Tsibouris & Associates

Monday, August 15, 2011

FTC Announces Settlement with Mobile App Developer

by Mehmet Munur

The Federal Trade Commission announced a settlement with mobile application developer W3 Innovations, LLC for violations of the Children’s Online Privacy Protection Act (COPPA). According to the FTC complaint, the developer collected personal information from children under the age of 13 through its mobile applications without a privacy notice to the children, without a privacy notice to their parents, and without verifiable consent from the parents as required by the COPPA rules. The FTC settlement requires the developer to 1) cease all violations of COPPA, 2) delete all personal information collected in violation of COPPA, 3) pay a civil penalty of $50,000, and 4) subject itself to a compliance reporting program. Also today, the FTC announced a guide for teens for Living Life Online.

According to the FTC complaint, the developer offers for download approximately 40 applications in Apple’s App Store. Some of the applications, Emily's Girl World, Emily's Dress Up, Emily's Dress Up & Shop, and Emily's Runway High Fashion, are, as the exhibits to the FTC complaint show, directed to children. According to the complaint, the Emily's Girl World application was downloaded 32,000 times while Emily’s Dress-up was downloaded 27,000 times. The applications allowed users to share names, email addresses, comments, and “blush” stories using the application or emails related to the application. The blog functionality was also accessible from within the applications. The developer maintained a database of over 30,000 email addresses as a result of the information collected from the apps. The developer failed to provide notice to the users and their parents, and failed to obtain verifiable consent from the parents before collecting the personal information from the users, as required under the COPPA rules located at 16 C.F.R. § 312.4.

The resulting consent decree and order bars the developer from continuing violations of the COPPA rules, requires it to pay $50,000 in civil fines, and requires it to submit to a compliance monitoring program.  The program requires the developer to allow the FTC to monitor compliance with the consent order by obtaining reports and documents from the developer.  Under the order, the developer also takes on reporting obligations with respect to any changes in address, ownership, or name and other information such as bankruptcy filings.  In addition, the developer has record keeping obligations relating to demonstrating its compliance with the consent decree and order for a period of 6 years.  

This enforcement action is not entirely unexpected because the FTC has been signaling its interest in bringing an enforcement action in the mobile space for some time. Jessica Rich testified in front of Congress in May relating to mobile privacy issues. Most recently, BNA reported that, at the August 8th American Bar Association Toronto meeting, FTC Commissioner Julie Brill stated that the FTC would be bringing enforcement actions in the mobile space under its Section 5 authority. The selection of the FTC’s jurisdiction under COPPA makes perfect sense as well. Under the FTC’s COPPA regulations, the mere failure to post privacy notices and obtain verifiable consent from parents before collecting personal information is a violation of the regulations—without unfair and deceptive practices in relation to the treatment of that information. As a result, applications that target children under the age of 13 without posting notices and obtaining verifiable consent from parents make an efficient enforcement target for the FTC.

However, the monetary fines pale in comparison to the $3 million in fines assessed to Playdom Inc. in May 2011 for violations of COPPA. There, Playdom operated 20 online virtual worlds and collected personal information from children under the age of 13 without obtaining verifiable consent from parents and without providing parents with notice. The size of the fine in that enforcement action is likely proportional to the size of the user base of Playdom’s virtual worlds. According to the FTC, one Playdom website had 403,000 registered users while another had 821,000 registered users. Another egregious factor was that Playdom’s website privacy policy stated that it would prohibit children under the age of 13 from posting personal information on its websites—though it clearly did not.

Taken together, these two enforcement actions show that the FTC will continue to be active in the mobile space, with large consequences for developers. The number of users of mobile technologies is increasing tremendously. Congress has had to pay closer attention to this area because its constituents are becoming more concerned with these issues. It does not help that the treatment of personal information collected by mobile applications is rarely, if ever, disclosed through privacy policies. Add to this the missteps by Apple and Google with regard to their location tracking features and you end up with the perfect conditions for the FTC to step in with enforcement actions based on well-established Section 5 authority. Considering that Pandora and other mobile application developers received subpoenas from a federal grand jury, this is unlikely to be the last enforcement action in the mobile arena.


Friday, April 01, 2011

FTC Settles with Google over Buzz Rollout, Enforces Section 5 and Safe Harbor

By Mehmet Munur

The Federal Trade Commission announced on March 30th that it settled with Google over the rollout of its Buzz service. The FTC alleged deceptive trade practices under Section 5 for the enrollment of users without their explicit consent in violation of Google’s own privacy policy. The enforcement action highlights the importance of aligning privacy policies with privacy practices. The enforcement action is also the first substantive enforcement of the US-EU Department of Commerce Safe Harbor.

The FTC complaint explains how Google rolled out its Buzz service to its Gmail users with a splash screen that introduced them to Google Buzz, a social networking service allowing users to share updates much like any other social networking service. The users were given two options: “Sweet! Check out Buzz” or “Nah, go to my inbox.” (The screenshots are included in the exhibits to the complaint.) The complaint further explains that even if users selected “Nah, go to my inbox,” the users could be followed by others who were enrolled in Buzz, their public profiles could appear in the profiles of others who had enrolled, and they could be automatically enrolled if they later clicked on the Buzz link in their inbox, among other issues. In short, the FTC alleges that users were enrolled in a product without their explicit consent or an explanation of how their actions may affect their public profiles.

These actions, however, conflicted with Google’s statements in its privacy policy. Google’s privacy policy stated that it would not use personal information in a manner other than for the purposes for which the information was initially collected or as later consented to by the user, as Google was required to do under the EU Safe Harbor and probably the FTC Toysmart settlement. Therefore, the FTC concludes that the automatic enrollment of users in the Buzz program in the absence of explicit consent, while representing that Google would get the user’s consent, was a deceptive trade practice.

The resulting settlement agreement requires Google not to misrepresent:

A. the extent to which respondent maintains and protects the privacy and confidentiality of any covered information, including, but not limited to, misrepresentations related to: (1) the purposes for which it collects and uses covered information, and (2) the extent to which consumers may exercise control over the collection, use, or disclosure of covered information.

B. the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other entity, including, but not limited to, the U.S.-EU Safe Harbor Framework.

The settlement agreement shares attributes of the previous settlement agreements that the FTC reached with Sears, Twitter, and others. It requires Google to implement a proactive privacy program, one that is reminiscent of privacy by design. For example, the program must identify reasonably foreseeable material risks and the sufficiency of safeguards to control those risks. Google is subject to the usual 20-year biennial audit requirements. Additionally, the FTC requires that Google disclose to the user any sharing of the user’s identified information in a document separate from its privacy policy, terms of use, or EULA and obtain express consent from those users. This type of disclosure, which the FTC first required in the Sears enforcement action, is likely to be carried over to other FTC privacy enforcement actions.

The FTC Google Buzz enforcement action is also the first substantive Safe Harbor enforcement. The FTC’s first enforcement action, against Balls of Kryptonite, was more focused on the fees, service, and shipment policies of an ecommerce merchant than on privacy. The second set of Safe Harbor settlements concerned technical violations of the Safe Harbor: six companies represented that they were part of the Safe Harbor when their certifications had expired years ago. However, the Google Buzz enforcement action represents the next stage. Google failed to live up to the Notice and Choice Principles of the Safe Harbor, with which it promised to comply.

The enforcement action also stands in contrast to the FTC’s unwillingness to take any action against Google regarding the Wi-Fi gate. While the FTC closed the Wi-Fi gate without an enforcement action, to my knowledge, it is the first privacy regulator to act on the Buzz issues. On the other hand, the French Data Protection Authority recently imposed a €100,000 fine on the same issue. However, considering that Google’s actions took place not on a website, but in a car, the FTC may instead be allowing the State Attorneys General to take a closer look at that issue.

Finally, I would like to take issue with Google’s use of “Sweet! Check out Buzz” and “Nah, go to my inbox” to attempt to allow users to accept or decline an offer. Agreements need not always be replete with legalese. Google was not required to state “I hereby represent that I have read and agreed to the Terms and Conditions of Google Buzz and would like my profile to be public and shared with others and any information to be used for any other purpose represented in the Google Buzz Privacy Policy” on the splash page. Even if it had, due to its practices, it would still have likely violated Section 5 of the FTC Act. However, Google’s use of such fluffy provisions is not the most effective means of forming agreements online nor of informing users about their rights. One can agree to an offer in many ways, including using the word “awesome!”, but proving this assent in a court of law may be challenging.

In conclusion, the FTC Google Buzz enforcement action provides an interesting mix of issues by throwing together privacy by design, the EU Safe Harbor, aligning privacy policies with privacy practices, and enforcement of agreements online.


Monday, March 14, 2011

FTC Announces Behavioral Tracking Enforcement Action

By Mehmet Munur

The Federal Trade Commission announced an enforcement action today against an online advertising network that restarted tracking of users 10 days after those users had opted out of online tracking. This is likely the first FTC enforcement action in the behavioral tracking context and likely the first time browser cookies played a central role in an FTC enforcement action. The enforcement action sets a serious precedent for the importance of making accurate statements regarding the use of behavioral tracking and following through on those statements.

The consent order also includes numerous requirements regarding the deletion of data, displaying new notices regarding the opt-out, and developing a method of opting out apart from the controls already present in users’ browsers. Clearly, the FTC remains willing to bring enforcement actions against online practices it believes to be deceptive, regardless of congressional action in the field of online behavioral tracking and regardless of how small the harm may seem.

Chitika is an online advertising network and works in the field of online behavioral targeting. Chitika tracks its users with the aid of browser tracking cookies placed on a user’s device. Chitika adds information to the tracking cookie about the user’s browsing activities after it is set and uses this information to serve the user with relevant advertisements. However, this tracking, according to the FTC, is “not visible to the consumer, unless the consumer uses sophisticated web diagnostics tools.” Furthermore, the FTC was concerned that the tracking would continue indefinitely so long as the user visited a website using the Chitika network with the same browser.

In its complaint, the FTC also alleges that Chitika implied that its tracking would cease for a reasonable period of time but that the tracking resumed after 10 days. As a result, Chitika’s representations were deceptive. Chitika’s privacy policy played a central role. It stated:

When users visit a page in the Chitika network, one or more cookies - a small file containing a string of characters - are set to the computer that uniquely identifies the users (sic) browser. Chitika uses cookies to improve the quality of the targeting service by storing anonymous activity data and tracking user trends, such as how people search and browse. Users can reset their browsers to refuse all cookies or to indicate when a cookie is being sent. . . . Chitika encourages and promotes business practices that protect and honor the privacy of users. You can opt-out of receiving Chitika cookies by using the button below.

After users clicked the opt-out button, Chitika told the users that they were opted out. However, these opt-out cookies expired after 10 days and Chitika restarted tracking after this time. Users were not told that the opt-out cookie would expire after 10 days. The FTC concludes that Chitika represented “expressly or by implication, that when consumers opt out of targeted advertising by Chitika, such opt-out [would] last for a reasonable period of time.” The fact that the tracking resumed after 10 days resulted in deception in the FTC’s view.

The consent order that followed the FTC investigation requires Chitika not to

misrepresent in any manner, expressly or by implication: (A) the extent to which consumers may exercise control over the collection, use, disclosure, or sharing of data collected from or about them, their computers or devices, or their online activities, or (B) the extent to which data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.

The consent order also requires Chitika to place disclosures on its websites about the expired opt out and

provide a mechanism, separate and apart from any preferences or controls offered by consumers’ browsers, to enable Chitika users to prevent respondent from collecting data that can be associated with a Chitika user or a Chitika user’s computer or device, or that contains any unique identifier, including Chitika user ID or Internet Protocol (IP) address; from redirecting Chitika users’ browsers to third parties that collect data, absent a click or other affirmative action by such Chitika user; and from associating any previously collected data with any Chitika user’s computer or device. This mechanism shall require no more than one additional click for consumers to exercise their choice(s), and shall remain in effect for a minimum time period of five (5) years, unless the consumer deletes his or her cookies or takes deliberate action to disable the mechanism.

Finally, within 90 days, Chitika must include a link in its ads to the website that would allow individuals to opt out of the tracking. Chitika must also destroy all IP addresses and unique identifiers and all information stored in users’ cookies.

As is typical of FTC enforcement actions, the order lasts for 20 years. However, there is no biennial audit requirement. Instead, for a period of 5 years, Chitika must maintain and make available to the FTC any documents that relate to the collection of information from users, including FAQs, privacy policies, and Terms of Use.
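The failure the complaint describes, and the five-year persistence the order demands, both come down to one attribute on one cookie: how long the browser keeps the opt-out preference. The following is an added example, not Chitika's code and not anything from the FTC record: a small Node.js simulation of an ad network that sets an opt-out cookie, a browser-style cookie jar that discards expired cookies, and a server-side check that refuses to set or extend a tracking identifier while the opt-out is present. The cookie names, the one-year tracking-cookie lifetime, and the user identifier are constructed for the example; only the 10-day and five-year figures come from the post.

```javascript
// Added example (not Chitika's code): why a short Max-Age on an opt-out cookie
// silently re-enables tracking, and what the five-year minimum changes.

const DAY = 24 * 60 * 60; // seconds

// Weak setting: the 10-day expiry described in the complaint.
const WEAK_OPT_OUT_MAX_AGE = 10 * DAY;
// Corrected setting: the five-year minimum required by the consent order.
const COMPLIANT_OPT_OUT_MAX_AGE = 5 * 365 * DAY;

// Build the Set-Cookie header value that records the opt-out preference.
// Cookie name "optout" is constructed for this example.
function buildOptOutCookie(maxAgeSeconds) {
  return `optout=1; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Minimal cookie jar standing in for the browser: it honors Max-Age and
// stops sending a cookie once it has expired. The site cannot override this.
class CookieJar {
  constructor() {
    this.cookies = new Map();
  }
  store(setCookieHeader, nowSeconds) {
    const [pair, ...attrs] = setCookieHeader.split(';').map((s) => s.trim());
    const [name, value] = pair.split('=');
    let expiresAt = Infinity; // session cookie unless Max-Age says otherwise
    for (const attr of attrs) {
      const [key, val] = attr.split('=');
      if (key.toLowerCase() === 'max-age') expiresAt = nowSeconds + Number(val);
    }
    this.cookies.set(name, { value, expiresAt });
  }
  cookieHeader(nowSeconds) {
    return [...this.cookies.entries()]
      .filter(([, c]) => c.expiresAt > nowSeconds)
      .map(([name, c]) => `${name}=${c.value}`)
      .join('; ');
  }
}

// Parse an incoming Cookie request header into a name -> value object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of header.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name) out[name] = rest.join('=');
  }
  return out;
}

// Server-side decision on each ad request: an opt-out cookie must win over
// any tracking identifier, and no identifier may be set while it is present.
// The "uid" name and the constructed identifier are example values.
function handleRequest(cookieHeader) {
  const cookies = parseCookieHeader(cookieHeader);
  if (cookies.optout === '1') {
    return { tracked: false, setCookie: null };
  }
  const id = cookies.uid || 'constructed-uid-0001';
  return {
    tracked: true,
    setCookie: `uid=${id}; Max-Age=${365 * DAY}; Path=/; Secure; SameSite=Lax`,
  };
}

// Simulate a user who opts out on day 0 and returns returnAfterDays later.
// Returns true if the network would track that user on the return visit.
function simulate(optOutMaxAge, returnAfterDays) {
  const jar = new CookieJar();
  jar.store(buildOptOutCookie(optOutMaxAge), 0);
  const later = returnAfterDays * DAY;
  const result = handleRequest(jar.cookieHeader(later));
  if (result.setCookie) jar.store(result.setCookie, later);
  return result.tracked;
}

// Stand-alone run: the weak setting resumes tracking on day 11, the
// compliant setting does not.
console.log('10-day opt-out, user returns on day 11:', simulate(WEAK_OPT_OUT_MAX_AGE, 11));
console.log('5-year opt-out, user returns on day 11:', simulate(COMPLIANT_OPT_OUT_MAX_AGE, 11));
```

The point of the simulation is that expiry is enforced by the browser, not the ad network, so the only lever the network has over how long an opt-out lasts is the Max-Age (or Expires) it writes; a value that is shorter than what the privacy policy implies is exactly the gap the complaint turned on. The order's carve-out for users who delete their cookies or deliberately disable the mechanism matches the jar's behaviour here: once the cookie is gone, the server has no record of the choice, which is also why the order separately requires an opt-out mechanism apart from browser controls.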

This most recent enforcement action from the FTC is not unexpected. The FTC recently released the Do Not Track report that we blogged about. There, the FTC stated that consumers should be entitled to choice about online behavioral tracking and that

The most practical method of providing such universal choice would likely involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted ads. Commission staff supports this approach, sometimes referred to as “Do Not Track.”

Thus, the Chitika enforcement action is completely in line with the persistent online tracking choices that the FTC would like to encourage.

The FTC now reiterates its willingness to change practices in the arena of online behavioral tracking by putting the cookies center stage. It is also noteworthy that the enforcement action comes before the Do Not Track report is finalized. After all, that report was a preliminary report.

As a result, statements and practices about cookies, especially behavioral tracking cookies, are now more important than ever. These practices will only increase in importance as the FTC reviews all the comments relating to its report and issues a final report. It appears that regardless of legislation in this area, the FTC will continue to bring enforcement actions against deceptive practices relating to behavioral tracking.
