Data Privacy: A Snapshot of
Recent Federal Trade Commission Rulings
A GAMA White Paper
101 Townsend Street, Suite 312
San Francisco, CA 94107
+1 909.447.9819
consult@gamallp.com
gamallp.com
Data Privacy: A Snapshot of Recent FTC Rulings
INTRODUCTION: TACKLING USER PRIVACY
As user privacy becomes a growing issue online, the legal mechanisms that
exist to deal with privacy violations are becoming less capable of
protecting users and providing means for users to seek legal recourse.
While users face a lack of mechanisms through which they can seek
protection, companies in the data business find themselves without the
appropriate guidelines for their day-to-day operations. With a lack of
federal regulation for the online world, companies must exercise due
diligence to ensure they are taking measures through their own policies
and practices to protect users. These internal efforts can only be shaped
through looking to best practices online, non-legal standards that provide
little assurance to companies who are earnestly trying to avoid lawsuits.
Fortunately, recent rulings by the Federal Trade Commission (FTC)
highlight a growing trend of tackling privacy issues on the Internet. From
its recent actions, the FTC appears to have two goals in mind when it
comes to consumers and privacy:
1. First, companies must be forthcoming about the data they
are collecting from users. This call for transparency comes
from the growing concern about patrons of websites and
mobile applications being deceived about what data is being
collected and how it is being used.
2. Second, there is a growing desire to allow people the ability
to “opt out” of data collection.
Coupled together, these two goals represent the current war being fought
over data collection, which has become both an advertising tool and a real
threat to privacy.
This white paper provides a snapshot of recent cases that highlight the
FTC’s application of these goals. These cases serve as cautionary tales for
startups in a launch phase, as well as existing companies working in the
data industry.
Last Revised 1/23/12 © 2012 Gagnier Margossian LLP
I. SKIDKIDS: PROTECTING CHILDREN & FIGHTING
DECEPTIVE PRACTICES
SkidKids.com owner Jones Goodwin had an idea to create a Facebook
tailored solely to children ages 7-13. Unlike Facebook, Goodwin faced an
issue with his target audience since the Children’s Online Privacy
Protection Act (COPPA) protects children under the age of 13. COPPA lays
out specific requirements for website operators as to what information they
can collect from children and what types of activities they may engage in
with this age demographic.
Since all the users of his site would be under the age of 13, Goodwin was
required under COPPA to post a privacy policy that is “clear,
understandable and complete.” The original privacy policy posted on the
website claimed the site
“…Requires child users to provide a parent’s valid email address
in order to register on the website. We use this information to
send the parent a message that can be used to activate the
Skid-e-kids account, to notify the parent about our privacy practices, to
send the parent communications either about the parent’s and
child’s Skid-e-kids accounts or about features of our Web site….”
However, this was not the case. Children were able to register on the site
without any such parental oversight, and SkidKids was collecting sensitive
personal information from its nearly 6,000 users.
SkidKids was not only forced to get rid of all the information it had
collected, but is also required to change the privacy policy posted on
its site. The ruling shows the FTC’s stance against deceptive privacy
policies that mislead users about what data is actually being collected. In
addition to the ruling, the FTC created a booklet in an attempt to educate
users about data collection on the web.
The Bottom Line: Be extremely careful when operating a website,
online platform or mobile application that collects information from
children. While all users are entitled to certain privacy protections,
children receive special treatment under the law. When gathering any
piece of data, always ask yourself, “Does the user know I am collecting
this?”
II. SCANSCOUT: NO SUCH THING AS “OPTING OUT”
ScanScout is an advertising network that places video ads on websites for
advertisers. In this new age of data collection, companies like ScanScout
collect data from users in order to personally target them with
advertisements that each user would be interested in. This case touches on
the “hot topic” of the ability of users to “opt out” of allowing sites to collect
their data and track their usage.
The ScanScout case centered on the privacy policy posted on its site,
which stated, “You can opt out of receiving a cookie by changing your
browser settings to prevent the receipt of cookies.”
However, even if users indeed made those changes, their data was still
being collected by what is known as a “flash cookie.” Flash cookies are a
new way of tracing a user’s movement on a site and storing more
information about a user than normal cookies have traditionally allowed. A
major issue with flash cookies is that a user cannot locate them in their
browser and delete them. In addition, normal cookies cannot save more
than four kilobytes of data. Flash cookies can save up to one hundred
kilobytes, allowing sites to gather more information about users in order to
target them with personalized advertisements.
In its ruling, the FTC is requiring ScanScout to post on their website a
statement that reads, “We collect information about your activities on
certain websites to send you targeted ads. To opt out of our targeted
advertisements, click here.” Not only must there be a clear post that
indicates what the data is being collected for, but there also must be a clear
way for users to opt out.
The takeaway from this ruling is that the FTC wants users to have control
over their data and companies must be completely forthcoming about their
data collection policies and usage.
The Bottom Line: Do what you say and say what you do as a data
company. Make it clear and simple for users to figure out what you
collect. Looking into visceral notice structures for user privacy, like
pictures, videos and other creative mechanisms, is recommended to
ensure users engage with and understand your policies regarding
privacy.
III. ADDITIONAL DEVELOPMENTS IN DATA PRIVACY
The issue of user data is not confined to United States borders.
Globalization has opened the door for data to be spread across the world,
allowing businesses to target potential customers thousands of miles away.
On November 11, 2011, President Obama and representatives from the
Asia-Pacific Economic Cooperation (APEC) agreed on a new initiative to
harmonize cross-border data privacy protection among members of APEC.
The initiative is designed to enhance the protection of consumer data that
moves between the United States and other APEC members. It will be
interesting to see how this issue is handled, as countries not only fight
about users’ privacy, but governance of the Internet also varies country by country.
In the absence of international conventions or harmonization on data
privacy, there is no “one size fits all” global solution for companies to look
to.
Companies and organizations are continuing their attempts at self-
regulation. The Digital Advertising Alliance published its updated
policies regarding data collection. Self-regulation is seen as the best
alternative to ensuring users are protected and companies avoid legal
issues.
If you or your company seek guidance on user privacy and security
issues, a GAMA attorney can help you figure this out.
The Bottom Line: Self-regulate by teaming up with legal counsel
who can best serve your company’s needs and help prepare your company
for the changing media and legal landscape when it comes to user
privacy.
Works Cited
Federal Trade Commission Press Release, http://www.ftc.gov/opa/2011/11/skidekids.shtm
OnGuardOnline, http://onguardonline.gov/articles/0042-cookies-leaving-trail-web
Federal Trade Commission Press Release, http://www.ftc.gov/opa/2011/11/scanscout.shtm
Federal Trade Commission Press Release, http://www.ftc.gov/opa/2011/11/apec.shtm
Digital Advertising Alliance Self-Regulating Principles, http://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf