Evolving Online Advertising Techniques

And the Obama Administration announced support for federal baseline consumer data-privacy legislation, largely tracking recommendations from a Commerce Department “green paper” issued in December 2010. (See, www.ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf and www.ntia.doc.gov/internetpolicytaskforce.) Finally, no less than four federal consumer data-privacy bills were announced over the preceding 30 days, including a “do-not-track” bill. March seemed to bring a more active federal government effort to regulate evolving media to protect consumers from deceptive practices and address consumer data-privacy and security concerns.

Guidance on the Guides

More than a year into the FTC's revised Guides Concerning Use of Endorsements and Testimonials in Advertising (“Guides”), FTC inquiries and enforcement actions are illuminating how the Commission will enforce the principles outlined in that advisory document regarding evolving media. Although the Guides, which require that sellers ensure material connection disclosures between promoters and posters, were intended as self'regulatory guidance, marketers' failure to comply with the Guides is grounds for FTC enforcement actions under its authority to regulate “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. '45(a)(1). The new Guides became effective Dec. 1, 2009, and suggest, among other things, that advertisers institute social and evolving media promotions policies and procedures.

The FTC's new guidance makes clear that companies, both rogue and well-intentioned, involved in encouraging a message about their products or services in non-traditional media ' basically sponsoring the messages ' will be responsible as the advertiser. Although the FTC acknowledges limited ability to clear and control these kinds of messages in social and other evolving media, it places the burden of the risk on the sponsor and speaker. The Commission notes, in '255.0 of the Guides, that finding of deception and exercise of Section 5 authority will depend on specific factual circumstances, suggesting reasonable efforts, such as implementing appropriate polices, education, and monitoring and corrective action, along with consumer perception based on Netiquette, may shape enforcement decisions.

Although the Guides address many ways endorsements should avoid deception and consumer confusion, the need to disclose material connections is getting the most attention. Material connections between endorser and seller of a promoted product must be disclosed when they “might materially affect the weight and credibility of the endorsement (i.e., the connection is not reasonably expected by the audience).” Any material connection, then, between advertiser and consumer/endorser must be fully disclosed, including that the comment poster is employed by, or receives anything of value from, the advertiser. Accordingly, if the consumer is paid or promised compensation or anything else of value before endorsing the product, that connection must be clearly and conspicuously disclosed. Similarly, if prior to offering his or her endorsement, the consumer has reason to know he or she will be offered a benefit (such as the chance to appear on television) should he or she speak positively of the product, the advertisement must clearly and conspicuously say so. In essence, if the consumer might be endorsing the product as quid pro quo, the connection must be disclosed so the audience can assess the endorser's credibility. See, Guides '255.5. (For a more detailed look at the Guides, see this author's two-part series, “Interpreting FTC's New Endorsement Guidelines,” in the Dec. 2009 and Jan. 2010 issues of e-Commerce Law & Strategy, available at www.lawjournalnewsletters.com/issues/ljn_ecommerce/archives.html.)

FTC Activities

Legacy Learning Systems

Last month, the FTC entered a settlement agreement and consent order with the seller of guitar-lesson DVDs, Legacy Learning Systems Inc. (“LLS”), which included payment to the FTC of $250,000. In re matter of Legacy Learning Systems, Inc., et al., Agreement Containing Consent Order, File No. 120 3055. The FTC alleged LLS had violated Section 5 of the FTC Act by instituting an online affiliate sales program whereby Internet users were recruited to be “Review Ad affiliates” and got lead-generation sales commissions. The “affiliates” posted positive statements and reviews in articles, blog posts and other online editorial copy that contained hyperlinks to LSI's Web site, but failed to disclose the material connection to LLS that they would make commissions on sales generated through the links. In re matter of Legacy Learning Systems, Inc., et al., Complaint, File No. 120 3055. The endorsement's authors then received 20% to 40% of the purchase price from consumers linking through and purchasing. The disclosure omissions were allegedly attributable to LLS, which was alleged to “have [thereby] represented, directly or indirectly, expressly or by implication, that the reviews ' represented endorsements from persons who had used or reviewed those instructional videos ' [and] failed to disclose, or disclose adequately, that the endorser receives financial compensation from the sale[s] ' [,]a deceptive practice.”

In a Commission analysis issued with the announcement of the settlement, the FTC noted that it found “[LSS] failed to implement a reasonable monitoring program to ensure that these postings clearly and prominently disclosed the compensated nature of the affiliates' relationship to [LSS].” FTC Analysis of Proposed Consent Order to Aid Public Comment in the Matter of Legacy Learning Systems, Inc., File No. 102-3055. In its settlement press release, the FTC explained how LSS' activities failed to comply with guidance given in the Guides, and FTC Director of Consumer Protection David Vladeck reiterated the FTC's view that sellers are obligated to educate and monitor those such as employees and affiliates they engage to use social media to promote products and services.

AnnTaylor LOFT

This action and settlement should be a wake-up call to online marketers. As it typically does with new initiatives, the FTC educates then starts enforcement with ever-escalating repercussions. A month after the Guides were in effect, the FTC fired its first warning shot across the bow of industry by opening an inquiry into AnnTaylor LOFT's practice of inviting fashionista bloggers to preview its new line and giving them gift bags as they left. The FTC was “concerned that bloggers who attended [the event] failed to disclose that they received gifts for posting blogging about the event” and that “the company expected that they would post blog content about the company's LOFT division.” The Commission ultimately elected to close the inquiry without enforcement, based on it being an apparently isolated incident involving only a few people and, importantly, because “LOFT adopted a written policy in February 2010 stating that LOFT will not issue any gift to any bloggers without first telling the blogger that the blogger must disclose the gift in his or her blog.” The FTC expects LOFT will honor the policy and take reasonable steps to monitor bloggers' gift-disclosure compliance. Thus, the FTC reinforced its guidance on companies having a policy, educating posters, monitoring and taking corrective action.

PR Firm, Individual Blogger

Last summer, the FTC announced that it settled its first enforcement action related to evolving media use and violation of Guides principles. This resulted in a proposed consent order against a small public relations firm and its owner, whose employees posted positive online product reviews of video games published by the firm's client without disclosing the material relationship.

The order mandated the firm and a blogger, wherever employed, not to misrepresent themselves as independent users or ordinary consumers of the products or services, and to clearly and prominently disclose any material connections. For 20 years, every employee or contractor of the firm or the blogger must read the consent order and sign a statement acknowledging a de facto policy and education program for current and future staff.

Based on FTC stepped-up enforcement of other initiatives, the next monetary settlement could approach seven figures. The Commission clearly feels industry has had time to apply the Guides in evolving media. Every company should have, and enforce, policies and practices for its own social or other evolving media use, and use by its employees, spokespersons, vendors and agents, including regarding how consumers are engaged, educated, monitored and handled.

Twitter

The Commission has long targeted companies that don't honor promises to consumers on privacy options and data-security protections. On March 11, the FTC accepted as final a June 2010 settlement and consent order with Twitter over allegations it failed to adequately safeguard user data. The FTC had alleged Twitter deceived consumers by representing that it undertook reasonable data-security measures, when it in fact allowed its systems to be vulnerable to hackers. On two occasions in 2009, hackers accessed non-public user information and Tweets that had some level of privacy, and gained the ability to send phony Tweets from user accounts.

Twitter had promised: “We employ administrative, physical and electronic measures designed to protect your information from unauthorized access.” The FTC, though, alleged data breaches occurred in part because Twitter allowed employees to use easy passwords that were vulnerable to password-hacking programs, had sloppy password security protocols, and allowed too many employees access to administrative controls. The consent decree requires Twitter to impose better password and other security measures, institute a comprehensive data-security plan, conduct training and monitoring, and for 10 years conduct independent information-security audits biennially. This is significant because sensitive data such as credit card numbers or medical information, was not involved in the corrective actions, which should be seen as best practices for all companies.

Chitika Inc.

On March 13, the FTC announced, subject to final approval, a consent agreement with the Internet advertising network Chitika Inc. Chitika is an Internet ad server network that acts as an intermediary between advertisers and Web site publishers, enabling advertisers to buy and employ contextually relevant ads for targeted audiences. It uses tracking devices such as cookies on consumers' browsers to see user activities, build behavioral profiles and serve relevant ads, a practice known as behavioral advertising.

Consistent with industry self-regulation and best practices, Chitika's privacy policy allowed consumers to opt out of behavioral tracking. The FTC alleged that, at least between May 2008 and February 2010, the opt-out was effective for only 10 days, that Chitika would thereafter reinstitute tracking and that it failed to disclose these limitations of the opt-out, making this a deceptive practice.

The consent decree requires consumers be given a more meaningful opt-out option. How it requires that may be instructive on FTC direction for the rest of industry.

Every targeted ad must include proximate and conspicuous notice of tracking attached to the ad and of a “do-not-track” option with a hyperlink to the opt-out.

Chitika must also employ effective measures to ensure opt-out remains effective for five years. The corrective action ordered seems an implicit Commission endorsement of the principle behind the new advertising option icon and October 2010 self-regulatory principles for online behavioral advertising adopted by more than a half dozen leading advertising and business trade organizations, joined together as the Digital Advertising Alliance (“DAA”) (www.aboutads.info). The principles put the notice and opt-out on the ad, and not in a privacy policy a consumer viewing the ad would arguably never see. It also suggests the industry needs to employ technology that will maintain respect for such choice for a significant period.

Seeking More Authority

Turning from its present-day enforcement actions under the current regulatory scheme where enforcement essentially relies on companies overpromising and under delivering on their privacy and data-security representations, the FTC has been working for greater authority and a regulatory scheme requiring more clear and affirmative consent from consumers. The Obama Administration recently supported the Commission and many in Congress appear receptive to changes.

The FTC suggested to Congress in June 2010 that the current so-called notice-and-choice model of privacy, under which the FTC has deemed a deceptive practice not to accurately disclose how consumer data is collected, used and shared, was proving inadequate. The Commission spent much of 2010 holding privacy roundtables for industry and consumer input. In December 2010, the FTC issued a preliminary staff report calling for an evolution from the current “notice-and-choice” and “harm-based” approaches to a new framework emphasizing:

• Privacy by design;
• Simplification of consumer choice; and
• Greater transparency.

A specific recommendation FTC floated and invited public comment on was a “do-not-track” option ' “a universal setting similar to a persistent cookie on a consumer's browser and conveying that setting to sites the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted
advertisements.” Many argue a single universal system is necessary for effective opt-out.

Meanwhile, in 2010, the Commerce Department issued its green paper with 10 recommendations for a federal data-privacy framework, and requested public comment. It received over 100 comments, at www.ntia.doc.gov/comments/101214614-0614-01.
On March 16, 2011, Assistant Secretary of Commerce Lawrence E. Strickland presented the Administration's response to those comments to the U.S. Senate Committee on Commerce, Science, and Transportation, recommending:

Legislation to provide a stronger framework to protect consumer' online privacy interests [, which] should contain three key elements. First, the Administration recommends that legislation set forth baseline consumer data privacy protections ' that is, a “consumer privacy bill of rights.” Second, legislation should provide the FTC with authority to enforce any baseline protections. Third, legislation should create a framework that provides incentives for the development of codes of conduct that are consistent with baseline protections [and potential safe harbors for following them].

Strickland also recommended that any legislation:

• Not add duplicative or overly burdensome regulatory requirements to businesses;
• Be technology neutral, so that it allows firms flexibility in deciding how to comply with its requirements and encourages business models that are consistent with baseline principles but use personal data in ways not yet contemplated; and
• Provide a basis for greater transnational cooperation on consumer privacy enforcement issues, as well as more streamlined cross-border data flows and reduced compliance burdens for U.S. businesses facing numerous foreign privacy laws.

Proposed federal privacy legislation has not garnered significant traction in recent years, with former Rep. Boucher's 2010 bill getting the farthest to a proposal for broad and comprehensive, though many would say ill-conceived, changes. The Rockefeller Internet Sales Practices Act, which, among other things, prohibits online merchants from sharing certain online transaction data “used by a customer of the initial merchant, to any post-transaction third party seller for use in [an add-on/up sale transaction],” also arrived in 2010.

This year has, however, already seen four federal consumer data-privacy bills. For instance:

• HR 611 is a comprehensive privacy bill introduced by Rep. Bobby Rush (D-IL) on Feb. 10 calling for universal privacy requirements, including mandating the posting of privacy policies and disclosures regarding tracking.
• HR 653 is a financial privacy act introduced by Rep. Jackie Speier (D-CA) on Feb. 11.
• HR 654 is a “do-not-track” proposal, also introduced by Speier on Feb. 11.
• On March 16, Sen. John Kerry (D-MA) announced the Kerry-McCain Omnibus Privacy Bill, which provides opt-out requirements for collection of non-sensitive personally identifiable information, and opt-in consent for sensitive information collection and targeted advertising.

Furthermore, the FTC's report on what, if any, changes should be made to the Children's Online Privacy Protection Act (“COPPA”) is expected later this year.

The Administration's support for legislative action and greater power for the FTC may help push legislative efforts.

Absent comprehensive consumer data-privacy legislation, plaintiffs' class action bar stands ready to change the industry's practices. No fewer than 25 class-action lawsuits challenging behavioral advertising and related consumer data-privacy practices have been filed in the last six months.

Coming: More U.S. Scrutiny

The FTC has sent several messages to companies in online and social media that it will hold them responsible for their failure to disclose their relationship to sellers and other deceptive activities, and will increase enforcement this year.

Companies must have policies and monitoring efforts in place to guard against inappropriate online promotional activities on their behalf. 2011 also appears to be the year with a real potential for a federal consumer data-privacy scheme to come to fruition. In the meantime, the FTC is likely to continue looking for privacy and data-security cases where notice is insufficient or representations are not accurate.

Companies must audit their policies and practices to ensure they are honoring privacy and data-security promises they make, and use consumer-friendly disclosures. Following industry self-regulatory principles and best practices is highly recommended.

Finally, companies should avoid practices that are spawning class-action litigation, such as use of Flash cookies for tracking consumer behavior (due to their ability to make consumer browser “do-not-track” settings ineffective).

The federal government roared into March like a lion on online advertising, privacy and data'security practices, but hardly left like a lamb.

The Federal Trade Commission (“FTC”) finalized its 2010 proposed settlement with Twitter for failure to adequately maintain reasonable data in security safeguards to protect user information. And it entered a tentative consent decree with a provider of online behavioral-advertising services requiring a “do-not-track” notice and opt-out mechanism near targeted ads its serves.

The FTC also announced a proposed settlement requiring a $250,000 payment with an e-commerce merchant over bloggers' and others' failure to disclose their financial relationship with the seller when linking from their online posts to the seller's e-commerce site.

And the Obama Administration announced support for federal baseline consumer data-privacy legislation, largely tracking recommendations from a Commerce Department “green paper” issued in December 2010. (See, www.ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf and www.ntia.doc.gov/internetpolicytaskforce.) Finally, no less than four federal consumer data-privacy bills were announced over the preceding 30 days, including a “do-not-track” bill. March seemed to bring a more active federal government effort to regulate evolving media to protect consumers from deceptive practices and address consumer data-privacy and security concerns.

Guidance on the Guides

More than a year into the FTC's revised Guides Concerning Use of Endorsements and Testimonials in Advertising (“Guides”), FTC inquiries and enforcement actions are illuminating how the Commission will enforce the principles outlined in that advisory document regarding evolving media. Although the Guides, which require that sellers ensure material connection disclosures between promoters and posters, were intended as self'regulatory guidance, marketers' failure to comply with the Guides is grounds for FTC enforcement actions under its authority to regulate “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. '45(a)(1). The new Guides became effective Dec. 1, 2009, and suggest, among other things, that advertisers institute social and evolving media promotions policies and procedures.

The FTC's new guidance makes clear that companies, both rogue and well-intentioned, involved in encouraging a message about their products or services in non-traditional media ' basically sponsoring the messages ' will be responsible as the advertiser. Although the FTC acknowledges limited ability to clear and control these kinds of messages in social and other evolving media, it places the burden of the risk on the sponsor and speaker. The Commission notes, in '255.0 of the Guides, that finding of deception and exercise of Section 5 authority will depend on specific factual circumstances, suggesting reasonable efforts, such as implementing appropriate polices, education, and monitoring and corrective action, along with consumer perception based on Netiquette, may shape enforcement decisions.

Although the Guides address many ways endorsements should avoid deception and consumer confusion, the need to disclose material connections is getting the most attention. Material connections between endorser and seller of a promoted product must be disclosed when they “might materially affect the weight and credibility of the endorsement (i.e., the connection is not reasonably expected by the audience).” Any material connection, then, between advertiser and consumer/endorser must be fully disclosed, including that the comment poster is employed by, or receives anything of value from, the advertiser. Accordingly, if the consumer is paid or promised compensation or anything else of value before endorsing the product, that connection must be clearly and conspicuously disclosed. Similarly, if prior to offering his or her endorsement, the consumer has reason to know he or she will be offered a benefit (such as the chance to appear on television) should he or she speak positively of the product, the advertisement must clearly and conspicuously say so. In essence, if the consumer might be endorsing the product as quid pro quo, the connection must be disclosed so the audience can assess the endorser's credibility. See, Guides '255.5. (For a more detailed look at the Guides, see this author's two-part series, “Interpreting FTC's New Endorsement Guidelines,” in the Dec. 2009 and Jan. 2010 issues of e-Commerce Law & Strategy, available at www.lawjournalnewsletters.com/issues/ljn_ecommerce/archives.html.)

FTC Activities

Legacy Learning Systems

Last month, the FTC entered a settlement agreement and consent order with the seller of guitar-lesson DVDs, Legacy Learning Systems Inc. (“LLS”), which included payment to the FTC of $250,000. In re matter of Legacy Learning Systems, Inc., et al., Agreement Containing Consent Order, File No. 120 3055. The FTC alleged LLS had violated Section 5 of the FTC Act by instituting an online affiliate sales program whereby Internet users were recruited to be “Review Ad affiliates” and got lead-generation sales commissions. The “affiliates” posted positive statements and reviews in articles, blog posts and other online editorial copy that contained hyperlinks to LSI's Web site, but failed to disclose the material connection to LLS that they would make commissions on sales generated through the links. In re matter of Legacy Learning Systems, Inc., et al., Complaint, File No. 120 3055. The endorsement's authors then received 20% to 40% of the purchase price from consumers linking through and purchasing. The disclosure omissions were allegedly attributable to LLS, which was alleged to “have [thereby] represented, directly or indirectly, expressly or by implication, that the reviews ' represented endorsements from persons who had used or reviewed those instructional videos ' [and] failed to disclose, or disclose adequately, that the endorser receives financial compensation from the sale[s] ' [,]a deceptive practice.”

In a Commission analysis issued with the announcement of the settlement, the FTC noted that it found “[LSS] failed to implement a reasonable monitoring program to ensure that these postings clearly and prominently disclosed the compensated nature of the affiliates' relationship to [LSS].” FTC Analysis of Proposed Consent Order to Aid Public Comment in the Matter of Legacy Learning Systems, Inc., File No. 102-3055. In its settlement press release, the FTC explained how LSS' activities failed to comply with guidance given in the Guides, and FTC Director of Consumer Protection David Vladeck reiterated the FTC's view that sellers are obligated to educate and monitor those such as employees and affiliates they engage to use social media to promote products and services.

AnnTaylor LOFT

This action and settlement should be a wake-up call to online marketers. As it typically does with new initiatives, the FTC educates then starts enforcement with ever-escalating repercussions. A month after the Guides were in effect, the FTC fired its first warning shot across the bow of industry by opening an inquiry into AnnTaylor LOFT's practice of inviting fashionista bloggers to preview its new line and giving them gift bags as they left. The FTC was “concerned that bloggers who attended [the event] failed to disclose that they received gifts for posting blogging about the event” and that “the company expected that they would post blog content about the company's LOFT division.” The Commission ultimately elected to close the inquiry without enforcement, based on it being an apparently isolated incident involving only a few people and, importantly, because “LOFT adopted a written policy in February 2010 stating that LOFT will not issue any gift to any bloggers without first telling the blogger that the blogger must disclose the gift in his or her blog.” The FTC expects LOFT will honor the policy and take reasonable steps to monitor bloggers' gift-disclosure compliance. Thus, the FTC reinforced its guidance on companies having a policy, educating posters, monitoring and taking corrective action.

PR Firm, Individual Blogger

Last summer, the FTC announced that it settled its first enforcement action related to evolving media use and violation of Guides principles. This resulted in a proposed consent order against a small public relations firm and its owner, whose employees posted positive online product reviews of video games published by the firm's client without disclosing the material relationship.

The order mandated the firm and a blogger, wherever employed, not to misrepresent themselves as independent users or ordinary consumers of the products or services, and to clearly and prominently disclose any material connections. For 20 years, every employee or contractor of the firm or the blogger must read the consent order and sign a statement acknowledging a de facto policy and education program for current and future staff.

Based on FTC stepped-up enforcement of other initiatives, the next monetary settlement could approach seven figures. The Commission clearly feels industry has had time to apply the Guides in evolving media. Every company should have, and enforce, policies and practices for its own social or other evolving media use, and use by its employees, spokespersons, vendors and agents, including regarding how consumers are engaged, educated, monitored and handled.

Twitter

The Commission has long targeted companies that don't honor promises to consumers on privacy options and data-security protections. On March 11, the FTC accepted as final a June 2010 settlement and consent order with Twitter over allegations it failed to adequately safeguard user data. The FTC had alleged Twitter deceived consumers by representing that it undertook reasonable data-security measures, when it in fact allowed its systems to be vulnerable to hackers. On two occasions in 2009, hackers accessed non-public user information and Tweets that had some level of privacy, and gained the ability to send phony Tweets from user accounts.

Twitter had promised: “We employ administrative, physical and electronic measures designed to protect your information from unauthorized access.” The FTC, though, alleged data breaches occurred in part because Twitter allowed employees to use easy passwords that were vulnerable to password-hacking programs, had sloppy password security protocols, and allowed too many employees access to administrative controls. The consent decree requires Twitter to impose better password and other security measures, institute a comprehensive data-security plan, conduct training and monitoring, and for 10 years conduct independent information-security audits biennially. This is significant because sensitive data such as credit card numbers or medical information, was not involved in the corrective actions, which should be seen as best practices for all companies.

Chitika Inc.

On March 13, the FTC announced, subject to final approval, a consent agreement with the Internet advertising network Chitika Inc. Chitika is an Internet ad server network that acts as an intermediary between advertisers and Web site publishers, enabling advertisers to buy and employ contextually relevant ads for targeted audiences. It uses tracking devices such as cookies on consumers' browsers to see user activities, build behavioral profiles and serve relevant ads, a practice known as behavioral advertising.

Consistent with industry self-regulation and best practices, Chitika's privacy policy allowed consumers to opt out of behavioral tracking. The FTC alleged that, at least between May 2008 and February 2010, the opt-out was effective for only 10 days, that Chitika would thereafter reinstitute tracking and that it failed to disclose these limitations of the opt-out, making this a deceptive practice.

The consent decree requires consumers be given a more meaningful opt-out option. How it requires that may be instructive on FTC direction for the rest of industry.

Every targeted ad must include proximate and conspicuous notice of tracking attached to the ad and of a “do-not-track” option with a hyperlink to the opt-out.

Chitika must also employ effective measures to ensure opt-out remains effective for five years. The corrective action ordered seems an implicit Commission endorsement of the principle behind the new advertising option icon and October 2010 self-regulatory principles for online behavioral advertising adopted by more than a half dozen leading advertising and business trade organizations, joined together as the Digital Advertising Alliance (“DAA”) (www.aboutads.info). The principles put the notice and opt-out on the ad, and not in a privacy policy a consumer viewing the ad would arguably never see. It also suggests the industry needs to employ technology that will maintain respect for such choice for a significant period.

Seeking More Authority

Turning from its present-day enforcement actions under the current regulatory scheme where enforcement essentially relies on companies overpromising and under delivering on their privacy and data-security representations, the FTC has been working for greater authority and a regulatory scheme requiring more clear and affirmative consent from consumers. The Obama Administration recently supported the Commission and many in Congress appear receptive to changes.

The FTC suggested to Congress in June 2010 that the current so-called notice-and-choice model of privacy, under which the FTC has deemed a deceptive practice not to accurately disclose how consumer data is collected, used and shared, was proving inadequate. The Commission spent much of 2010 holding privacy roundtables for industry and consumer input. In December 2010, the FTC issued a preliminary staff report calling for an evolution from the current “notice-and-choice” and “harm-based” approaches to a new framework emphasizing:

• Privacy by design;
• Simplification of consumer choice; and
• Greater transparency.

A specific recommendation FTC floated and invited public comment on was a “do-not-track” option ' “a universal setting similar to a persistent cookie on a consumer's browser and conveying that setting to sites the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted
advertisements.” Many argue a single universal system is necessary for effective opt-out.

Meanwhile, in 2010, the Commerce Department issued its green paper with 10 recommendations for a federal data-privacy framework, and requested public comment. It received over 100 comments, at www.ntia.doc.gov/comments/101214614-0614-01.
On March 16, 2011, Assistant Secretary of Commerce Lawrence E. Strickland presented the Administration's response to those comments to the U.S. Senate Committee on Commerce, Science, and Transportation, recommending:

Legislation to provide a stronger framework to protect consumer' online privacy interests [, which] should contain three key elements. First, the Administration recommends that legislation set forth baseline consumer data privacy protections ' that is, a “consumer privacy bill of rights.” Second, legislation should provide the FTC with authority to enforce any baseline protections. Third, legislation should create a framework that provides incentives for the development of codes of conduct that are consistent with baseline protections [and potential safe harbors for following them].

Strickland also recommended that any legislation:

• Not add duplicative or overly burdensome regulatory requirements to businesses;
• Be technology neutral, so that it allows firms flexibility in deciding how to comply with its requirements and encourages business models that are consistent with baseline principles but use personal data in ways not yet contemplated; and
• Provide a basis for greater transnational cooperation on consumer privacy enforcement issues, as well as more streamlined cross-border data flows and reduced compliance burdens for U.S. businesses facing numerous foreign privacy laws.

Proposed federal privacy legislation has not garnered significant traction in recent years, with former Rep. Boucher's 2010 bill getting the farthest to a proposal for broad and comprehensive, though many would say ill-conceived, changes. The Rockefeller Internet Sales Practices Act, which, among other things, prohibits online merchants from sharing certain online transaction data “used by a customer of the initial merchant, to any post-transaction third party seller for use in [an add-on/up sale transaction],” also arrived in 2010.

This year has, however, already seen four federal consumer data-privacy bills. For instance:

• HR 611 is a comprehensive privacy bill introduced by Rep. Bobby Rush (D-IL) on Feb. 10 calling for universal privacy requirements, including mandating the posting of privacy policies and disclosures regarding tracking.
• HR 653 is a financial privacy act introduced by Rep. Jackie Speier (D-CA) on Feb. 11.
• HR 654 is a “do-not-track” proposal, also introduced by Speier on Feb. 11.
• On March 16, Sen. John Kerry (D-MA) announced the Kerry-McCain Omnibus Privacy Bill, which provides opt-out requirements for collection of non-sensitive personally identifiable information, and opt-in consent for sensitive information collection and targeted advertising.

Furthermore, the FTC's report on what, if any, changes should be made to the Children's Online Privacy Protection Act (“COPPA”) is expected later this year.

The Administration's support for legislative action and greater power for the FTC may help push legislative efforts.

Absent comprehensive consumer data-privacy legislation, plaintiffs' class action bar stands ready to change the industry's practices. No fewer than 25 class-action lawsuits challenging behavioral advertising and related consumer data-privacy practices have been filed in the last six months.

Coming: More U.S. Scrutiny

The FTC has sent several messages to companies in online and social media that it will hold them responsible for their failure to disclose their relationship to sellers and other deceptive activities, and will increase enforcement this year.

Companies must have policies and monitoring efforts in place to guard against inappropriate online promotional activities on their behalf. 2011 also appears to be the year with a real potential for a federal consumer data-privacy scheme to come to fruition. In the meantime, the FTC is likely to continue looking for privacy and data-security cases where notice is insufficient or representations are not accurate.

Companies must audit their policies and practices to ensure they are honoring privacy and data-security promises they make, and use consumer-friendly disclosures. Following industry self-regulatory principles and best practices is highly recommended.

Finally, companies should avoid practices that are spawning class-action litigation, such as use of Flash cookies for tracking consumer behavior (due to their ability to make consumer browser “do-not-track” settings ineffective).