Posting a Privacy Policy May Not Be Enough - NARC to Enforce Industry Principles
If your company has a posted privacy policy, it may be a good time to confirm that the cookies, tracking technologies, and other activities currently being used on your web site or sites are still consistent with your existing policy and industry standards. The National Advertising Review Counsel ("NARC") of the Better Business Bureau has recently stated that it will begin enforcing advertising industry privacy principles and publicly naming those companies who either aren't complying with the principles or following their own privacy policies. For the more serious cases, NARC may even refer the matter to the FTC.
Industry principles do not prohibit collecting information about and tracking users, but require those engaged in behavioral targeting to notify consumers about data collection via an icon and allow them to opt out of receiving targeted ads. Although failing to comply with industry privacy and tracking principles may result in a mere notification from NARC, if your company is failing to comply with its own privacy policy, this could be an unfair or deceptive act, falling under the purview of the FTC. NARC's latest move, as well as pending class-action lawsuits regarding cookies that persist after a consumer has tried to opt-out, make it important for companies to take time to know what technologies their web sites employ and keep their online disclosures and privacy policies up to date with that often-changing reality.
Privacy Enforcement Update: FTC Settles with Twitter and Chitika
As we have previously reported on our blog, 2011 has seen a whirlwind of privacy enforcement activity. The FTC, NLRB, EEOC, HHS and FINRA have all taken privacy enforcement actions this year. This March, the FTC has announced privacy settlements with Chitika and Twitter.
Chitika – FTC Alleges Deceptive Behavioral Targeting Opt-Outs
On March 14, 2011, the FTC announced that Chitika, an online advertising company, has entered into a settlement over allegations that the company did not respect consumers’ choice to opt out of receiving targeted ads online. According to the FTC complaint, Chitika buys ad space on websites and contracts with advertisers to place cookies on those websites. Chitika also uses cookies to tracks consumers’ activities on the web, including searches and visited sites.
The company displays ads to consumers based on their online activities. Chitika’s privacy policy said that consumers could opt out of having cookies placed on their browsers and receiving targeted ads. According to the FTC, however, Chitika’s opt-out lasted only 10 days. After that time, Chitika placed tracking cookies on browsers of consumers who had opted out and displayed targeted ads to them again.
The FTC charged that Chitika engaged in a deceptive practice in violation of Section 5 of the FTC Act by tracking consumers’ online activities even after they used Chitika’s opt out mechanism to direct the company to stop tracking them online and serving targeted ads.
The settlement bars Chitika from making misleading statements about the company’s data collection practices and the extent to which consumers can control the collection, use or sharing of their data. The settlement also requires that every targeted ad Chitika displays include a link to a clear opt-out mechanism that allows a consumer to opt out for a period of at least five years. It also requires that Chitika destroy all identifiable user information collected when the defective opt out was in place. Finally, Chitika must alert consumers who previously tried to opt out that their attempt was not effective, and they should opt out again to avoid receiving targeted ads through the company.
Twitter – FTC Alleges Failure to Safeguard Personal Information
On March 11, 2011, the FTC announced final settlement with Twitter over allegations that the company deceived consumers and put their privacy at risk by failing to safeguard the security of their personal information. The FTC alleged that serious lapses in the company’s data security practices allowed hackers to obtain unauthorized administrative control of Twitter and access users’ personal information and tweets that users designated as private. The hackers also gained the ability to send tweets from any account. The FTC complaint alleged that hackers were able to gain administrative control of Twitter on at least two occasions.
According to the FTC, Twitter’s website privacy notice stated that the company “employ[s] administrative, physical, and electronic measures designed to protect your information from unauthorized access.” In addition, Twitter offered its users privacy settings that enabled them to designate their tweets as private. The FTC alleged that Twitter’s representations that the company (i) used reasonable and appropriate security measures to prevent unauthorized access to nonpublic user information, and (ii) honored users’ privacy choice were deceptive and violated Section 5 of the FTC Act.
The settlement prohibits Twitter from misleading consumers about the extent to which the company protects the security, privacy and confidentiality of nonpublic consumer information, including the extent of the measures the company takes to prevent unauthorized access to the information. Twitter also must honor the privacy choices made by consumers and establish and maintain a comprehensive information security program. The program must be assessed by an independent auditor every other year for 10 years.
Lessons Learned
With privacy enforcement on the rise, companies are well advised to take proactive approach to compliance with privacy and information security laws, regulations, guidelines and best practices. The FTC expects businesses to collect, use, disclose and process personal information in a fair and transparent way, and to accurately represent their privacy and security practices to consumers. Take a look at these Fair Information Practice Principles and think how your business can apply them to its personal information practices.
Privacy News Round-Up: Lessons Learned
Several important privacy issues were in the news in the first half of this week. Here's our take on these stories, which covered online data collection, employee privacy and legislative and regulatory debates about the future of online privacy.
On November 6, 2011, the Wall Street Journal reported that major websites are taking steps to control and limit tracking of their visitors by third parties. The sites' goal is to both mitigate the privacy risks associated with such third party tracking and to capture the revenue that could be derived from their users' data. A study cited in the article estimated that a sample of 50 popular U.S. websites is losing at least $850 million in revenue to third parties that collect and sell users' data without the sites' knowledge. The study also found that nearly a third of the tracking tools operating on the 50 sites are unauthorized. As the recent Facebook controversies demonstrate, clandestine or unauthorized use and collection of users' data may cause reputational harm to the sites, and not every company is able to withstand revelations of inappropriate data use as well as Facebook can.
There are more than a few examples of Internet ventures that were torpedoed by privacy blunders. In addition to the potential for reputational harm, Internet sites may face legal risks arising from representations they make in their online privacy policies. The Federal Trade Commission (FTC) has brought enforcement actions for privacy violations under Section 5 (which deems unfair or deceptive acts or practices unlawful), including in connection with statements in privacy policies that were inaccurate. In addition, many jurisdictions outside the U.S. impose myriad requirements with respect to privacy disclosures to consumers. Our takeaway from the story is to emphasize the importance for businesses of understanding and controlling how their websites collect, use and share personal data, and ensuring that the sites' consumer-facing privacy policies accurately reflect the company’s practices.
Our next story takes on the issue of employee privacy in the digital age. On November 8, 2010, the New York Times reported that the National Labor Relations Board (NLRB) filed an administrative complaint against an employer, alleging that the company violated an employee's federal rights by firing her for criticizing her manager on her Facebook page. The NRLB argues in the complaint that employees have a right to criticize their employers, management or working conditions, and cannot be punished for engaging in this protected activity. While the terminated employee was a union member, the NLRB asserts that this right to criticize is equally applicable to nonunion employees because it is an extension of the federal right to discuss unionization and form unions. The NRLB's complaint is set to go before an administrative judge in January of next year, but any result can be contested before an appellate board and in federal courts. Still, while this proceeding is pending, the complaint itself may serve as a rude awakening to many employers who have been implementing increasingly stringent policies regarding employees' use of social media and behavior outside of the workplace. In this case, the employer's policy was rather extreme; it barred employees from depicting the company "in any way" on Facebook or other social media sites where the employees posted their pictures or from making disparaging or discriminatory comments when discussing the employer or management. Of course the right to talk about employers on the web or outside of work is not absolute. For example, if an employee lashes out against a supervisor, but is not communicating with employees in doing so, the activity may not be protected (in this case, other employees participated in the Facebook discussion of the former employee's manager). In addition, making false, defamatory statements about the employer or disparaging remarks unrelated to work (for example, about a supervisor's family or personal life) is likely not protected by federal law. The lesson from this story is that the NRLB appears to be taking a more active role in protecting employee privacy, and employers are well-advised to carefully review and consider revising their social media and employee conduct policies to ensure consistency with federal law and NRLB guidance.
The final story is coming from the New York Times and Politico today on legislative and regulatory developments (and disagreements) regarding regulation of online privacy. The New York Times is predicting a battle among the industry, privacy advocates, legislators and the administration on how to regulate online privacy. Industry representatives are not necessarily opposed to all regulation, but argue that targeted ads and competition among advertisers is good for the economy. They do not believe that a “do not track” list that would allow Internet users a single point for opting out of being tracked online for advertising purposes is necessary for protecting web users' privacy. On the regulatory front, the FTC and the Commerce Department are set to release their independent reports on online privacy. Commerce will likely favor self-regulation, while the FTC is likely to argue for a "do not track" option. The White House has set up its own panel that will look into balancing consumer protection with making U.S. companies more competitive overseas. Not to be outdone, as Politico reports, Congress is planning to convene a hearing on online privacy in early December. The discussion will address the idea of a "do not track" list and other options for regulating online privacy. Finally, privacy advocates are concerned that the regulatory and legislative battles will produce rules that do not fully protect the interests of the consumers. We realize that business can't wait for these debates to be resolved. Our recommendation is that businesses build privacy and information security into their products and services and follow industry best practices. Privacy is good for business, and being proactive about privacy and information security helps a business control the story of how it is portrayed in the media and by regulators. There is no reason to be afraid of privacy. Privacy does not mean not using personal information; it means using the information in a fair and transparent manner.
If you would like to read our take on other privacy news, don't hesitate to let us know by posting a comment on the blog, emailing bsegalis@infolawgroup.com or on Twitter @InfoLawGroup.
Social Networking: Setting Boundaries in a Borderless Brave New World
The explosive growth and morphing applications of social media such as Facebook and Twitter create new opportunities and challenges for individual users, parents, employers, organizations, governments, and marketers. Where a social phenomenon has such a wide and unpredictable impact, it almost inevitably attracts a retinue of lawmakers and regulators, as well as lawyers and HR managers struggling to craft appropriate policies for employees. And given the globalization of social media, those policies have to take account of the evolving rules in multiple jurisdictions.
When I was a kid in Las Vegas, I had a “pen pal” in France. We exchanged the occasional letter, painfully translating into each other’s languages and then trying to figure out how much postage to stick on the envelope. It seems quaint now.
Thanks to Facebook, LinkedIn, and Twitter, I’ve enjoyed meeting people with similar interests and reconnecting with people I knew socially or professionally in years past, in several countries. It’s usually pretty easy to look up people as you think of them, and there’s no postage and little delay.
Those services, and an array of other social media, have become truly international. Some 15% of the world’s Internet users are American, so even successful social media operators in the US naturally look abroad to expand their increasingly monetized networks. Competing with national and regional social networks throughout the world, leading social networking providers in the US, Europe, China, and India have turned social media into a global phenomenon. To take one prominent example, US-based Facebook now translates into more than 100 languages and reported this month at InsideFacebook.com that nearly 70% of its hundreds of millions of users reside outside the United States.
Facebook aggregates users’ self-reported demographic data and sells the information to advertisers, who are understandably eager to tap the advertising possibilities of social media. In several developed countries, a third or more of the population uses Facebook, many on a daily basis.
Facebookers and other social networkers often end up sharing a large amount of personal and professional information over time with friends . . . and friends of friends, and friends of friends of friends, and ultimately with a lot of people they wouldn’t recognize across a restaurant. By some estimates, roughly a third of Facebook users ultimately divulge their home address and current employment to an unknown number of people who are perhaps not all really their friends. New York Senator Charles Schumer recently called on the Federal Trade Commission to develop guidelines for social networking sites, and the FTC has already had occasion to investigate the extent to which identity theft and fraud are attributable to bad hygiene, or bad policies, in social media.
Most of the social networking groups I belong to are professional ones, linking lawyers, business people, inventors, IT managers, academics, and government officials who share certain interests and follow developments in particular fields. Those who participate often share ideas and some personal and career information, and they sometimes comment about their own companies or organizations or the offerings of their competitors.
So, as a lawyer, it strikes me that some social networkers may be exposing themselves not only to embarrassment and unwanted solicitations but also to fraud or identity theft. They also may be setting themselves up for trouble with prospective employers, or with their current employers or business partners who feel the talkative social networker has violated confidentiality policies or nondisclosure agreements (in surveys, many large US employers acknowledge that they have fired or disciplined employees for the contents of their posts or blogs). Advertising thinly disguised as a Tweet or post may not conform to advertising rules in all the relevant states, provinces, or countries. An intemperate rant or sly aside, broadcast to a few hundred of the user’s “closest friends,” raises the potential of liability for defamation or commercial disparagement. Comments about associates or coworkers, especially in the context of social media that blur the lines between personal and professional life, may trigger sanctions under privacy and data protection laws. And thanks to the global nature of social media, the hapless social networker could conceivably run afoul of laws in multiple jurisdictions.
It’s not only the FTC that has started worrying about the dark side of social media. The Article 29 Data Protection Working Party (comprised of EU authorities and European national data protection commissioners) issued a statement this month declaring that Facebook’s new default privacy settings are dangerous. The group has also warned social media applications developers (such as FarmVille) to be careful in their handling of user data. Regulators on both sides of the Atlantic have expressed concern as well about behavioral marketing applications based on gathering information about an individual’s participation in social media.
It’s easy to over-react to the hazards of social media, of course. Some parents forbid their children from joining in (and some teens have created a “safe” MySpace page that their parents can see, while secretly maintaining a more dubious version to share with their peers). Some users decide to drop out entirely, finding the risks, or just the implied obligation to post and respond frequently, unmanageable; there is even a “Quitting Facebook” Community Page on Facebook itself. Reasonably careful social networkers simply look at the privacy policies and options and adjust their settings appropriately to their intended use – and then watch what they say about employers, competitors, and other sensitive types. Some corporations have blocked access to social networking sites from company computers and adopted policies against their employees saying, well, pretty much anything about the company or its competitors or regulators. But other companies have already designated a “director of social media” to help the organization make effective use of social networking, internally and externally.
It seems that the trend is for employers to expand their “acceptable use” policies on email and web browsing to encompass blogging and social media as well. This is a necessary step, but it is also fraught with concerns arising from labor law, privacy law, and rights of association and free expression, and the rules differ across the many jurisdictions that may be at issue.
It is possible to set some boundaries that will pass muster just about anywhere and articulate policies that guide employees toward safe and sensible use of social media. There is much to be learned in the way of evolving best practices, especially among large multinational employers. Just don’t forget to check with a knowledgeable lawyer when crafting such policies and determining how to enforce them.
