As 2011 has come to a close, many of us are thinking about what 2012 will bring. With regard to privacy, there are numerous key issues to choose from (and I am sure many privacy professionals would add to this list) – but from a corporate compliance standpoint, here are my top five picks for hot topics to address in 2012:
1. Online Behavioral Advertising (OBA).
OBA continues as a very hot topic and legislation or further government regulation remains a possibility. Consider if your practices fall within the guidance given to date by the Federal Trade Commission (“FTC”), including the FTC Staff Report, “Self-Regulatory Principles for Online Behavioral Advertising”.
Self-regulation took a big step forward in 2011 and you should know if you are subject to the Digital Advertising Alliance’s (DAA) cross-industry “Self-Regulatory Program for Online Behavioral Advertising” (http://www.iab.net/media/file/ven-principles-07-01-09.pdf) or if you will comply in any event with its best practices. The DAA recently began enforcing the Self-Regulatory Program for OBA through the Better Business Bureaus (BBB), which has contacted ad networks, web site publishers and other members asking for a report on their compliance status. Note, too, that in November 2011 the DAA released Principles for Multi-Site Data, which address non-OBA tracking of consumers across the internet and which will be implemented in early 2012.
It remains an open question whether the current self-regulatory process will be enough to satisfy U.S. regulators and lawmakers (it appears it will not be so in the EU). You should take steps now to fully understand the OBA practices you engage in, the OBA practices you allow others to engage in through your web site or online feature, the tracking technologies used and the information you collect and share in connection with OBA. You should also consider how you are disclosing this information to consumers and the choices you are offering to consumers regarding the collection of information and the tracking of users for OBA purposes. And, remember that even if you do not accept third party ads on your web site, you may be engaging in OBA on some level if you advertise outside of your web site on the Internet.
2. Other Online Tracking.
Tracking is not limited to OBA purposes (at a minimum, most web sites engage third party analytics providers) and tracking devices are no longer limited to cookies and clear gifs (for example, embedded scripts, browser fingerprinting and flash cookies). Flash cookies were a hot topic in 2011 for their ability to be used to re-spawn traditional browser cookies and to override user preferences, and the difficulty for most consumers to delete them. Several class action lawsuits were filed relating to flash cookies and the FTC announced its final settlement with Scout Scan on December 21, 2011. As new tracking technologies emerge it is almost certain that new issues will arise. Thus, it is essential to fully understand the tracking technologies being used by your organization, as well as the information collected both by your company and by third parties, and the identity of all third parties who are collecting information from users through your web site or online features. You may also need to update or institute procedures for controlling the information that passes from your site or online feature to third parties and for how long. Moreover, as with OBA tracking, it is important to evaluate both the disclosures you are providing to consumers and any choices that may be available, particularly with regard to third party tracking.
In addition, text message campaigns continue to be popular with marketers, but there remain significant class action lawsuits filed over these types of campaigns. You should ensure you always have the express consent required to send text messages and that you are in full compliance with both the TCPA (Telephone Consumer Protection Act) and the Mobile Marketing Association (“MMA”) Guidelines, which set forth procedures for obtaining consumer consent, required disclosures in the text messages, and opting out, among other issues. In addition, organizations should be considering issues such as the collection and use of geolocation data, children’s marketing, the use of text messages in promotions and marketing campaigns, information security and mobile e-commerce.
The FTC extended the deadline to December 23, 2011 for comments to its notice of proposed rulemaking for revisions to its implementation of the Children’s Online Privacy Protection Act (“COPPA”) through the Children’s Online Privacy Protection Rule (“COPPA Rule”). The FTC has proposed significant changes that, if adopted, will require most web sites that currently collect information from children younger than the age of 13, or that are directed to children younger than the age of 13, to adjust their practices. For example, the FTC has proposed the elimination of the “email plus” method of consent, additional limitations to the “one time use” exception, and significant expansion of the categories of “personal information” covered by COPPA. Some of the proposed changes may be modified or new changes implemented when the FTC issues its final revised COPPA Rule, but there appears to be no question that important changes will be made and that many web sites and online operators will need to take steps to remain COPPA compliant. In the meantime, remember that the FTC continues to actively enforce COPPA. Moreover, there are other important rules and regulations to consider when marketing to children, including the CARU (Children’s Advertising Review Unit) Guidelines, which are administered and enforced by the BBB.
5. EU Compliance.
There are two key European Union regulations that U.S. companies should monitor and address in 2012: the General Data Protection Regulation, which will update and replace the current Data Protection Directive, and the provisions of the EU Privacy and Electronic Communications Directive (the “ePrivacy Directive”), which requires web sites to obtain opt-in consent from consumers prior to setting cookies. U.S. organizations will first want to determine whether they are subject to these regulations, and if so, what specific steps are required based upon their specific business practices. Early released drafts of the Data Protection Regulation suggest there may be significant changes to the current Directive that, if ultimately enacted, may require significant compliance efforts from U.S. companies with regard to cross-border transactions and interactions with EU residents. The ePrivacy Directive has been adopted by the UK and a handful of other EU members and the European Commission has begun legal action against the members who have not yet implemented the requirement to obtain specific consent for cookies. In the UK, enforcement will start as early as May 2012 and thus companies subject to the UK regulation must determine how they will comply within the next few months.
Of course, what 2012 will bring none of us know for sure – but it certainly promises to be interesting.