Privacy, particularly on location, is a huge area of concern for all major brands. The opportunity is so big that it’s hard to pass up use of consumer mobile data. But with so much at stake, you don’t want to overplay your hand and get into a legal quagmire. Matthew will cover the latest in the every-changing legal landscape of mobile marketing. This information session covers (a) an overview of the legal framework affecting mobile marketing, (b) federal and state enforcement measures and expectations, (c) emerging issues in mobile privacy expectations, including location-based ads, (d) recent rulings and implications relative to the TCPA.
Mobile Privacy & Litigation presented by Sedgwick at the #MobiU2013 Summit, 9/26 in Chicago
1. Produced by the Heartland Mobile Council
MOBILE PRIVACY
Rules of the Road
Matthew Fischer, Partner, Sedgwick LLP
@maf2190; @sedgwickllp
Event hashtag #MobiU2013
2. #MobiU2013, @maf2190 @sedgwickllp
Mobile Legal Liability Issues Will Continue to Grow
• 61% of local searches on a mobile phone result
in a phone call. (Google, 2012)
• 52% of all mobile ads result in a phone call.
(xAd, 2012)
• 9 out of 10 mobile searches lead to action, over
half leading to purchase. (Search Engine
Land, 2012)
• Mobile coupons get 10x the redemption rate of
traditional coupons. (Mobile Marketer, 2012)
• Mobile marketing will account for 15.2% of
global online ad spend by 2016. (Berg
Insight, 2012)
3. #MobiU2013, @maf2190 @sedgwickllp
THE LEGAL LANDSCAPE
• Myriad laws either explicitly or implicitly regulate particular channels of
mobile marketing:
• The FTC Act (Section 5)
• State Unfair and Deceptive Practices Acts
• State Privacy Laws
• CAN-SPAM
• TCPA and FCC regulations
• Children’s Online Privacy Protection Act
• HIPAA / HITECH
• Computer Fraud and Abuse Act
• Video Privacy Protection Act
6. #MobiU2013, @maf2190 @sedgwickllp
FTC Act – Applies to Internet and Mobile
• Section 5 of the FTC Act prohibits unfair or deceptive
advertising in any medium.
• Advertising is deceptive if likely to:
• Mislead consumers (including omissions) and
• Affect consumers’ behavior or decisions about the
product or service
7. #MobiU2013, @maf2190 @sedgwickllp
FTC Framework
• Privacy By Design
• Build privacy protection into products and services at the outset
• Don’t collect more data than needed or retain longer than needed
• Ensure accuracy of data and provide reasonable security
• Simplified Consumer Choice
• Easy-to-use choice mechanisms that allow consumers to control
whether their data is collected and how it is used.
• The choice should occur immediately before or at time of collection
• Reiterates support of a “Do-not-track” mechanism
• Greater Transparency
• Shorter standardized privacy policies that can be easily prepared
• Reasonable access to data for consumers
8. #MobiU2013, @maf2190 @sedgwickllp
FTC Mobile Reports and Guidelines
• FTC Guide: Marketing Your Mobile App (Sept. 5, 2012)
• 3 Privacy Principles - mobile market is no different from the Internet
• Disclose clearly and conspicuously
• Comply with your privacy policy
• FTC Report: Mobile Privacy Disclosures (Feb. 1, 2013)
• Just-in-Time Disclosures
• Privacy Dashboard
• Icons
• FTC report: .Com Disclosures (March 12, 2013)
• Frame disclosures for mobile devices
• Hyperlink disclosures
• Limited ad space
9. #MobiU2013, @maf2190 @sedgwickllp
California at Forefront of Mobile Privacy
• California Online Privacy Protection Act (Cal. OPPA) – July 2004
• Joint Statement of Principles (Feb. 2012)
• California Mobile Privacy Protection Unit
• AG Issues Non-Compliance Letters (Oct. 2012)
• People of the State of California v. Delta Air Lines, Inc. (Dec. 2012)
• Privacy On The Go (Jan. 2013)
10. #MobiU2013, @maf2190 @sedgwickllp
California Online Privacy Protection Act
(Cal. Bus. & Prof. Code §§ 22575 -22579)
• Applies to any company operating a web site or online service that collects
PII through the Internet from a California resident
• Nationwide in scope
• Requires conspicuous posting of a “reasonably accessible” privacy policy
• Privacy policy must detail
• Kinds of information gathered
• How the information may be shared with other parties
• Process for user to review and change information (if such a process exists)
• 30-day cure period after notice of non-compliance
• Proposed amendment (Feb. 2013) - brevity and clarity
11. #MobiU2013, @maf2190 @sedgwickllp
Cal OPPA and Mobile Privacy
• California AG announces “Joint Statement” of principles (Feb. 22, 2012)
• Statement joined by 7 leading mobile platforms
• Establishes 4 core privacy principles for mobile applications
• Specific privacy notice and consent requirements
• Adoption of privacy by design principles for app development
• Process for reporting to app publishers’ non-compliance with privacy
policies, terms of service or other applicable laws
• Process for app publishers to respond to reports of non-compliance
• Goals of fostering innovation, promoting transparency, and facilitating
compliance with applicable privacy laws
• Does not impose “legally binding obligations” on the Participants
12. #MobiU2013, @maf2190 @sedgwickllp
Cal Privacy Enforcement & Protection Unit
• Cal AG forms new Privacy Enforcement & Protection Unit (July 19, 2012).
Organized under the State’s new eCrime Unit
• Charged with enforcement of laws relating to online privacy, health
privacy, financial privacy, identity theft, government records, and data breaches
• The eCrime Unit has six dedicated Prosecutors
• Signals AG’s intent to prosecute data privacy violations
• Non-compliance letters sent to 100 mobile app developers (Oct. 30, 2012)
• Asserted mobile applications were not compliant with Cal OPPA
• “An operator of a mobile application … that uses the Internet to collect PII is an
‘online service’ within the meaning of Cal OPPA”
• Issued 30-day notice to comply
13. #MobiU2013, @maf2190 @sedgwickllp
State of California v. Delta Air Lines, Inc.
• First enforcement action under Cal OPPA
• “Fly Delta" app collects user's PII: full name, telephone #, email
address, frequent flyer # and PIN code, photos, geo-location info
• Contains no in-app privacy policy
• Web site privacy policy does not cover app
• Not reasonably accessible from the app
• Does not disclose collection of geo-location info
• AG alleges app downloaded “millions of times”
at $2,500 per violation
• Dismissed with prejudice (May 9, 2013)
14. #MobiU2013, @maf2190 @sedgwickllp
Children’s Online Privacy Protection Act
• COPPA Amendments (July 1, 2013) Target Mobile Devices
• Changes definition of PII
• FTC offers companies a streamlined, voluntary and
transparent approval process for new ways of getting parental
consent
• No disclosing data to third parties
without parental consent
• Applicability of COPPA to some
third parties
• Persistent identifiers now included
15. #MobiU2013, @maf2190 @sedgwickllp
CAN-SPAM Act (FCC Rules)
• Under FCC Rules (47 C.F.R. § 64.3100), the Act applies to “mobile service
commercial messages” (MSCMs) sent to wireless domain email addresses
(e.g., mattfischer@verizonwireless.com)
• Applies if sent to address that includes a domain name posted on the FCC’s
wireless domain list available at http://www.fcc.gov.
• FCC Rules differ from general opt-out requirements under CAN-SPAM
• Recipient must provide prior express authorization (verbal or oral)
• Authorization request must disclose that recipient may be charged by wireless
service provider for receipt
• Must provide users a means of opting out
• Opt-out requests must be processed in 10 bus. days
• FTC rules for standard emails apply to wireless emails
16. “The conclusion is inescapable that these class actions exist for the benefit of
the attorneys who are bringing them and not for the benefit of individuals
who are truly aggrieved as a result of receiving the faxes.”
West Concord 5–10 –1.00 Store, Inc. v. Interstate Mat Corp., 2013 WL
988621, *6 (Mass. Super. Ct. March 5, 2013)
“Because plaintiffs may enforce the statute via class action and because a
single advertisement is often faxed to hundreds—if not thousands—of
phone numbers, suits under the Act present lucrative opportunities for
plaintiffs’ firms.”
Reliable Money Order, Inc. v. McKnight Sales Co.,
704 F.3d 489, 491 (7th Cir. 2013)
#MobiU2013, @maf2190 @sedgwickllp
Do the Math
17. #MobiU2013, @maf2190 @sedgwickllp
Telephone Consumer Protection Act (TCPA)
• 47 USC §227 and 47 CFR §64.1200
• Prohibits autodialed and prerecorded calls/text
messages to cell phones
• Judicially expanded to apply to texts
• Satterfield v. Simon & Schuster, 569
F.3d 946 (9th Cir. 2009)
• The Act does not restrict live, manually dialed calls
• Established Business Relationship (EBR) for voice calls to residential
numbers but not to wireless devices or for pre-recorded calls
• Implemented and interpreted by the FCC
• Enforced by the FCC, state Attorneys General, and private litigants
18. #MobiU2013, @maf2190 @sedgwickllp
TCPA Private Actions (§ 227(c)(3) & (c)(5))
• $500 per violation (per call, text message or fax)
• Can be increased up to $1,500 for knowing or willful calls
• No cap on the amount of damages
• Strict liability statute
• Lack of knowledge or intent is not a defense
• For do-not-call violations only, defendant can avoid liability
if it “has established and implemented, with due
care, reasonable practices and procedures to effectively
prevent telephone solicitations in violation of the
regulations”
• 14 cases filed in 2008 vs. 1,100 filed in 2012
19. #MobiU2013, @maf2190 @sedgwickllp
United States v. Dish Network
(FCC-13-54A1 (May 9, 2013 Dec. Ruling))
• Sellers may be vicariously liable under federal common
law agency principles for violations by telemarketers who
initiate calls to market sellers’ products or services
• A company can avoid TCPA liability for its “agent” by
adequately supervising and controlling the conduct
of the vendor
• Under ruling, the only safe paths are:
• being absolutely clean of any facts that
might show an agency relationship, or
• successfully policing the vendor
20. #MobiU2013, @maf2190 @sedgwickllp
TCPA Defenses
• Prior express consent
• What constitutes consent?
• Recent cases: providing a cell phone number is consent to receive texts
• Must the text relate to the reason for which the cell phone number was
provided?
• Must the text come from the company that obtained the number, not
an affiliate?
• Can consent be revoked?
• No vicarious liability
• Not an “automatic telephone dialing system”
• Constitutional defenses
• Class certification
21. #MobiU2013, @maf2190 @sedgwickllp
Protecting Against TCPA Liability
• Add consent provisions to customer agreements
• Later customer interactions
• Online consent, automated phone systems, customer service scripts
• Law unclear on how express the consent must be
• Cell scrubbing services
• Scrubbing programs can move cell numbers to non-autodialed queues
• Definition of “manual dialing” is unclear
• Actually dialing the number one digit at a time is manual
• Preview dialing (where number appears on screen and representative
clicks on number) is less clear
• Add arbitration provisions to customer agreements
22. #MobiU2013, @maf2190 @sedgwickllp
TCPA Changes on the Horizon
• Starting Oct. 16, 2013, telemarketers must obtain
prior express written consent from consumers before
calling their wireless phones with prerecorded
telemarketing messages and before using an
autodialer to call or text their wireless numbers with
telemarketing messages
23. #MobiU2013, @maf2190 @sedgwickllp
Location Based Marketing
• Generally, must get prior express consent to
collect, use, store, and disclose location-based information.
• Can’t contract away liability for noncompliance with the law.
• Type of location info collected (with express opt-in)
• Disclose how info is used
• Updated disclosure if info will be used for a
purpose other than for which it was collected
and how to exercise choice about that use
• Disclose with whom info is shared (third party service
providers, affiliates, advertisers, social media networks, other
third parties)
24. #MobiU2013, @maf2190 @sedgwickllp
What Does The Future Hold?
• Mobile market is now treated no different from the Internet
• Expect more state activity
• Particular focus on mobile apps directed at children
• Continued emergence of “guidelines” or “principles” for
mobile app platforms and developers
• Increased coordination between states, FTC, FCC and industry
self-regulatory efforts
• Federal legislation?
25. #MobiU2013, @maf2190 @sedgwickllp
Managing Your Mobile Marketing Liability
• Provide clear and conspicuous notice
• Choice
• Do what you say and say what you do
• Procure indemnity agreements from vendors
• Customer Agreements
• Be careful with your representations (FTEU)
• Understand the medium being used to send text messages
• Keep records of all opt-in and opt-out transmissions
• Keep the consumer happy