
Privacy Policies and Data Collection

By Kyle-Beth Hilfer
February 28, 2011

2011 will test the boundaries of personal privacy in marketing. Consumers share their personally identifiable information (“PII”) on social media networks with little understanding that marketers silently track their preferences, their dislikes, and their PII. In many instances, marketers store the information and even resell it to third parties. The conflict between marketers' targeted use of PII and respect for consumers' personal privacy will be at the forefront of regulatory efforts this year.

Several Milestones

In 2010, several milestones paved the way for concerns about privacy throughout the marketplace. In March 2010, Massachusetts enacted a new data security law (201 CMR 17.00) to protect consumers' personal information. The law has broad coverage, applying to any entity that owns, licenses, receives, stores, maintains, processes or has access to personal information about a Massachusetts resident, regardless of where the entity is located. Personal information includes such data as social security numbers, driver's license numbers, credit card information, or bank passwords. The statute requires entities to create a written information security program, implement technical security controls, including encryption, and verify that third-party service providers can protect personal information. It is not clear yet how this statute will be enforced.

In December 2010, a class action lawsuit alleged that McDonald's, Microsoft, Mazda, and CBS violated the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and New York state law by using their ads as a cover for data-mining of personal information through browser history sniffing. This lawsuit is the first one targeted at advertisers rather than their agents. The plaintiff states that she was unaware that the defendants were monitoring her online activities. All the defendants worked with Interclick, a behavioral advertising specialist that is named in a separate suit. The plaintiff asserts that the defendants deceptively used Flash cookies to insert tracking data onto consumers' computers that would collect data even if consumers set their browsers to block third-party cookies. The outcome of this case could be instructive for behavioral advertising campaigns in the future. The case suggests that consumers may want choice in how marketers acquire and use their personal information.

At the end of 2010, the FTC released its preliminary staff report titled “Protecting Consumer Privacy in an Era of Rapid Change” (http://www.ftc.gov/os/2010/12/101201privacyreport.pdf). The report acknowledged that consumers want innovative new products and services that often rely on their PII. At the same time, the report cautioned that there is a need to balance technological advances in marketing with consumers' desire for privacy. The report endorsed a “Do Not Track” mechanism that would allow consumers to opt out of marketers' invisible tracking of PII. The FTC also announced that it will be monitoring the marketplace carefully and taking enforcement action against companies that violate consumer privacy or use PII indiscriminately. The FTC is accepting public comments on its report until Jan. 31, 2011.

At the same time, the advertising industry announced its self-regulatory program for online behavioral advertising. At http://www.aboutads.info/, the nation's largest media and marketing associations provide detailed information to consumers about behavioral advertising and how to opt out of targeted marketing techniques. In addition, the Web site announces an industry-wide initiative to use an “advertising option icon” on Web sites. The icon launched on Jan. 1, 2011. When a consumer sees the icon displayed on a Web site, he will know that the Web site owner is using best practices in behavioral advertising to protect privacy. The icon also indicates that the consumer can exercise choice about the tracking of his data at the Web site he is visiting.

Guiding Principles

If your clients are doing any data collection about their customers in 2011, it is likely that you will want to keep a close eye on legislative developments in the area of privacy. It is likely that Congress will jump into this conversation. The following principles should guide your clients' data collection practices in the coming year:

1) Privacy Policies: Do your clients have policies in place? If not, they need to draft them, keeping in mind the governing statutes in California and Massachusetts and the FTC guidelines. If your client already has a policy but it has not been recently reviewed, now is the time to do so.

2) Informed Consent: Web site operators should be sure that consumers have full access to their policies. Consumers should understand how site operators are aggregating personal data before they share information on social media or a Web site. The privacy policy should have a prominent location on the Web site or social media platform. It should be clearly and conspicuously disclosed. A check-off box indicating that consumers have agreed to the privacy policy may no longer be sufficient to protect clients. The policy's language should be comprehensible to the average consumer.

3) Opt-in Choices: Consumers should have clear and understandable choices that they can make when opting into data sharing. Remember that Facebook had to revamp its privacy settings in 2009 when users rebelled against a complicated platform that was difficult to navigate.

4) PII: There is an increasingly blurred distinction between PII and non-PII data. Technology has advanced to the point where even non-PII data can be used to identify individuals, and even when PII has been rendered anonymous, the technology exists to reconstruct the person's identity. In pursuing data collection, it is important to consider whether even non-PII data need protection.

5) Data Collection: What is the client's data collection policy? What is it asking consumers to share? Does it need all the data it is requesting? What is it doing with the data once it has collected them? How long is it storing the data? Is it safeguarding data privacy? Is it sharing the data with any third parties? If so, is it encrypted and is it sharing only what is absolutely necessary?

6) Transparency: Has the client shared details of its data practices with consumers? Is it honoring consumers' choices? If the data were transferred from a third party who did the collection, is the client disclosing how it is using consumers' information once they arrive at the client's site?

7) Medium-Driven Concerns: Is the data collection happening on mobile devices? Disclosures may be done differently because of the size of the mobile screen. At a minimum, clients should link to their Web sites, but that may not be sufficient. They should initiate a plan for follow-up texts, assuming the consumer has consented to receive them, that explain why the consumer is being sent to the privacy page. Is the client co-marketing with another party? Has it coordinated data collection policies and privacy disclosures?

8) Sensitive Areas: Certain areas require special handling. Any kind of data regarding children, health and medical status, or sexual preference needs extra security. Clients should decide whether they really need this information and want the responsibility of storing it. If the client is retaining such data, it needs to create multiple layers of protection. If dealing with children under the age of 13, COPPA compliance is a must. Be aware that the FTC is reviewing COPPA to see if its reach should extend beyond Web sites to marketing messages sent through other forms of technology, such as text messaging or location-based marketing.

9) Material Changes: The days of quietly changing the terms of a privacy policy and relying on a disclaimer that allows changes are over. If the client wants to make a material change to its privacy policy, it needs to publicize the change and be sure consumers are informed of the changes and have consented.

10) Security Breach Policies: Clients should have a policy in place for handling security breaches. The policy should outline circumstances for internal notification and notification of third-party affiliates, vendors, and users of the secure data. It should require internal tracking of company responses to the security breach and investigative procedures. The policy should also outline how to handle media inquiries. Furthermore, be mindful that some state laws may require notification of consumers, credit bureaus, and state regulators. Even if state law is silent, consider whether it is prudent from both a legal and public relations standpoint to notify local authorities and work with them to contain the breach.

11) Opt-out Mechanism: With “Do Not Track” lurking in the regulatory landscape, clients should consider implementing a “do not track” option of their own and publicizing it on their marketing platforms.


Kyle-Beth Hilfer, Esq. specializes in advertising, marketing, promotions, intellectual property and new media law. For more information about her law practice, please visit http://www.kbhilferlaw.com/. © Kyle-Beth Hilfer, P.C. 2010.

