
Monday, March 26, 2012

FTC Issues Final Privacy Report

By Mehmet Munur

Today, the Federal Trade Commission released its final report titled Protecting Consumer Privacy in an Era of Rapid Change that announces its best practices privacy framework. The final report reinforces the FTC’s commitment to Privacy by Design, Simplified Choice for Consumers, and Greater Transparency principles. The final report reduces the scope of the privacy framework by creating an exception for small businesses and an exception for de-identified data. The report includes further information relating to when companies should provide choice for consumers and creates a new “context of the transactions” standard for choice. The final report calls on Congress to enact base-line privacy legislation. The report also calls on the industry to start complying with the privacy framework as a best practice, even though the FTC may not be able to rely on all of its recommendations in the final report for its enforcement actions. The report also commends industry actions in the behavioral advertising arena while highlighting the need to do more in order to address the implications of the report in both the online and the offline world. The FTC will focus on Do Not Track, Mobile, Data Brokers, Large Platform Providers, and Self-Regulatory Codes throughout this year to promote the implementation of the framework. Therefore, the FTC will continue the development of the privacy framework with stakeholders, industry, consumer groups, and the Department of Commerce. 

Scope of the Privacy Framework.
The final report builds on the preliminary report of the same name released in December 2010, which we discussed at the time of its release. The privacy “framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless the entity collects only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties.” The FTC has decided to include a fewer-than-5,000-consumers-per-year small business exception in order to reduce the impact of the privacy framework on small businesses. However, the more important reduction in scope comes in the form of what the FTC defines as information that cannot be reasonably linked to a specific consumer, computer, or other device.

In its preliminary report, the FTC referenced the problems in anonymization and the disappearing distinction between personally identifiable information and non-personally identifiable information. The FTC relied on articles such as Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization by Paul Ohm and Robust De-anonymization of Large Sparse Datasets by Arvind Narayanan and Vitaly Shmatikov relating to Netflix. However, the FTC narrowed the “reasonably linked to a specific consumer, computer, or other device” standard by creating another exception. A company will be able to take advantage of this exception if the company 1) takes reasonable measures to ensure that the data is de-identified, 2) publicly commits to maintaining and using the data in a de-identified fashion, and not to attempt to re-identify the data, and 3) contractually prohibits any other entities from re-identifying the data—if it shares the information with others. This approach is different from the approach suggested by Jane Yakowitz in the Tragedy of the Data Commons article, which would have allowed a freer flowing stream of anonymized data. Nevertheless, it allows entities to retain de-identified data for longer periods for research and share it with others with reasonable assurances that they will not be held liable under the privacy framework.

Privacy by Design.
Since the release of the preliminary report, the FTC has reinforced the importance of the Privacy by Design prong of the privacy framework with the Google and Facebook enforcement actions. Therefore, the FTC remains committed to encouraging companies to make privacy the default option in the products and services they offer. As a result, the FTC believes that “[c]ompanies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.”

While the FTC’s data security requirements are easier to articulate under its enforcement actions, the boundaries of reasonable collection limits and data accuracy remain less clear. The Sears enforcement action and the FrostWire enforcement action likely remain important for reasonable collection limits in the online context. In this final report, the FTC explains that “[c]ompanies should limit data collection to that which is consistent with the context of a particular transaction or the consumer’s relationship with the business, or as required or specifically authorized by law.” As a result, the relationship with the consumer plays a large role in what type of information should be collected from the consumer. This requirement also fits well with the Obama administration’s Consumer Privacy Bill of Rights Respect for Context principle.

However, the FTC’s approach to the Privacy by Design prong of the framework appears to be flexible because different industries will need to collect different information.

Simplified Consumer Choice.
The FTC has further elaborated the different actions for which companies should obtain choice, while omitting choice in other, more obvious circumstances. The FTC states that “[c]ompanies do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer, or are required or specifically authorized by law.” The FTC further elaborates that “whether a practice requires choice turns on the extent to which the practice is consistent with the context of the transaction or the consumer’s existing relationship with the business, or is required or specifically authorized by law.” The reasons for this revision appear to be two-fold: to comply with the Consumer Privacy Bill of Rights context principle and to provide a more objective standard for providing choice. Nevertheless, the FTC still believes that the five practices in the preliminary report—fulfillment, fraud prevention, internal operations, legal compliance and public purpose, and most first-party marketing—provide good examples of practices that would meet this standard.

With regard to practices that require choice, the FTC states that “companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data.” At least two of those circumstances would be when “(1) using consumer data in a materially different manner than claimed when the data was collected; or (2) collecting sensitive data for certain purposes.” However, the FTC notes that the time and manner in which the choice is offered will change from industry to industry and that there is no one-size-fits-all solution. In the online setting, the FTC suggested that offering the choice at account creation may be advantageous. However, for an offline retailer, this choice may be offered later, after waiting “for a disclosed period before engaging in practices for which choice is being offered.”

Finally, the FTC alluded to the possibility that a take-it-or-leave-it approach may be appropriate in some circumstances—such as where 1) there is adequate competition, 2) the transaction does not involve an essential product or service, and 3) the company clearly and conspicuously discloses the terms of the transaction.

Transparency.
With the Transparency prong of the framework, the FTC once again calls for “clearer, shorter, and more standardized” privacy policies, reasonable access to data, and consumer education. The FTC believes in standardized elements for privacy policies; however, it calls on the industry to develop the format and terminology for these. The FTC also states that it will work with the Department of Commerce in developing these standardized elements.

The FTC also states that the right to access should be reasonable and, therefore, “proportional to the sensitivity and the intended use of the data at issue.” Once again, the FTC takes a sliding-scale approach to the disclosure of the information held by companies about individuals: the more sensitive the information, the more individualized the notice, access, and corrections rights attached to the data. 

Conclusion.
The FTC has answered some questions with this final report; at the same time, it has left a lot to be decided by various industry groups, the Department of Commerce, and future workshops. As a result, the final report feels incomplete.

However, the final report is now supported by enforcement actions. The FTC has been able to get the industry to move mainly on the strength of the enforcement actions it has brought since the preliminary report, including those involving Google, Facebook, cookies, and mobile apps. Therefore, the FTC has brought substantive enforcement actions to support many of the prongs of the preliminary report, even though other parts of the report appear to be best practices. However, the FTC seems to be looking forward to the solutions in the works at the World Wide Web Consortium and the major browser developers for issues relating to behavioral advertising.

On the other hand, Congress has failed to pass any baseline privacy and data security legislation that the FTC called for. Therefore, the FTC’s privacy framework will likely continue to be a work in progress that will take more concrete shape with each future workshop. Companies should make plans to abide by the major points of the privacy framework created by the report and to contribute to the workshops and calls for comments by the FTC and the Department of Commerce.


Monday, March 14, 2011

FTC Announces Behavioral Tracking Enforcement Action

By Mehmet Munur

The Federal Trade Commission announced an enforcement action today against an online advertising network that restarted tracking of users 10 days after those users had opted out of online tracking. This is likely the first FTC enforcement action in the behavioral tracking context and likely the first time browser cookies played a central role in an FTC enforcement action. The enforcement action sets a serious precedent for the importance of making accurate statements regarding the use of behavioral tracking and following through on those statements.

The consent order also includes numerous requirements regarding the deletion of data, displaying new notices regarding the opt-out, and developing a method of opting out apart from the controls already present in users’ browsers. Clearly, the FTC remains willing to bring enforcement actions against online practices it believes to be deceptive, regardless of congressional action in the field of online behavioral tracking and regardless of how small the harm may seem.

Chitika is an online advertising network and works in the field of online behavioral targeting. Chitika tracks its users with the aid of browser tracking cookies placed on a user’s device. Chitika adds information to the tracking cookie about the user’s browsing activities after it is set and uses this information to serve the user with relevant advertisement. However, this tracking, according to the FTC, is “not visible to the consumer, unless the consumer uses sophisticated web diagnostics tools.” Furthermore, the FTC was concerned that the tracking would continue indefinitely so long as the user visited a website using the Chitika network with the same browser.

In its complaint, the FTC also alleges that Chitika implied that its tracking would cease for a reasonable period of time but that the tracking resumed after 10 days. As a result, Chitika’s representations were deceptive. Chitika’s privacy policy played a central role. It stated:

When users visit a page in the Chitika network, one or more cookies - a small file containing a string of characters - are set to the computer that uniquely identifies the users (sic) browser. Chitika uses cookies to improve the quality of the targeting service by storing anonymous activity data and tracking user trends, such as how people search and browse. Users can reset their browsers to refuse all cookies or to indicate when a cookie is being sent. . . . Chitika encourages and promotes business practices that protect and honor the privacy of users. You can opt-out of receiving Chitika cookies by using the button below.

After users clicked the opt-out button, Chitika told them that they were opted out. However, these opt-out cookies expired after 10 days, and Chitika restarted tracking after that time. Users were not told that the opt-out cookie would expire after 10 days. The FTC concludes that Chitika represented “expressly or by implication, that when consumers opt out of targeted advertising by Chitika, such opt-out [would] last for a reasonable period of time.” The fact that the tracking resumed after 10 days resulted in deception in the FTC’s view.

The consent order that followed the FTC investigation requires Chitika not to

misrepresent in any manner, expressly or by implication: (A) the extent to which consumers may exercise control over the collection, use, disclosure, or sharing of data collected from or about them, their computers or devices, or their online activities, or (B) the extent to which data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.

The consent order also requires Chitika to place disclosures on its websites about the expired opt out and

provide a mechanism, separate and apart from any preferences or controls offered by consumers’ browsers, to enable Chitika users to prevent respondent from collecting data that can be associated with a Chitika user or a Chitika user’s computer or device, or that contains any unique identifier, including Chitika user ID or Internet Protocol (IP) address; from redirecting Chitika users’ browsers to third parties that collect data, absent a click or other affirmative action by such Chitika user; and from associating any previously collected data with any Chitika user’s computer or device. This mechanism shall require no more than one additional click for consumers to exercise their choice(s), and shall remain in effect for a minimum time period of five (5) years, unless the consumer deletes his or her cookies or takes deliberate action to disable the mechanism.

Finally, within 90 days, Chitika must include a link in its ads to the website that would allow individuals to opt out of the tracking. Chitika must also destroy all IP addresses and unique identifiers and all information stored in users’ cookies.

As is typical of FTC enforcement actions, the order lasts for 20 years. However, there is no biennial audit requirement. Instead, for a period of 5 years, Chitika must maintain and make available to the FTC any documents that relate to the collection of information from users, including FAQs, privacy policies, and Terms of Use.
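The defect at the heart of this action was an opt-out cookie that silently expired after 10 days, while the consent order now demands a mechanism that lasts at least five years. The following added example (not from the post or from Chitika's actual implementation) shows how a site operator might audit its own Set-Cookie headers for that failure mode; the cookie names and dates are constructed.

```python
"""Audit whether an opt-out cookie persists long enough.

Constructed example: parses Set-Cookie headers and flags an opt-out
cookie whose lifetime falls short of the five-year minimum in the
consent order, as a ten-day cookie would.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MIN_OPT_OUT_DAYS = 5 * 365  # five-year minimum from the consent order


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def opt_out_lifetime_days(header, now):
    """Remaining lifetime in days, or None for a session-only cookie.

    Per RFC 6265, Max-Age takes precedence over Expires when both appear.
    Expires is assumed to be in the RFC 1123 form used in the sample below.
    """
    _, _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        exp = parsedate_to_datetime(attrs["expires"])
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return (exp - now).total_seconds() / 86400
    return None


def audit_opt_out_cookie(header, now=None):
    """Return (ok, reason) for an opt-out cookie header."""
    now = now or datetime.now(timezone.utc)
    name, _, _ = parse_set_cookie(header)
    days = opt_out_lifetime_days(header, now)
    if days is None:
        return False, f"{name}: session cookie, opt-out lost when the browser closes"
    if days < MIN_OPT_OUT_DAYS:
        return False, f"{name}: lasts {days:.0f} days, below the {MIN_OPT_OUT_DAYS}-day minimum"
    return True, f"{name}: persists {days:.0f} days"


# Constructed sample headers: the ten-day pattern at issue and a compliant one.
FIXED_NOW = datetime(2011, 3, 14, tzinfo=timezone.utc)
TEN_DAY_COOKIE = "optout=1; Max-Age=864000; Path=/; Domain=.example.net"
FIVE_YEAR_COOKIE = "optout=1; Expires=Mon, 14 Mar 2016 00:00:00 GMT; Path=/"

if __name__ == "__main__":
    for hdr in (TEN_DAY_COOKIE, FIVE_YEAR_COOKIE, "optout=1; Path=/"):
        print(audit_opt_out_cookie(hdr, FIXED_NOW))
```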

This most recent enforcement action from the FTC is not unexpected. The FTC recently released the Do Not Track report that we blogged about. There, the FTC stated that consumers should be entitled to choice about online behavioral tracking and that

The most practical method of providing such universal choice would likely involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted ads. Commission staff supports this approach, sometimes referred to as “Do Not Track.”

Thus, the Chitika enforcement action is completely in line with the persistent online tracking choices that the FTC would like to encourage.

The FTC now reiterates its willingness to change practices in the arena of online behavioral tracking by putting the cookies center stage. It is also noteworthy that the enforcement action comes before the Do Not Track report is finalized. After all, that report was a preliminary report.

As a result, statements and practices about cookies, especially behavioral tracking cookies, are now more important than ever. These practices will only increase in importance as the FTC reviews all the comments relating to its report and issues a final report. It appears that regardless of legislation in this area, the FTC will continue to bring enforcement actions against deceptive practices relating to behavioral tracking.


Wednesday, August 19, 2009

FTC Issues Final Breach Notification Rules as Required by the Stimulus Bill

By Mehmet Munur

On August 18, the Federal Trade Commission issued the final rules on breach notification as required by the American Recovery and Reinvestment Act of 2009, commonly known as the stimulus bill. The rules will take effect 30 days from publication in the Federal Register. The FTC will only begin enforcement 180 days after the publication of the final rules.

The final rules addressed the public comments to the proposed rules and clarified certain issues such as the broad scope of the rules, the application of either the HHS or FTC breach notification rules, notifying individuals by email, notifying the FTC for breaches involving more than 500 individuals, and privacy notices.

The FTC received 129 comments related to its notice of proposed rulemaking. Google (see our previous blog post on Google Health) was noticeably absent from the list, while Microsoft (see our previous blog post on HealthVault) commented on several issues including email notices and use of cloud computing storage. Microsoft’s concerns related to cloud computing prompted the FTC to require that vendors of PHR and PHR related entities notify their third party service providers of their status as vendors of PHR.

The FTC adopted the definition of personal health record without modification. Under the proposed rules, a breach of name and credit card numbers would have triggered a notification. The FTC backed away from that interpretation and now states that name and credit card numbers alone will not constitute a personal health record. On the other hand, the FTC renewed its statement that de-identified data would not be considered a personal health record “[g]iven the small risk that such data will be re-identified by unauthorized third parties.” Such references show the FTC’s renewed interest in the identification of individuals using non-personally identifiable information. The FTC had previously mentioned the issue in February in the Behavioral Advertising Staff Report.

The FTC confirmed the wide scope of the new breach notification rules. The proposed rule applies to vendors of PHR and PHR related entities “irrespective of any jurisdictional tests in the Federal Trade Commission Act.” Therefore, even if an entity is not covered by the FTC Act, it may fall under the scope of the breach notification. Additionally, the Commission reiterated that “foreign entities with U.S. customers must provide breach notification under U.S. laws.” Similar to the EU Data Protection Directive, the rules appear to apply to the individual’s data regardless of the data’s location.

The FTC agreed with some of the commentators to the proposed rules that some entities would be covered by both the FTC and the HHS rules. Therefore, the FTC “consulted with HHS to harmonize the two rules, within the constraints of the statutory language.” A related issue concerned the provision of a single breach notification for a single breach, though several entities may be involved. The FTC addresses this issue by providing examples of when entities may comply with both the FTC and the HHS requirements to provide notice.

The final rules also addressed privacy notices and, with them, the FTC’s recent incursion into privacy enforcement and behavioral advertising. The FTC addressed privacy notices because the “final rule provides that a breach of security means acquisition of information without the authorization of the individual.” The FTC stated that “an entity’s use of information to enhance individuals’ experience with their PHR would be within the scope of the individuals’ authorization, as long as such use is consistent with the entity’s disclosures and individuals’ reasonable expectations.” The FTC reiterated its suspicion of lengthy privacy notices, which it originally voiced in the Behavioral Advertising Staff Report, by stating that “the Commission expects that vendors of personal health records and PHR related entities would limit the sharing of consumers’ information, unless the consumers exercise meaningful choice in consenting to such sharing. Buried disclosures in lengthy privacy policies do not satisfy the standard of ‘meaningful choice.’” The FTC cited the recent Sears enforcement action to reinforce its seriousness in enforcing the meaningful choice doctrine. There, Sears had buried its data mining activities deep in its privacy policy instead of providing clear and conspicuous notice of the broad scope of its activities. This could be an indication that the FTC may consider data processing without adequate notice as a data breach.

The final rules now make it easier to provide individual notice through email as well. Because the FTC is persuaded that the relationship between vendors of PHR, PHR related entities, and consumers takes place online, email notice can be used as a default option. Individuals’ express affirmative consent to notification by email is no longer necessary. Nevertheless, consumers must still have a meaningful choice not to receive notice by email. Additionally, the FTC made it clear that no confirmation of receipt of emails is required; only “reasonable efforts to contact all individuals” are required. EPIC advocated for social media breach notification. The FTC declined to adopt such a measure, but stated that the rule did not preclude other forms of notice in addition to the required forms. We are looking forward to public reactions to the first social media breach notification on Twitter, Facebook, or LinkedIn.

Web postings related to breaches on entities’ websites now need not be maintained for 6 months. The FTC shortened the public posting period on websites to 90 days. With respect to notifying the FTC of breaches involving more than 500 people, the FTC increased the time to provide notice to the FTC from 5 to 10 business days. In addition, entities may use the form created by the FTC to notify the FTC about breaches. Email notification of the FTC is not an option at this time due to security concerns.

While the effective date of the rules was set by the Stimulus Bill and cannot be changed, the FTC stated that it “will use its enforcement discretion to refrain from bringing an enforcement action for failure to provide the required notifications for breaches that are discovered” within 180 days after the publication of the final rules. The HHS should shortly follow with its final rules under the Stimulus Bill.
