InfoLawGroup Speaks with Fox Live about Mobile Privacy
On May 10, 2011, the Senate Subcommittee on Privacy, Technology and the Law held a hearing on mobile privacy. We covered the hearing in detail on our blog. Yesterday, InfoLawGroup partner Boris Segalis spoke with Fox Live's Tracy Byrnes about the balance between business and consumer interests that mobile privacy implicates.
The clip from the interview is available on Fox.
Senate Subcommittee Holds Hearing on Mobile Privacy
On May 10, 2011 the Senate Judiciary Subcommittee on Privacy, Technology and the Law held a hearing entitled Protecting Mobile Privacy: Your Smartphone, Tablets, Cell Phones and Your Privacy. The hearing focused on the privacy concerns raised by mobile devices, location-based mobile services, and check-in applications.
Senator Leahy opened the hearing, reflecting on the benefits of mobile devices, apps, and social networks, as well as the risks these new technologies pose to consumer privacy. Leahy expressed that he is “deeply concerned” that smartphones may be tracking and storing data without users’ consent, that sensitive user data may be maintained by providers in unencrypted formats, and that companies are involved in the sale of location data without consumer knowledge resulting in the receipt of unsolicited ads by third parties.
Subcommittee Chairman Al Franken’s opening remarks focused on the increasing number of entities whose business model is to collect and maintain information on consumers under consumers’ radar. Franken noted the many benefits of location-based services, making a point to emphasize that “the existence of this business model is not a bad thing.” “The answer is not ending location-based services,” Franken said, “what today is about is trying to find a balance” between the benefits of these services and the public’s right to privacy.
The first panel of testifying witnesses consisted of two government representatives from their respective agencies. Here are some highlights from their testimony:
Jessica Rich, Deputy Director, Bureau of Consumer Protection, FTC
- The rapid growth of mobile products and services raises several concerns: mobile devices are always on and always with the consumer, mobile devices contain information that is highly personal in nature, and companies have the ability to track consumers who use mobile devices, including children and teens.
- The FTC has called on the industry to develop simplified disclosures embedded in each mobile interaction so that consumers know when and how their data is being used, rather than rely on privacy policies that are difficult to access using a mobile device.
- Companies should implement privacy by design principles in the development of their products and services, making it easier for consumers to understand and choose how their data is used.
Jason Weinstein, Deputy Assistant Attorney General, Criminal Division, DOJ
- Three major threats mobile devices pose to consumers include (1) cyber criminals such as identity thieves, stalkers, and hackers who access and exploit information without authorization; (2) the collection and disclosure of location data by service providers themselves - including app providers; and (3) the use of mobile devices by criminals to facilitate their own crimes.
- While the ECPA restricts providers from sharing location data with the government, it does not restrict them from sharing such information with other private entities.
- Companies are not currently required to retain the data they collect, which impedes the DOJ’s ability to investigate and prosecute crimes.
The second panel consisted of five non-government witnesses – from privacy advocates to representatives from major mobile market players. Here are some highlights from their testimony:
Ashkan Soltani, Independent Researcher and Consultant
- The most serious threat mobile devices pose today is that consumers are repeatedly surprised by the information mobile device platforms and apps are accessing.
- Mobile devices and apps don’t only collect location data - they also transmit consumers’ phone numbers and information from their address books, text messages, contact lists, etc.
Justin Brookman, Director of the Project on Consumer Privacy, Center for Democracy and Technology
- Only a patchwork of outdated and insufficient laws applies to mobile service providers, leaving consumers inadequately protected.
- While companies can’t affirmatively lie about how they protect consumer data, they can decline to make any representations to consumers regarding their data privacy and security practices, thereby avoiding FTC enforcement.
- The default rule for service providers is that they can disclose location data without notifying consumers and obtaining their consent. The only things providers can’t do are things the providers have promised they won’t do.
Guy L. "Bud" Tribble, Vice President of Software Technology, Apple Inc.
- Apple does not track users’ locations and “has never done so,” nor do Apple devices transmit data back to Apple that is unique to any particular consumer.
- Apple controls the apps available to consumers by contract – if apps don’t meet Apple’s privacy requirements then those apps are not made available in Apple’s app store.
- Apple conducts “random audits” and “examines network traffic produced by applications” to ensure that available apps are properly protecting the privacy of Apple consumers.
Alan Davidson, Director of Public Policy, Americas, Google Inc.
- Google makes location-based services opt-in only. If a consumer doesn’t opt-in, his or her mobile device will not transmit any location data back to Google.
- Every third party app must notify users that the app will access location data and obtain the user’s consent before the app is installed on the user’s device.
- Google believes in providing users with highly transparent information regarding its information practices, requiring opt-in consent before location data is collected, and implementing high security standards to anonymize data once it’s collected.
Jonathan Zuck, President, Association for Competitive Technology
- Mobile apps are made predominantly by small businesses - to protect consumer privacy without unduly burdening innovation, concerns about privacy must be dealt with holistically rather than from a technology-specific perspective.
Chairman Franken closed the hearing by noting that current laws don’t provide consumers with sufficient privacy protections - legislation and agency enforcement hasn’t kept up with the pace of technology. Franken restated his belief that consumers have a “fundamental right” to know what personal information is collected about them, and when and with whom their information is shared. Franken noted that these rights are particularly important when sensitive information – data from mobile devices – is involved.
To view the hearing on the U.S. Senate Committee on the Judiciary website, click HERE.
Bedrock v Google Patent Case - InfoLawGroup Analysis
InfoLawGroup Senior Counsel and former computer programmer, Rich Santalesa, has analyzed the recent $5 million verdict against Google in the ongoing Bedrock Computer Technologies, LLC v. Google et al. patent litigation, which has focused on various alleged infringements arising from the use of Free and Open-Source Software (FOSS) within the Linux kernel. The litigation is far from over, but this latest development may have interesting ramifications for the Linux community moving forward and potentially for the growing call for software patent reform.
The entire analysis is available here.
FTC Takes a Big Step in Privacy Enforcement with Google Buzz Settlement
The Google Buzz settlement that the Federal Trade Commission announced on March 30, 2011 is the latest in the line of the Commission’s numerous Section 5 actions related to privacy and data security violations. The Google Buzz settlement, however, is unique in several important ways. The settlement represents:
- The first FTC settlement order that requires a company to implement a comprehensive privacy program to protect the privacy of consumers’ information; and
- FTC’s first substantive U.S.-EU Safe Harbor framework enforcement action.
Let’s dive in (make sure to read the "Action Item" at the conclusion of the post!):
Factual Allegations
The FTC alleged in its complaint that Google violated Section 5 of the FTC Act by engaging in deceptive tactics and violating its own privacy promises to consumers in connection with the launch of the company’s social network, Google Buzz, in 2010. The FTC also alleged that with respect to the data of its European users, Google violated the Notice and Choice principles of the U.S.-EU Safe Harbor self-regulatory framework for cross-border data transfer, in violation of the company’s certification of adherence to the framework.
The FTC alleged that when Google launched Buzz, the company used its customers’ email contact lists to populate the social network. As a result, by default, when Buzz launched, Gmail users became social network “followers” of other users – including those in their email contact lists – and were “followed” by their contacts. While Google's set-up process appeared to provide users with choices not to enroll in Buzz (such as “Nah, go to my inbox” and “Turn off Buzz”), the FTC alleged that selecting those options did not actually opt the users out of Buzz. Instead, users continued to be followers of and followed by other Gmail users. Gmail users complained that the automatic generation of follower lists resulted, in some cases, in users following and being followed by individuals against whom they had obtained restraining orders, abusive ex-spouses, clients of mental health professionals and attorneys, and job recruiters.
The FTC also alleged that Google did not adequately inform users that their previously private information, such as their contact lists and profiles, would become public by default when they used Buzz. According to the FTC, Google did not provide clear means for users to change privacy settings to prevent the public disclosure of this information.
The FTC further alleged that the launch of Buzz resulted in the disclosure of personal information that was contrary to the users’ specific choices. For example, if a Gmail user blocked another individual from Google Chat, that individual could still be a follower of the user on Buzz. Further, Buzz users did not have the ability to block followers who did not have a public Google profile. Finally, a flawed design of the Buzz comment reply mechanism resulted in broad disclosure of users’ private email addresses.
Violations of the FTC Act
The FTC alleged that Google’s handling of privacy settings in connection with the launch of Buzz (as described above) violated the company’s own privacy notices and the Section 5 of the FTC Act prohibition against unfair or deceptive acts or practices. Specifically, according to the FTC, Google:
- By using Gmail information to populate Buzz -- failed to abide by the pledge in the company’s privacy policy to use information from consumers signing up for Gmail only for the purpose of providing them with a web-based email service;
- By using Gmail information in connection with Buzz -- failed to abide by the pledge in the company’s privacy policy to seek users’ consent to use their information for a purpose other than that for which the data was collected; and
- By not respecting users’ privacy choices (such as “Nah, go to my inbox” and “Turn off Buzz”), and misleading users about what information in their profiles would become public and which of their contact lists would become public in connection with Buzz – engaged in deceptive acts or practices.
U.S.-EU Safe Harbor Framework Violations
The Google Buzz settlement is the FTC’s first substantive U.S.-EU Safe Harbor framework enforcement action in which the Commission alleged specific violations of the Safe Harbor privacy principles. On several previous occasions, the FTC took enforcement action against companies that claimed to be Safe Harbor certified but were not in fact members of the program. Google maintained an up-to-date Safe Harbor self-certification on the U.S. Department of Commerce Safe Harbor list and stated in its privacy policy that it adhered to the Safe Harbor privacy principles.
The Safe Harbor framework consists of a set of privacy principles developed by the U.S. Department of Commerce in collaboration with the European Commission. The framework is intended to provide U.S. companies with a mechanism for receiving personal information from the European Union, European Economic Area or Switzerland in compliance with the European Commission’s Data Protection Directive 95/46/EC and the Swiss Federal Act on Data Protection. U.S. companies that participate in the Safe Harbor framework are deemed by the European Commission and the Information Commission of Switzerland to provide an “adequate” level of privacy protection, enabling the certified U.S. companies to receive and process European data in the U.S.
Among other provisions, the Safe Harbor privacy principles require companies that receive European personal data in the U.S. to give the individuals to whom the information pertains:
- Notice of how the company uses their personal information (the Notice principle);
- Choice to direct the company to refrain from sharing the information with certain third parties (the Choice principle); and
- The opportunity to opt out of having their information used for purposes incompatible with those for which the information was collected or to which they have consented (also the Choice principle).
In practice, a Safe Harbor-certified company in the U.S. that wishes to use or disclose personal data of European residents for purposes incompatible with the purposes for which the information was collected or to which the users have consented, must (i) provide users with a notice of the proposed new use or disclosure, and (ii) give users an opportunity to direct the company not to use or disclose the information in the proposed manner.
The FTC alleged that Google relied on its Safe Harbor certification to transfer data collected from Gmail users from Europe to the United States for processing. According to the FTC, the company also processed this information in connection with the launch of Buzz. The complaint alleged that Google violated the Notice and Choice principles by not giving European users notice before using their Gmail information in connection with Buzz. Google’s alleged non-compliance with the Safe Harbor Notice and Choice principles constituted a deceptive act or practice in violation of Section 5 of the FTC Act.
Settlement
The FTC has billed this enforcement action as a “tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.” The settlement includes several major requirements.
Prohibition Against Misrepresentations
The settlement prohibits Google from misrepresenting the company's privacy practices with respect to “covered information” or the company’s compliance with any privacy, security or other compliance program, including the U.S.-EU Safe Harbor framework. Importantly, the term “covered information” is broader than the term “personal information” that the FTC has used in its previous privacy enforcement consent orders. “Covered information” includes not only the traditional personal information elements (e.g., name, postal or email address, and telephone number), but also an IP address or an individual’s physical location or list of contacts. The broader definition of “covered information” is consistent with the FTC’s increasingly expansive view of the information associated with an individual that warrants protection. For example, in its report on Self-Regulatory Principles For Online Behavioral Advertising: Tracking, Targeting, and Technology, the FTC refused to provide a bright line rule for delineating personal and non-personal information. Instead, the FTC took the position that behavioral advertising principles "should apply to data that could reasonably be associated with a particular consumer or computer or other device, regardless of whether the data is 'personally identifiable' in the traditional sense." Similarly, the FTC’s report “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers” (the "Privacy Report") argued for protecting consumer data that can reasonably be linked to a specific consumer, computer or device.
Notice and Consent
The settlement requires Google to provide its users with notice and choice prior to sharing users’ information with third parties in certain circumstances. Specifically, if the proposed disclosure is contrary to the data sharing practices Google represented to be in effect at the time the information was collected, the settlement requires Google to give users a clear and prominent notice of the proposed disclosure and to obtain their “express affirmative consent.” While the settlement does not define “express affirmative consent,” at a minimum, this provision will require Google to offer users a prominent, transparent means for exercising their privacy choices.
Comprehensive Privacy Program
The FTC stated that the Buzz settlement is the first to require a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. The inclusion of this requirement in the settlement appears to be the first application of the “privacy by design” philosophy that the Commission articulated in its Privacy Report. The FTC’s “privacy by design” approach calls on companies to build privacy protections into their business practices. Such protections should include sound mechanisms for allowing consumers to exercise their privacy choices, reasonable security for consumer data, limited collection and retention of consumer data, secure disposal of the data, and reasonable procedures to promote data accuracy. The report also called for companies to implement and enforce procedurally sound privacy practices throughout their organizations, including by assigning personnel to oversee privacy issues, training employees and conducting privacy reviews for new products and services.
The settlement requires Google to maintain a written, comprehensive privacy program that is reasonably designed to (i) address privacy risks related to the development and management of new and existing products and services, and (ii) protect the privacy and confidentiality of covered information (as defined above). Google must include in its privacy program the privacy controls and procedures appropriate to the company's size and complexity, the nature and scope of its activities, and the nature of covered information.
Specifically, the settlement requires Google to:
- Designate staff responsible for the privacy program;
- Conduct a risk assessment to identify reasonably-foreseeable risks that could result in the unauthorized collection, use, or disclosure of covered information and assess the sufficiency of any safeguards in place to control these risks;
- Design and implement reasonable privacy procedures to control the risks identified through the privacy risk assessment;
- Regularly test or monitor the effectiveness of the program’s key privacy controls and procedures;
- Develop and use reasonable steps to select and retain service providers capable of appropriately protecting the privacy of covered information they receive from Google;
- Require relevant service providers by contract to implement and maintain appropriate privacy protections; and
- Evaluate and adjust the company's privacy program in light of the results of the testing and monitoring, any material changes to the company's operations or business arrangements, or any other circumstances that may have a material impact on the effectiveness of the company’s privacy program.
Compliance Requirements
In addition to the specific requirements regarding the company’s privacy practices, the settlement mandates a compliance and reporting program, including biennial assessments and reports from a qualified, objective and independent third-party professional. The reports must certify, among other things, that:
- Google has in place a privacy program that provides protections that meet or exceed the protections required by the settlement order; and
- Google’s privacy controls are operating with sufficient effectiveness to provide reasonable assurance that the privacy of covered information is protected.
Google must retain the materials relied upon to prepare the third-party assessments for a period of three years from the date of the assessment.
The settlement also requires Google to:
- Retain all “widely disseminated statements” that describe the extent to which the company maintains and protects the privacy and confidentiality of any covered information, along with all materials relied upon in making or disseminating such statements, for a period of three years;
- Retain for a period of six months (i) all consumer complaints directed at Google, or forwarded to Google by a third party, that allege unauthorized collection, use or disclosure of covered information and (ii) any responses to such complaints;
- Retain for a period of five years documents that contradict, qualify or call into question the company’s compliance with the terms of the settlement;
- Disseminate the consent order to the company’s current and future principals, officers, directors and managers, and to all current and future employees, agents and representatives who have supervisory responsibilities relating to covered information; and
- Notify the FTC of changes in the company’s corporate status.
Action Item
As we often note on this blog, privacy enforcement activity is rising exponentially, whether in the format of state and federal regulatory actions, class action suits, media exposés or public admonitions by regulators. This enforcement activity presents a significant risk to companies whose business models rely heavily on the collection, use or disclosure of information associated with individuals. If your company has not already done so, now is the perfect time to review the company’s privacy and information security practices, conduct a privacy and information security assessment, and take steps to ensure that the company’s practices comply with the various privacy and information security requirements, including FTC guidance.
Cloud Providers Competing on Data Security & Privacy Contract Terms
I ran across an interesting article in PC World the other day concerning a head-to-head competition between Google Apps (Google's SaaS offering) and Microsoft's Office to provide certain day-to-day applications to the City of Los Angeles. The end result of this competition is that Google will be providing Google Apps (SaaS) to the City of Los Angeles (including at a minimum Gmail, Google Calendar, Google Talk, Google Docs, etc.). LA predicts that 60-80% of its staff will be able to utilize those apps (LA reportedly is not forcing its staff to abandon Microsoft Office, but will not buy any new Office licenses).
However, interesting from a legal and business point of view is the apparent importance of Google's contract terms in the City's decision to choose Google's Cloud over Microsoft's Office.
On that issue the PC World article reported the following:
Google moved early to make this a contest over which company offers the best contract terms and legal protections in cloud environments. The city of Los Angeles, which may be Google's marquee government user, has been frank in disclosing details of its agreement. By the end of June, Los Angeles expects to complete a transition of some 30,000 employees to Google Apps.
In a sense, Kevin Crawford, Los Angeles assistant director of IT, is Google's de facto public sector evangelist. He doesn't market Google directly, but he answers questions from many other local government and state officials who want specifics about the city's deal with Google. Indeed, at the SaaScon conference on cloud computing and software as a service here this week, Crawford has been peppered with questions about the contract terms.
Los Angeles has been frank about the contract, which includes unlimited damages for a data breach, provisions allowing audits, guarantees that the data remain in the contiguous 48 states, and penalties if Google's services are unavailable for any longer than five minutes a month.
The contract also gives the city the right to cancel its contract with Google "for convenience," Crawford said.
Moreover, the contract reportedly includes specific data security and privacy controls and requirements and "unlimited damages" if Google breaches confidentiality obligations:
Los Angeles spent months negotiating a contract with Google that includes a provision providing the city with unlimited damages if its nondisclosure agreement (NDA) is breached by Google, said Kevin Crawford, the assistant general manager of IT for Los Angeles and the person who is managing the transition. That clause aims to protect the city from a third party claim if personal data is released, said Crawford.
Crawford said the most important clause in the contract requires Google to encrypt the city's data and break it into pieces when it is at rest so that no one can get their hands on a full file. If a hacker somehow accesses a file, he will only see "a whole bunch of gibberish," Crawford said. The contract also bars Google from viewing any data without permission from the city.
Los Angeles data will be administered from inside LA's firewall by city staffers through an administrative console built by Google, said Crawford. "We have control of our portion of the data," he said.
Moreover, the data must remain on systems within the continental U.S. That can be verified via auditing by the city, Crawford added.
"We're going to have a more secure system than we have today," said Crawford, noting that Google personnel do more work on security "than we could ever afford to do."
The Information Law Group has previously discussed the importance of data security, privacy and compliance in the Cloud context. This situation seems to validate the premise that Cloud providers are going to (and willing to) compete on these issues and the contract terms that relate to them.
From the InfoLawGroup's own recent experience, data security and privacy terms (and associated indemnities and shifting of risk of loss) have become much more important in IT outsourcing arrangements (whether Cloud or "traditional"). Lately it seems that right after price and service description/promises, significant time, effort and expense are being expended drafting and negotiating data security and privacy terms. In fact, because of the complexity of security and privacy, and associated laws, in InfoLawGroup's recent experience, these terms can take more time to settle out than more "basic" contract terms. Overall, the key reality at this juncture is that there is significant financial risk associated with poor data security and privacy and related regulatory requirements. In many cases, in terms of pure dollar amount this risk can dwarf the value of the contract (or the savings of the contract) if favorable contract terms are not negotiated.
One thing to note, having reviewed the Google contract (and the related Computer Science Corporation contract), which can be found at the end of this report, the scope of Google's contractual promises may not be quite as clear cut as described by LA officials (a breakdown of the Google data security and privacy contract terms will be the subject of a second post on this issue).
What does this mean for customers entering into Cloud (or other outsourcing) contracts?
So what does this all mean to companies looking to go into the Cloud and hoping for contract arrangements that offer protection? A lot. Organizations are giving up a great deal of control when they outsource into the Cloud, and only good contract terms can compensate for that loss of control. Unfortunately, many companies are focused on basic contract terms like price and often find themselves in a "take it or leave it" position when it comes to data security and privacy terms. In terms of timing, lawyers working on these contracts often find that the service provider is more or less "locked in" at the point where data security and privacy contract terms are first addressed. Oftentimes competitors have been eliminated and are no longer in the picture, and as a result the customer has little leverage to negotiate more favorable terms.
To be in a better position to negotiate favorable data security and privacy terms the current leverage dynamic needs to change. This LA-Google situation is a very favorable sign that service providers, if handled properly, are willing to negotiate on these terms in order to win a contract. However, customers must realize that most service providers are not going to approach a contract this way unless the customer creates an environment that provides it with leverage. To achieve this customers looking to enter into IT outsourcing arrangements (Cloud or otherwise) should consider the following:
- Approach multiple vendors. In many cases the only viable threat a customer has is to walk away to a competitor. If no competitors are in the picture then there is no realistic threat and no leverage exists. The problem is that many companies are attracted to a specific vendor, or other vendors don't quite have the same service offering as the preferred vendor. Nonetheless, rather than becoming blindly enamored with a particular vendor, organizations would be well-served to find and look at competing offerings (at least to get some negotiating leverage against the primary vendor).
- Address these issues at the "Request for Proposal" phase. Price and service offering description are the key components that go into an RFP, but considering the material financial risk posed by data security and privacy, why shouldn't those terms be highlighted in an RFP as well? Rather than getting locked-in to a service provider after the RFP phase, it is better to lock the service provider into the data security and privacy terms you desire at the outset. This is the time when the providers will be hungry and more willing to concede on issues. The RFP should include the specific security and privacy requirements the organization desires, as well as specific contract language that should be included in the contract. For companies that do a lot of IT outsourcing, these documents can be standardized and simply plugged into the RFP (which also has the benefit of creating consistency across the organization). If you don't have an RFP process, then you should. Adding data security and privacy requirements (and contract language) changes the dynamic and makes the service provider compete on all aspects of the transaction.
- Keep competitors around. Rather than eliminating alternatives at the outset, keep other competitors around (even if their offering may not be 100% ideal). Again, the longer you can maintain your threat to walk away to a competitor, the stronger your position will be to achieve concessions. Moreover, the "less than ideal" competitors can start to look more attractive when your "ideal" service provider refuses to accept any responsibility for your data security or privacy.
- Pre-establish your positions and your fall-backs. It is important to predetermine your positions regarding data security and privacy risk and the contract terms your organization is willing to accept. Organizations that routinely enter into contracts implicating these issues should develop a security and privacy schedule that indicates specific controls that are required. The legal team should develop primary and secondary positions for confidentiality obligations, indemnification, limitations of liability, consequential damages disclaimers, compliance with privacy and security laws, and other related contractual requirements. These back-end contract terms can be folded into and made part of the RFP. They also provide for consistency across the organization and let the company understand and manage its exposure when using third parties to store, transmit or process data.
Conclusion
From the customer perspective, it is very encouraging to see a major Cloud provider willing to negotiate on data security and privacy contract terms in order to win business. However, it is likely that the result in this case was very much due to how Los Angeles handled the negotiation. Organizations that are concerned about these risks when they enter into the Cloud need to position their organization and the transaction in a manner that changes the leverage dynamic in their favor. Otherwise, they may find themselves at the end of a contract negotiation taking on enormous risk with little actual control over the risk.