Privacy Hot Topics for 2012
As 2011 has come to a close, many of us are thinking about what 2012 will bring. With regard to privacy, there are numerous key issues to choose from (and I am sure many privacy professionals would add to this list) – but from a corporate compliance standpoint, here are my top five picks for hot topics to address in 2012:
1. Online Behavioral Advertising (OBA).
OBA continues as a very hot topic and legislation or further government regulation remains a possibility. Consider if your practices fall within the guidance given to date by the Federal Trade Commission (“FTC”), including the FTC Staff Report, “Self-Regulatory Principles for Online Behavioral Advertising”.
Self-regulation took a big step forward in 2011 and you should know if you are subject to the Digital Advertising Alliance’s (DAA) cross-industry “Self-Regulatory Program for Online Behavioral Advertising,” (http://www.iab.net/media/file/ven-principles-07-01-09.pdf) or if you will comply in any event with its best practices. The DAA recently began enforcing the Self-Regulatory Program for OBA through the Better Business Bureaus (BBB), which has contacted ad networks, web site publishers and other members asking for a report on their compliance status. Note, too, that in November 2011 the DAA released Principles for Multi-Site Data, which address non-OBA tracking of consumers across the internet and which will be implemented in early 2012.
It remains an open question whether the current self-regulatory process will be enough to satisfy U.S. regulators and lawmakers (it appears it will not be so in the EU). You should take steps now to fully understand the OBA practices you engage in, the OBA practices you allow others to engage in through your web site or online feature, the tracking technologies used and the information you collect and share in connection with OBA. You should also consider how you are disclosing this information to consumers and the choices you are offering to consumers regarding the collection of information and the tracking of users for OBA purposes. And, remember that even if you do not accept third party ads on your web site, you may be engaging in OBA on some level if you advertise outside of your web site on the Internet.
2. Other Online Tracking.
Tracking is not limited to OBA purposes (at a minimum, most web sites engage third party analytics providers) and tracking devices are no longer limited to cookies and clear gifs (for example, embedded scripts, browser fingerprinting and flash cookies). Flash cookies were a hot topic in 2011 for their ability to be used to re-spawn traditional browser cookies and to override user preferences, and the difficulty for most consumers to delete them. Several class action lawsuits were filed relating to flash cookies and the FTC announced its final settlement with Scout Scan on December 21, 2011. As new tracking technologies emerge it is almost certain that new issues will arise. Thus, it is essential to fully understand the tracking technologies being used by your organization, as well as the information collected both by your company and by third parties, and the identity of all third parties who are collecting information from users through your web site or online features. You may also need to update or institute procedures for controlling the information that passes from your site or online feature to third parties and for how long. Moreover, as with OBA tracking, it is important to evaluate both the disclosures you are providing to consumers and any choices that may be available, particularly with regard to third party tracking.
3. Mobile.
Mobile technology raises unique privacy issues even when the topics are similar to those for web sites. For example the issues of notice, choice and privacy policies are more complicated when the screen space is limited to that available on a mobile device. For those organizations releasing mobile apps, the Mobile Marketing Association released a proposed mobile application privacy policy in October that may serve as a useful starting point. However, as with all privacy policies, the key step is to make sure that the disclosures you make are accurate and that all material disclosures are made. And, given the multiple parties involved (including carriers, device manufacturers, and application developers and providers) there may be contractual terms that must be considered, including contractually required disclosures that must be made.
In addition, text message campaigns continue to be popular with marketers, but there remain significant class action lawsuits filed over these types of campaigns. You should ensure you always have the express consent required to send text messages and that you are in full compliance with both the TCPA (Telephone Consumer Protection Act) and the Mobile Marketing Association (“MMA”) Guidelines, which set forth procedures for obtaining consumer consent, required disclosures in the text messages, and opting out, among other issues. In addition, organizations should be considering issues such as the collection and use of geolocation data, children’s marketing, the use of text messages in promotions and marketing campaigns, information security and mobile e-commerce.
4. Children.
The FTC extended the deadline to December 23, 2011 for comments to its notice of proposed rulemaking for revisions to its implementation of the Children’s Online Privacy Protection Act (“COPPA”) through the Children’s Online Privacy Protection Rule (“COPPA Rule”). The FTC has proposed significant changes that, if adopted, will require most web sites that currently collect information from children younger than the age of 13, or that are directed to children younger than the age of 13, to adjust their practices. For example, the FTC has proposed the elimination of the “email plus” method of consent, additional limitations to the “one time use” exception, and significant expansion of the categories of “personal information” covered by COPPA. Some of the proposed changes may be modified or new changes implemented when the FTC issues its final revised COPPA Rule, but there appears to be no question that important changes will be made and that many web sites and online operators will need to take steps to remain COPPA compliant. In the meantime, remember that the FTC continues to actively enforce COPPA (also here). Moreover, there are other important rules and regulations to consider when marketing to children, including the CARU (Children’s Advertising Review Unit) Guidelines, which are administered and enforced by the BBB.
5. EU Compliance.
There are two key European Union regulations that U.S. companies should monitor and address in 2012: the General Data Protection Regulation, which will update and replace the current Data Protection Directive, and the provisions of the EU Privacy and Electronic Communications Directive (the “ePrivacy Directive”), which requires web sites to obtain opt-in consent from consumers prior to setting cookies. U.S. organizations will first want to determine whether they are subject to these regulations, and if so, what specific steps are required based upon their specific business practices. Early released drafts of the Data Protection Regulation suggest there may be significant changes to the current Directive that, if ultimately enacted, may require significant compliance efforts from U.S. companies with regard to cross-border transactions and interactions with EU residents. The ePrivacy Directive has been adopted by the UK and a handful of other EU members and the European Commission has begun legal action against the members who have not yet implemented the requirement to obtain specific consent for cookies. In the UK, enforcement will start as early as May 2012 and thus companies subject to the UK regulation must determine how they will comply within the next few months.
Of course, what 2012 will bring none of us know for sure – but it certainly promises to be interesting.
Look Around...The FTC Is Really Busy
If you haven’t noticed, the FTC has had a monster year announcing or significantly moving forward various reviews of long-standing FTC interpretations, rules and guides. According to a report issued by the FTC in September of this year, the FTC is accelerating its typical 10-year review cycle for a number of rules and guides, in particular to account for recent changes in technology and the market place. The FTC launched a web page here that provides information about each rule and guide under review. And the FTC posted a chart here showing the schedule of all rule and guide reviews from now through the year 2020 (note that the Guides Concerning Use of Endorsements and Testimonials in Advertising will go under review again in 2020 – hopefully it won’t take the marketplace over 3 years to understand any modifications).
I counted 21 rules or guides currently under review by the FTC and its report indicates that another 14 will go under review in 2012 and 2013 and many more through 2020.
Let’s take a look at just a few that are at the heart of both online and offline advertising:
MAIL OR TELEPHONE ORDER MERCHANDISE RULE (notice of proposed rule making) – ecommerce sites; pay attention
The Mail or Telephone Order Merchandise Rule (16 CFR 435) generally requires sellers of goods (whether via mail, facsimile or certain internet connections) to be able to ship an item once ordered within the time frame advertised by the seller. If the seller does not provide the customer with a shipping date, the seller must ship the goods within 30 days of order receipt. If the seller learns that it cannot ship within the time stated or 30 days (if no time was stated), the seller must seek the customer’s consent to a delayed shipment and provide the customer with an option to cancel the order (using the mechanisms allowed by the Rule). If the customer does not consent, the seller must quickly cancel the order and return the customer’s money. Note that the time period on a seller’s obligation to ship begins as soon as the seller received enough information to fulfill the order and process full or partial payment. The time when the seller actually processes payment is irrelevant. The FTC amended the Rule in 1993 to clarify that the Rule applied to orders placed with facsimile machines or computers with telephone modems.
Now the FTC wants to:
(i) clarify that the Rule covers all internet merchandise orders regardless of how the customer accesses the internet (note that the FTC already takes this position and no commenters appear to take issue with the interpretation). It is now time for all ecommerce sites to establish a policy and procedure with respect to shipping dates, shipments, shipment delays, refunds and cancellations;
(ii) allow sellers to provide refunds and refund notices by any means at least as fast and reliable as 1st Class mail (e.g., electronic transfer);
(iii) clarify sellers’ obligations with respect to sales made using payment methods not specifically enumerated in the Rule (such as debit card, prepaid gift card, or payroll card payments); and
(iv) clarify that sellers must process any third party credit card refund within 7 working days of a buyer’s refund right.
Note that the FTC has actively enforced this Rule, and not just in connection with the direct sale of merchandise. In fact, in 2005, the FTC enforced the Rule against CompUSA for its alleged failure to fulfill rebate checks in a timely manner.
Go here for the notice of proposed rule making (comment period closes December 14, 2011).
THE CHILDREN’S ONLINE PRIVACY PROTECTION ACT (notice of proposed rule making)
Please see InfoLawGroup’s prior post here about the FTC’s notice of proposed rule making with respect to COPPA. And here on how the FTC is already enforcing COPPA against mobile app developers. The comment period closes November 28, 2011.
DOT COM DISCLOSURE (not really a rule or guide, but rather a “business guidance publication”)
This publication was originally issued in 2000 by the FTC to provide marketers guidance on how to provide clear and conspicuous disclosures to consumers associated with goods and services offered on the internet. Possibly one of the most important elements in this publication is the FTC’s statement that all of the laws applicable to consumer protection offline apply online too. The FTC advised that we should use the same factors we use to determine if a disclosure is conspicuous in the offline world to determine if it is conspicuous in the online world, namely:
(i) the placement of the disclosure and its proximity to the claim;
(ii) the prominence of the disclosure;
(iii) whether there are distracting elements;
(iv) whether the ad is so long that the disclosure needs to be repeated;
(v) whether audio disclosures are loud and slow enough;
(vi) whether visual disclosures appear long enough; and
(vii) whether the disclosure is generally uncomplicated.
The original publication is a lengthy document that goes into much more detail than above and ends with a series of example internet advertisements and FTC commentary associated with the same. The publication even answers the question (from a year 2000 perspective): “Can I link to the disclosure?” The FTC recognizes, however, that times have changed dramatically over the past 11 years, and therefore, the guidance needs to change to account for viewing the internet on mobile devices, apps and app stores, social networking, etc. The FTC issued a notice requesting answers to a list of 11 questions (check out the list of questions here). I expect that if the FTC issues an updated version of the publication, new examples and commentary will be included. Some commenters request that the FTC not rush to revise the publication, but rather take time to understand all the ways the “online” world has changed in the past 11 years, including how internet users are more savvy than ever. The Promotion Marketing Association, an association that this firm is a member of, submitted comments requesting the FTC to hold workshops to gain that full understanding and to approach any revisions with flexibility in mind rather than offering a prescriptive approach.
WARRANTIES AND GUARANTEES (request for comment)
The FTC has published a request for comment with respect to its warranty-related interpretations, rules and guides – namely:
(i) its interpretations of the Magnuson-Moss Warranty Act, which governs written warranties on consumer products;
(ii) the Rule Governing Disclosure of Written Consumer Product Warranty Terms and Conditions, which establishes disclosure requirements for written warranties on consumer products that cost more than $15.00, including:
a. language that must be used pursuant to certain state laws on the duration of implied warranties and the availability of consequential and incidental damages; and
b. what needs to be disclosed by sellers who use warranty registration or owner registration cards.
(iii) its Rule Governing Pre-Sale Availability of Written Warranty Terms, which, as you might expect, requires the terms of any written warranty on a consumer product to be made available to the purchaser prior to the sale of the product. This Rule allows doing so by displaying the warranty document in close proximity to the product or furnishing the warranty document on request and posting signs in prominent locations advising consumers that warranties are available. The Rule also provides guidance on how to comply with the pre-sale availability requirements for products sold through catalogs, mail order or door-to-door sales;
(iv) its Rule Governing Informal Dispute Resolution Procedures, which requires a seller to follow specific protocols if it wants to require a consumer to first resort to informal dispute resolution prior to filing a lawsuit associated with a warranty; and
(v) its Guides for the Advertising of Warranties and Guarantees, which recommend that the actual warranty document be made available to consumers to read prior to purchase and makes recommendations about how to offer satisfaction and lifetime guarantees.
The FTC, in its request for comments, asks a number of questions, including on the continued need for its interpretations, rules and guides, their benefits, recommended changes, whether the interpretation, rules or guides should be amended to cover service contracts and whether warranty documents should be allowed to be made available online for purposes of compliance. Go here for the request for comments (comment period closes October 24, 2011).
GREEN GUIDES (ENVIRONMENTAL MARKETING CLAIMS) (notice of proposed rule making)
The comment period has long since closed on the FTC’s proposed changes to its Green Guides. The proposed changes were issued in October of 2010 and the comment period ended on December 10, 2010. We await the publication of the revised guides. While we do so, let’s refresh just a few of the important issues in play here:
(i) The FTC does not want marketers to make general environmental benefit claims. The FTC uses “green” and “eco-friendly” as examples of claims that are difficult, if not impossible, to substantiate.
(ii) Certifications and seals should be viewed as endorsements covered by the FTC’s Endorsement Guides and should be expressly limited to the claim(s) for which the advertiser has substantiation.
(iii) No unqualified degradable claims for items destined for landfills, incinerators or recycling facilities. And other solid waste products should only be advertised as “degradable” if they completely break down and return to nature in no more than one year after disposal.
(iv) Clarification on when and how a “recyclable” claim can be made and when an unqualified recyclable claim can be made.
(v) “Free-of” claims should not be used in association with a substance never associated with the product category (this one seems obvious to me).
(vi) No unqualified “renewable materials” claims unless the item is made entirely out of renewable materials. Generally, renewable claims should explain why a product or element of a product is renewable.
Notably, the FTC declined to provide guidance on the terms “sustainable,” “natural,” and “organic” in the proposed Guides. You can read the current Green Guides here and the notice of proposed rule making here.
MORE & INTO THE FUTURE
Some other important guides that are currently under review: Fuel Economy Advertising, Negative Option Plans and the Unavailability Rule. And the following Guides or Rules are set to go under review in 2012/2013: Deceptive Pricing, Bait Advertising, Use of the Word “Free”, Advertising Allowances and the Telemarketing Sales Rule.
So, needless to say, we will have much more to write about soon….
Mobile Application Settles FTC Charges of COPPA Violations
If there really was any remaining debate over whether the Children’s Online Privacy Protection Act (“COPPA”) applies in the mobile world, this should put it to rest. W3 Innovations, LLC, doing business as Broken Thumbs Apps, along with the company president and owner Justin Maples, has paid $50,000 to settle an FTC complaint that certain mobile applications collected information from children without first obtaining parental consent. The FTC alleged that the company’s apps (which include Emily’s Girl World, Emily’s Dress Up, Emily’s Dress Up & Shop, and Emily’s Runway High Fashion), were directed to children and that the applications therefore violated COPPA and the FTC’s COPPA Rule by collecting and disclosing personal information from children without their parents’ prior consent. COPPA defines a child as someone younger than age 13 (e.g., 12 and younger).
This is the FTC’s first COPPA action involving mobile applications and in bringing it, the FTC is making clear that it expects companies to strictly follow COPPA in the mobile world just as they must for web sites. The FTC complaint in fact specifically states that the “apps send and/or receive information over the Internet, and thus are online services directed to children pursuant to COPPA.” It is also notable that the FTC held both the company and its president responsible and that the company involved is small. The clear message: everyone must strictly comply with COPPA and the FTC will continue to aggressively enforce COPPA’s requirement (in most cases) for prior parental notice and consent before collecting personal information from children.
Here, the FTC alleges that the apps were specifically directed to children. Apparently W3 Innovations has offered for download numerous apps through Apple’s App store since 2009, which were available for the iPhone and the iPod touch. In addition to the general content of the apps, the FTC noted that the games were listed in the "Games-Kids" section of Apple’s App Store.
The apps collected email addresses from tens of thousands of users and also allowed users to publicly post information on message boards. The FTC complaint is based on the failure of the defendants to: (1) maintain or link to an online notice of their privacy practices, (2) provide direct notice to parents of those privacy practices, and (3) obtain verifiable consent from parents prior to collecting, using or disclosing children’s personal information. In addition to imposing the $50,000 penalty, the settlement will bar the defendants from future violations of the COPPA Rule and require them to delete all personal information collected in violation of the Rule.
Thus, at a minimum, all companies that are in the mobile space and offer products or services directed at children (or where information is knowingly collected from children) should ensure they are providing the required disclosures -- which may present unique challenges for a mobile offering -- and obtaining parental consent as necessary.
Stay tuned: The FTC is currently reviewing its COPPA Rule and the most interesting could be yet to come.
Takeaway
COPPA applies to all online activities, including web sites and mobile applications. And, all companies, regardless of size, should make sure they are fully COPPA compliant.
FTC Enforcement Update: "Virtual Worlds" Operators Settle Children's Privacy Violation Charges; Pay $3M Fine
On May 12, 2011, the Federal Trade Commission announced that the operators of 20 online virtual worlds have agreed to pay $3 million to settle charges that they violated the Children’s Online Privacy Protection (COPPA) Rule by collecting and disclosing personal information from hundreds of thousands of children under age 13 without their parents’ prior consent. The FTC noted that this settlement is the largest civil penalty for a violation of the FTC’s COPPA Rule.
The FTC’s COPPA Rule requires that website operators notify parents and obtain their consent before they collect, use or disclose children’s personal information. The Rule also requires that website operators post a privacy policy that is clear, understandable and complete. The FTC alleged that Playdom, Inc., a leading developer of online multi-player games, and a company executive, Howard Marks, failed to meet these requirements in violation of the Rule.
Specifically, the FTC alleged that Playdom and Marks operated 20 virtual world websites where users could access online games and other activities, including 2 Moons, 9 Dragons and My Diva Doll. The FTC alleged that at least one of these virtual worlds, Pony Stars, was a website specifically directed to children. According to the FTC, the company’s other sites intended for a general audience also attracted a significant number of children. The FTC alleged that between 2006 and 2010, approximately 403,000 children registered on the defendants’ general audience sites, and 821,000 more users registered in the Pony Stars children’s site.
The FTC complaint alleges that the sites collected children’s information, including ages and email addresses, during registration and then enabled children to publicly post their full names, email addresses, instant messenger IDs, geographic location and other information on personal profile pages and in online community forums. The FTC charged that the sites' failure to provide proper notice of these practices or obtain parents’ prior verifiable consent before collecting or disclosing children’s personal information violated the COPPA Rule.
The FTC further alleged that Playdom and Marks engaged in deceptive or unfair trade practices in violation of Section 5 of the FTC Act because the sites' privacy policies misrepresented that the sites would prohibit children under 13 from posting personal information online.
In addition to the $3 million civil penalty, the settlement order permanently bars Playdom and Marks from violating the COPPA Rule and from misrepresenting their information practices regarding children.
Takeaway
The FTC continues its privacy enforcement onslaught and gets serious about COPPA. Expect more to come; the FTC announced on May 10, 2011 that it has mobile privacy enforcement settlements in the pipeline.
FTC Settles Charges Against Kids' Apparel Brands for Alleged COPPA Violations
Remember Candie's shoes and Op shorts? The FTC announced yesterday that it has settled charges against Iconix Brand Group, the owner, licensor, and marketer of popular kids' apparel brands such as Candie’s, Op, Mudd, and Bongo, for allegedly violating the Children's Online Privacy Protection Act (COPPA). Among other things, Iconix will pay a $250,000 civil penalty. The FTC filed its complaint and submitted its consent decree and order for approval yesterday in the Southern District of New York.
The FTC charged Iconix with knowingly collecting personal information from approximately 1,000 children since 2006 without obtaining prior parental consent, and failing to delete the information. The FTC claimed that Iconix required consumers to provide personal information such as name, e-mail address, zip code, and in some cases mailing address, gender, phone number, and date of birth, in order to receive brand updates, enter sweepstakes contests, and participate in interactive brand-awareness campaigns and other Web site features. The FTC further charged Iconix with posting a privacy policy that falsely stated that it would not seek to collect personal information from children without obtaining prior parental consent and would delete any such information about which it became aware. Specifically, the privacy policy stated as follows:
"We do not seek to collect personally identifiable information from persons under the age of 13 without prior verifiable parental consent. If we become aware that we have inadvertently received such information online from a child under the age of 13, we will delete it from our records. If you are under the age of 13, please do not submit any personally identifiable information to us. If you are the parent or guardian of a person under the age of 13 who has provided personally identifiable information to us, please inform us by contacting us at info@iconixbrand.com and we will remove such information from our database. If you are concerned about your children's use of the Site, you may use web filtering technology to supervise or limit access to the Site."
In addition to the $250,000 penalty, pursuant to the settlement, Iconix must, among other things, delete all personal information collected and maintained in violation of COPPA, distribute the settlement order and the FTC’s “How to Comply with the Children’s Online Privacy Protection Rule” to company personnel, and link to the FTC's www.OnGuardOnline.gov Web site on any Iconix Web site that collects or discloses children’s personal information and on any Iconix site that offers the opportunity to upload writings or images, create publicly viewable user profiles, or interact online with other Iconix site visitors.
Of course, this is not the first time the FTC has brought and settled COPPA charges. There have been more than a dozen COPPA enforcement cases, the most notable being a 2008 $1 million settlement with Sony BMG and a 2006 $1 million settlement with Xanga.
The FTC's most recent COPPA enforcement action is another reminder of (a) the importance of posting a privacy policy that accurately reflects a company's practices with respect to children's (and others') personal information; and (b) the need for legal, marketing, and IT to work hand-in-hand in developing kid-friendly and compliant online campaigns.





