Avoiding an FTC Privacy Investigation (and What To Do When You Find Yourself the Target of One)
IAPP Global Privacy Summit
March 9, 2012
Alysa Z. Hutnik
Benita A. Kahn
Topics of Discussion
5 FTC Privacy triggers to avoid
Tips for avoiding FTC scrutiny
Tips for responding to an FTC CID/access letter
Key Proposed Changes to FTC’s Rules of Practice
Sources That Trigger FTC Scrutiny
Media coverage
Congress
Consumer complaints
FTC’s Top 10 list
“All companies involved in information collection and sharing on mobile devices – carriers, operating system vendors, applications, and advertisers – should provide meaningful choice mechanisms for consumers.”
- FTC Staff, December 2010
“Companies that fail to implement reasonable security safeguards to protect consumer information will come under our scrutiny.”
- FTC Commissioner Julie Brill, January 26, 2012
“[FTC] Staff has a number of active investigations into privacy issues associated with mobile devices, including children’s privacy.”
- Jessica Rich, Deputy Director of FTC Bureau of Consumer Protection, April 2011
5 Privacy Triggers to Avoid
1. Material misrepresentation in privacy policy
2. Inadequate PII safeguards
3. Inadequate consumer choices/control re: use of their PII
4. Inadequate disclosures about PII sharing
5. Unauthorized third-party access
Usually it is a combination of more than one of these that triggers attention
Lessons Learned: FTC v. Google
Misrepresentation in privacy policy
Automatic user enrollment
Public default settings
Deceptive opt-out provisions
Lessons Learned: FTC v. Twitter
Misrepresentation in privacy policy and other statements
Inadequate safeguards
Unauthorized third party access
Lessons Learned: FTC v. Facebook
Misrepresentation in privacy policy and in other statements
Inadequate safeguards
Unauthorized access by third-party apps and advertisers
Unauthorized access to deleted user information
Failure to certify security of apps
The List Keeps Going…
FTC v. Upromise, Inc.
Accused of misleading users about the extent to which it collected and transmitted personal information
Allegedly failed to adequately secure the user information that was collected
FTC v. Chitika, Inc.
Accused of tracking consumers’ online activities even after they opted out of online tracking
FTC v. ScanScout, Inc.
Accused of advising that Flash cookies could be removed through browser settings
Practical Tips To Avoid Becoming a Target
“Bake It In” – Privacy by Design
Empower Consumers with Real Choices
Say what you do and Do what you say
Transparency
Disclosure
Consent
“Bake It In”: Privacy by Design
Means Actually Having A Privacy Program
Designate trained employees
Identify risks to PII (both in product design & PII use)
Assess current safeguards
Implement controls and procedures
Select and retain service providers
Hire independent auditors
Empower Consumer Choice
Controls
Simplify choice, so people can understand the choice and act on it
Opt-out provisions
Cautionary tale: Congressional scrutiny over upcoming changes to Google’s privacy policy that limit consumers’ ability to opt out
Say What You Do & Do What You Say
Transparency
Collection and protection of information
Consumer control and access
Accessibility to third parties
New or Additional Sharing
Disclosures
Consent
Responding to a CID/Access Letter
Initial Steps
CID/Access Letter Scope
ESI
Production
Privilege Log
Advocacy
Initial Steps
20-day clock is ticking: take it seriously and take action immediately
Review the document
Nature and scope of the Investigation
Definitions
Instructions
Interrogatories / Document Requests
Hire expert counsel in FTC consumer protection matters
Identify key internal team w/ knowledge
Assess Investigation Scope
Creating a Response Framework
What information is the FTC seeking?
What information do we have that is responsive?
How difficult will it be to access the information?
Would compliance with the CID violate other statutes?
CID Scope cont.
Burden Letter
Identify which requests present an unreasonable burden (and get realistic about what is actually going to be considered burdensome)
Develop a detailed narrative and quantify the burden
Propose reasonable alternatives
Submit to the FTC early in the process and keep it rolling – need to demonstrate cooperation and that you are taking the CID seriously
Also have a good idea of what you can produce soon and when that production will occur
CID Scope cont.
Petition to Limit or Quash
File no later than 20 days after service of the CID, unless appropriate FTC personnel have granted a written extension
Must include all assertions of privilege and objections
Motion to Quash rarely granted
More effective to have detailed discussion with staff to limit scope of CID response based on reasonable alternatives if burdensome
Future note: FTC’s proposed rule revision adds meet-and-confer requirements within 10 days after receipt of process or before the deadline for filing a petition to quash, whichever is first
Accounting for ESI
Legal Hold Memo
Immediately prepare and send to relevant employees and officers
Specify dates and types of information covered by the hold
Suspend auto-delete features where applicable
Identify internal email custodians and databases/systems
Production of Responsive Documents
Follow the new BCP Production Guide, or work to resolve with Staff if there are issues with compliance
Provide a letter that explains the scope of your response to each request for information within the CID
Respond on time
Assert confidentiality protections and protections against FOIA requests and SAFE WEB Act sharing
Privilege Log
Rules require filing no later than the production date; see if you can move this to a later date so the focus can be on gathering responsive materials
Produce schedule of items withheld
Include type, subject matter, date, names, addresses, positions, organizations of all authors and recipients, and specific grounds for privilege
Future note: FTC’s proposed rule revision requires a detailed log and requires parties to meet and confer on privilege issues within 10 days after receipt of process or before the deadline for filing a petition to quash, whichever is first (more stringent than the Federal Rules)
Advocacy – Tell Your Side of the Story
Proactive Follow-up
Communications with Staff
Gather “Good Facts” for Narrative; work with client to truly gather all facts that may be helpful (usually requires interviews and multiple follow-ups)
Work with client if you need to develop some proactive, remedial steps after further review of business practices
Advocacy
Provide Written Narrative (the white paper)
Craft a positive story
Should hit all the key facts that the staff would need to consider in determining if a violation has occurred
Visually walk through the key disclosures (if a disclosure case) and the consumer experience in the most positive light
If remedial changes have been incorporated, be upfront about that
Avoid a data dump; the white paper is an investment, but it is your chance to tell the story from the position of the party most knowledgeable on the facts
Make it Timely
Send soon after you’ve completed the final document production
Advocacy
Built-in Privacy Protections (Privacy by Design)
Data collection, purpose, and retention
Secure consumer and third-party access
Consumer experience
Default settings
Notice and consent
Advocacy
Compliant Company Practices
Scope of data collected and permitted uses
Contractual protections/monitoring
Risk assessment
New Initiatives
Based on industry guidelines/best practices
Meeting
Ask for a meeting with staff to discuss the case (and your side of the story); this should occur well before any decision on a complaint
Key Proposed Changes to FTC Rules of Practice
ESI
“Any writings, drawings, graphs, charts, photographs, sound recording, images and other data or data compilations stored in any electronic medium …”
Mandatory Meet-and-Confer
Within 10 days after receipt of process or before the deadline for filing a petition to quash, whichever is first
Deposition Guidelines
No witness consultation allowed
Privilege Log
Detailed log required at time of production
Key Proposed Changes to FTC Rules of Practice
Attorney Misconduct
Reprimand, suspension, or disbarment from practice before the FTC for conduct that is unethical or obstructionist, or for knowingly or recklessly giving false/misleading information
Imputed responsibility for attorneys who order, ratify, or fail to mitigate improper conduct
Questions?
Alysa Z. Hutnik
PARTNER
Kelley Drye & Warren LLP
Advertising, Privacy & Information Security
Phone: (202) 342-8603
Connect with Kelley Drye
web: www.kelleydrye.com
blog: www.adlawaccess.com
Benita Kahn
PARTNER
Vorys, Sater, Seymour and Pease LLP
Chair, Technology and Intellectual Property Group
Phone: (614) 464-6487
Connect with Vorys
web: vorys.com