privacy of unsuspecting victims.  The court noted that the defendants specifically marketed RemoteSpy as a way to collect information remotely from a computer without the knowledge or authorization of the owner or user of the computer.  In fact, CyberSpy claimed that RemoteSpy was “100% undetectable” and encouraged the use of “stealth” e-mails to disguise the identity of the person attempting to install RemoteSpy.  Thus, the court found that “[i]n light of these marketing efforts, the potential for devastating abuse far outweighs the possibility of benign use.”

Nevertheless, the court did not bar the sale of RemoteSpy entirely.  Rather, it enjoined the marketing and sale of RemoteSpy “by means of informing or suggesting to customers that it may be, or is intended to be, surreptitiously installed on a computer without the knowledge or consent of the computer’s owner . . . .”  In addition, CyberSpy cannot misrepresent to clients that RemoteSpy is an innocuous program.

The FTC is seeking a permanent bar on the sale of RemoteSpy and disgorgement of CyberSpy’s ill-gotten gains.

FTC Suspends Enforcement of Red Flag Rules For Six Months

The Federal Trade Commission (“FTC”) recently announced that it will not enforce the new Red Flag Rules until May 1, 2009, giving financial institutions and creditors an additional six months to comply by developing and implementing a written identity theft prevention program.  In an Enforcement Policy Statement released on October 22, 2008, the FTC acknowledged the uncertainty felt by many entities and some industries regarding whether they would be considered “covered entities” and thus subject to the rules. This announcement, though, does not affect companies subject to the enforcement authority of federal agencies other than the FTC.

Confusion Among Companies Regarding Coverage

The rules apply to financial institutions and creditors. But, according to the FTC, many companies “indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACT Act’s definition of creditor or financial institution.” Moreover, the FTC said that companies not traditionally subject to the jurisdiction of the FTC did not follow the FTC’s rulemaking, and consequently did not become aware of their obligations under the Red Flag Rules until very recently.  The FTC also expressed concern that covered entities, to meet the fast approaching November 1 deadline, were not taking the appropriate care necessary to do a proper risk assessment and craft a meaningful red flags program.

As the FTC stated, “[g]iven the confusion and uncertainty within major industries under the FTC’s jurisdiction about the applicability of the rule, and the fact that there is no longer sufficient time for members of those industries to develop their programs and meet the November 1 compliance date, the Commission believes that immediate enforcement of the rule on November 1 would be neither equitable for the covered entities nor beneficial for the public.” Therefore, the FTC will delay enforcement of the new rules for six months. Considering this generous extension, covered entities should be on notice that they will need to have a written identity theft prevention program in place by the May 1, 2009 deadline.

Who and What Are Covered

A company must consider whether it would be considered a covered entity – i.e., a financial institution or a creditor.  Financial institutions include banks, mortgage lenders, savings and loan associations, mutual savings banks, credit unions or any other person that, directly or indirectly, holds a transaction account belonging to a consumer.  As to the definition of creditor, the Red Flag Rules reference the Equal Credit Opportunity Act (“ECOA”), which defines a creditor as anyone who grants to a debtor the right “to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.”  In its Enforcement Policy Statement, the FTC noted that under the ECOA’s definition, “any person that provides a product or service for which the consumer pays after delivery is a creditor.”  Thus, under this broad interpretation, many companies that permit their customers to defer payment for any purchase may be covered under the rules. 

Once a company determines that it is indeed a covered entity, it must assess which of its accounts or products fall under the definition of “covered accounts” – a red flag program need only apply to these covered accounts.  The definition of “covered account” is divided into two parts:  (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.

Covered entities then must develop written policies and procedures not only to identify and detect red flags, but also to respond to red flags by preventing or mitigating potential identity theft.  A red flag is a pattern, practice or activity that could indicate identity theft.  Because covered entities must tailor their red flags programs to their particular business, these companies will need to do risk assessment to evaluate current identity theft prevention measures, their shortcomings and the risks to customers.  In addition, companies must periodically update their identity theft programs to address emerging threats.  The final rules became effective on January 1, 2008, and, prior to this announcement, covered entities were required to comply by November 1, 2008.  You can read more about the Red Flag Rules here. 

Telemarketers Beware: New FTC Restrictions on Prerecorded Calls Take Effect Soon

Although the use by businesses of prerecorded message telemarketing has been prohibited for years for most calls, many companies have continued to lawfully deliver prerecorded telemarketing calls to their existing customers or others with whom they are deemed to have an existing business relationship (“EBR”). The Federal Trade Commission’s (“FTC”) recent amendments to its Telemarketing Sales Rule (“TSR”) will greatly restrict that practice. Effective September 1, 2009, companies subject to FTC jurisdiction will not be able to make interstate prerecorded telemarketing calls to EBR consumers absent the prior express written agreement of the consumer.

Effective December 1, 2008, any company that continues to make such calls must comply with new restrictions that will continue to apply even after September 1, 2009, when prior express written consent of the consumer becomes mandatory. The restrictions require that the prerecorded message: (1) state at the outset that the call recipient can ask to be placed on the caller’s company-specific do not call list; (2) make available an automated opt-out mechanism for “live” recipients of a call that enables the recipient to place the number on the company’s do not call list; and (3) if the call is answered by an answering machine or voicemail, leave a toll-free number where the recipient can call and be connected to an automated system through which they can opt out of further calls. In addition, such calls must ring for at least 15 seconds or 4 rings before they are disconnected, and any message must begin within two seconds of the call recipient’s greeting. The new TSR amendments do not govern purely informational calls (e.g., a doctor’s appointment reminder), intrastate calls, or calls made by entities not regulated by the FTC. Most of those calls will continue to be subject to Federal Communications Commission (“FCC”) rules that permit prerecorded telemarketing calls to EBR consumers, subject to the recipient requesting to be placed on a company’s own internal do not call list.


Background

Businesses engaged in telemarketing or that hire telemarketers to make calls on their behalf are potentially subject to two different federal regulatory regimes. The FTC, under the Telemarketing and Consumer Fraud and Abuse Prevention Act (“TCFAPA”), has jurisdiction over most entities engaged in interstate telemarketing. Excluded are insurance companies (to the extent they are regulated by state law), banks, certain regulated brokers, common carriers and non-profit organizations, although third-party telemarketers calling on these excepted entities’ behalf generally are subject to FTC jurisdiction. The FCC, under the Telephone Consumer Protection Act (“TCPA”), has jurisdiction over all entities engaged in telemarketing, whether interstate or intrastate. In 2003, both the FTC and the FCC enacted rules to implement the national Do Not Call registry. Under both sets of rules, businesses could continue to make live calls to any EBR consumer even if the consumer has enrolled in the national Do Not Call registry, unless the consumer has made a “company-specific” Do Not Call request to the calling entity. EBR consumers are current customers, consumers that have purchased, rented or leased goods and services within the last 18 months, and consumers that have made an inquiry or application within the last 3 months.


The Differing FTC and FCC Approaches to Prerecorded Calls to EBR Consumers

The two agencies’ rules initially differed regarding prerecorded calls to EBR consumers. The FCC permitted such calls. The FTC, however, considered such calls to violate its rules on “call abandonment” – a rule that requires 97% of calls per day of a calling campaign to be connected to a live sales representative within two seconds of a call recipient’s completed greeting (if the call is answered by a live person and not an answering machine). In November 2004, the FTC responded to a petition for a rule change to conform its approach concerning prerecorded calls to the FCC’s rules. It issued a Notice of Proposed Rulemaking to expressly permit prerecorded calls to EBR consumers (without the calls being considered abandoned) as long as specific conditions were met. The FTC also announced it would forbear from enforcing its call abandonment restrictions on prerecorded calls to EBR consumers pending completion of its rulemaking.

Despite strong industry support for the FTC’s position in the November 2004 NPRM, the FTC on October 3, 2006, in a surprise move, announced that it was not going to adopt its November 2004 proposal and instead proposed the approach that ultimately led to its most recent rule revisions. The FTC’s rule revisions also modified the call abandonment rate to allow it to be calculated over 30 days rather than on a daily basis, which is similar to a related FCC rule provision.

Significance of the FTC Decision

The FTC’s decision has far-reaching significance for the marketing activities of the many businesses subject to FTC jurisdiction under the TCFAPA. Prerecorded calls to EBR customers made with autodialers are a cheap and efficient way for businesses to reach their existing customers and notify them of new services. Companies not subject to FTC regulation, and companies that make such calls intrastate only, will be able to continue to follow the FCC’s approach. Others must be aware of the FTC restrictions.

A copy of the FTC’s Federal Register notice concerning the TSR amendments is available here.

Consumer Advocates Target Online Behavioral Advertising: Broad Regulation Threatens to Impede Delivery of Relevant Advertising and Business Models for Free Online Content

In the wake of the December 2007 FTC statement proposing self-regulatory principles for businesses that are engaged in online behavioral targeting (click here for earlier blog post), that activity has continued to provoke consumer groups who advocate for government regulation. The legislature in New York has taken notice and is considering a first-of-its-kind bill, the Third Party Internet Advertising Consumer's Bill of Rights Act of 2008, to regulate third-party Internet advertisers’ tracking activities. The New York legislature’s activity coincides with significant opposition in the European Union to online behavioral advertising practices.

Online behavioral targeting is the process of tracking online users’ behavior and serving ads tailored to that behavior. While the methods vary, the primary methods used online are cookie-based, conveying to advertisers the web pages a user visits. Companies may also use search data. This information is sometimes combined with demographic data, such as geographic location, to help further personalize advertisements. Glossed over by consumer groups is the fact that tracking usually is conducted anonymously, with the data collected linked only to a computer’s Internet Protocol (IP) address, not to a name or other personally identifiable information. In addition, responsible Internet companies are expected to provide clear notice and opportunities for consumers not to participate in such programs. Still, consumer groups have seized on reports of Internet Service Providers contracting with companies such as NebuAd, Phorm and Adzilla, which use so-called “deep packet inspection” to collect data on every page a user visits rather than just those that are part of an online advertising network.

The ongoing debate over online behavioral targeting is significant not only because such targeting enables consumers to receive ads that are more relevant and useful to them, but also because, as the FTC has recognized, restrictions that inhibit companies’ ability to obtain advertising revenue may fundamentally affect the ability of the Internet to continue to offer valuable content for free.

The New York Bill

The New York bill, with versions in the Assembly and Senate (A. 9275 and S. 6441), is based on the Network Advertising Initiative (NAI) self-regulatory principles. The NAI is a group of online advertising firms, and it adopted its principles in 2002. The bill would create an extensive regime of consumer notice and choice for third-party tracking of different types of consumer online activity. Absent a consumer’s prior affirmative consent or opt-in, third parties would be prohibited from collecting personally identifiable information online in some situations (when merged with certain other previously collected data). Consumers would have the right to opt out of any online tracking involving non-personally identifiable information. The bill would require clear notice by third-party advertising companies on their own sites of their profiling activities, the types of data they collect, how they use the data, the opt-out process, and the length of time the data is retained. And it would require third-party advertising companies to contractually require the sites to whom they provide services to include notice and opt-out options.

Notably, the bill would prohibit a third party from tracking information from websites when it does not have a contractual relationship with the website owner. This provision could have major implications for the companies described above that contract with Internet Service Providers to monitor surfing activity across all websites a consumer visits. The bill is also significant because it would effectively create a national law – companies with a national online presence would necessarily be doing business in New York as well.

The European Union

The press has recently reported on controversy in the U.K. concerning reports that the country’s three largest ISPs, BT, TalkTalk and Virgin Media, had contracted with Phorm for behavioral targeting services. A U.K. think tank, the Foundation for Information Policy Research (FIPR), submitted an open letter to the U.K. Information Commissioner charging that Phorm’s activities violate British privacy law and the European Union’s Data Protection Directive by not affording consumers opt-in choice for the tracking. Phorm claims that it tracks information using a cookie with a randomly assigned number, so that it does not collect personally identifiable information.

The issue of online monitoring continues to draw the attention of European Union regulators, with more activity expected in the near future. Although the E.U. approved the Google-DoubleClick merger, the E.U. Article 29 Working Party, which is comprised of data privacy regulators from each of the E.U.’s member states, has stated that even search engines based outside of the E.U. may fall under the E.U. Data Protection Directive. In addition, the Chairman of the Article 29 Working Party has asserted that IP addresses standing alone constitute personally identifiable information. This stands in contrast to how IP addresses are viewed in the U.S. The Article 29 Working Party is expected to issue a report in April concerning the privacy implications of Internet search engines, which should further address these issues.

Industry and Interest Group Guidelines

In addition to the activity discussed above, industry and consumer interest groups continue to propose new guidelines. The NAI announced late last year that it is planning to revise its guidelines, while just last month the Interactive Advertising Bureau – an organization comprised of many leading Internet companies – issued self-regulatory guidelines similar to the FTC’s but designed to give companies more flexibility in their approach to notice and choice. Earlier this month, the Center for Democracy and Technology issued its Privacy Principles for the Development of User Controls for Behavioral Targeting, which focuses on allowing consumers to express their preferences for behavioral targeting, having those preferences remain in place until altered by the consumer, and encouraging companies to have readily available and easily understandable policies.

FTC Sets Sights on Goal: Student Lender Taken to School for Data Security Breakdowns

On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging data security practices by a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, avoid future misrepresentations about its data security practices, and receive independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine.

According to the FTC's Complaint, Goal Financial "failed to provide reasonable and appropriate security for consumers' sensitive personal information" starting no later than September 1, 2004. The company's faulty security practices allowed employees to transfer over 7,000 consumer files containing personally identifying information and financial histories to third parties. Additionally, in 2006 a Goal Financial employee allegedly sold company hard drives containing the sensitive personal information of approximately 34,000 consumers in readable text.

The complaint identified five specific security failures:

  • failure to adequately assess risks to the information stored on the network and in paper files,
  • failure to adequately restrict access to personal information to authorized employees only,
  • failure to implement a comprehensive information security program,
  • failure to provide adequate training about handling and protecting personal information and responding to security incidents, and
  • failure to require third-party service providers by contract to protect the security and confidentiality of personal information.

The FTC Complaint charged Goal Financial with violating the FTC Act by disseminating a false or misleading privacy policy that claimed to "implement[] reasonable and appropriate measures to protect personal information from unauthorized access." Because Goal Financial qualifies as a "financial institution" under the Gramm-Leach-Bliley Act, the Complaint also alleged violations of the GLBA Safeguards Rule and the GLBA Privacy Rule. The Safeguards Rule allegation reflected the company's failure to identify privacy risks and design appropriate safeguards, while the Privacy Rule charge stemmed from the company's privacy policy and notices inaccurately representing the actual security of consumer information.

The public comment period on the proposed consent order runs until April 3, after which the FTC will decide whether to finalize the order.

Caution: Children's E-Cards Could Result in COPPA Issues

The Federal Trade Commission has quietly changed its position on the level of parental consent required under the Children’s Online Privacy Protection Act (“COPPA”) for e-cards sent from a website directed to children.

Under COPPA, websites directed to children under 13 are required to obtain parental consent prior to the collection of personal information – including an email address or a first and last name – from children under 13. There are certain exceptions to this requirement, including the so-called “one-time use” exception, which permits websites directed to children to collect an email address to respond once to a child’s specific request, provided that the website deletes that email address after doing so. The FTC had taken the position that an e-card – which typically permits a child to send a message to a friend’s email account – fell under this exception. Thus, no parental consent was required.

At the end of last year, however, the FTC amended its “Frequently Asked Questions about the Children’s Online Privacy Protection Rule,” available at http://www.ftc.gov/privacy/coppafaqs.shtm, and specifically noted in response to the FAQ concerning e-cards (FAQ 44) that “where an operator’s e-card or forward-to-a-friend system discloses the sender’s email address or first and last name in the message, the operator must obtain verifiable parental consent before such collection and disclosure.” Accordingly, operators of websites directed to children must now comply with COPPA’s verifiable parental consent provisions before permitting children under 13 to send e-cards that disclose their email addresses or full names.

For Companies Whose Data Security Practices Are Lacking, Life is [Not So] Good

The Federal Trade Commission announced on January 17, 2008 that it has agreed in principle to a consent order with Life is good, Inc. and Life is good Retail, Inc. (collectively “Life is good”) resolving allegations that the apparel company collected sensitive information from consumers and failed to secure it in compliance with its own privacy and security policies. The consent order against Life is good, among other things, prohibits future deceptive privacy and security claims and requires the company to implement a comprehensive information security program that includes biennial audits by an independent security professional for the next twenty years.

Life is good designs and sells retail apparel and accessories sporting the slogan “life is good.” In addition to selling at retail outlets across the country, the company offers its products for sale through the website lifeisgood.com. According to the FTC’s complaint, Life is good collected sensitive information from its online customers, including names, addresses and credit card information. The company’s privacy policy stated that “[w]e are committed to maintaining our customers’ privacy. We collect and store information you share with us . . . in a secure file and [this information] is used to tailor our communications with you.” The FTC’s complaint alleged that, contrary to these claims, Life is good failed to protect and secure the sensitive information it maintained. In particular, the FTC alleged that Life is good stored consumers’ information indefinitely on its network in clear, readable text and failed to do the following:

  • properly evaluate the vulnerability of its computer systems to commonly known or reasonably foreseeable attacks, including SQL injection attacks;
  • implement simple, free or low-cost, and readily available defenses to such attacks;
  • employ readily available security measures to monitor and control connections from the network to the internet; and
  • employ reasonable measures to detect unauthorized access to consumer information.

According to the FTC’s complaint, these failures allowed a hacker to use SQL injection attacks to obtain credit card numbers, expiration dates and security codes for thousands of customers between June and August 2006. The FTC complaint further alleged that Life is good’s failure to take reasonable and appropriate measures to protect consumer information against unauthorized access contravened the company’s explicit representations to consumers.

The FTC’s proposed settlement prohibits Life is good from making deceptive claims about its privacy and security practices and policies. The settlement also requires the company to institute a comprehensive privacy and security program that includes administrative, technical and physical safeguards for consumer information. Specifically, the company is required to:

  • designate at least one employee to coordinate the security program;
  • identify material internal and external risks to the security and confidentiality of consumer information and evaluate the sufficiency of existing safeguards;
  • design and implement reasonable safeguards to control any identified risks and regularly test the effectiveness of such safeguards;
  • develop reasonable procedures for selecting and supervising service providers that handle customers’ personal information; and
  • evaluate and adjust the company’s information security program based on the results of monitoring, material changes to the company’s operations, or other circumstances that may affect the program’s effectiveness.

Life is good must also retain an independent, third-party auditor to assess the company’s security program within 180 days after a final order is served and once every other year thereafter for the next twenty years. The auditor must certify that the program both meets or exceeds the requirements established by the consent order and is operating at a level that provides reasonable assurance that consumer information is being adequately protected. The proposed settlement will remain open to public comment through February 18, 2008.

First FACTA Disposal Rule FTC Settlement Leaves American United Down in the Dumps

On December 18, the FTC announced a settlement in its 15th case (and its first in 13 months) addressing the data security practices of companies handling sensitive consumer information. American United Mortgage Company agreed to pay a $50,000 penalty for failing to implement reasonable safeguards to protect customer information and failing to provide customers with privacy notices.

The American United case is the first FTC action taken pursuant to the Disposal Rule, promulgated in 2005 under the Fair and Accurate Credit Transactions Act (FACTA) of 2003. The complaint, filed in the Northern District of Illinois in mid-December, asserted that the Northbrook, Illinois-based mortgage company disposed of several dozen consumers’ personally identifying information by leaving intact hundreds of documents in a nearby unsecured dumpster, in some cases in open trash bags. Indeed, even after the FTC provided written notice to American United that disposal of documents containing consumers’ personal information in this manner created a risk of unauthorized access, "on at least two occasions, additional intact American United documents containing consumers’ personal information were found in and around the same dumpster adjacent to American United’s office."

In addition to the fine, the stipulated judgment and order requires American United to obtain an immediate third-party audit of its privacy safeguards and ongoing audits every two years for a decade. American United is also permanently enjoined from further violations of the FACTA Safeguards, Disposal, and Privacy rules.

The Disposal Rule, 16 C.F.R. 682, requires that any company collecting consumer information for a business purpose must dispose of that information in a way that prevents unauthorized access and misuse of the data. "Disposal" includes any discarding, abandonment, sale, donation or transfer of information.

FTC Staff Issues Proposed Self Regulatory Principles for Behavioral Advertising and Seeks Comment

FTC staff issued a statement today proposing four “self-regulatory” principles to guide businesses engaged in online behavioral advertising. FTC staff also seeks public comments on these principles as well as additional information on what other uses businesses are making of online tracking data. Interested parties can submit comments by February 22, 2008.

The statement, titled “Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles,” follows from the FTC’s town hall meeting held in early November 2007. There, the FTC considered privacy issues raised by behavioral advertising and heard from consumer interest groups and businesses alike.  The agenda and links to material related to the town hall meeting can be found here.

The self-regulatory approach taken by FTC staff recognizes the benefits behavioral advertising provides. Specifically, FTC staff recognizes that ad-supported content makes newspapers and other valuable information from around the world more readily available to consumers online and that many consumers value personalized ads. FTC staff is, however, concerned that behavioral advertising and the related data collection “is largely invisible and unknown to consumers.” The four principles FTC staff has proposed to address concerns over transparency and consumer choice state that:

(1) every website that collects data for behavioral advertising should include “a clear, concise, consumer-friendly and prominent statement” that (a) consumer data is being collected online for behavioral advertising, and (b) consumers can exercise choice on collection of their data for such purposes, with a “clear, easy-to-use, and accessible method” provided for doing so;

(2) a company engaged in behavioral targeting should reasonably secure the data collected and only retain it “as long as necessary to fulfill a legitimate business purpose or a law enforcement need”;

(3) a company should obtain consumers' "affirmative express consent" if it is going to use personal data for a materially different purpose than was disclosed when the data was collected; and

(4) a company should obtain "affirmative express consent" before collecting "sensitive" consumer data (such as health data, sexual orientation, and children's data). FTC staff is seeking further comment on the types of data that constitute "sensitive" information and whether, instead of consumer choice, a prohibition on collection of such data would be a better approach.

FTC staff seeks comments on the four proposed principles generally, including their feasibility and the costs and benefits of offering choices for behavioral advertising. FTC staff also seeks additional information on the secondary uses of tracking data that extend beyond behavioral marketing. Specifically, FTC staff seeks information on what secondary uses of tracking data are occurring, which of those uses raise privacy concerns, whether those concerns extend to non-personally identifiable information in addition to personally identifiable information, and whether some heightened form of protection relating to secondary uses is warranted.

The FTC vote to approve release of the principles was 5-0. The related FTC press release is available here.