
March 30, 2011

59th Antitrust Law Spring Meeting: Zeroing in on Behavioral Targeting

The ABA Antitrust Section spring meeting began March 30, 2011, and features a number of programs focusing on privacy and data security issues. In the “Zeroing in on Behavioral Targeting” program, panelists from the Federal Trade Commission (“FTC”), the Washington state attorney general’s office, and law firm privacy experts discussed current issues and legal actions involving online behavioral targeting.

Panelists included Becky Burr of WilmerHale; Tina Kondo, Deputy Attorney General with the Washington State Office of the Attorney General; Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection; and David Parisi with Parisi & Havens, LLP.

Important highlights from the panel include the following:

  • Maneesha Mithal with the FTC discussed the FTC’s recently announced settlement with Google regarding Google’s social networking tool, Buzz. She remarked that entities should look to the privacy provisions in the Buzz settlement as industry best practices for protecting consumers’ privacy. Ms. Mithal also discussed the FTC’s do-not-track proposals, remarking that do-not-track tools should be easy for consumers to find and use, effective and enforceable, universal, and persistent, and should allow consumers to fully opt out of information collection, not just prevent an entity from using personal information in a certain manner.
  • Tina Kondo with the Washington state attorney general’s office discussed state regulator priorities for behavioral advertising, which include (1) enforcement actions against entities that target vulnerable individuals (e.g., seniors; individuals who are not technology savvy; individuals with bad credit, facing a foreclosure, or other financial hardships) using unfair or deceptive practices; and (2) cross-transaction marketing practices, where credit card and other personal information is shared with third-party businesses unknown to the consumer.
  • Additionally, panelists discussed self-regulatory models that entities may use to implement do-not-track policies and provide consumers with meaningful choices regarding behavioral advertising. These included a discussion of the methods that Internet browsers employ to allow consumers to stop online marketers’ tracking activities. Finally, panelists discussed the impact that privacy and behavioral advertising class action lawsuits will have in shaping entities' behavioral targeting practices.

A full list of the ABA’s Antitrust Spring Meeting programs, including privacy and data security specific programs, is available here.

It's Spring Meeting Time!

The 59th Antitrust Law Spring Meeting is underway in Washington, DC, and will continue through this Friday afternoon.  The Secure Times will be providing live blogging of several sessions that touch on data security and privacy issues.  Also, check out our series "Inside the Session" for previews and background information on several sessions. 

Google Agrees to Settle FTC Charges and Will Implement a “Comprehensive Privacy Program”

The Federal Trade Commission (“FTC”) announced today that Google has agreed to settle FTC charges that it used deceptive tactics and violated its privacy promises when launching Google’s Buzz in 2010. Google will have to implement a “comprehensive privacy program,” as laid out in the proposed consent order. The agreement is subject to public comment through May 1, 2011, after which the FTC will decide whether to make the proposed consent order final.

The proposed consent order refers to both the FTC Act and to the US-EU Safe Harbor Framework, a reference that is likely to be well appreciated in the European Union.

Agreement containing consent order available here.

Complaint available here.

The 2010 complaint

In February 2010, Google launched a social network within Gmail, Google Buzz (“Buzz”). Gmail users were sometimes set up with followers automatically, and without prior notice (Complaint at 7). These followers were the persons they emailed and chatted with the most in Gmail (Complaint at 8). Even if Gmail users chose to opt out of Buzz, they could nevertheless be followed by other Buzz users, and their public profile, if they had indeed created one, would then appear on their followers’ Google public profiles (Complaint at 8 and at 9).

The FTC complaint alleged that Google had violated the FTC Act, when it represented to consumers signing up for a Gmail account that Google would only use their information to provide them this webmail service, whereas Google also used this information to sign them up to Buzz automatically and without their consent. Also, Google represented that consumers would be able to control whether their information would be made public or not.

The complaint also alleged that Google did not adhere to the Safe Harbor Framework Privacy Principles of Notice and Choice, as Google did not give notice to users before using their personal information for a purpose different than the one for which the data was originally collected. Also, Gmail users were not given a choice when Google used their information for a purpose incompatible with the purpose for which it was originally collected (Complaint at 25).

The complaint alleged that Google did not communicate “adequately” that “certain previously private information would be shared publicly by default,” and that the controls allowing users to change the defaults were “confusing and difficult to find” (Complaint at 9). Also, certain personal information was shared without Gmail users’ permission (Complaint at 10). For instance, individuals blocked by a Gmail user were not blocked in Buzz, and could thus be a follower on Buzz (Complaint at 10). Even more puzzling, it was not possible to block a follower who did not have a public Google profile, and the Gmail user could not even know this follower’s real identity (Complaint at 10). Also, Buzz offered an @reply function which sometimes led to private mail addresses of contacts being exposed to every follower, where they could then be found by search engines.

Google made some changes following widespread criticism and thousands of customer complaints. Users were given the ability to disable Buzz. Followers were no longer added automatically based on Gmail contacts, but merely suggested. Users could also block any follower, and Buzz users were given the option not to show their followers’ list on their public profile. The @reply function would no longer make private addresses public.

However, the FTC nevertheless issued a complaint in 2010, and Google has now agreed to settle.  

A comprehensive privacy program

The Buzz settlement is particularly interesting as it is the first time that an FTC settlement order requires a company to implement a comprehensive privacy program to protect the privacy of consumer data.

Indeed, the proposed consent order requires Google to implement a “comprehensive privacy program,” documented in writing, which must “(1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of covered information” (proposed consent order p. 4). This program must designate which employees are responsible for the program. It must identify the reasonably foreseeable risks, external or internal, of Google collecting, using, or disclosing personal information without authorization, and put safeguards in place to prevent these risks. It must also design and implement “reasonable privacy controls and procedures, and regularly monitor the efficiency of privacy controls.” The program must also select service providers in charge of protecting personal data privacy, and enter into contracts with them. This comprehensive privacy program will be evaluated and adjusted if necessary, in light of its results (proposed consent order p. 4-5).

Also, Google will have to obtain from a qualified third-party professional an initial assessment, and then biennial assessments and reports, setting forth the specific privacy controls implemented by Google, explaining why such controls are appropriate, and explaining how they have been implemented. The third-party professional will also certify that such controls are effective (proposed consent order p. 5-6).

It will be interesting to see if U.S. companies will start to use the comprehensive privacy program framework as a reference for their own privacy programs,  and if EU Data Protection Agencies will require U.S. organizations that have self-certified to the U.S.-EU Safe Harbor Framework to implement such a privacy program to be deemed compliant.


March 29, 2011

Massachusetts AG Announces $110,000 Settlement in Restaurant Data Breach

Yesterday, the Massachusetts Attorney General's Office announced a settlement with the Briar Group LLC, which operates several restaurants and bars including The Lenox, MJ O’Connor’s, Ned Devine’s, The Green Briar, and The Harp in the Boston area, to resolve allegations that the Briar Group failed to take reasonable steps to protect its patrons’ personal information.

The complaint alleges that the restaurant group suffered a data breach in April 2009. Hackers were able to access customers' credit and debit card information, including names and account numbers, through malcode that was installed on the Briar Group's computer systems. The malcode was not removed until December 2009. The complaint also alleges that the Briar Group had insufficient security protections in place, such as allowing multiple employees to share common usernames and passwords and failing to properly secure its wireless network.

The settlement requires (1) a payment to the Commonwealth of $110,000 in civil penalties; (2) compliance with Massachusetts data security regulations; (3) compliance with Payment Card Industry Data Security Standards; and (4) the establishment and maintenance of an enhanced computer network security system.

March 28, 2011

Inside the Session: Tara Koslov on Technology and Privacy Issues at the 59th Antitrust Law Spring Meeting

Editor’s Note:  “Inside the Session” is a sneak preview of the privacy and information security-related sessions that will take place at the 59th Antitrust Law Spring Meeting.  For more information on the conference, visit the ABA’s page on the event.


The Chair’s Showcase on “Competition and Consumer Protection in the Web 3.0 World” promises to be a fast-paced and exciting event.  Two separate panels will explore the nexus between privacy and competition, highlighting cutting-edge technology as well as legal and social policy issues.  The Secure Times recently spoke with Tara Koslov, who will serve as co-moderator of the technology panel.  Tara has been with the Federal Trade Commission for 14 years, and is currently the Deputy Director of the FTC’s Office of Policy Planning.  Tara also serves as Editorial Co-Chair of the Antitrust Law Journal.  She gave us a sneak preview of what to expect from the session on Thursday, March 31st, from 10am-12pm.

Secure Times:  What makes the Chair’s Showcase so unique this year?


Tara Koslov:  The Chair’s Showcase is so unique this year because it embodies one of Section Chair Allan Van Fleet’s platform issues: The intersection of competition and consumer protection as dual means to promote consumer welfare, especially in the new information-age markets that are heavily driven by consumer data.  Specifically, our panelists will discuss the idea of privacy as a dimension of competition---an idea that should resonate with everyone in the audience, not just as lawyers and economists but also as consumers ourselves.  Rather than launch straight into a legal and policy discussion, we’ll begin the program with demonstrations of actual privacy technologies that firms are using to differentiate themselves in the marketplace.  These concrete, real-world examples will inform and animate the second panel, which will feature a stellar group of thought leaders from the United States and abroad.


Secure Times:  One emerging technology that protects consumer privacy is the “do not track” feature on several web browsers.  Are there similar technological developments?


Tara Koslov:  In short, yes.  The session will also feature several other technology demonstrations.  Representatives of both well known and start-up firms will use these demonstrations to show several innovative products and features intended to give consumers greater variety and choice in privacy protection.


Secure Times:  Will we hear about the concept of “privacy by design” and how it may create a competitive advantage for businesses?


Tara Koslov:  We’re honored to have FTC Commissioner Julie Brill as our lead-off speaker, and her comments no doubt will provide an excellent framework for thinking about privacy issues.  Among other topics, I expect she will highlight the privacy-by-design recommendations in the recent FTC staff report.  We are also excited that the technology panel will feature Ken Anderson, Assistant Commissioner of Ontario’s Office of the Privacy and Information Commissioner, the organization that is credited with pioneering the privacy-by-design concept.


Secure Times:  Are there other major issues that you anticipate the panel will discuss?


Tara Koslov:  I expect one big-picture theme will be the goal of balancing innovation and economic growth with privacy protection, and the appropriate role for regulation in striking the right balance.  I expect our panelists also will discuss the economic value of consumer data in markets driven by behavioral advertising, and whether these data ever comprise their own relevant market for purposes of antitrust analysis.


Secure Times:  What key points will an audience member learn by attending the session?


Tara Koslov:  I hope all attendees will leave the session convinced---as I am---that privacy is an important dimension of competition, and therefore should be viewed through both competition and consumer protection lenses.  The more informed we are as consumers, the more motivated we will be to contemplate and exercise our privacy choices, and the market no doubt will respond with products and services that meet a broad range of consumer expectations.



Session Information: Chair’s Showcase Session:  Competition and Consumer Protection in the Web 3.0 World, 10:00 am--12:00 pm

Section Chair:

Allan Van Fleet, Greenberg Traurig LLP, Houston, TX


Panel 1: Technology and Privacy Issues


Description: Privacy is a means to compete, but user information is part of many Web businesses’ revenue.  The panel will address “Privacy by Design” (building privacy into technology from the start) and consumer protection as a dimension of competition policy, demonstrating current technology innovations using privacy as a competitive differentiator.


  • Matthew J. Bye, Competition Counsel, Google, Mountain View, CA
  • Tara Koslov, Deputy Director of the FTC's Office of Policy Planning, FTC, Washington, DC


  • Katherine Albrecht, U.S. Media Relations, Startpage by Ixquick, Nashua, NH
  • Ken Anderson, Assistant Commissioner, Office of the Privacy and Information Commissioner, Ontario, Canada
  • The Honorable Julie S. Brill, Commissioner, Federal Trade Commission, Washington, DC
  • Scott Taylor, Chief Privacy Officer, Hewlett Packard, Palo Alto, CA
  • Jonathan McPhie, Product Manager, Google, Mountain View, CA

Panel 2: Legal and Social Policy Issues


Description: This panel will explore the Section 2 and international antitrust ramifications of internet related markets driven by troves of personal data, the potential for privacy to be included as a non-price dimension of competition analysis, and the nexus between competition and privacy.



  • Pamela Jones Harbour, Fulbright & Jaworski LLP, Washington, DC


  • Stephen Kinsella, Sidley & Austin, Brussels, Belgium
  • Bruno Lasserre, President, French Competition Council, Paris, France
  • Timothy J. Muris, Washington, DC
  • Pamela Passman, Vice President Corporate and Regulatory Affairs, Microsoft Corporation, Redmond, WA
  • Carl Shapiro, Deputy Assistant Attorney General for Economics, U.S. Department of Justice, Antitrust Division, Washington, DC

Privacy – Transparency and the Push to Convert the U.S. Government to the “Cloud”

Have you thought about how many government agencies are transitioning to cloud computing, and what that means for privacy concerns?  The White House released a “25 Point Implementation Plan to Reform Federal Information Technology Management” in December 2010 that advocates a shift to a “cloud first” policy for all agencies. This is after the GAO observed in June 2010 that although “OMB launched a cloud computing initiative in 2009” it “does not yet have an overarching strategy or implementation plan.” The OMB IT Dashboard suggests that numerous federal agencies (perhaps over 100) are pushing to build in cloud computing functions, including the General Services Administration and the Department of Health and Human Services.
In contrast to the hype surrounding the cloud, NIST recently published draft Guidelines on Security and Privacy for government use that provide detailed commentary on key cloud computing concerns, including: cloud system complexity; the shared multi-function environment; and internet exposure that increases vulnerability to internet attacks such as botnets. Notably, NIST reported that although the city of Los Angeles made news in 2009 (see, e.g. articles here, here, and here and mention in this report) when it announced it was shifting its email servers to Google’s cloud, the system has not lived up to the hype. As of early 2011 the city was running both its legacy and the cloud systems – hardly a model of cost-efficiency. The police functions had not been successfully outsourced because of security concerns and the report stated that Los Angeles will have to shut down the operation in June 2011 if the situation isn’t resolved. Could Los Angeles be the canary in the coal mine to show that “cloud first” may not result in dramatic cost savings?
Perhaps most troubling is the loss of control over data: According to the draft NIST report “a characteristic of many cloud computing services is that detailed information about location of the data is unavailable or not disclosed to the service subscriber. This situation makes it difficult to ascertain whether sufficient safeguards are in place and whether legal and regulatory compliance requirements are being met.” Translation: outsourcing data to the cloud means that often organizations (including the US government) won’t know and/or have any control over where that data is stored or transferred, despite state and federal laws prohibiting transfer of data overseas. Enabling third party service providers to dictate where data flows may not be worth whatever cost-savings may be generated by the new “cloud first” policies.

March 26, 2011

Privacy Events: ABA Antitrust Spring Meeting: March 30-April 1, 2011

The Annual Antitrust Spring Meeting is next week in Washington DC! This year’s Chair’s Showcase Session highlights privacy issues in the Web 3.0 world. Here is a list of privacy-related presentations:
Wednesday, March 30
  • 8:45-10:30. Fundamentals of Consumer Protection. (Nat’l Press Club)
  • 9:00-10:30. Data Privacy and Consumer Protection Issues for U.S. Distribution Systems. (Salon IV)
  • 2:00-3:30. A New Paradigm: The Consumer Financial Protection Bureau and Antitrust Enforcement
  • 3:15-5:15. Zeroing in on Behavioral Targeting (Salon IV)
  • 3:45-5:15. Cross-National Perspectives on Consumer Protection (Salon III)
Thursday, March 31
  • 8:15-9:45. Consumer Protection Regulatory Round-Up. Insights from the Enforcers. (Salon IV)
  • 10:00-noon. Chair’s Showcase Session: Competition and Consumer Protection in a Web 3.0 World. Panel 1 – Technology and Privacy Issues; Panel 2, Legal and Social Policy Issues. (Grand Ballroom)
Friday, April 1
  • 8:15-9:45. National Privacy Policies as Barriers to Entry in International Competition. (Ballroom – Nat’l Press Club)

March 25, 2011

Inside the Session: Suzanne Wachsstock on the Consumer Financial Protection Bureau at the 59th Antitrust Law Spring Meeting

Editor’s Note:  “Inside the Session” is a sneak preview of the privacy and information security-related sessions that will take place at the 59th Antitrust Law Spring Meeting.  For more information on the conference, visit the ABA’s page on the event.

Created by the Dodd-Frank Act, the Consumer Financial Protection Bureau (“CFPB”) is part of a wider regulatory effort to make “markets for consumer financial products and services work in a fair, transparent, and competitive manner.”  The CFPB, which has existed since last July, receives regulatory authority from the Secretary of the Treasury on July 21, 2011.  Due to uncertainty in the financial sector surrounding the scope of the new bureau’s authority, the House Financial Institutions and Consumer Credit Subcommittee held an oversight hearing on March 16, 2011.  There, CFPB chairperson Elizabeth Warren testified that the bureau’s purpose is to “make markets work for buyers and sellers alike.”  Warren’s testimony drives to the heart of the questions posed at the Spring Meeting session on the CFPB:  What role will the CFPB have in antitrust enforcement and consumer protection?

The Secure Times recently met with Suzanne Wachsstock, who will moderate the session entitled: “A New Paradigm: The Consumer Financial Protection Bureau and Antitrust Enforcement.”  Wachsstock, a vice president and Chief Antitrust Counsel for American Express, gave us a sneak preview of what to expect from the session, which takes place on Wednesday, March 30, from 2:00 to 3:30 pm.

Wachsstock noted that one of the key goals of the session is to understand the jurisdictional boundaries of the CFPB, other federal consumer protection agencies, and the states in regulating consumer financial markets.  She noted that how these entities collaborate going forward, and how the existence of a regulator solely focused on consumer financial protection changes the mix, will be a focus of discussion.

Another area Wachsstock anticipates delving into at the session is the role of the CFPB in maintaining market competitiveness, and addressing and preventing economic problems.  Panelists will explore, for example, how things might have been different if the CFPB had been in existence prior to the current recession.  Wachsstock noted that the underlying question is whether consumer protection principles could have prevented the current economic crisis.

Finally, the session will examine how, if at all, antitrust principles will be relevant to the work of the CFPB.  According to Wachsstock, the consensus among the speakers seems to be that the CFPB, with its focus on consumer protection, will have little use for traditional antitrust theories, but economic analysis and general market principles will certainly play a role.  Expect a lively discussion of these important and timely issues.


Session Information: A New Paradigm, Wednesday, March 30, 2011 at 2:00--3:30 pm

Presented by the Consumer Protection and Insurance & Financial Services Committees

Description: What should be expected from the newly established Consumer Financial Protection Bureau?  Will the CFPB turn to FTC jurisprudence to define “unfair and deceptive acts and practices”? Should the CFPB’s decision-making process incorporate antitrust principles and economic analysis?  Panelists will explore these issues and what enforcement role will be left to the states.           

Session Chair: William M. Katz, Jr., Thompson & Knight LLP, Dallas, TX

Moderator: Suzanne E. Wachsstock, Vice President & Chief Antitrust Counsel, American Express, New York, NY


  • Robert H. Gertner, The University of Chicago Booth School of Business, Chicago, IL
  • Kathrin Sears, Supervising Deputy Attorney General, Office of the Attorney General, California Department of Justice, San Francisco, CA
  • Peggy L. Twohig, Director, Office of Consumer Protection, U.S. Department of the Treasury, Washington, DC
  • Joel Winston, Associate Director, Division of Financial Practices, Bureau of Consumer Protection, Federal Trade Commission, Washington, DC

March 22, 2011

Inside the Session: Chris Wolf on Behavioral Advertising at the 59th Antitrust Law Spring Meeting


Editor’s Note:  “Inside the Session” is a sneak preview of the privacy and information security-related sessions that will take place at  the 59th Antitrust Law Spring Meeting.  For more information on the conference, visit the ABA’s page on the event.


It’s no secret that, over the past several years, companies have embraced behavioral targeting to deliver personalized online advertising.  Nor is it any secret that legislators and regulators have been paying close attention to this topic.  The Secure Times recently spoke with Christopher Wolf, who will serve as session moderator of a Spring Meeting session entitled “Zeroing in on Behavioral Targeting.”  Chris is a partner in the Washington, D.C. office of Hogan Lovells who practices in the field of privacy and data security law.  He also is the founder and co-chair of the Future of Privacy Forum think tank, which is examining the behavioral advertising issues.  He gave us a sneak preview of what to expect from the session on Wednesday, March 30, from 3:45-5:15pm.


Secure Times: To what extent are private lawsuits really shaping regulatory guidance and enforcement?

Chris Wolf:  I think the privacy regulators, and I am speaking principally of those at the FTC, decide where to focus and what to investigate based on a variety of inputs, such as complaints from consumers, suggestions from privacy advocates, reports of data security breaches, news stories and the work of their own investigators.  The regulators are quite aware of what is going on in the data collection and sharing ecosystem.  I would doubt that the bringing of private party lawsuits, which often take the form of putative class actions, is influential by itself in shaping regulatory action.  The regulators and plaintiffs’ counsel may be focusing on the same companies and the same conduct, but it is doubtful that the plaintiffs’ bar is setting the regulators’ agenda.

Secure Times: What is the key issue that you anticipate the panel discussing? 

Chris Wolf:  Online tracking of consumers without their knowledge or consent is likely to be a hot topic at the panel, along with a discussion of the so-called “Do Not Track” proposal that is being widely discussed.  We will have a great cross-section of views on the panel, including the head of the privacy division at the FTC, a senior lawyer in a state attorney general’s office, a class action plaintiffs’ lawyer and a lawyer who represents online companies.

Secure Times: What do you think is at the heart of the issue? 

Chris Wolf:  At the heart of the issue is how can we improve consumer privacy, especially with respect to the unwanted collection of online information to deliver ads?  Is it through increased FTC regulation under Section 5?  Is it through State Attorney General actions?  Is it through new federal laws?  Is it through class actions?  And what role does self-regulation play?  These are the issues the panel will address.   

Secure Times: What points should the audience take away from the session?

Chris Wolf: The audience is likely to learn that regulation of online data collection is not a simple matter.  They will hear how federal and state regulators approach the subject, the role of class actions, and the importance of self-regulation.  They will also hear that crafting a new law in this area is no simple matter. The major take-away will likely be that privacy law is a growing and increasingly important area of the law.  



Session Information: Zeroing in on Behavioral Targeting, Wednesday, March 30, 2011 3:45-5:15pm        

Presented by the Communications & Digital Technology Industries, Consumer Protection, Corporate Counseling, Federal Civil Enforcement, Privacy & Information Security, Private Advertising Litigation, and State Enforcement Committees

Description: Behavioral targeting technologies have the potential to provide consumer benefits but may also cause substantial consumer harm.  Regulatory guidance and enforcement in this area is developing and being influenced by recent private lawsuits.  How has the legal landscape been affected by these lawsuits and what is the resulting regulatory outlook?

Session Chair: Saira Nayak, Nayak Strategies, San Francisco, CA

Moderator: Christopher Wolf, Hogan Lovells, Washington, DC


  • Becky Burr, WilmerHale, Washington, DC
  • Tina Kondo, Deputy Attorney General – Antitrust, Consumer, Public Counsel, Research & Revenue Divisions, Washington State Office of the Attorney General, Seattle, WA
  • Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection, Federal Trade Commission, Washington, DC
  • David Parisi, Parisi & Havens LLP, Sherman Oaks, CA

March 14, 2011

FTC Settles With Chitika Ad Network Over Deceptive Opt-Out Mechanism

The Federal Trade Commission announced a proposed settlement today with Chitika, Inc., the operator of an online advertising network, ending Chitika’s allegedly deceptive practices related to the mechanism it provided allowing users to opt out of its online tracking. Chitika offers an online behavioral advertising service which places targeted ads on a publisher’s website and, according to its website, it has over 100,000 websites in its network, including salary.com and yellowbook.com.
The FTC alleges that the representations Chitika made in its privacy policy regarding visitors’ ability to opt out of receiving tracking cookies were false or misleading. According to the complaint, from at least May 2008 through February 2010, Chitika’s website offered an opt-out from receiving cookies used to track visitors’ activities on websites in its network. After pushing a button to opt out, a user would see a message stating “You are currently opted out”, but the message did not state that the opt-out would only last for 10 days.  The unqualified claims regarding the opt-out allegedly deceived consumers and violated Section 5 of the FTC Act. 
Under the terms of the settlement, Chitika is prohibited from making misrepresentations about the extent of its data collection about consumers and the extent to which consumers are able to control the collection, use or sharing of their data. Chitika also agreed to take specific steps to improve the transparency of, and consumers’ ability to control, its collection of consumer data for online behavioral advertising, including agreeing to include a link within each targeted ad that takes users to a page that will allow them to opt out of tracking for at least five years. Additionally, Chitika must destroy all information collected from users obtained during the period the opt-out mechanism only lasted for 10 days.
The timing of the settlement is interesting because it comes several months after the FTC released its privacy report which included a “do-not-track” proposal.  The settlement will likely be considered closely by the online behavioral advertising industry, which has recently developed a self-regulatory program requiring similar links within ads (aboutads.info), and by members of Congress, who have recently proposed do-not-track legislation.

March 11, 2011

Changes Ahead in Children Online Privacy?

Children’s privacy has been a hot topic during the last few weeks, and the debate goes on.

Consumer Watchdog, a non-profit organization, sent a letter on February 24 to Reps. Ed Markey (D-MA) and Joe Barton (R-TX), Co-Chairmen of the Congressional Privacy Caucus, stating concerns over Google’s solicitation of the partial Social Security numbers of children wanting to participate in a Doodle 4 contest. A hearing before the Caucus was promptly scheduled.

The two chairmen wrote in a joint statement:

"As Co-Chairmen of the Bi-Partisan Privacy Caucus, we have long believed that consumers should have control over their own personal information. It is particularly important that stringent privacy protections are applied so that children do not have their personal information collected or disclosed.”

In the European Union

This position is similar to the position of the European Union (EU) Commission. Last month, the Commission published a communication on the EU Agenda for the Rights of the Child. The communication discusses the need to protect children from cyber-bullying, and notes that “[t]he Commission aims at achieving a high level of protection of children in the digital space, including of their personal data, while fully upholding their right to access internet for the benefit of their social and cultural development.” (p. 10-11)

The Commission referred to another of its communications, published last November, about a comprehensive approach on personal data protection in the European Union. Noting there that it is essential that individuals be clearly informed by data controllers about how and by whom their data are collected and processed, the Commission then emphasized that children “deserve specific protection, as they may be less aware of risks, consequences, safeguards and rights in relation to the processing of personal data.” (p. 6)

Children’s privacy and social media sites

Even children less than 13 years old may register on some social media sites. We recently learned that Disney has acquired Togetherville, a social network for elementary school age children. According to the site’s policy, only “parents, or legal guardian, who have gone through the process of verifying their identity based on COPPA standards, are allowed to create and administer accounts for their children.”

Is COPPA, the Children’s Online Privacy Protection Act, still able to protect the privacy of children when they visit social media sites? The 1998 Act prohibits unfair or deceptive acts or practices in connection with the collection, use, or disclosure of personally identifiable information from and about children on the Internet.

Ed Markey was the House author of the COPPA bill. He stated last December at an Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection hearing concerning Do Not Track Legislation:

“But in Internet years, 1998 is so long ago – we may as well be talking about the Peloponnesian Wars. The 1990’s is way back in the “B.F. Era” – Before Facebook.”

Only children older than 13 are authorized to use Facebook, according to the site’s policy. However, a 2009 report of the Pew Internet & American Life Project revealed that 55% of children age 12 to 13 years are using Facebook.

On February 23, Facebook answered the letter sent on February 2nd by Representative Markey and Representative Barton to Facebook’s CEO, Mark Zuckerberg. The letter requested information about Facebook’s January 14th announcement that the site would allow third-party websites to access the addresses and mobile phone numbers users entered on their Facebook profiles. Representatives Markey and Barton asked Facebook whether it had considered “the risks to children or teenagers posed by enabling third parties to access their home addresses and mobile phone numbers through Facebook.” Facebook answered that it is “actively considering whether to enable application to request contact information for minors at all.”

Parents and children should be educated about online privacy

One of the roundtables organized by the FTC last year was about “Privacy Implications of Social Networking and Other Platform Providers.” One of the panelists, Chris Conley, noted that while parents have the responsibility of protecting their children’s privacy, they do not always understand the new technologies well, and that “[w]e have to make sure that the parents, that teachers, that everyone else is also educated about the consequences of these choices online so that they can help their children understand what they mean.” (p. 117)

What’s next?

Following the privacy roundtables, the FTC issued a privacy report last December, posing several questions: Should COPPA apply to emerging media, including mobile devices, interactive television, and interactive gaming? Should COPPA’s definition of personally identifiable information be expanded? Do technological advances dictate changes to the methods for verification of parental consent? Questions such as these, according to the report, should be addressed by the FTC in the next few months (p. 29 of the FTC Report).

2011 should be a year of changes in children’s online privacy law, both in the U.S. and in the E.U.

March 10, 2011

Senate Hearing on Consumer Online Privacy on March 16

The U.S. Senate Committee on Commerce, Science & Transportation will hold a hearing on online consumer privacy on March 16. The hearing will examine commercial practices that involve collecting, maintaining, using, and disseminating large amounts of consumer information.

John D. Rockefeller (D-WV), Chairman of the Committee, said:

“Modern technology has connected people with the world and led to new innovations, new products and new experiences. But with these new opportunities come new risks. I want to know if the privacy protections we have in place are enough, or whether Congress needs to step in and do more. As Chairman, I’m committed to doing everything I can to protect consumers’ privacy.”

Press release available here.

FTC publishes Top 10 Consumer Complaints of 2010. Identity Theft is Still Top Category

The Federal Trade Commission released yesterday a report on the Top 10 Consumer Complaints of 2010. The FTC received 1,339,265 complaints in 2010.

Identity theft was the number one category of complaint for the 11th year in a row, accounting for 250,854 complaints, or 19 percent of the total. The most common form of reported identity theft was government documents/benefits fraud (19%), followed by credit card fraud (15%), phone or utilities fraud (14%), and employment fraud (11%). Victims also reported identity theft by bank fraud (10%) and loan fraud (4%).

Press release available here.

Class Action Suit Claims Amazon Circumvented Privacy Settings

A suit was filed last week in the U.S. District Court for the Western District of Washington by two clients of Amazon.com. The complaint, which is seeking class-action status, states that the retailer has been taking personal information of its site’s visitors that it was not entitled to take, by misusing privacy-protection software installed on users’ computers. The complaint also alleges that Amazon.com shares personally identifiable information (PII) with other parties in spite of its privacy policy stating that it does not share a user’s information with third parties.

According to the complaint, Amazon.com circumvented the privacy filters of Microsoft’s Internet Explorer web browser (IE) “by spoofing IE into categorizing Amazon.com as more privacy-protective than it actually is.” Plaintiffs used IE to restrict the ability of the websites they visited to collect their PII. IE reads both a site’s full P3P policies, which describe the site’s privacy practices, and the compact P3P policy, which describes the use of browser cookies. Both consist of three-character and four-character tokens summarizing a website's privacy policy. Based on this information, the browser then allows or restricts the site’s ability to store cookies on the user’s computer.

The complaint alleges that “Amazon knowingly published an invalid P3P Compact Policy and did so intentionally to exploit IE’s default privacy settings” and cites a report written by four Carnegie Mellon University researchers, Pedro Giovanni Leon, Lorrie Faith Cranor, Aleecia M. McDonald, and Robert McGuire, “Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens,” which details how, because of an IE loophole, invalid Compact Policies may lead to cookies not being blocked by IE’s default cookie settings.
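To make the compact-policy issue concrete, the following added example (not code from the complaint, the Carnegie Mellon report, or any browser) audits a `P3P` response header and separates tokens that belong to the P3P 1.0 compact-policy vocabulary from strings that are not policy tokens at all. The function names and sample headers are constructed for illustration, and tokens are matched exactly as the specification writes them.

```python
import re

# P3P 1.0 compact-policy vocabulary, grouped by the policy element each token abbreviates.
GROUPS = {
    "access": "NOI ALL CAO IDC OTI NON",
    "disputes": "DSP",
    "remedies": "COR MON LAW",
    "non-identifiable": "NID",
    "purpose": "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP",
    "recipient": "OUR DEL SAM UNR PUB OTR",
    "retention": "NOR STP LEG BUS IND",
    "categories": "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC",
    "test": "TST",
}
TOKEN_GROUP = {tok: g for g, toks in GROUPS.items() for tok in toks.split()}
# Purpose/recipient tokens except CUR and OUR may carry a suffix: a=always, i=opt-in, o=opt-out.
SUFFIXABLE = {t for t, g in TOKEN_GROUP.items() if g in ("purpose", "recipient")} - {"CUR", "OUR"}

def extract_cp(p3p_header):
    """Return the CP="..." value from a P3P response header, or None."""
    m = re.search(r'\bCP\s*=\s*"([^"]*)"', p3p_header, re.IGNORECASE)
    return m.group(1) if m else None

def audit_cp(p3p_header):
    """Classify every token of a compact policy as valid or unrecognized."""
    cp = extract_cp(p3p_header)
    report = {"valid": [], "invalid": [], "groups": set()}
    for tok in (cp or "").split():
        base, suffix = tok[:3], tok[3:]
        ok = base in TOKEN_GROUP and (
            suffix == "" or (suffix in ("a", "i", "o") and base in SUFFIXABLE))
        if ok:
            report["valid"].append(tok)
            report["groups"].add(TOKEN_GROUP[base])
        else:
            report["invalid"].append(tok)
    # A policy with no recognized token describes no privacy practice at all.
    report["meaningless"] = not report["valid"]
    return report

# Constructed sample headers (not taken from any real site).
SAMPLES = {
    "well-formed": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAa OUR IND COM NAV"',
    "placeholder": 'CP="EXAMPLECO"',
    "mixed": 'CP="NOI CURa OURo PSAx TAIi"',
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, audit_cp(header))
```

A site operator can run the same check over its own response headers: any entry under `invalid`, or a policy flagged `meaningless`, means the header does not actually state the practices a P3P-aware browser is relying on.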

Plaintiffs are seeking relief under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, claiming that Amazon violated the Act because it knowingly, and with intent to defraud, accessed plaintiffs’ protected computers without authorization or exceeded authorized access. They also seek relief under the Washington State Consumer Protection Act, RCW § 19.86.010 et seq., which prohibits unfair and deceptive acts or practices, and relief under common law, claiming trespass to chattels.

March 9, 2011

Privacy-related complaints top consumer fraud complaints in New York

To mark the start of National Consumer Protection Week, New York Attorney General Eric T. Schneiderman released the list of the top ten consumer fraud complaints received by his office in 2010.

The highest number of complaints related to the Internet (privacy issues; spyware; consumer frauds), with 7,024 complaints received in this category.

March 7, 2011

Rhode Island Bills Would Prevent Use of SSNs to Identify Customers

Rhode Island State Senators Ruggerio, Perry, Nesselbush, Jabour, and Ottiano introduced a bill last February, the Consumer Empowerment and Identity Theft Prevention Act. It has been referred to the Rhode Island Senate Committee on Corporations.

The bill would prevent retailers from recording a credit card number or all or part of a social security number as a way to identify a customer paying for a purchase by check. Violations would be punished by a fine of not more than one hundred dollars. The bill would also provide that, unless required by federal law, no one may require a customer to disclose all or part of a social security number incident to a sale of consumer goods or services. Violating this provision of the act would be a misdemeanor, punishable by a fine of not more than five hundred dollars. However, insurance and financial services companies would still be authorized to require service applicants’ social security numbers. Companies providing and billing health care or pharmaceutical-related services could also still require users’ social security numbers, and a consumer applying for a credit card may still be required to disclose his social security number.

The bill would also bar any person or business offering discount cards for purchases from requiring a consumer to disclose all or part of her social security number as a condition of applying for the discount card. Also, no information obtained during the discount card application process could “be sold or given to any other person, firm, corporation or business entity provided, that the person, firm, corporation or other business may: (a) disclose such information to its affiliates, to service providers that perform services for it, or as required by law; and/or (b) transfer such information in connection with the sale of its business operations.”

A similar bill has been introduced by Representative Brian Patrick Kennedy, and is currently before the Rhode Island House Committee on Corporations.

A press release is available here.

March 2, 2011

Marketers Advance Self-Regulatory Privacy Principles

On February 27, 2011, the Interactive Advertising Bureau (“IAB”) Board of Directors voted to require its members to adopt industry self-regulatory privacy rules governing online behavioral advertising. Within six months, members must publicly affirm that they will follow self-regulatory principles, which were created in 2009 by the IAB, the American Association of Advertising Agencies, the Association of National Advertisers, and the Direct Marketing Association. Companies that do not comply with the new self-regulatory standards will face a minimum six-month suspension from the IAB.

The new rules: (1) require entities to provide consumers with clear and prominent notices in at least two places, including on the marketers’ websites and within or around the targeted advertisements or another place on the webpage where data is collected, before engaging in cookie-based behavioral targeting; and (2) require entities to obtain consumers’ consent before collecting sensitive personal data, such as financial account numbers, Social Security numbers, or medical information. More information regarding the IAB’s self-regulatory principles is available through the IAB’s website.

The IAB’s self-regulatory efforts follow recently introduced legislation designed to regulate marketers’ online tracking activities. The bills include the Do Not Track Me Online Act (H.R. 654) introduced by Representative Jackie Speier (D-CA)--which would allow consumers to opt out of online tracking by marketers--and the Best Practices Act (H.R. 611), an online privacy bill reintroduced by Representative Bobby Rush (D-IL) that would require marketers to obtain consumers’ consent before engaging in online tracking.