FTC Settles Charges Against Kids' Apparel Brands for Alleged COPPA Violations
Remember Candie's shoes and Op shorts? The FTC announced yesterday that it has settled charges against Iconix Brand Group, the owner, licensor, and marketer of popular kids' apparel brands such as Candie’s, Op, Mudd, and Bongo, for allegedly violating the Children's Online Privacy Protection Act (COPPA). Among other things, Iconix will pay a $250,000 civil penalty. The FTC filed its complaint and submitted its consent decree and order for approval yesterday in the Southern District of New York.
The FTC charged Iconix with knowingly collecting personal information from approximately 1,000 children since 2006 without obtaining prior parental consent, and failing to delete the information. The FTC claimed that Iconix required consumers to provide personal information such as name, e-mail address, zip code, and in some cases mailing address, gender, phone number, and date of birth, in order to receive brand updates, enter sweepstakes contests, and participate in interactive brand-awareness campaigns and other Web site features. The FTC further charged Iconix with posting a privacy policy that falsely stated that it would not seek to collect personal information from children without obtaining prior parental consent and would delete any such information about which it became aware. Specifically, the privacy policy stated as follows (after the jump):
"We do not seek to collect personally identifiable information from persons under the age of 13 without prior verifiable parental consent. If we become aware that we have inadvertently received such information online from a child under the age of 13, we will delete it from our records. If you are under the age of 13, please do not submit any personally identifiable information to us. If you are the parent or guardian of a person under the age of 13 who has provided personally identifiable information to us, please inform us by contacting us at info@iconixbrand.com and we will remove such information from our database. If you are concerned about your children's use of the Site, you may use web filtering technology to supervise or limit access to the Site."
In addition to the $250,000 penalty, pursuant to the settlement, Iconix must, among other things, delete all personal information collected and maintained in violation of COPPA, distribute the settlement order and the FTC’s “How to Comply with the Children’s Online Privacy Protection Rule” to company personnel, and link to the FTC's www.OnGuardOnline.gov Web site on any Iconix Web site that collects or discloses children’s personal information and on any Iconix site that offers the opportunity to upload writings or images, create publicly viewable user profiles, or interact online with other Iconix site visitors.
Of course, this is not the first time the FTC has brought and settled COPPA charges. There have been more than a dozen COPPA enforcement cases, the most notable being a 2008 $1 million settlement with Sony BMG and a 2006 $1 million settlement with Xanga.
The FTC's most recent COPPA enforcement action is another reminder of (a) the importance of posting a privacy policy that accurately reflects a company's practices with respect to children's (and others') personal information; and (b) the need for legal, marketing, and IT to work hand-in-hand in developing kid-friendly and compliant online campaigns.
Welcome! The InformationLawGroup is Here
We are thrilled to announce the official launch of the InformationLawGroup!
The InformationLawGroup is a group of attorneys that love the law and technology. We concentrate on legal issues concerning privacy, data security, information technology, e-commerce and intellectual property. We are a full service firm addressing a broad spectrum of matters, including transactions, compliance, breach notice and incident response and litigation.
We come together today after many years in large law firm and in-house roles. We are seasoned attorneys, including former “BigLaw” lawyers, smaller practitioners with clearly defined expertise and reputation in the field, and former in-house lawyers with specific information law experience and talent. These factors result in greatly increased efficiency and better results at a significantly lower price for the firm’s clients.
So who are we? Read more after the jump.
Tanya Forsheit. Litigation is my first professional love, and privacy and data security are a close second. Prior to founding the InformationLawGroup, I was the Co-Chair of Proskauer Rose LLP’s Privacy and Data Security practice group, where I launched the firm’s Privacy Law Blog in 2007. I work with clients to address legal requirements and best practices for protecting customer and employee information. I also have extensive experience handling complex commercial and appellate litigation for corporate and individual clients before federal and state courts. In 2009, I was honored to be named one of the Daily Journal’s Top 100 women litigators in California. I am First Vice President of the Women Lawyers Association of Los Angeles, I sit on the Executive Committee of the Los Angeles County Bar Association Entertainment and Intellectual Property Section, and I am co-chair of the American Bar Association’s Information Security Committee Cloud Computing Law Working Group.
David Navetta. Dave has over 12 years of legal experience, including in the areas of information security and privacy contract and policy drafting, breach notice legal services, risk management consulting and regulatory compliance. Prior to starting his own firm, InfoSecCompliance LLC in 2005, he worked as an assistant general counsel for a major insurer’s eBusiness risk group, where he analyzed and forecasted information security, privacy and technology risks and drafted policies to cover such risks. He was a litigator at the Chicago office of an international law firm prior to going in-house. He currently serves as a Co-Chair of the ABA’s Information Security Committee, and is also Co-Chair of the PCI Legal Risk and Liability Working Group. Dave is now working on a book concerning PCI contracting.
Scott Blackmer. Scott has practiced information technology law since 1982. He has been listed in several peer-reviewed directories of prominent IT lawyers, including the Legal Media Group’s Guide to the World’s Leading Technology, Media & Telecommunications Lawyers. Formerly a partner in the Washington, D.C., and Brussels offices of WilmerHale, Scott serves on the executive management team of the First Law International legal network in Brussels. He also consults on privacy, data protection and security issues in association with HR Privacy Solutions in New York and Jeitosa Group International in San Francisco. He also serves as general counsel to the Trusted Computing Group, XDI.org, and OpenID Foundation, and he counsels other industry associations, corporations and entrepreneurs. He has advised federal and state agencies as well as the European Commission on privacy and security issues, and he currently serves as a privacy advisor to the U.S. Social Security Administration. Scott also arbitrates Internet domain name disputes brought before the World Intellectual Property Organization (WIPO) in Geneva. Over his long career, he has worked on transactions and licensing, compliance issues, litigation, and arbitration matters in over 100 countries.
All three of us frequently speak and write on privacy and data security issues. Dave and I are both Certified Information Privacy Professionals through the International Association of Privacy Professionals.
We have successfully served a diverse range of clients: from large Fortune 500 multinationals and name-brand traditional brick-and-mortar companies, to small start-ups and technology service providers. Our law practice uses an integrated approach combining technology and administrative controls, legal compliance, contractual vendor management and risk.
We look forward to meeting you soon!
Highlights of the FTC's Self-Regulatory Principles for Online Behavioral Advertising
Earlier this year the Federal Trade Commission released an FTC Staff Report entitled "Self-Regulatory Principles for Online Behavioral Advertising" (the "Report"). The Report arose after over a year of public comments and debate by both marketers and consumer privacy advocates. The Principles allow for a self-regulatory approach that purportedly strikes a balance between marketing innovation and consumer benefits, and protecting consumer privacy. The following is a summary of some of the key points of the report on the Principles.
What is online behavioral advertising?
The Report defines online behavior advertising as: the tracking of a consumer's online activities over time - including the searches the consumer has conducted, the web pages visited, and the content viewed - in order to deliver advertising targeted to the individual consumer's interests. For example, "cookies" are often used by some companies to track the websites that users visit while browsing the Internet. A user purchasing a plane ticket to New York on a website might have an advertisement for a New York hotel presented to him on a different website after making the purchase. The information collected for online behavior advertising may not involve personally identifiable information (e.g. name, address, account numbers, etc.), but rather often includes information that associates users with a particular computer or device (e.g. IP address).
The FTC, however, makes a distinction between certain types of behavioral advertising, including "first party" behavior advertising and contextual advertising. First party behavior advertising is the tracking of consumer activities by and at a single website with no sharing of the behavior data with a third party. Contextual advertising is advertising based on a consumer's current visit to a single web page or a single search query that involves no retention of consumer data beyond that necessary for the immediate delivery of the ad or search result. In general, the FTC believes that these types of advertising are less invasive and that the Principles should not apply to these practices.
What are the principles for online behavioral advertising?
The proposed Principles include four governing concepts:
(1) Transparency and consumer control: Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers' activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers' interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option. Where the data collection occurs outside the traditional website context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy-to-use, etc.).
(2) Reasonable security, and limited data retention, for consumer data: Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with data security laws and the FTC's data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company's business operations, the types of risks a company faces, and the reasonable protections available to a company. Companies should also retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.
(3) Affirmative express consent for material changes to existing privacy promises: As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use previously collected data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.
The FTC noted, however, that the material change principle is limited to changes that are both material and retroactive. Depending upon a company's initial privacy promises, a material change could include, for example: (i) using data for different purposes than described at the time of collection, or (ii) sharing data with third parties, contrary to promises made at the time of collection. A retroactive change is a change in a company's policies or practices that a company applies to previously collected data.
(4) Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising: Companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.
What is "affirmative express consent"?
While the report does not define affirmative express consent or specify the mechanism for obtaining such consent, most commentators agree that this standard amounts to an "opt-in" requirement for material changes (see the third principle) and use of sensitive information for behavior advertising. In other words, there must be some sort of affirmative action taken to obtain consent (e.g. pre-checked boxes that need to be unchecked are not likely to work).
What should companies do to address these new principles?
First, companies must determine whether they actually engage in online behavior advertising. Many companies may track their customers' behavior within the company's own website or serve ads based on keyword searches, both of which appear to be exempt from the principles. If a company does engage in online behavior advertising it should review its privacy policy to determine how (and if) those practices are described to consumers, and whether appropriate notice is provided or consent obtained. It may be necessary to update those privacy policies or modify practices to fall in line with the stated principles.
Significantly, the Report indicates that the FTC will continue to be heavily involved in this area, including potentially, regulatory actions:
During the next year, Commission staff will evaluate the development of self-regulatory programs and the extent to which they serve the essential goals set out in the Principles; conduct investigations, where appropriate, of practices in the industry to determine if they violate Section 5 of the FTC Act or other laws; meet with companies, consumer groups, trade associations, and other stakeholders to keep pace with changes; and look for opportunities to use the Commission's research tools to study developments in this area.
Sears Privacy/Security Double Whammy.
After the resolution of some aspects of the TJX matter in 2007, it looks like another huge retailer has stepped on the privacy/security porcupine for 2008.
Privacy: Sears is suffering some bad press for allegedly placing "spyware" on its customers' computers that allows Sears (and Kmart) to track their Internet usage, including websites visited, searches engaged in and the headings of emails (click here for story).
Security: In addition, Sears has been sued in a $5 million class action for an alleged security breach related to its managemyhome.com website. Apparently, the website allowed any user to type in a customer's name, address and phone number (or some combination thereof) and get a complete history of that customer's purchasing history at Sears (click here for story).
So, question to my readers, in the ever-increasing world of e-commerce, how much tracking of customer behavior/Internet usage is too much? And when should it be permissible (if ever) to engage in the type of activity Sears was engaged in?
P.S. Copy of the complaint can be found here.
TJX -- Banks' Motion for Class Certification Denied
This is the court's decision denying class certification by the banks suing TJX. Have not fully read through it, but interestingly it appears that the nature of the negligent misrepresentation claim (e.g. the reliance requirement) is one of the reasons that class cert. was ruled inappropriate.
What You Don't Know Just Might Hurt You.
"As we know, there are known knowns. There are things we know we know. We also know there are known unknowns. That is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know."
--Donald Rumsfeld, Feb. 12, 2002
Regardless of what one thinks of Donald Rumsfeld's tenure as Secretary of Defense, these words hold a pearl of wisdom that applies to organizations struggling to comply with privacy and security laws. One of the major difficulties for modern organizations working with private personal information is simply knowing what privacy and security laws apply to their operations. This problem is exacerbated by the fact that, even for smaller- and medium-sized organizations, modern commerce often involves transacting with consumers in multiple legal jurisdictions (e.g. local, State, Federal and international). In short, since privacy and security laws from several jurisdictions may apply, it is highly likely that a lot of "unknown unknowns" exist, which can cause adverse impacts. This month's newsletter explores an instance where unknown unknowns may have come into play in the privacy context, and how organizations can begin to address the problem.
Too Much Information?
FACTA Credit Card Receipt Class Action Suits a Cause for Serious Concern.
In what appears to be a classic case of "unknown unknowns," a rash of over 100 class action lawsuits have been filed in California alleging violation of the Fair and Accurate Transaction Act of 2003 ("FACTA"). Section 15 U.S.C. § 1681c(g) of FACTA limits the information that can be printed on an electronically printed credit card receipt to the last five digits of the credit card number, and specifically prohibits printing a credit card's expiration date on the receipt. Organizations were provided with a three-year grace period to comply with this Federal law (December 4, 2006 was the first date that compliance was required).
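The receipt rule described above (last five digits at most, no expiration date) is easy to state and easy to check mechanically. The following is an added example, not code from the post or from any of the companies named, showing both sides of it: a receipt renderer that masks the account number and omits the expiry, and an audit routine that scans receipt text a point-of-sale system is about to print and flags a full card number or an expiration date. The `CardReceipt` class, the sample receipt values and the regular expressions are all constructed for this example; the Luhn check is used only to keep order numbers and other long digit runs from being reported as card numbers.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample receipt record (not from the post).
@dataclass
class CardReceipt:
    merchant: str
    amount_cents: int
    pan: str      # full primary account number, held only in memory
    expiry: str   # "MM/YY"; deliberately never rendered


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; lets the audit tell a card number from an order number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep: int = 5) -> str:
    """Keep at most the last `keep` digits (FACTA allows five) and mask the rest."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= keep:
        raise ValueError("PAN too short to mask")
    return "*" * (len(digits) - keep) + digits[-keep:]


def render_receipt(r: CardReceipt) -> str:
    """Text handed to the receipt printer: masked PAN, no expiration date."""
    lines = [
        r.merchant,
        f"TOTAL ${r.amount_cents // 100}.{r.amount_cents % 100:02d}",
        f"CARD {mask_pan(r.pan)}",
    ]
    return "\n".join(lines)


# 13-19 digit run not adjacent to other digits (card numbers fall in this range).
PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# "EXP 12/09", "Expires: 12/2009" and similar.
EXPIRY = re.compile(r"\bEXP(?:IRES)?\b[:\s]*\d{2}/\d{2,4}", re.IGNORECASE)


def audit_receipt_text(text: str) -> List[str]:
    """Return a list of findings; an empty list means the receipt text is clean."""
    findings = []
    for m in PAN_RUN.finditer(text):
        if luhn_ok(m.group()):
            findings.append(f"full PAN printed: ...{m.group()[-4:]}")
    if EXPIRY.search(text):
        findings.append("expiration date printed")
    return findings


if __name__ == "__main__":
    # Constructed example using a well-known test card number.
    receipt = CardReceipt("EXAMPLE STORE #12345", 4217, "4111111111111111", "12/09")
    print(render_receipt(receipt))
    print(audit_receipt_text(render_receipt(receipt)))            # []
    legacy = "EXAMPLE STORE #12345\nVISA 4111111111111111 EXP 12/09"
    print(audit_receipt_text(legacy))
```

Running the audit over the output of every receipt template, rather than trusting that each template was updated, is the kind of check that turns a requirement like this one from an "unknown unknown" into a routine test.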
A single willful violation of FACTA (which is incorporated into and part of the Fair Credit Reporting Act ["FCRA"]) could result in damages ranging from $100 to $1,000. Plaintiffs are also entitled to actual damages if they can prove a negligent violation of FACTA. With companies processing millions of credit card transactions each year, the damage potential for these lawsuits is staggering.
These class action suits have been filed against companies such as: Urban Outfitters; IKEA; Chanel Inc.; Toys-R-Us Delaware Inc.; Oakley, Inc.; Rite Aid Corp.; Costco Wholesale Inc.; The Walt Disney Parks and Resorts; California Pizza Kitchen Inc.; El Pollo Loco; Levy Restaurants; United Artists Theatre Circuit Inc.; FedEx Kinkos Office and Print Services Inc.; Valero Energy Corp.; and Avis Rent-A-Car Systems Inc. Lawsuits are also spreading outside of California - two lawsuits were filed on March 14, 2007 in the Western District of Pennsylvania.
Thus far, many of the cases have survived motions to dismiss. Defendants have argued that dismissal is warranted because, while section 1681c(g) of FACTA applies to "cardholders," private rights of action are only available to "consumers" under section 1681n of FCRA. This argument was rejected by California courts when raised by Oakley, Inc. and IKEA.
The success of these cases could ultimately hinge on the meaning of "willfully fails to comply" under section 1681n of FCRA. Two 9th Circuit cases (the Federal Appellate Court for California and other western States) have ruled on the meaning of "willfully." In Geico v. Edo, the court alluded to a "recklessness" standard:
In sum, if a company knowingly and intentionally performs an act that violates FCRA, either knowing that the action violates the rights of consumers or in reckless disregard of those rights, the company will be liable under 15 U.S.C. § 1681n for willfully violating consumers' rights. A company will not have acted in reckless disregard of a consumers' rights if it has diligently and in good faith attempted to fulfill its statutory obligations and to determine the correct legal meaning of the statute and has thereby come to a tenable, albeit erroneous, interpretation of the statute. In contrast, neither a deliberate failure to determine the extent of its obligations nor reliance on creative lawyering that provides indefensible answers will ordinarily be sufficient to avoid a conclusion that a company acted with willful disregard of FCRA's requirement. Reliance on such implausible interpretations may constitute reckless disregard for the law and therefore amount to a willful violation of the law (emphasis added).
This interpretation differs from interpretations in other Federal Appellate Districts, and this issue has now been argued before the U.S. Supreme Court (additional Supreme Court briefs and other information can be found here). If the Supreme Court disagrees with the 9th Circuit's (and the 3rd Circuit's) interpretation of "willfully," then these class actions may be difficult for plaintiffs to win (it is doubtful that plaintiffs will be able to establish actual damages to recover for "negligent" failure to comply with FCRA).
Many corporate defendants reported that they were "surprised" by the FACTA credit card receipt requirements despite the three-year grace period to achieve compliance. That seems like a plausible explanation considering that most rational companies, had they known of this requirement, would most likely have chosen to limit the information on their credit card receipts rather than face a potential fine of up to $1000 per violation and expensive attorney fees to defend class action lawsuits. Nonetheless, these companies are now experiencing the risks and expense associated with unknown privacy laws.
What should companies do to address "unknown unknowns" when it comes to privacy laws?
Organizations are not omniscient - they cannot possibly know all things at all times at all places. However, they can take action to minimize their risk from unknown privacy and security laws, including: (1) designing their privacy programs consistent with Fair Information Practice Principles; (2) acquiring resources to stay on top of privacy and security regulations and case law; and (3) insuring against the unknown.
Fair Information Practice Principles. While the legal requirement to limit credit card receipt data may not be intuitive to all companies, there are certain general activities that rational actors know could get them into trouble when it comes to handling customer information. For example, selling or collecting personal information without notice or consent can obviously be problematic, and as a result there are laws that address those general categories of privacy violations. Addressing general privacy activities and principles can decrease risk even if specific regulatory requirements are unknown.
In fact many, if not most, privacy and security-related laws reflect the principles and framework set forth in the Fair Information Practice Principles ("FIPP"). FIPP includes: notice/awareness, choice/consent, access/participation, security/integrity and enforcement/redress. If FIPP is the goal and the organization strives to meet that goal with due diligence, that organization will likely have reduced its regulatory privacy risks (relative to organizations that do not consider FIPP).
The problem, of course, is that FIPP does not address every single detail of every privacy law. Some organizations that follow FIPP may have missed the specific requirements of FACTA or may not be aware of the specific notices (and fines) required under the CAN-SPAM Act, HIPAA, GLB and other more obscure laws. These class action lawsuits demonstrate how compliance to FIPP can help. Those companies diligently concerned about the security/integrity prong of FIPP, even without knowledge of FACTA's specific legal requirement, may have made an independent determination that truncating credit card numbers on receipts is a good practice to secure credit card information from identity theft. In fact, some organizations likely adopted this practice prior to the FACTA law as the result of due diligence with general privacy principles.
Due Diligence Investigation. Legal violations arising out of privacy or security incidents increasingly threaten organizations in terms of reputation damage, legal fees and damage awards. In fact, more and more companies are dedicating specific resources toward addressing privacy and security legal compliance. The first step is establishing accountability within the organization by creating a manager solely responsible for privacy compliance (a C-level executive with direct reporting to the CEO is a best case), and providing him or her with a budget. The lead privacy compliance officer should hire or work with attorneys to develop a formal process for inventorying the personal information the company handles, tracking the flow of that information across jurisdictions from collection to storage/disposal, and determining the laws that apply to the organization.
Companies should attempt to address the lowest hanging fruit first. In certain industries, such as finance and healthcare, comprehensive privacy laws exist such as GLB and HIPAA. If the personal information of European or Canadian companies is at issue, the national privacy law of those countries should be considered.
Determining the applicability of privacy and security laws requires a continuous effort that considers changes in both the organization's internal privacy practices and the law. Those responsible for privacy compliance should engage in frequent and comprehensive communications with business managers whose units collect and handle personal information. Companies should track laws and legislation, and subscribe to privacy and security reporters and websites (feel free to contact me for a list of sources). A person who can make the link between organizational practices and changes in privacy laws, and who understands how those changes might impact the organization, should be dedicated to tracking internal practices and privacy laws.
Privacy and Security Liability Insurance - Risk Transfer. Insurance is a very important tool for managing the "unknown unknowns." For companies that operate across multiple jurisdictions, it is virtually impossible to know every law and how every part of an organization is reacting or failing to react to that law. This means that residual risk exists that must either be tolerated by the organization or transferred to a third party.
Privacy and security liability insurance is an excellent tool for decreasing a company's risk load under these circumstances. While the uncertainty inherent in complying with every security or privacy law still exists for insurers, insurers can spread their risk across thousands of organizations. Moreover, even if aggregated events occur, as long as the insurer has a good financial rating, they should be able to absorb the loss. Even insurance companies without the highest financial ratings are typically reinsured by large reinsurers who are able to weather adverse situations.
The ability of insurers to underwrite privacy and security liability risks in a world where such risks are sometimes "unknown" addresses the main problem of modern organizations. Instead of expending huge amounts of resources to achieve an unattainable level of "perfect security," or researching, discovering and analyzing every possible privacy law that applies to them, insurers can take the risk and help their insureds avoid those expenses.
That is not to say that insurers will insure companies with bad privacy practices or poor information security. To be insurable, at a minimum, "reasonable" security and privacy practices must be present (and what is reasonable can vary from insurer to insurer). Nonetheless, most companies that can establish "due diligence," and have practices and policies adhering to FIPP and generally accepted security standards such as ISO 17799, will likely be insurable.
There are two key challenges for companies that want to use insurance as a risk management tool in this context. First is implementing security and privacy practices that meet a level of reasonableness at the lowest price. As long as insurance is available, spending more to achieve "more than reasonable" privacy/security may not be cost-effective. Moreover, large security and privacy overhauls can be disruptive to business. The risk avoided by implementing costly controls can be transferred for the price of an insurance policy which typically costs less than the controls.
Second, and perhaps most important for an organization that wants to manage risk through insurance, is ensuring that the privacy and security insurance policy it chooses actually covers the risks the organization desires to transfer. If it does not, the organization will be left handling the costs of that risk on its own. It takes a concerted effort by risk managers and key business stakeholders to understand not only the potential risks, but also how they might impact the organization if the risk is realized.
On the other side of the equation, since the current crop of security and privacy policies vary in their approach and coverage scope, it is not always easy to get a clear picture of what is covered. Organizations should make sure they have good brokers or insurance consultants who understand the specific risks of their company and the insurance products available to cover such risks. In all, if some time and effort is taken to understand the range of security and privacy insurance options, insurance can be a very cost-effective and efficient tool for dealing with "unknown unknowns."
Conclusion
While the risks and problems associated with unknown privacy or security regulations may never be fully solved, the awareness of organizations and the skill and talent available to address the problem are probably at their highest. Companies simply need to acknowledge the fact that unknown unknowns exist in the privacy world, and dedicate time and resources toward at least converting them into "known unknowns." Even unaddressed privacy laws are better than unknown laws because at least the organization is aware of some risk and presumably has factored it into their overall risk management scheme. Organizations that are serious about understanding the full scope of their risk need to engage in a due diligence investigation, and need to at least try to adhere to common industry privacy practices and security standards. Companies should also seriously consider transferring their residual risk rather than engaging in potentially never-ending and expensive attempts to "eliminate" their risk. When these steps are taken, organizations can decrease the risk and loss associated with unknown security and privacy laws.