Credit Report Resellers Settle FTC Charges Over Poor Security

The Federal Trade Commission recently announced that it reached a settlement with three consumer credit report resellers whose information security practices and procedures were not sufficient to prevent hackers from obtaining more than 1,800 consumer credit reports without authorization. The settlement resolves allegations that the resellers violated the Fair Credit Reporting Act, the FTC Act and the Gramm Leach Bliley Safeguards Rule by failing to take appropriate precautions to protect credit reports and the personal information such reports contain. According to the FTC, the resellers’ information security deficiencies included (1) not having comprehensive information security policies or procedures in place; (2) releasing consumer reports to clients who lacked basic security measures, such as firewalls and updated antivirus software; (3) failing to protect their own internet portals and thereby furnishing credit reports to hackers who lacked a permissible purpose for having them; and (4) not making reasonable efforts to protect against future breaches even after becoming aware of the hackers’ illegitimate activities.

The FTC’s proposed consent order prohibits further violations of the Safeguards Rule and also requires the resellers to do the following:

  • implement comprehensive information security programs designed to protect the security, confidentiality, and integrity of consumers’ personal information, including information accessible to clients;
  • obtain independent audits of their security programs, every other year for 20 years;
  • furnish credit reports only to those with a permissible purpose; and
  • maintain reasonable procedures to limit the furnishing of credit reports to those with a permissible purpose.

FTC Commissioner Julie Brill used the settlement as an opportunity to emphasize the gravity of the resellers’ offenses and the FTC’s commitment to protecting consumers and their personal information. In connection with the settlement, Commissioner Brill announced that “in the future we will call for imposition of civil penalties against resellers of consumer reports who do not take adequate measures to fulfill their obligations to protect information contained in consumer reports, as required by the Fair Credit Reporting Act.”

Twitter's Settlement With the FTC Demonstrates that "Reasonable Security" Isn't Only About Online Commerce

The social networking and micro-blogging service Twitter recently agreed to settle charges with the Federal Trade Commission (FTC) regarding its privacy and data security practices. Similar to settlement terms reached with other online merchants, the settlement bars Twitter from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. Notably, the agreement also requires Twitter to maintain a comprehensive information security program and submit to audits of the program for 10 years. The settlement agreement does not include a monetary penalty. The FTC alleged that despite Twitter’s promises on its website to protect the personal information of its users, Twitter’s practices failed to provide reasonable and appropriate security. Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter does not sell goods online or collect financial information from its users.

The FTC’s complaint alleged that between January and May 2009, intruders twice obtained control of Twitter administrative accounts because of deficient password security policies. In January 2009, an intruder gained control of Twitter by using a “brute force” automated password-guessing tool that attempted to log in to Twitter thousands of times until it guessed the correct password. The password was a weak, lowercase, letter-only common dictionary word. In April 2009, an intruder compromised a Twitter employee’s personal email account by unspecified means. The intruder was able to guess the Twitter employee’s administrative password based on two similar passwords that were stored in the employee’s email in plain text for at least six months before the security incident. With administrative access, the intruders were capable of accessing nonpublic user information and nonpublic tweets from any Twitter user and resetting Twitter users’ passwords. The first intruder reset certain user passwords and posted tweets from the compromised accounts.

According to the FTC, Twitter was vulnerable to these attacks because it failed to prevent unauthorized administrative control of its system. The FTC claimed that Twitter failed to take reasonable steps to:

  • Require employees to use hard-to-guess passwords that were not used for other purposes;
  • Prohibit employees from storing administrative passwords in plain-text within their personal e-mail accounts;
  • Suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;
  • Provide an administrative login page that is separate from the ordinary user login page and whose location is known only to authorized users;
  • Enforce periodic changes of administrative passwords;
  • Restrict access to administrative controls to employees whose jobs required it; and
  • Impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
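As an added illustration (not code from the original post or from Twitter), the guard below implements several of the controls listed above: rejecting short, single-case or dictionary-word passwords, locking an administrative account after a set number of failed attempts, and limiting administrative logins to an allow-listed address range. The threshold, the address range, the word list and all names are constructed assumptions.

```python
import hmac
import hashlib
import ipaddress
import secrets
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 5                                  # assumption: lock after 5 bad guesses
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]   # constructed internal range
COMMON_WORDS = {"happiness", "password", "letmein"}       # constructed sample word list

def password_is_acceptable(pw: str) -> bool:
    """Reject short passwords, dictionary words, and passwords drawn from fewer than three character classes."""
    if len(pw) < 12 or pw.lower() in COMMON_WORDS:
        return False
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return sum(classes) >= 3

class AdminAuth:
    """Salted-hash credential store with failed-attempt lockout and source-IP restriction."""
    def __init__(self):
        self._creds = {}                   # user -> (salt, pbkdf2 hash); never plain text
        self._failures = defaultdict(int)  # user -> consecutive failed attempts
        self.locked = set()

    def _hash(self, salt: bytes, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def enroll(self, user: str, pw: str) -> None:
        if not password_is_acceptable(pw):
            raise ValueError("password does not meet policy")
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, self._hash(salt, pw))

    def login(self, user: str, pw: str, source_ip: str) -> str:
        # Administrative logins are only accepted from the allow-listed range.
        if not any(ipaddress.ip_address(source_ip) in net for net in ADMIN_ALLOWLIST):
            return "denied: source ip not allowed"
        if user in self.locked:
            return "denied: account locked"
        stored = self._creds.get(user)
        if stored and hmac.compare_digest(self._hash(stored[0], pw), stored[1]):
            self._failures[user] = 0       # success resets the counter
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user)          # brute-force guessing stops here
            return "denied: account locked"
        return "denied: bad credentials"
```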

Pursuant to the agreement, Twitter is required to engage in a number of actions to address its security practices, most notably:

  • Identifying reasonably-foreseeable, material risks that could result in unauthorized disclosure of nonpublic consumer information or unauthorized administrative control of the Twitter system; and
  • Implementing reasonable safeguards to address the identified risks.

The agreement also includes provisions requiring Twitter to designate an employee or employees to coordinate and be accountable for the information security program. Additionally, the agreement includes provisions addressing Twitter’s use of service providers and requiring Twitter to evaluate and adjust its information security to address material changes to its business or other events that might materially impact the effectiveness of its security program.

The FTC’s pursuit of, and subsequent agreement with, Twitter is significant because it demonstrates that the FTC’s concern regarding the protection of personal information is not limited to personal financial information and identity theft. Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter is not an online merchant and does not collect financial information from its users. Nevertheless, a Twitter user’s account may contain other personally identifiable information and may contain private tweets. The FTC’s pursuit of Twitter demonstrates that the FTC is interested in holding companies to their representations regarding their security practices. The FTC’s allegations regarding Twitter’s security practices may also prove useful to companies, as the allegations signal several behaviors that the FTC considers to be inconsistent with reasonable security.

FTC Provides Last Clear Chance for Industry to Self-Police in a Target-Rich Environment

On February 12, 2009, the FTC issued its long-anticipated Staff Report on Self-Regulatory Principles for Online Behavioral Advertising. The revised Self-Regulatory Principles are the result of a year of study of the more than 60 comments provided by industry, advocacy organizations, academics, and individual consumers in response to the FTC’s proposed self-regulatory principles issued in late 2007. For more on the history, see our prior posts here, here, here, and here.

Not surprisingly, the FTC made clear that “these Principles are guidelines for self-regulation and do not affect the obligation of any company (whether or not covered by the Principles) to comply with all applicable federal and state laws.” And the Principles themselves, set forth below, largely reflect existing FTC law in this area. For example, it is well established that a company may not unilaterally alter its policies and use previously collected data in a manner that materially differs from the terms under which the data was originally collected. See In the Matter of Gateway Learning Corp., FTC Docket No. C-4120 (Sept. 10, 2004).

The FTC defines online behavioral advertising as “the tracking of a consumer’s online activities over time – including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests.” The newly revised Principles now explicitly carve out “first party” advertising, where no data is shared with third parties, and contextual advertising, where an ad is based on a single visit to a web page or single search query.

Our challenge at the Proskauer Privacy Law Blog is to synthesize a 55 page Staff Report and two concurrences from Commissioners Harbour and Leibowitz into a pithy, easily digestible blog post. Hmmm. Well, we thought we would start with the Principles themselves. But first, a couple of observations.

Observation number one – the Report frequently goes out of its way to note the eroding distinction between traditional personal identifying information (“PII”) such as name, address and Social Security, and non-PII such as IP address. As noted in the Executive Summary, “staff believes that the Principles should apply to data that could reasonably be associated with a particular consumer or computer or other device, regardless of whether the data is ‘personally identifiable’ in the traditional sense. Indeed, in the context of online behavioral advertising, rapidly changing technologies and other factors have made the line between personally identifiable and non-personally identifiable information increasingly unclear. Moreover, this approach is consistent with existing self-regulatory efforts in this area.” Those blurring lines and increasingly complex technology and advertising practices promise to pose considerable challenges for the construction of clear and user-friendly consumer privacy notices.

Observation number two – the Report makes clear that disclosures regarding the collection of PII and non-PII for purposes of behavioral marketing should be made separate from the traditional privacy policy. “Staff recognizes that it is now customary to include most privacy disclosures in a website’s privacy policy. Unfortunately, as noted by many of the commenters and by many participants at the FTC’s November 2007 Town Hall, privacy policies have become long and difficult to understand, and may not be an effective way to communicate information to consumers. Staff therefore encourages companies to design innovative ways – outside of the privacy policy – to provide behavioral advertising disclosures and choice options to consumers.” The Staff Report highlights certain recommendations made by commenters that “appear promising. For example, a disclosure (e.g., 'why did I get this ad?') that is located in close proximity to an advertisement and links to the pertinent section of a privacy policy explaining how data is collected for purposes of delivering targeted advertising, could be an effective way to communicate with consumers. . . . Staff encourages these efforts and notes that they may be most effective if combined with consumer education programs that explain not only what information is collected from consumers and how it is used, but also the tradeoffs involved – that is, what consumers obtain in exchange for allowing the collection and use of their personal information.”

So, without further ado, here are the Principles. They provide for: (1) transparency and consumer control; (2) reasonable security, and limited data retention, for consumer data; (3) affirmative express consent for material changes to existing privacy promises; and (4) affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising. The bolded italicized language below represents the FTC staff’s own annotations showing changes from the first version in late 2007.

(1) Transparency and Consumer Control

Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option. Where the data collection occurs outside the traditional website context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy-to-use, etc.).

(2) Reasonable Security, and Limited Data Retention, for Consumer Data

Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company. Companies should also retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

(3) Affirmative Express Consent for Material Changes to Existing Privacy Promises

As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use previously collected data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.

(4) Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising

Companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.

We will have future occasion to discuss other elements of the FTC’s Report, but it is clear this will not be the last we hear from the FTC on this issue. “Looking forward, the Commission will continue to monitor the marketplace closely so that it can take appropriate action to protect consumers. During the next year, Commission staff will evaluate the development of self-regulatory programs and the extent to which they serve the essential goals set out in the Principles; conduct investigations, where appropriate, of practices in the industry to determine if they violate Section 5 of the FTC Act or other laws; meet with companies, consumer groups, trade associations, and other stakeholders to keep pace with changes; and look for opportunities to use the Commission’s research tools to study developments in this area.”