
Tuesday, November 29, 2011

FTC Announces Enforcement Action Against Facebook

by Mehmet Munur

Recent reports that the FTC and Facebook were nearing a settlement were true: today the FTC announced that it had entered into a proposed settlement with Facebook over Facebook's failure to keep its users' information private and its repeated sharing and public disclosure of users' information. The proposed settlement bars Facebook from making misrepresentations about its privacy and security practices, requires it to obtain affirmative express consent before enacting changes that override privacy preferences, and imposes the usual FTC enforcement requirements regarding a privacy program and a 20-year duration. The eight-count complaint includes a violation of the U.S. Department of Commerce EU Safe Harbor Framework, marking the FTC's second substantive Safe Harbor enforcement action after the Google Buzz enforcement action. The enforcement action reinforces (1) previous FTC enforcement actions relating to aligning privacy policies and practices, (2) the importance of using screenshots for attorneys working on technology and privacy projects, and (3) the viability of the Safe Harbor as a method of transferring personal information from the EU.

The first count of the FTC complaint relates to Facebook's deceptive privacy settings. There, the FTC alleges that information users had restricted to "Only Friends" or "Friends of Friends" in their profile privacy settings was nonetheless accessible through Facebook's Platform Applications. While this sharing exceeded the scope of only friends and friends of friends, it was not effectively disclosed to users, resulting in a false or misleading representation.

The second and third counts in the FTC complaint relate to Facebook's 2009 changes to its privacy policy. As a result of Facebook's changes to its privacy practices on November 19, 2009, users' prior choices regarding their publicly available information were overridden. As a result, users' friends lists became available to everyone and users became visible in Facebook searches. When Facebook rolled out these settings using a privacy wizard, the FTC alleged that it left out material facts about how the changes would override users' previous privacy settings. Facebook's failure to clearly state the effects of these changes to users constituted a deceptive act. Facebook's application of these privacy settings to users' previously collected information, without countervailing benefits to the consumer, constituted an unfair act under the FTC Act.

This third count is important and requires some more discussion. The FTC has maintained for some time, at least since the Toysmart enforcement action, that material retrospective changes to privacy policies without the express consent of the users constitute unfair trade practices. Now, the FTC further elaborates on the point and states that users must not only provide affirmative consent, but that the consent must be properly informed. The Article 29 Working Party made a similar point in its recent guidance regarding the definition of consent in WP187. Even though Facebook used a privacy wizard to enable users to change their privacy settings, the disclosure of information was not adequate. In other words, the FTC's unfairness claim against Facebook brings together the Toysmart enforcement action and the Sears enforcement action.

The fourth count in the FTC complaint relates to the amount of access Facebook provides to its Platform Applications. The FTC argued that Facebook had stated in various locations that the Platform Applications received only the profile information required for the applications to work. In fact, the FTC alleged, the applications received more information than they required to work, such as users' relationship status, photos, and videos. In effect, the FTC argues here that Facebook's statements and processes failed the Data Integrity Principle of the Safe Harbor, without necessarily stating it. This principle is also expressed in Article 6(C) of the EU Data Protection Directive, which states that personal data must be "adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed." In simplest terms, Facebook's actions did not entirely line up with its statements.

The fifth count of the FTC complaint relates to Facebook's sharing of information with advertisers, despite its statements to the contrary. The sixth count of the FTC complaint relates to Facebook's Verified Apps program. There, Facebook stated that its Verified Apps were "secure, respectful and transparent" and that these apps had passed Facebook's review. In fact, Facebook had taken no steps to verify the security of these applications, so the statement was a false and misleading representation. The seventh count relates to Facebook's failure to prevent access to deactivated accounts. The FTC alleges that Facebook allowed others to access users' photos, videos, and other Facebook content after the accounts were deactivated. These actions, once again, constituted false or misleading statements.

The eighth and final count of the FTC complaint alleges violations of the EU Safe Harbor, which Facebook joined in 2007. This enforcement action against Facebook also happens to be the second substantive Safe Harbor enforcement action and the fourth overall. The FTC's first substantive Safe Harbor enforcement action was against Google over the rollout of Google Buzz. Here, Facebook's failure to obtain the affirmative informed consent of its users for the changes in its privacy practices, and its failure to clearly state the purposes and means of processing the information it collects, resulted in violations of the Notice and Choice Principles of the Safe Harbor.

As a result of the enforcement action, Facebook entered into a proposed consent order. The consent order, among other things, (1) prohibits Facebook from making misrepresentations about its privacy or security practices, (2) requires it to obtain express and informed consent for changes that materially exceed restrictions placed by users, (3) requires it to establish a comprehensive privacy program, (4) requires it to obtain biennial third-party assessments of its practices, (5) requires it to retain appropriate records, and (6) terminates in 20 years.

The FTC's enforcement action against Facebook is important for several reasons. First, it affects half a billion people around the globe and provides them with fundamental privacy protections under the watchful eye of the FTC. Second, it expounds on privacy principles previously articulated by the FTC in new ways and shows the importance of clear and unambiguous privacy policies and practices. Note that Facebook used a privacy wizard in order to allow its users to change their privacy settings, but its statements were still deceptive and unfair. As a result, the enforcement action once again highlights the importance of brief and accurate privacy statements, which was the lesson the FTC was attempting to teach in the Sears enforcement action.

Third, the enforcement action demonstrates the importance of screenshots. The FTC's hiring of its first full-time technologist has led to some changes. The FTC is now using screenshots more than ever in its complaints. The Facebook complaint is the first complaint (that I am aware of) where the screenshots were in the body of the complaint instead of the exhibits, which is where the Google Buzz screenshots were located. Now, however, the screenshots take center stage in many of the counts of the FTC complaint. This makes perfect sense, as the web takes place on the screen, whether on a desktop, laptop, phone, tablet or TV. This may seem like a minor difference; however, it marks an important shift. Regulators and litigators are increasingly looking at the presentation of companies' practices as well as the words in their privacy statements. Therefore, any implementation of a product or service that requires interaction on an electronic device requires that attorneys, as well as the programmers, closely examine the work product using screenshots. Though this point was already abundantly clear to many technology and privacy attorneys, the Facebook FTC enforcement action should make it clear to all attorneys. Reviewing screenshots of any product or service is crucial for the successful implementation of any project and is mandatory for the defense of any claim relating to privacy or technology.

Finally, the increasing number of EU Safe Harbor enforcement actions by the FTC shows that the promises of the Enforcement Principle of the Safe Harbor are not hollow. EU Data Protection Authorities continue to point to Binding Corporate Rules as the preferred method of transferring personal information to countries with inadequate protections under the EU Data Protection Directive. However, BCRs are beyond the reach of many companies due to their extensive time and resource requirements. Until the EU Data Protection Directive is amended to allow a more streamlined BCR process, the Safe Harbor will remain the main choice of U.S. companies (under FTC and DoT jurisdiction) wishing to transfer personal information from the EU.



Tuesday, November 08, 2011

FTC Announces Enforcement Actions Against Social Network and Online Advertiser

by Mehmet Munur

The Federal Trade Commission announced an enforcement action against Skid-e-kids and a separate enforcement action against online advertiser ScanScout. The enforcement action against ScanScout involved violations of Section 5 and the use of Flash cookies without disclosing their use in its privacy policy. The enforcement action against Skid-e-kids involved violations of COPPA and the failure to obtain parental consent. Once again, these enforcement actions highlight the importance of drafting accurate privacy policies and following through on those promises.

The enforcement action against Skid-e-kids resembles the enforcement action against W3 Innovations, LLC, whose mobile application failed to pass muster under COPPA. According to the FTC's Skid-e-kids complaint, Skid-e-kids promoted itself as "Facebook and Myspace for kids" and permitted kids to register and create accounts, create public posts, and upload content, among other things. The registration process collected birth date, gender, username, password, and email address from registrants. However, children were not required to provide a parent's email address so that consent could be obtained. At the same time, Skid-e-kids' privacy policy stated that it would require parents' email addresses, which would be used to obtain consent and to notify them about Skid-e-kids' privacy policy. In practice, Skid-e-kids never collected the parents' email addresses, never contacted them to notify them of its privacy practices, and never obtained consent from them. As a result, the FTC alleges violations of COPPA and the FTC Act.

The resulting consent order requires Skid-e-kids to refrain from violating COPPA, delete the personal information collected from children, and place a notice on its website with links to the OnGuard Online website. In addition, the FTC imposed a civil penalty of $100,000 but suspended all but $1,000 of this penalty. The consent order also requires Skid-e-kids to retain a privacy professional with COPPA experience to conduct assessments, retain records, and report its compliance with the consent order to the FTC.

The enforcement action against ScanScout, on the other hand, resembles the enforcement action against Chitika. According to the FTC's ScanScout complaint, ScanScout acts as an intermediary between websites and advertisers and sells advertising space on videos. ScanScout decides which video advertising should be delivered to which user. Unlike the Chitika enforcement action, which involved HTTP cookies, ScanScout used Flash cookies from April 2007 to September 2009. At that time, deletion of a browser's HTTP cookies did not result in the deletion of Flash cookies—though since then Adobe and the major browsers have finalized APIs so that deleting HTTP cookies also deletes Flash cookies. However, at the same time, ScanScout's privacy policy stated that a user could opt out of receiving a cookie by changing their browser settings. In practice, users could not opt out of receiving these cookies and therefore could not stop the tracking by ScanScout.

The resulting agreement and consent order requires ScanScout to provide a clear and prominent method for users to opt out of ScanScout's collection of data that can be associated with a particular user. This opt-out must last at least 5 years, and ScanScout must display links to this opt-out mechanism in the advertisements it serves. The agreement and consent order also comes with other compliance and reporting obligations and lasts for 20 years.

Together, these two enforcement actions once again highlight the importance of having accurate privacy policies in place. These two companies came under the FTC's radar not just due to their actions, but also due to the statements in their privacy policies. ScanScout's privacy policy had not been updated to show that it was using Flash cookies to track users. There was also a clear mismatch between what Skid-e-kids' privacy policy stated and what it did in practice. Attorneys may draft the most intricate privacy policies; however, without processes to ensure that those policies are carried out in operations, most businesses are open to FTC enforcement actions or lawsuits by their users. As a result, the drafting and implementation of privacy policies must include not just the legal department, but all departments involved in executing the actions outlined in the privacy policy.
