FTC Proposes Revisions to COPPA Rule
On September 15, 2011 the FTC issued proposed revisions to the Children’s Online Privacy Protection Rule (the “COPPA Rule”), which imposes requirements on web sites that are directed at and/or collect personal information from children younger than 13 years old. According to the FTC, the revisions are to “ensure that the Rule continues to protect children’s privacy, as mandated by Congress, as online technologies evolve.” The proposed amendments would modify the Rule in five areas: definitions, parental notice, parental consent mechanisms, confidentiality and security of children’s personal information, and safe harbor programs. Each of these may have a significant impact on a company’s current online practices. In this post we summarize the proposed revisions.
Definitions
The FTC proposes to modify particular definitions to update the Rule’s coverage and to streamline the Rule’s language. The COPPA Rule requires websites and online services to obtain parental consent before collecting personal information from children. The FTC proposes to change the definition of “personal information” to include geolocation information, photos and videos containing a child’s image, audio files containing a child’s voice, and certain types of persistent identifiers used for functions other than, or in addition to, support for the internal operations of a website or online service. In addition, the FTC proposes to modify and streamline the definition of “collects or collection.” First, the FTC aims to clarify that the definition includes all means of passive online tracking, irrespective of the technology used. Additionally, the current definition of “collects or collection” includes enabling children to publicly post personal information (e.g., on social networking sites or on blogs), “except where the operator deletes all individually identifiable information from postings by children before they are made public, and also deletes such information from the operator’s records.” Instead of a “100% deletion standard,” the FTC is proposing a “reasonable measures” standard. This means that websites and online services will not be deemed to be “collecting” children’s personal information if they employ technologies “reasonably designed to capture all or virtually all personal information inputted by children.” This change is intended to lower the hurdle to websites’ development and to encourage the development of systems “to detect and delete all or virtually all personal information that may be submitted by children prior to its public posting.”
Parental Notice
COPPA requires that websites and online services notify parents of their online information practices in two ways: on the website or online service (usually in a privacy policy), and in a “direct notice” delivered to a parent whose child seeks to register on the site or service. The FTC proposes to revise the notice requirements to reinforce COPPA’s goal of providing complete and clear information in the direct notice, and to rely less heavily on the online notice or privacy policy as a means of providing parents with information about operators’ information practices.
Parental Consent
Central to COPPA is the requirement that websites and online services must obtain parental consent before collecting, using, or disclosing children’s personal information. The FTC proposes to add several new methods to obtain parental consent to the Rule’s current list, including “electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s ID is deleted promptly after verification is done.” The FTC also proposes to remove the “e-mail plus” method of parental consent because it “has inhibited the development of more reliable methods of obtaining verifiable parental consent.”
Confidentiality and Security Requirements
To strengthen the Rule’s confidentiality and security requirements, the FTC proposes to require websites and online services to ensure that any service providers or third parties to whom they disclose a child’s personal information have in place reasonable procedures to protect the information. Additionally, the FTC proposes to add a new data retention and deletion provision. The new provision requires websites and online services to retain children’s personal information for only as long as is reasonably necessary to fulfill the purpose for which the information was collected. The new provision also requires websites and online services to delete children’s personal information by taking reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.
Safe Harbors
The COPPA statute established a “safe harbor” for participants in Commission-approved COPPA self-regulatory programs. The Rule provides that websites and online services fully complying with an approved safe harbor program will be “deemed to be in compliance” with the Rule. The FTC proposes to strengthen its oversight of self-regulatory safe harbor programs by mandating that, at a minimum, safe harbor programs conduct annual reviews of each of their members’ information practices and periodically report the results to the FTC.
Although the proposed amendments expand and clarify the Rule in several ways, the breadth of COPPA’s coverage remains unclear. For example, the FTC has indicated it will continue to consider whether short message services and multimedia messaging services are covered by COPPA.
The FTC is seeking comments on the proposed revisions, which are due on or before November 28, 2011.
Capitalizing on Privacy Practices - Study Indicates Consumers Will Pay for Privacy
Consumers are more likely to purchase products from online retailers who are protective of consumer privacy, according to researchers at Carnegie Mellon University. The study, entitled “The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study,” found that the availability and accessibility of information regarding online retailers’ privacy practices can affect consumers’ decisions to purchase products online. Interestingly, in contrast to the commonly held view that consumers are unlikely to pay for privacy, the study indicates that “when privacy information is made more salient and accessible, some consumers are willing to pay a premium to purchase from privacy protective websites.” The study is consistent with our discussion in a previous post of the “privacy by design” framework. As we discussed, businesses that build privacy into the design of their products and services are less likely to face consumer and regulatory backlash or incur the costs of remediation. Yet businesses may benefit in another way from protective and consumer-friendly privacy practices - the results of this recent study indicate that such practices may be leveraged as a selling point.
The Experiment
Many websites use machine-readable codes that tell a browser their privacy policies - such as whether a website sends cookies and with whom the website shares personal information gained from those cookies. Websites commonly use Platform for Privacy Preferences (P3P) compact policy “tokens” such as “NID” (no identified user information collected), which represent a standardized privacy expression defined in P3P specifications. The authors of the study used a modified version of Privacy Finder, a search engine that annotates a user’s Google or Yahoo! search results with “privacy meter” icons. Privacy Finder generates these icons through an automated analysis of the P3P policies of the websites a user visits. These icons graphically represent how well a website’s privacy policy matches preferences specified by the user. The authors configured their search engine to calculate privacy warnings based on a website’s sharing of personal financial information, purchase information, or personally identifying information; a website’s refusal to allow a user to remove the user’s personal information from marketing lists; and a user’s inability to view her personal information on a website.
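As an added illustration (not code from the study or from Privacy Finder), the block below parses a P3P compact policy string of the kind sent in a site's CP= header and derives the warning categories the paragraph lists. The token vocabulary is the P3P 1.0 compact-policy one; the mapping from tokens to warnings, the treatment of any recipient beyond the site and its delivery agents as "sharing", and the three-level meter are this example's own assumptions, since a compact policy does not tie data categories to recipients.

```python
import re

# P3P 1.0 compact-policy token families (three uppercase letters, optional
# qualifier on purposes/recipients: a = always, i = opt-in, o = opt-out).
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
            "CON", "HIS", "TEL", "OTP"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
              "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}

TOKEN = re.compile(r"^([A-Z]{3})([aio]?)$")


def parse_compact_policy(cp):
    """Split a CP= value into {token: qualifier}.

    The qualifier is 'a', 'i', 'o' or '' (no qualifier, which the P3P spec
    treats as 'always' for purposes and recipients).
    """
    tokens = {}
    for raw in cp.strip().strip('"').split():
        m = TOKEN.match(raw)
        if not m:
            raise ValueError(f"malformed P3P compact-policy token: {raw!r}")
        tokens[m.group(1)] = m.group(2)
    return tokens


def privacy_warnings(cp):
    """Return the warning categories the study's search engine flagged.

    Assumption (this example's, not the study's): 'sharing' means a data
    category token appears alongside a recipient other than the site itself
    (OUR) or its delivery agents (DEL).
    """
    t = parse_compact_policy(cp)
    warnings = []
    third_party = {"SAM", "UNR", "PUB", "OTR"} & t.keys()
    if third_party:
        if "FIN" in t:
            warnings.append("shares financial information")
        if "PUR" in t:
            warnings.append("shares purchase information")
        if {"PHY", "ONL"} & t.keys():
            warnings.append("shares personally identifying information")
    # CON (contacting the user) and TEL (telemarketing) are the marketing
    # purposes; only an 'i' or 'o' qualifier gives the user a way out.
    if any(t[p] in ("a", "") for p in ("CON", "TEL") if p in t):
        warnings.append("no opt-out from marketing contact")
    # NON: the site grants no access to the identified data it holds.
    if "NON" in t:
        warnings.append("user cannot view personal information held")
    return warnings


def privacy_meter(cp):
    """Collapse the warning count into a three-level icon (assumed thresholds)."""
    n = len(privacy_warnings(cp))
    return "high" if n == 0 else ("medium" if n <= 2 else "low")


if __name__ == "__main__":
    # Constructed sample policies, not taken from any real site.
    for sample in ('NOI DSP COR NID ADMa DEVa OUR NOR',
                   'CAO DSP COR CURa ADMa DEVa TAIa CONa TELa OUR UNR '
                   'PHY ONL FIN PUR NAV DEM STA',
                   'NON DSP COR CURa ADMa CONo OUR STP'):
        print(privacy_meter(sample), privacy_warnings(sample))
```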
Three groups of participants (two control groups and one test group) using the modified search engine were told to search for products online and purchase those products using their own credit cards. All participants were instructed to purchase both an eight-pack of Duracell AA batteries and the “Pocket Rocket Jr.,” a vibrating sex toy. Both products average about $15 including the cost of shipping and are widely available online. One control group did not see any privacy meter icons when they searched for the products to purchase. The other control group saw the icons, but was told that the icons merely indicated websites’ “handicap accessibility” - a characteristic chosen as a control condition because it’s considered to be generally irrelevant to most online consumers. The test group saw the icons and was told that the icons indicated the degree of websites’ privacy protections. All participants in the study could access merchants’ privacy policies by clicking on privacy policy links displayed on the websites they visited.
The results of the study offer new insight into consumers’ valuations of personal data and online behavior. Control group participants generally purchased their products from the websites offering the lowest prices. In contrast, test group participants - who saw the privacy meter icons and knew that the icons represented the level of privacy protections utilized by the websites - were more likely to make purchases from websites offering medium or high levels of privacy, even if those sites charged higher prices for identical products. Additionally, participants demonstrated that they would spend an average of 59 to 62 cents more to buy the same product from websites offering stronger privacy protections.
The Take Away
How can businesses capitalize on these findings? The study suggests that businesses that incorporate "privacy by design" into their online business models help promote greater consumer awareness of and control over personal information, attracting privacy-conscious consumers. Developing and implementing a website privacy policy is one aspect of the “privacy by design” framework – how a business collects and handles data online is more transparent with a privacy policy in place. While displaying a privacy policy is a good first step toward transparency, 70% of people surveyed by the Annenberg Public Policy Center of the University of Pennsylvania disagreed with the statement that “privacy policies are easy to understand.” Accordingly, if a merchant seeks to promote its online privacy practices in order to boost sales, consumers must be able to identify and understand the merchant’s privacy practices for those practices to affect consumer behavior. Typically, however, online merchants display only small links to their privacy policies at the bottom of their websites. As such, privacy policies are often overlooked by consumers. Recently, the Federal Trade Commission and consumer advocacy groups have been advocating just-in-time notice as a means of making information about privacy practices more transparent and accessible to consumers. The results of the Carnegie Mellon study seem to confirm the benefits of this approach. The study indicates that purchasing decisions may be affected when privacy practices are presented to consumers in a user-friendly fashion when they are browsing online.
The study also suggests that businesses “may use technological means to showcase their privacy-friendly privacy policies and thereby gain a competitive advantage” and “maximize profits.” Specifically, “if the adoption of P3P increases, businesses protective of customer privacy may be able to attract consumers by posting their P3P policies and signaling good privacy practices.”
FTC's Report on Privacy Sets Forth Framework for Consumers, Businesses and Policymakers
On December 1, 2010, the Federal Trade Commission issued a preliminary report entitled “Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policymakers”. The report proposes a framework to balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services.
The FTC developed the proposed framework in recognition of increasing advances in technology that allow for rapid data collection and sharing that is often invisible to consumers. The framework is designed to reduce the burdens of protecting online privacy on consumers and businesses. The report is intended to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines.
Building on the FTC’s guidance on behavioral advertising, the proposed framework seeks to further expand the scope of protected data beyond the traditional notions of “personally identifiable information.” Specifically, the proposed framework would apply broadly to online and offline commercial entities that collect, maintain, share or otherwise use consumer data that can reasonably be linked to a specific consumer, computer or device.
In developing the proposed privacy framework, the FTC observed that:
- there is ubiquitous collection and use of consumer data online;
- the distinction between personally identifiable information and anonymous or de-identified information is blurring;
- the increased flow of information, including consumer data, creates significant economic benefits;
- the FTC’s existing “notice-and-choice” model of privacy protection has led to companies publishing privacy policies and notices that are long, legalistic disclosures that consumers usually do not read and do not understand;
- current privacy policies force consumers to bear too much burden in protecting their privacy;
- the FTC’s existing “harm-based model” of privacy protection, while focusing on protecting consumers from specific harm (e.g., physical or economic) has failed to recognize less tangible privacy concerns such as reputational harm or the fear of being monitored;
- both of the FTC’s privacy protection models (“notice-and-choice” and “harm-based”) have failed to keep up with data collection technology, including data collection that is invisible to consumers and website owners;
- industry efforts to address privacy through self-regulation have been “too slow” and have failed to provide adequate and meaningful protection to consumers;
- some companies manage consumer information in an irresponsible and even reckless manner, and many companies do not adequately address consumers’ privacy interests;
- many consumers are not informed about or cognizant of the risks associated with the collection, sharing and other use of their personal information; they lack understanding and ability to make informed choices about the collection and use of their data.
To reduce the burden on consumers and ensure basic privacy protections, the report makes a number of recommendations, which are summarized below.
1. Privacy by Design
The report recommends that companies adopt a “privacy by design” approach by building privacy protections into their everyday business practices. Such protections include reasonable security for consumer data, limited collection and retention of such data, secure disposal of the data and reasonable procedures to promote data accuracy. Companies also should implement and enforce procedurally sound privacy practices throughout their organizations, including assigning personnel to oversee privacy issues, training employees and conducting privacy reviews for new products and services. The report calls for companies to implement these concepts in a systematic manner, scaled to each company’s business operations, including the amounts and types of data the organization processes.
2. Notice
The report calls on companies to improve their privacy policies and notices so that interested parties can compare data practices and choices across companies. For example, to facilitate meaningful choice, the FTC is recommending just-in-time concise notice and choice at the data collection point or before a consumer accepts a product or service. The FTC believes that privacy policies will continue to play an important role in promoting transparency, accountability and competition among companies on privacy issues – but only if the policies are clear, concise and easy to read. The report also recommends consideration of standardized privacy notices that allow consumers to compare information practices of competing companies. Finally, the FTC has reminded organizations that they must provide robust notice regarding material, retroactive changes to data practices and obtain affirmative consent to such changes.
3. Choice, Including a Do-Not-Track Mechanism
The report calls for companies to provide choices to consumers about companies’ data practices in a simpler, more streamlined manner than has been used in the past. Consumers should be presented with choice about collection and sharing of their data at the time and in the context in which they are making decisions – not after having to read long, complicated disclosures that they often cannot find. The report suggests that, to simplify choice for both consumers and businesses, companies should not have to seek consent for certain commonly accepted practices associated with processing consumers’ transactions, internal business operations (such as improving services), fraud prevention, legal compliance and first-party marketing. Some of these data uses are apparent in the context of the transaction, while others are accepted or necessary for public policy reasons. For data practices that are not commonly accepted or necessary, consumers should be able to make an informed and meaningful choice. The FTC used the report to remind organizations that they must obtain affirmative consent for material, retroactive changes to their data practices.
One method of simplified choice the FTC has recommended is a “Do Not Track” mechanism governing the collection of information about consumers’ Internet activity to deliver targeted advertisements and for other purposes. The FTC has recommended a simple, easy-to-use choice mechanism for consumers to opt out of the collection of information about their Internet behavior for targeted ads. The FTC believes that a practical solution is technologically feasible and suggests that the most practical method could involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted advertising.
4. Access
The report recommends allowing consumers “reasonable access” to the data that companies maintain about them, particularly for non-consumer facing entities such as data brokers. Because of significant costs associated with access, the report suggests that access should be proportional to both the sensitivity of the data and its intended use.
We note that the data access principle, although novel in the U.S., is a well-established requirement in the European Union and some other jurisdictions that have adopted omnibus data protection regimes. In addition, providing reasonable access to personal data is one of the seven privacy principles mandated by the EU-U.S. and Switzerland-U.S. Safe Harbor programs. Accordingly, many U.S. entities that have certified compliance with the Safe Harbor are already complying with the data access requirement with respect to personal data they receive from Europe.
5. Privacy Awareness
The FTC has proposed that stakeholders undertake a broad effort to educate consumers about commercial data practices and the choices available to them. The FTC believes that increasing consumers’ understanding of commercial data collection practices will facilitate competition on privacy among companies.
6. Enforcement
The FTC reiterated its resolve to take action against companies that “cross the line” with consumer data and violate consumers’ privacy – especially when children and teens are involved. The Commission also made clear that consumers’ choices should be respected. The FTC will not tolerate use of technology to circumvent consumer choice.
In issuing the report, the commission posed a series of questions to privacy stakeholders. The deadline for submitting comments to the FTC is January 31, 2011. The questions concern the scope of the companies and data to which the framework should apply; the substantive privacy protections the framework offers; data management procedures; practices that should require meaningful choice; the “do-not-track” proposal; transparency of privacy practices and improvement of privacy notices; data access; and consumer education.
Please check back with us as we address the report in more detail in the coming days.
David Vladeck Previews FTC's Report on Online Privacy
Speaking this morning, David Vladeck, Director of the FTC’s Bureau of Consumer Protection, discussed some of the major points of the Commission's upcoming report on online privacy. Mr. Vladeck said that the FTC's report will set out strategies for reducing the daunting burden consumers currently are facing in safeguarding their online privacy.
Here are some of the major points the report is expected to raise:
- Implementation of privacy by design; building privacy choices and technology into products and services as they are developed
- Transparency of privacy practices and consumer privacy notices; providing short, precise notices at the data collection point
- Simplification of consumer choices; making the choices meaningful
- Simplification of consumer choices through a one stop shop for opting out of marketing or tracking (the FTC distinguishes between tracking and targeting); Mr. Vladeck believes there are technological means to implement this option, but the FTC does not have the authority to mandate such a system without Congressional action
- Respect for consumers' choices; the FTC will not tolerate use of technological means to circumvent consumer choice
- Encouraging competition on privacy by enabling consumers to compare privacy practices of competing websites
- Strong protection for sensitive data, such as children's information, geo-location data and other information
- Giving consumers access to their data; access is an important ingredient in privacy accountability
- Focus on consumer and business education about privacy
Mr. Vladeck encouraged privacy stakeholders to answer questions that the FTC’s report will pose and provide other comments. The deadline for comments will be January 31, 2011.
Check back with us later today for a detailed analysis of the FTC’s report.
Privacy News Round-Up: Lessons Learned
Several important privacy issues were in the news in the first half of this week. Here's our take on these stories, which covered online data collection, employee privacy and legislative and regulatory debates about the future of online privacy.
On November 6, 2011, the Wall Street Journal reported that major websites are taking steps to control and limit tracking of their visitors by third parties. The sites' goal is to both mitigate the privacy risks associated with such third party tracking and to capture the revenue that could be derived from their users' data. A study cited in the article estimated that a sample of 50 popular U.S. websites is losing at least $850 million in revenue to third parties that collect and sell users' data without the sites' knowledge. The study also found that nearly a third of the tracking tools operating on the 50 sites are unauthorized. As the recent Facebook controversies demonstrate, clandestine or unauthorized use and collection of users' data may cause reputational harm to the sites, and not every company is able to withstand revelations of inappropriate data use as well as Facebook can.
There are more than a few examples of Internet ventures that were torpedoed by privacy blunders. In addition to the potential for reputational harm, Internet sites may face legal risks arising from representations they make in their online privacy policies. The Federal Trade Commission (FTC) has brought enforcement actions for privacy violations under Section 5 (which deems unfair or deceptive acts or practices unlawful), including in connection with statements in privacy policies that were inaccurate. In addition, many jurisdictions outside the U.S. impose myriad requirements with respect to privacy disclosures to consumers. Our takeaway from the story is to emphasize the importance for businesses of understanding and controlling how their websites collect, use and share personal data, and ensuring that the sites' consumer-facing privacy policies accurately reflect the company’s practices.
Our next story takes on the issue of employee privacy in the digital age. On November 8, 2010, the New York Times reported that the National Labor Relations Board (NLRB) filed an administrative complaint against an employer, alleging that the company violated an employee's federal rights by firing her for criticizing her manager on her Facebook page. The NLRB argues in the complaint that employees have a right to criticize their employers, management or working conditions, and cannot be punished for engaging in this protected activity. While the terminated employee was a union member, the NLRB asserts that this right to criticize is equally applicable to nonunion employees because it is an extension of the federal right to discuss unionization and form unions. The NLRB's complaint is set to go before an administrative judge in January of next year, but any result can be contested before an appellate board and in federal courts. Still, while this proceeding is pending, the complaint itself may serve as a rude awakening to many employers who have been implementing increasingly stringent policies regarding employees' use of social media and behavior outside of the workplace. In this case, the employer's policy was rather extreme; it barred employees from depicting the company "in any way" on Facebook or other social media sites where the employees posted their pictures or from making disparaging or discriminatory comments when discussing the employer or management. Of course the right to talk about employers on the web or outside of work is not absolute. For example, if an employee lashes out against a supervisor, but is not communicating with employees in doing so, the activity may not be protected (in this case, other employees participated in the Facebook discussion of the former employee's manager). In addition, making false, defamatory statements about the employer or disparaging remarks unrelated to work (for example, about a supervisor's family or personal life) is likely not protected by federal law. The lesson from this story is that the NLRB appears to be taking a more active role in protecting employee privacy, and employers are well-advised to carefully review and consider revising their social media and employee conduct policies to ensure consistency with federal law and NLRB guidance.
The final story comes from the New York Times and Politico today on legislative and regulatory developments (and disagreements) regarding regulation of online privacy. The New York Times is predicting a battle among the industry, privacy advocates, legislators and the administration on how to regulate online privacy. Industry representatives are not necessarily opposed to all regulation, but argue that targeted ads and competition among advertisers are good for the economy. They do not believe that a “do not track” list that would allow Internet users a single point for opting out of being tracked online for advertising purposes is necessary for protecting web users' privacy. On the regulatory front, the FTC and the Commerce Department are set to release their independent reports on online privacy. Commerce will likely favor self-regulation, while the FTC is likely to argue for a "do not track" option. The White House has set up its own panel that will look into balancing consumer protection with making U.S. companies more competitive overseas. Not to be outdone, as Politico reports, Congress is planning to convene a hearing on online privacy in early December. The discussion will address the idea of a "do not track" list and other options for regulating online privacy. Finally, privacy advocates are concerned that the regulatory and legislative battles will produce rules that do not fully protect the interests of consumers. We realize that business can't wait for these debates to be resolved. Our recommendation is that businesses build privacy and information security into their products and services and follow industry best practices. Privacy is good for business, and being proactive about privacy and information security helps a business control the story of how it is portrayed in the media and by regulators. There is no reason to be afraid of privacy. Privacy does not mean not using personal information; it means using the information in a fair and transparent manner.
If you would like to read our take on other privacy news, don't hesitate to let us know by posting a comment on the blog, emailing bsegalis@infolawgroup.com or on Twitter @InfoLawGroup.
Are We Living in a Post-Disclosure, Opt-In World?
Today's New York Times Media Decoder Blog features an "on-the-record" discussion with Federal Trade Commission chairman Jon Leibowitz and Bureau of Consumer Protection chief David Vladeck. The question presented: "Has Internet Gone Beyond Privacy Policies?" The FTC (and Congress, for that matter) continue to signal that change may be imminent in the world of online privacy policies and traditional notions of opt-out consent.
The dilemma remains - if consumers don't want to read privacy policies, what would constitute true notice and consent? And, in the Web 2.0 world with consumers' insatiable appetite for on-demand, customized and interactive content, how can that process be handled in a manner that is both meaningful and consumer-friendly? What do consumers really want? And are their expectations regarding privacy simply inconsistent with the modern realities of social networking? Just yesterday, the blogosphere was abuzz with news of the Facebook CEO's comments at the Crunchies Awards that "[p]eople have really gotten comfortable sharing more information and different kinds but more openly and with more people."
At the end of the day, the real question (and answer) may have more to do with what constitutes "personal information," what consumers "reasonably" expect in today's world, and whether the sharing and use of certain kinds of information should be regulated.
In our current legal structure, even though such information flows around the world at breakneck speed, the definition of personal information ultimately depends on where you reside - and that, in turn, has grown out of social and cultural expectations. In the United States this has traditionally meant information that can be used to identify and victimize you (i.e., identity theft) - Social Security number, financial account number, and now, to a growing extent, medical information - although, in some new state statutes, the definition is much more broad. In Europe, the answer, for cultural and historical reasons, continues to be much more expansive, encompassing just about anything that can identify an individual.
So when an individual shares information on Facebook about his or her favorite music, or holiday plans, or the color of a piece of clothing, does that constitute "personal information"? What are consumers' reasonable expectations about how that information, if disclosed publicly - or not so publicly (e.g., to one's "friends") - should be used? And should the government regulate the sharing and use of such information by data brokers, social networks, cloud computing vendors, and advertisers?
Last year, the FTC introduced self-regulatory principles for behavioral advertising, but issued a warning that advertisers had one last chance before the FTC would take further steps to regulate. Has that time come? Mr. Vladeck told the New York Times today that the FTC will issue a report in June or July. Chairman Leibowitz said:
I have a sense, and it’s still amorphous, that we might head toward opt-in.
What would such opt-in look like and how would it operate? Is any opt-in solution manageable in the online world? Can any proposed model keep up with rapid changes in technology and consumer expectations? And will this focus on online privacy issues affect and/or eclipse the progress of the many pending federal data security and breach notification bills?
We shall see.