Trending Topics in Data Collection & Targeted Marketing


Slideshow to accompany co-sponsored panel from IAB Ad Lab and Cowan, DeBaets, Abrahams & Sheppard LLP. Participants: Joshua B. Sessler, Eleanor M. Lackman, Sarah Hudgins. For more entertainment and digital media law analysis, go to:

Published in: Technology

  2. Speakers:
     • Eleanor Lackman, Partner at Cowan, DeBaets, Abrahams & Sheppard
     • Joshua Sessler, Partner at Cowan, DeBaets, Abrahams & Sheppard
  3. Agenda
     • Technical and Commercial Landscape
     • Current Trends in the Law
     • US Position on Data Gathering and Compliance Guidelines
     • Industry Self-Regulation and Certification
     • Questions and Discussion
     • Networking
  4. Cookies
     • Cookies
       – Small text files stored on your computer via your Web browser
       – Provide continuity between a user’s web browser and a web server by remembering what happens on a web page.
       – Without them, important web functionality would be lost
       – Originally designed to let retailers remember shopping cart contents
       – Now also useful in storing preferences, content personalization, analytics and targeting advertising
     • Web Beacons
       – Many terms: Web bug, tag, tracking pixel, clear gif
       – Placed on Web pages and emails, often as tiny clear images or as “frames”
       – Allow third-party sites to run code on the web page
       – Can provide transactional information such as the IP address of the computer that loaded an image, how long the image was viewed, the browser that was used, etc.
     • HTML-5 Storage or Local Store Objects – Super Cookies!
  5. Image above reproduced under Creative Commons license - 5/5/11 Ashkan Soltani
  6. Consumer-Focused Privacy Tools
     • PrivacyChoice – Launched 04/09.
       – Self-funded (?).
       – Premise: make managing online privacy easier for consumers and websites through the use of a suite of privacy tools.
     • – Launched 7/09
       – $7.6 million - Grotech Ventures, Revolution LLC, Allen & Company
       – Premise: web and mobile service that helps users take control of all their digital information, decide who gets access to it, and use it for users’ benefit.
     • Abine - Launched 6/10
       – $5MM - Atlas Venture and General Catalyst.
       – Premise: Provides products and privacy subscription services that allow users to regain control over their personal information while continuing to interact and shop online. Includes the products Do Not Track Plus, DeleteMe, and the PrivacySuite.
     • - Launched 10/11.
       – $600K - Highland Capital Partners, Charles River Ventures, and angel investors.
       – Premise: We make simple tools to help users understand and control the data they share on the web. Created Collusion plug-in for Chrome and FB/TWTR/G Disconnect.
     • Dashlane – Launched 4/12.
       – $5MM - Rho Ventures and FirstMark Capital.
       – Premise: All-in-one password, form, and online purchase and checkout manager.
     • Mega – latest entry from Kim Dotcom. Launched 1/20/13
       – Unknown investment
       – Premise: “The Privacy Company” file-storage and sharing system that encrypts files on the user’s computer before they are uploaded to the site’s servers.
  7. Congress and Consumers – worried about “little brother”
     “A person who knows all of another’s travels can deduce whether he is a weekly church-goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups – and not just one such fact about a person, but all such facts.” – United States v. Maynard, Apr. 6, 2010
  8. The Legal Landscape: A Hodgepodge of Laws
     Federal Statutes
     • Section 5 of the Federal Trade Commission Act
     • Electronic Communications Privacy Act (ECPA)
     • Computer Fraud and Abuse Act (CFAA)
     • Video Privacy Protection Act (VPPA)
     • Children’s Online Privacy Protection Act (COPPA)
     State Laws
     • California Online Privacy Protection Act
     • Anti-spyware and/or transparency statutes in approx. 15 states
     • Various deceptive trade practices statutes in every state
     Common Laws (non-statutory)
     • Invasion of privacy
     • Breach of contract
  9. Consumer Class Actions
     • Usually fail right out of the starting gate
       – Question: will lack of success encourage Congress to revise the laws?
     • But some have defeated early dismissal (which usually leads to settlement)
       – Lack of transparency or failure to give notice of policy
         • AOL: Privacy policy said that the service was “safe, secure and private”
         • Facebook Beacon: Display of visits to 3P sites in newsfeeds w/o user permission
       – Failure to get approval of expanded uses or give choice to opt-out
         • NebuAd (quiet policy revision), Google Buzz (disclosing information about Gmail account usage), Fraley v. Facebook (“Sponsored Stories”)
       – Failure to guard against security breach
         • RockYou: Claimed failure to guard PII after breach
  10. Government Actions
     Federal Trade Commission (FTC) leads the way
     • Sets out recommendations and principles (see, brings actions and obtains settlements
     • Frequent themes in FTC enforcement:
       – Not complying with terms of policy/lack of transparency
         • Frostwire (Oct. 2011), Compete, Inc. (Oct. 2012), MySpace (May 2012)
       – Going too far outside scope/material changes without consent
         • Sears (June 2009), Chitika (Mar. 2011), Epic Marketplace (Dec. 2012)
       – Data security breaches
       – Lack of consent for sensitive info (COPPA, financial, health)
     Some state AGs (especially California) may be quite active
       – December 2012: California AG files lawsuit in San Francisco Superior Court against Delta Airlines over Fly Delta app for failure to comply with warning letter that requires a conspicuously posted privacy policy.
  11. The Children’s Online Privacy Protection Act (COPPA)
     • Serves to regulate the collection and use of children’s information by Internet websites by requiring parental consent
     • Applies to websites that collect personal information from children under age 13 – those sites that have actual knowledge they’re collecting personal information from children or that are directed to children
     • Code of Federal Regulations provides factors FTC will consider in determining whether a website is “directed to children”
     • Must post privacy policies, must obtain parental consent
     • Only government can bring actions; no standing for private citizens to sue
  12. COPPA: Enforcement (mainly FTC, State AG sometimes)
     Collection of data without consent
     • W3 Innovations (Aug. 2011) – first FTC enforcement case involving mobile apps: alleged collection of email addresses from kids without prior, verifiable parental consent
     • Social networking sites (Xanga (2006), Imbee (2008), Skid-e-Kids (2011)), fan sites (Sony BMG (2008), Artist Arena (2012)), online worlds (Playdom, Inc. (2011))
  13. COPPA: Enforcement (mainly FTC, State AG sometimes)
     Use of data without consent
     • EchoMetrix (Nov. 2010): Settles over charges that company failed to tell parents that their kids’ info would be disclosed to marketers
     • TeachMe (July 2012) (NJ Atty Gen): Settles with 24x7 Digital, which allegedly disclosed the user’s full name and mobile device’s ID to third-party data analytics firm without advance notice or parental consent
  14. COPPA: The New Rule, announced December 19, 2012
     • FTC’s modifications include:
       – Clarification that “personal information” requiring parental consent includes geolocation information, photos and videos
       – Expanded definition of “operator” to cover operators of child-directed site or service where it allows outside services (such as plug-ins or ad networks) to collect personal information
         • But does not cover platforms that only offer access to others’ sites or services
       – Extended coverage to persistent identifiers that can recognize users over time and across different websites or online services (such as mobile device IDs)
       – Strengthened data security protections by requiring that info be released only to third parties that are capable of keeping it secure and confidential
     • Rule contains a “safe harbor” provision that allows industry groups or others to seek FTC approval of self-regulatory guidelines
       – Those who participate will be subject to annual assessments
     • New rule goes into effect July 1, 2013
  15. The Joint Statement of Principles Between California and Google, Apple, Amazon, HP, Blackberry, Microsoft and Facebook
     • An App that collects PII from a user must conspicuously post a privacy policy providing clear and complete information on how PII is collected, shared and used
     • Include in the submission process an optional field for the text of the PP or a link thereto and enable access to the PP from the mobile app store
     • Implement a means for users to report apps that do not comply with their PP
     • Implement a process for responding to incidents of such non-compliance
     • NB: Remedies – Statutory fines – per app/per consumer ($2500/consumer/app)
  16. Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy
     Released 2/23/12 by Department of Commerce
     • Recommended the adoption of a new consumer privacy protection regime in the US
     • Incorporated a proposed “Consumer Privacy Bill of Rights” that would apply to personal data – i.e. any data linked to a specific individual, including that linked to a specific computer or other device
     • Proposed voluntarily created and implemented “Codes of Conduct” for businesses that would be enforced by the FTC (under Section 5 of the FTCA)
     • Department of Commerce working on establishing the parameters of Mobile privacy via NTIA’s multistakeholder group
  17. Mobile Data Collection Actors
     • Apps – Access to some data with permission, may embed 3rd party code
     • Platform (iOS, Android) – can record and transmit data
     • Carrier – access to location and all traffic to and from device, Carrier IQ – can tweak platform or apps
     • Third Parties (advertisers, analytics) – access to app, carrier and other sources of info, very little transparency or specific control over outgoing info
     • User – installs apps, downloads data, turns on or off location services
  18. Pending Legislation
     Omnibus Privacy
     • Kerry/McCain – Commercial Privacy Bill of Rights Act
     • Data Security/Breach Notification – Nine bills pending
     • Do Not Track – Three bills pending
     • Geotracking – Two bills, including one from Sen. Franken
     Specialized Privacy
     • Do Not Track Kids Act (Rep. Markey)
  19. Privacy Policy Recommendations (1/2)
     • Generally
       – Err towards describing collection practices for both PII AND Non-PII
       – Err towards inclusion even if you don’t actually collect or use consumer information as described (but you might)
       – PP is a ceiling not a floor. (Balance with PR impact)
       – Adhere to the stated terms
       – Use plain English with headings
       – Make easily printable
       – Consider treating information collected from consumers in different jurisdictions differently – use different PP’s (note: risk of mistakes) or a unitary policy (of the most restrictive jurisdiction)
     • Changes to PP
       – Either segregate data collected under old PP and maintain standards or obtain explicit consent from owners to use under new PP (or both)
  20. Privacy Policy Recommendations (2/2)
     • Strategies to Minimize Exposure
       – Review and audit your PP and practices
       – Review third party contracts with entities that collect or provide PII to you
       – Assess your practices w/r/t behavioral advertising, including ad agencies and other downstream providers
       – Include indemnification provisions (deep enough pockets)
       – Use arbitration provisions in consumer contracts (incorporate by reference into TOS)
       – Evaluate credit card practices (re: California law)
       – Assess security practices
       – Technological solutions (browser controls)
       – Self regulation/best practices
       – Consider insurance - Cyber/Privacy Risk
  21. Industry Self-Regulation
  22. Contact Information
     • Eleanor Lackman –
     • Joshua Sessler –
     • Twitter: @cdas_LLP
  23. Disclaimer of Legal Advice and Representation
     • The materials contained within this slideshow are provided for informational purposes only, do not constitute legal advice, do not necessarily reflect the opinions of CDAS or any of its lawyers or clients, and are not guaranteed to be complete, correct, or up-to-date. Nothing within this slideshow is intended to create an attorney-client relationship between you and CDAS.
     • Please do not send any confidential information to CDAS until after you have received from us a written statement that we represent you in that matter. If you communicate with us through our Website, by e-mail or otherwise concerning a legal matter for which we do not already represent you, your communication may not be treated as privileged or confidential.
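
Slide 4 describes web beacons as tiny clear images or "frames" placed on a page and loaded from third-party hosts. The following is an added example, not part of the original slideshow, of how a site owner can audit a page's markup for such elements before writing the privacy policy that discloses them. The sample HTML and host names are constructed, and treating only an exact host match as first party is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a first-party logo, a 1x1 third-party pixel,
# a hidden third-party iframe, and an ordinary third-party image.
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png" width="120" height="40">
<img src="https://tracker.example.net/p.gif?uid=abc123" width="1" height="1">
<iframe src="https://ads.example.org/sync" style="display: none"></iframe>
<img src="https://cdn.example.org/photo.jpg" width="640" height="480">
</body></html>
"""


class BeaconFinder(HTMLParser):
    """Collect third-party <img>/<iframe> tags that are tiny or hidden."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname
        if host is None or host == self.first_party_host:
            return  # relative URL or same host: first party, not a beacon
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.findings.append((tag, host, "tiny" if tiny else "hidden"))


def find_beacons(html, first_party_host):
    """Return (tag, third_party_host, reason) for each suspected beacon."""
    finder = BeaconFinder(first_party_host)
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for tag, host, reason in find_beacons(SAMPLE_HTML, "shop.example.com"):
        print(f"{tag} -> {host} ({reason})")
```

Each host reported this way receives the visitor's IP address and browser details when the page loads, which is the "transactional information" the slide refers to.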