Data Privacy: A Snapshot of Recent Federal Trade Commission Rulings


Published on

Data Privacy: A Snapshot of
Recent Federal Trade Commission Rulings

A White Paper by Gagnier Margossian LLP

Published in: Technology, Business
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Data Privacy: A Snapshot of Recent Federal Trade Commission Rulings

  1. 1.   Data Privacy: A Snapshot of Recent Federal Trade Commission Rulings   A GAMA White Paper 101 Townsend Street, Suite 312 San Francisco, CA 94107 +1 909.447.9819
  2. 2. Data Privacy: A Snapshot of Recent FTC RulingsINTRODUCTION: TACKLING USER PRIVACY As user privacy becomes a growing issue online, the legal mechanisms that exist to deal with privacy violations are increasingly becoming less capable of protecting users and providing means for users to seek legal recourse. While users face a lack of mechanisms through which they can seek protection, companies in the data business find themselves without the appropriate guidelines for their day-to-day operations. With a lack of federal regulation for the online world, companies must exercise due diligence to ensure they are taking measures through their own policies and practices to protect users. These internal efforts can only be shaped through looking to best practices online, non-legal standards that provide little assurance to companies who are earnestly trying to avoid lawsuits. Fortunately, recent rulings by the Federal Trade Commission (FTC) highlight a growing trend of tackling privacy issues on the Internet. From its recent actions, the FTC appears to have two goals in mind when it comes to consumers and privacy: 1. First, companies must be forthcoming about the data they are collecting from users. This call for transparency comes from the growing concern about patrons of websites and mobile applications being deceived about what data is being collected and how it is being used. 2. Second, there is a growing desire to allow people the ability to “opt out” of data collection. Coupled together, these two goals represent the current war being fought over data collection, which has become both an advertising tool and a real threat to privacy. This white paper provides a snapshot of recent cases that highlight the FTC’s application of these goals. These cases serve as cautionary tales for startups in a launch phase, as well as existing companies working in the data industry.Last Revised 1/23/12 © 2012 Gagnier Margossian LLP Page 2  of  5
  3. 3. Data Privacy: A Snapshot of Recent FTC Rulings I. SKIDKIDS: PROTECTING CHILDREN & FIGHTING DECEPTIVE PRACTICES owner Jones Goodwin had an idea to create a Facebook tailored solely to children ages 7-13. Unlike Facebook, Goodwin faced an issue with his target audience since the Children’s Online Privacy Protection Act (COPPA) protects children under the age of 13. COPPA lays out specific requirements for website operators as to what information they can collect from children and what types of activities they may engage in with this age demographic. Since all the users of his site would be under the age of 13, Goodwin was required under COPPA to post a privacy policy that is “clear, understandable and complete.” The original privacy policy posted on the website claimed the site …Requires child users to provide a parent’s valid email address in order to register on the website. We use this information to send the parent a message that can be used to activate the Skid-e- kids account, to notify the parent about our privacy practices, to send the parent communications either about the parent’s and child’s Skid-e-kids accounts or about features of our Web site….” However, this was not the case. Children were able to register on the site without any such parental oversight, and SkidKids was collecting sensitive personal information from its nearly 6,000 users. SkidKids was not only forced to get rid of all information that was collected, but is required to change their privacy policy that is posted on their site. The ruling shows the FTC’s stance against deceptive privacy policies that mislead users about what data is actually being collected. In addition to the ruling, the FTC created a booklet in an attempt to educate users about data collection on the web. The Bottom Line: Be extremely careful when operating a website, online platform or mobile application that collects information from children. While all users are entitled to certain privacy protections, children receive special treatment under the law. When gathering any piece of data, always ask yourself, “Does the user know I am collecting this?” II. SCANSCOUT: NO SUCH THING AS “OPTING OUT” ScanScout is an advertising network that places video ads on websites for advertisers. In this new age of data collection, companies like ScanScoutLast Revised 1/23/12 © 2012 Gagnier Margossian LLP Page 3  of  5
  4. 4. Data Privacy: A Snapshot of Recent FTC Rulings collect data from users in order to personally target them with advertisements that each user would be interested in. This case touches on the “hot topic” of the ability of users to “opt out” of allowing sites to collect their data and track their usage. The ScanScout case centered on their privacy policy post on their site, which stated, “You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies.” However, even if users indeed made those changes, their data was still being collected by what is known as a “flash cookie.” Flash cookies are a new way of tracing a user’s movement on a site and storing more information about a user than normal cookies have traditionally allowed. A major issue with flash cookies is that a user cannot locate them in their browser and delete them. In addition, normal cookies cannot save more than four kilobytes of data. Flash cookies can save up to one hundred kilobytes, allowing sites to gather more information about users in order to target them with personalized advertisements. In its ruling, the FTC is requiring ScanScout to post on their website a statement that reads, “We collect information about your activities on certain websites to send you targeted ads. To opt out of our targeted advertisements, click here.” Not only must there be a clear post that indicates what the data is being collected for, but there also must be a clear way for users to opt out. The take away from this ruling is that the FTC wants users to have control over their data and companies must be completely forthcoming about their data collection policies and usage. The Bottom Line: Do what you say and say what you do as a data company. Make it clear and simple for users to figure out what you collect. Looking into using visceral notice structures for user privacy, like pictures, videos and other creative mechanisms is recommended to ensure users engage with and understand your policies regarding privacy. III. ADDITIONAL DEVELOPMENTS IN DATA PRIVACY The issue of user data is not confined to United States borders. Globalization has opened the door for data to be spread across the world, allowing business to target potential customers thousands of miles away.Last Revised 1/23/12 © 2012 Gagnier Margossian LLP Page 4  of  5
  5. 5. Data Privacy: A Snapshot of Recent FTC Rulings On November 11, 2011, President Obama and representatives from the Asia-Pacific Economic Cooperation (APEC) agreed on a new initiative to harmonize cross-border data privacy protection among members of APEC. The initiative is designed to enhance the protection of consumer data that moves between the United States and other APEC members. It will be interesting to see how this issue will be handled as countries not only fight about users’ privacy, but governance of Internet varies country-by-country. In the absence of international conventions or harmonization on data privacy, there is no “one size fits all” global solution for companies to look to. Companies and organizations are continuing their attempts at self- regulation. The Digital Advertising Alliance published their updated policies regarding data collection. Self-regulation is seen as the best alternative to ensuring users are protected and companies avoid legal issues. If you or your company seek guidance on user privacy and security issues, a GAMA attorney can help you figure this out. The Bottom Line: Self-regulation, by teaming up with legal counsel who can best serve your company’s needs, to help prepare your company for the changing media and legal landscape when it comes to user privacy. Works Cited Federal  Trade  Commission  Press  Release,       OnGuardOnline,­‐cookies-­‐leaving-­‐trail-­‐web     Federal  Trade  Commission  Press  Release,     Federal  Trade  Commission  Press  Release,     Digital  Advertising  Alliance  Self-­Regulating  Principles,­‐Site-­‐Data-­‐Principles.pdf      Last Revised 1/23/12 © 2012 Gagnier Margossian LLP Page 5  of  5