[6-1 307pm] Privacy Webinar #2 - Intersection of ... Privacy Into Advertising and... · Recent Cases FTC v. Phillip A. Flora • FTC Complaint filed February 23, 2011 • Sent 5.5

1

www.khlaw.comWashington, D.C. ● Brussels ● San Francisco ● Shanghai

Tracy P. MarshallPartner

Keller and Heckman LLP1001 G Street, N.W.

Washington, DC 20001202-434-4234

[email protected]

Building Privacy Into Advertising and Marketing:The Intersection of Advertising and Privacy

June 2, 2011

Sheila A. MillarPartner


Washington, DC 20001202-434-4143

[email protected]

│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 20112

PresentersSheila A. Millar is a Partner at Keller and Heckman and counsels corporate and association clients on a range of consumer protection regulatory and public policy matters. Ms. Millar advises clients on privacy and security policies and programs, data breach responses, data transfers and cloud computing. She also counsels clients on privacy and regulatory compliance aspects of promotions, social media policies, website terms and online sales. Noted for her expertise on children's issues, Ms. Millar has participated in Federal Trade Commission (FTC) workshops on children's privacy and advertising literacy.

2


Presenters

Tracy P. Marshall is a Partner at Keller and Heckman LLP. She assists for-profit and non-profit clients with a range of business and regulatory matters. In the Internet, privacy, and advertising areas, Ms. Marshall provides counsel on e-commerce transactions and online promotions, privacy and data security policies and programs, and data breach management.


Preliminary Word

This presentation provides information about the law. Legal information is not the same as legal advice, which involves the application of law to an individual's specific circumstances. The interpretation and application of the law to an individual’s specific circumstance depend on many factors. This presentation is not intended to provide legal advice. The information provided in this presentation is drawn entirely from public information. The views expressed in this presentation are the authors’ alone and not those of the authors’clients.

3


The Issues

Balancing benefits of online advertising and social media against privacy implications of collection, use, and sharing of data Managing legal obligations stemming from global privacy laws and best practices


Agenda

Media-specific privacy lawsOnline behavioral advertising/ interest based advertisingAdvertising to childrenGeolocation dataSocial mediaCookies

4


Upcoming The Privacy Playbook: A Practical Guide For Businesses Webinars Series

June 16 -- Privacy Considerations in the Employment Context

June 30 -- Best Practices for Protecting Data and Managing Data Breaches

July 14 -- Practical Tips for Avoiding Privacy Enforcement and Lawsuits

July 28 – Towards Privacy by Design: Smart Grid and Other Technologies

All webinars will be held from 11:00 a.m. – 12:30 p.m. ET


How Companies Communicate

Company websites

E-mail messages

Text messages

Social networking sites

Blogs

Telephone solicitations

Faxes

5


Applicable Laws

Telephone ConsumerProtection Act of 1991 (TCPA) Telemarketing Sales Rule(TSR)

CAN-SPAM Act • Mobile Service Commercial

MessageTCPA • Short Message Service

CAN-SPAM Act

Digital Millennium Copyright ActFTC Endorsements and Testimonials GuidesFTC Green GuidesState lawsThird party terms and conditions/ guidelines

Telemarketing and Faxes:

Social Media/Online:

E-mail:

Text Messaging:


THE THE ““DO NOTDO NOT”” LAWSLAWS

6


DO NOT CALL!

Overview of Telemarketing Laws• Can’t abandon > 3% of calls answered by a person• Must transmit caller ID information when available• No autodialer or artificial or prerecorded voice calls to cell

phone, pager, etc. where party is charged • No prerecorded voice calls to residences without prior

express consent• No solicitations to residences before 8 a.m. or after 9

p.m.


Do-Not-Call Registry

National Do-Not-Call registry jointly established by FCC and FTCCovers residential and personal wireless phone numbers; registration valid for five yearsProhibits telephone solicitations to numbers on the Do-Not-Call list, except • With prior express permission• By or on behalf of a tax-exempt non-profit• With an established business relationship (EBR)

7


Enforcement of Telemarketing Laws

47 U.S.C. § 227FCC enforcesPrivate Right of Action –numerous class action lawsuitsUp to $16,000 per violation/ messageUp to $500 per violation/ message for civil action

16 CFR Part 310FTC enforces, maintains “Do Not Call” registryNo Private Right of ActionUp to $16,000 in fines perviolation/message

Telephone Consumer Protection Act (TCPA)

Telemarketing Sales Rule (TSR)


DO NOT FAX!

TCPA - No fax ads without prior written consentEBR exception (unless recipient opted out)Covers both business and consumer linesFax must include• ID & phone number of originator• ID of fax broadcaster (if applicable)• Legal name of originator• Date & time sent• Opt-out mechanism and honor

opt out requests within 30 days

8


DO NOT SPAM!

Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act effective January 1, 2004 Basics:• If “primary purpose” of email is

commercial, it is subject to CAN-SPAM• FTC has clarified aspects of CAN-SPAM:

– Primary purpose– Multiple “senders”– Refer-a-friend emails


CAN-SPAM Act Requirements

Clear and conspicuous identification that the message is an advertisementAccurate and non-misleading header/subjectValid postal address for the “sender”• Who is a Sender? Any person who initiates a

commercial email message and whose product, service, or Internet web site is advertised or promoted by the message

Working online opt-out mechanism Honor opt-out requests within 10 business days

9


What is a Commercial Email Message?

Any email message the primary purpose of which is • The commercial advertisement or

promotion of –A commercial product or service–Content on a website operated for a

commercial purpose–Some non-profit communications

deemed “commercial”


What is Commercial Primary Purpose?

If recipient reasonably interpreting the subject line would conclude that the message contains an ad or promotion for a commercial product or service

If transactional or relationship content does not appear at the beginning of the message

10


Transactional/ Relationship Messages

Communicate with customers about ordersConduct market research surveysCommunicate with employees/ former employees/ retirees about benefits, accounts, employee discounts, etc.Send press releases, etc. to shareholders

• In all cases, whether an email qualifies as transactional/ relationship depends on satisfaction of “primary purpose” test


Multiple “Senders”

Multiple “senders” of a single e-mail can designate one “sender” if that person• Would be deemed a “sender” under the

Act• Is identified in the “from” line• Complies with the CAN-SPAM Act

11


“Refer-a-Friend” CampaignsRefer-a-friend emails sent with consideration or inducement are subject to CAN-SPAM Act• Consideration/ inducement includes money, coupons,

discounts, awards, additional sweepstakes entries

If email is sent by automatic technical process to an address provided by the forwarder, then it is a “routine conveyance” exempt from the Act

Cannot use child’s name as “sender” for refer-a-friend campaigns at kids sites


Civil penalties up to $16,000 for each e-mail in violation

Criminal penalties– including imprisonment –for: • Accessing someone else’s computer to send spam

without permission• Using false information to register for multiple e-mail

accounts or domain names• Relaying or retransmitting multiple spam messages

through a computer to mislead others about the origin of the message

CAN-SPAM Penalties

12


CAN-SPAM permits unsolicited communications as long as the basic requirements are followedElectronic Communications Privacy Directive (Directive 2002/58/EC) only permits electronic communications with the recipient’s consent• Consent can be obtained through website tick boxes,

but not pre-checked boxes• Established business relationship excepted• Affiliates treated like third parties• Opt-out mechanism required

CAN-SPAM vs Directive 2002/58/EC


Canada’s Spam Law

Fighting Internet and Wireless Spam Act (“FISA”) – Bill C-28• Passed on December 15, 2010• Prohibits sending unsolicited commercial

communications without consent (opt-in)• Covers all forms of commercial electronic messages,

including text messages• Must identify sender and (if different) person on

whose behalf the message is sent, contact information, and an unsubscribe mechanism

• Permits private right of action; fines up to $1M for individuals and $10M for business

13


Recent Cases

FTC v. Phillip A. Flora• FTC Complaint filed February 23,

2011• Sent 5.5 million spam text

messages, pitching loan modification assistance, debt relief, and other services

• Violated CAN SPAM Act by advertising services through multiple email messages with no opt-out mechanism

• Sold information collected from consumers to marketers as “debt settlement leads”


Facebook CAN-SPAM Litigation

Facebook, Inc. v. MaxBounty, Inc.(March 28, 2011)• Company used fake Facebook pages,

accounts, and applications to offer non-existent products/services

• Caused Facebook users to SPAM friends and/or use the data to sign-up for a host of subscription services

• Court found that messages sent by Facebook users to their friends’ walls, news feeds or home pages are “electronic mail messages” under the CAN-SPAM Act

14


CAN-SPAM Best Practices

What do you want to do?• Register consumers for updates, newsletters,

sweepstakes and other promotions• Share consumer registration information with

third parties for marketing• Use rented/ purchased e-mail lists• Confirm transaction and send marketing

message


DO NOT TEXT!

Prior written consent required to send text messagesMobile Service Commercial Message (MSCM)• Subject to CAN-SPAM Act

Short Message Service (SMS)• Subject to TCPA

Mobile Marketing Association (MMA)Guidelines

15


DO NOT TRACK!

Online Behavioral Advertising (OBA)/ Interest Based Advertising (IBA) • Collecting anonymous information (e.g., IP

addresses) from a particular computer or device across the Internet

– Via cookies, pixel tags• Using information about preferences to serve

ads


Self-Regulation

FTC Self-Regulatory Principles for Online Behavioral Advertising• Coalition of major ad organizations• 7 Principles:

– Consumer education– Transparency– Consumer choice– Data security/ limited data retention– Consent for material changes to OBA practices– Limited collection of sensitive data– Accountability (enforcement/compliance)

Internet Browsers

16


OBA/IBA Legal Landscape FTC, DOC Privacy Reports

Legislation Introduced in 112th Congress• “Commercial Privacy Bill of Rights Act of 2011” (S. 799)

– Senators John Kerry (D-MA) and John McCain (R-FL)• “Consumer Privacy Protection Act of 2011” (H.R. 1598)

– Rep. Cliff Stearns (R-FL)• “BEST PRACTICES Act” (H.R. 611)

– Rep. Bobby Rush (D-IL) reintroduced from 111th Congress• “Do Not Track Me Online Act” (H.R. 654)

– Rep. Jackie Speier (D-CA)• “Do Not Track Online Act of 2011” (S. 913)

– Sen. Jay Rockefeller (D-WV)• “Do Not Track Kids Act of 2011”

– Reps. Edward Markey (D-MA) and Joe Barton (R-TX)


First FTC OBA Case: Chitika, Inc.

Company misrepresented consumers’ability to opt-out of OBAAfter 10 days, company would place tracking cookies back on browsers and continue to serve targeted ads FTC alleged that opt-out mechanism was deceptive and violated FTC Act Section 5

17


CHILDREN’S PRIVACY


COPPA Basics

Children’s Online Privacy Protection Act of 1998 (COPPA); FTC COPPA RuleApplies to the online collection of personal information from children under 13

Verifiable Parental ConsentOperator may not require a child to disclose more information than is reasonably necessary to participatePreempts inconsistent state laws

COPPA Rule Review

18


Online Marketing to Kids

Can interface online directly with kids under some exceptions; permitted data collection very limited• One-time use – prompt deletion required• Multiple e-mails with notice to parents

Use care in refer-a-friend e-mailsVerifiable parental consent• Can use “e-mail plus” for internal marketing• No public postings


COPPA Enforcement

U.S. v. Playdom (sub of Disney) and Howard Marks• Largest-ever penalty for COPPA violation

($3 million)• Mandatory deletion of all kids’ records• Age-screening failure at sites appealing to

kids noted• Due diligence with acquisitions needed

19


MOBILE GEOLOCATION


Geolocation Data

Emerging issue for mobileRole of app developers, service providers, advertisers unclearLinked to OBA in some proposed legislation

20


Location Data Developments

FCC and FTC to hold a forum this month on the use of smartphone location data for targeted ads and other purposesU.S. Senate held hearings on consumer privacy and the treatment of location data, focusing on Apple, Google, and Facebook


Apple Lawsuits

Alleged violations of privacy of iPhone, iPad and iTouch users by transmitting the devices’ unique identifiers to application developersAlleged that application developers Pandora, The New York Times Co., WebMD, Yelp, and Groupon illegally transmitted users’ personal data, including application use, to third party advertisers without consent

21


ADVERTISING AND ADVERTISING AND SOCIAL MEDIA SOCIAL MEDIA


Social Media and Privacy

Social Media uses tools such as blogs, wikis, and social networking sites to connect people and build relationships with consumers “Getting to know” consumers has privacy implications

22


Advertising in Social Media

Forms of Advertising• Based on user’s network

of friends • Direct advertising placed

on social networking site • Through 'groups' or

'pages' Types of Online Ads• Banner ads• Keyword, contextual• OBA ads (tracking)• Pop-ups• Video ads


FTC Endorsement GuidesSubstantiate claimsEndorsement should reflect personal opinion, beliefs of endorserDisclose payments where necessaryDisclose “material connection” between advertiser and endorserDisclose expected results• “Results not typical” no longer

a safe harbor

23


More Litigation

In re Facebook Privacy Litigation• Claim that Facebook intentionally and

knowingly transmitted users’ personal information to third party advertisers without consent

• CA judge granted in part and denied in part Facebook’s motion to dismiss and allowed suit to proceed


MySpace Litigation

Linda Virtue and Lily Castro v. MySpace, No. 11-CV-1800 (E.D. NY, April 13, 2011)• Alleged that MySpace violated state law, Stored

Communications Act, and its own privacy policy by transmitting data used to identify MySpace members to advertising companies and data aggregators

• The data associated users’ names, ages and other information with their Internet browsing histories

• Lawsuit sought class action status

24


CA Social Networking Bill (SB 242)

Social networking site users must opt in before the site can display information other than user's name and city of residence Social networking sites must permit users to set privacy settings as part of registration process and explain options in plain languageSocial networking sites must remove a user’s personal identifying information upon request (or upon a parent’s request, for users under age 18)


ARE COOKIES EATING YOU?

25


New EU Cookies Law

Website operators must get informed consentbefore using cookies and other technologies to store and retrieve information on users’computers• Previously companies had to disclose how cookies

were used and provide opt-out• ICO suggests obtaining consent through browser

settings, pop ups, terms and conditions

Exception: If “strictly necessary”for a service requested by the user


Cookies Lawsuits

Class action suit Mortensen, et. al. v. Bresnan Communication, LLC (Montana, 2011)• Bresnan (ISP) allowed appliance to be installed by

Internet ad company, NebuAd• Appliance disabled users’ security features and

placed tracking cookies on computer for ad targeting• Court allowed claims under Computer Fraud and

Abuse Act and for trespass to chattel• Court denied claims under Electronic

Communications Privacy Act and for invasion of privacy

26


Cookies Lawsuits

Ringleader Digital settled lawsuit over Media Stamp® technology• Complaint alleged that the company

improperly tracked users by placing “cookies”on their phones

• Ringleader required to place a link where cookies are stored and allow consumers to opt-out of receiving targeted ads on mobile websites


Flash Cookies & History Sniffing

“Flash cookies,” or local shared objects, are ‘super cookies’ that never expire and are protected from deletion• Class action lawsuits in 2010 against Disney, Hulu,

Jib-Jab, and others“History sniffing” peeks into a user’s Internet visitation history to create a profile of the user• Several lawsuits in 2010 against Interclick,

McDonald’s, adult websites and others

27


What’s Next?

More focus on “hidden” tracking“Opt-in” v. “opt-out” debate continuesMore enforcementSignificant increase in litigation


Compliance Tools

Build privacy, security awareness• Train marketing staff, agencies, consultants• Address in corporate policies

Ask why is data being collected; how; whether it is personal/ non-personal; linkage to personal data; necessity of info• Checklists, audits

Contractually address privacy, security in agreements with agencies, service providers

28


A Final Word: Best Practices

Know what you do• Know what information is collected, through

what technologies, and how it is usedSay what you do• Review and update privacy polices

Do what you say• Periodic reviews essential to make sure that

new technologies, marketing initiatives do not involve data collection or practices that violate policies


Questions?

29


Upcoming The Privacy Playbook: A Practical Guide For Businesses Webinars Series

June 16 -- Privacy Considerations in the Employment Context

June 30 -- Best Practices for Protecting Data and Managing Data Breaches

July 14 -- Practical Tips for Avoiding Privacy Enforcement and Lawsuits

July 28 – Towards Privacy by Design: Smart Grid and Other Technologies

All webinars will be held from 11:00 a.m. – 12:30 p.m. ET


Thank you!Tracy P. Marshall

PartnerKeller and Heckman LLP

1001 G Street, N.W.Washington, DC 20001

[email protected]

Sheila A. MillarPartner


Washington, DC 20001202-434-4143

[email protected]

[6-1 307pm] Privacy Webinar #2 - Intersection of ... Privacy Into Advertising and... · Recent Cases FTC v. Phillip A. Flora • FTC Complaint filed February 23, 2011 • Sent 5.5

Documents