FTC Beat
Feb 23
2012

EPIC Unlikely to Prevail in Challenge to FTC Stance on Google Privacy

A federal judge in the U.S. District Court for the District of Columbia agreed earlier this month to fast-track a lawsuit by a privacy group against the Federal Trade Commission. The suit argues that the FTC has failed to enforce the terms of a settlement agreement it reached with Google last year after the FTC accused Google of violating privacy regulations in the launch of Google Buzz.

Last year, Google and the FTC agreed on a settlement stemming from allegations that Google violated its own privacy promises to consumers when it launched its social network, Google Buzz. That investigation began with a complaint filed by the Electronic Privacy Information Center (EPIC), the same group that is the plaintiff in this current case. EPIC is not suing Google and was not a party to the settlement reached between Google and the FTC. At the time of the settlement, the FTC said it “bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program and calls for regular, independent privacy audits for the next 20 years.” 

We wrote earlier about Google’s new privacy policy, set to take effect on March 1, that would streamline and consolidate about 60 disparate policies of Google products and services.  As part of the new policy Google will aggregate data it collects on users across its products, with the exception of Google Wallet and Google Books, and develop a mega-profile on each user. The data collection includes a user’s Google searches, Gmail message content, contacts, YouTube favorites, and physical location.

On February 17, the FTC filed a memorandum in opposition to the EPIC suit and a motion to dismiss it. The agency asserted that EPIC has no legal ground for its attempt to compel it to enforce the settlement and that the lawsuit “seeks to deprive the Commission of the discretion to exercise its enforcement authority.”

EPIC’s reply, filed February 21, asserted that Google’s privacy policy changes violate the FTC’s consent order and that irreparable injury is “likely.” EPIC’s brief also suggested that there is precedent allowing for judicial review of agency rulings.

Earlier this month the European Union’s data protection authorities asked Google to delay the release of its new privacy policy until it has verified that it does not violate the EU’s data protection laws. Google responded to the EU request by sending a letter saying that it has no intention of delaying the March 1 implementation of its new policy changes.

Also earlier this month Rep. Mary Bono Mack (R-Calif.) and Rep. G.K. Butterfield (D-N.C.), the top ranking Republican and Democrat on the House Energy and Commerce Committee Subcommittee on Commerce, Manufacturing and Trade, which has jurisdiction over data-privacy issues, wrote to Google asking for more answers about changes to its privacy policy.

Earlier this week, more than 30 state attorneys general wrote to Google CEO Larry Page saying that the new Google policy forces consumers to allow information to be shared across several forums without the ability to opt out or choose their preferences for how their personal information is used. The letter also points out that Google has become known as a company that put a premium on offering users choice in the use of their information, but now that information is being “held hostage.”

EPIC alleged in its complaint that Google has misrepresented its intention to use combined data for behavioral advertising. EPIC also alleges that the agreement gives the FTC the power to stop Google from making the planned privacy changes and that Google’s new policy requires the users’ consent. A key issue in the protests against the new policy had been that account holders will not be able to opt out of it.

Google has rejected the claims by EPIC, stating that the company has taken extra steps to notify users of the changes to the privacy policy. Google also maintains that it is not changing how any personal information is shared outside of Google and that it has created a stringent compliance policy.

A key issue in this case will be whether EPIC, a non-party to the agreement, can force the FTC to take action against Google. EPIC did not bring this action under the Federal Trade Commission Act, which is the source of the vast majority of FTC enforcement actions. Instead, this suit was brought under a section of the Administrative Procedure Act allowing challenges to agency action that is “unlawfully withheld.”

There may be strong precedent against EPIC in this case. The Supreme Court stated in 1985 in Heckler v. Chaney that “an agency decision not to enforce often involves a complicated balancing of a number of factors which are peculiarly within its expertise . . . The agency is far better equipped than the courts to deal with the many variables involved in the proper ordering of its priorities.”

Although EPIC brings an interesting argument, it is not likely to prevail. However, with Google able to unilaterally enforce its privacy changes against users, and with Congress and the FTC failing to take action to protect consumers, it becomes unclear who will stand up to protect the privacy interests of consumers. We will continue to follow any new developments in this case.

Feb 22
2012

Developers of New Apps Need to Consider Privacy Issues

There’s been much talk of Google’s upcoming streamlined privacy policy. Now come new demands for cleaner, user-friendly data collection and usage disclosures in the mobile app world. Two recent events highlight changes that online advertisers and app developers need to prepare for: (1) a letter from Congressmen Henry Waxman and G.K. Butterfield to Apple regarding the security of user address books and contacts stored on iOS devices and (2) an FTC report regarding privacy disclosures for mobile apps directed at children.

The Congressmen’s letter is in response to the recent Path address book fiasco in which Path acknowledged – and apologized for – its collection of consumer address book information without notifying users. News surrounding Path’s activities led to Congressional concerns over the extent to which consumer data, especially contact information, is being collected and stored for future harvesting, all without the consumer’s knowledge or permission. The Waxman-Butterfield letter quotes the Guardian: “there’s a quiet understanding among many iOS app developers that it is acceptable to send a user’s entire address book, without their permission, to remote servers and then store it for future reference. It’s common practice, and many companies likely have your address book stored in their database.”

The congressmen called for Apple to address how its app policies and practices protect consumer privacy. Apple was swift to respond, and within the day vowed to release a software update to prevent data collection that would violate the company’s privacy policies.

On the heels of the Waxman-Butterfield letter (but in the works well beforehand) comes a report by the FTC: “Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing.” The report title pretty much says it all. The FTC surveyed some 960 kid-based apps sold through Apple and Android to determine, from the various apps’ promotion pages and websites, the extent to which the developers disclose what [child] consumer data is collected and how it is used. The FTC reported that it was disappointed with the results – that disclosures were scant or nonexistent.

Tying its authority over mobile apps with its authority to enforce children’s privacy protections online through the Children’s Online Privacy Protection Act (COPPA), the FTC warned that it will be reviewing more mobile apps directed at children over the next six months, but this time, it will be enforcing – not just surveying – COPPA compliance. COPPA requires operators of online services directed to children under age 13 to provide notice and obtain parental consent before collecting items of “personal information” from children.

Several times in the FTC report the agency suggested the need for clear, concise, consistent and timely information on data collection and usage. That means disclosures of how the app (or third party advertisers) will/may use the consumer data should be upfront and precede download so that parents can determine whether or not to allow their children to use the app. Disclosures should include any connections to other social media.

The FTC report also identified (several times) the types of data that could be collected – from contact information, to location information, to call data, as well as in-app data. App developers and third party advertisers should take into account the importance of full disclosure.

Perhaps most importantly, the FTC report and the Waxman-Butterfield letter demonstrate that the government views Apple and Android (and other app stores) not just as the marketplace for app sales, but also as the gatekeepers. The FTC report pointed to Apple and Android as providing the architecture for disclosures and suggested that app stores could incorporate icons to make disclosures more easily identifiable. The Congressmen’s letter all but blames Apple for its apps’ failings.

We have been seeing increasing backdoor regulation by the government through major online presences in a couple of places, including here and here. Since government regulators acknowledge the difficulties in keeping up with developments in new technologies, it’s fair to assume they will look to major online presences to have a hand in helping keep them up to speed and keeping advertisers and developers under wraps.

Feb 06
2012

New Google Policy Reminds Us All of Trade-Off Between Privacy and Efficiency

There has been much noise over Google’s new privacy policy, which is slated to take effect on March 1. It has been a cacophony of cheers and protestations. Some think the new policy brings clarity and transparency, while others complain it leaves consumers without control over their information. Above the hubbub, one thing is clear: at this point, users have to make a choice between new technologies and expectations of privacy.

The new policy will consolidate and streamline some 60 disparate policies of Google products and services. In the overview it has provided to users, Google says that it has tried to keep the policy as simple as possible. And it is an easy-to-read, relatively brief statement that is much more user-friendly than the agreements that we regularly click through in haste to access some enticing new service.

As a part of the new policy, Google will aggregate data it collects on users across its products (with the exception of Google Wallet and Google Books) and develop a “mega-profile” on each user. That data collection includes a user’s Google searches, Gmail message content, YouTube favorites, and contacts. It also includes location tracking.

Google touts the benefits of its new policy as creating “a beautifully simple, intuitive user experience across Google.” For instance, if you search for pizza, the Google location tracker will look for a nearby pizza place. The Google calendar combination will provide reminders, based on your location, if you’re going to be late for a meeting.

The benefits sound enticing, and the user-friendly format of the privacy policy is refreshing. Apparently, the Google Dashboard will allow you to review and control the information stored in your account.

But lest we forget, the reality is that Google has acknowledged that it is collecting massive amounts of data on its users. Regardless of the usefulness and efficacy of some of its new features, users are beholden to Google (1) to securely store and (2) to defend their personal data.

Much of the negative noise over the new privacy policy stems from the fact that Google account users will not be able to opt out of the new policy. To prevent data from being aggregated, they would have to jump through many hoops, including creating different accounts across Google apps.

This inability to opt out is one of the prime reasons that members of Congress have had questions about the new policy. Several members sent a letter to Google CEO Larry Page, asking for detail on what would be collected, how it would be used, and what could come of that data. Google representatives ended up in a closed-door briefing with Congressional members on February 2. From initial reports, it does not appear that the members’ concerns were satisfactorily addressed in the briefing. This gives reason to question what could become of individual users’ “mega-profiles.”

Google’s new policy, and all the accompanying noise, serves as a good reminder that, in the age of new technologies, we are constantly waiving our privacy rights. How often do we click through a user agreement in haste so we can have access to a cool app? How often do we reflect on whether the benefits of the new technology truly outweigh the costs?

Compare the controversy over Google’s new policy with the recent Supreme Court holding in United States v. Jones that warrantless GPS tracking of a criminal suspect violated the Fourth Amendment. Justice Samuel Alito’s concurring opinion in the case hinted at lowering privacy expectations with new technologies: “The availability and use of these and other new devices will continue to shape the average person’s expectations about the privacy of his or her daily movements.” As we press forward in an age in which it is ever easier to get the who, what, when and why of each of us, based upon our own preference for convenience and coolness, we must face the consequences: Privacy will suffer, unless Congress does something about it.

Jan 19
2012

FTC Enlists Surprising Watchdogs to Police Marketers’ Practices

The FTC is building up its army of watchdogs to police online marketing content and practices.  Who those watchdogs are – and their relationship to the industry – might surprise you.

Earlier this month, the agency entered into a settlement agreement with Central Coast Nutraceuticals, an Internet marketer of weight-loss and health products.  The agreement settles charges that were initiated against the company in 2010.  The company is one of the many marketers targeted by the FTC for its tactics in selling acai berry diet products.  Like more recent FTC targets, Central Coast was charged with deceptive advertising and unfair billing.  The deceptive advertising allegations were based on (1) the marketer’s use of phony endorsements by Rachael Ray and Oprah Winfrey and (2) the marketer’s unsubstantiated claims about the benefits of its products.  The unfair billing allegations were based on the marketer’s “free trial” scheme that baited consumers into pricy negative continuity programs.

Those tracking the FTC’s enforcement actions against online diet marketers are familiar with these allegations.  Last spring, the FTC halted the sites of 10 operators who marketed acai berry diet pills for alleged fake endorsements from major media networks and unsubstantiated claims about the pills’ efficacy.  An eleventh operator was slapped with an action last December for the same issues, including the use of negative continuity programs.

Since Central Coast was the first of these marketers to come under the agency’s fire, and the first to enter into a settlement agreement (the actions of the other 12 operators are still pending), it is likely that the Central Coast settlement agreement will be the template for the suits to follow. (The FTC uses its settlement agreements to establish its legal standards.)

A term in the settlement agreement that caught our attention is a requirement that the company monitor affiliate marketers it does business with in the future.  This obligation includes reviewing marketing materials to make sure that those materials comply with the provisions of the settlement agreement.  Again, the Central Coast agreement likely will be the standard for subsequent enforcement actions, so these monitoring duties likely will be included in future agreements with other companies.

There have been a few FTC actions in the past that have imposed monitoring duties on companies who find themselves in hot water with the agency.  In March of last year, a seller of instructional DVDs entered into an agreement with the FTC that requires the company to periodically monitor and review affiliates’ representations and disclosures.  That includes monthly visits to top affiliate websites “done in a way designed not to disclose to the affiliates that they’re being monitored.”

What does this mean?  Corporate spying has taken on new meaning, thanks to FTC sanctions.  Affiliate marketers have their business partners as their proverbial Gladys Kravitz.  It is likely that this type of government-imposed self-regulation will become increasingly the norm.  The FTC doesn’t like affiliate marketers or the layers of puffery they create between advertiser and consumer.  Policing for free through private companies is a win-win for the agency.

 

Jan 08
2012

HCG Marketers Face Hot Pursuit by FDA, FTC

Putting a snag in New Year’s resolutions for pound-shedding, the FDA and the FTC recently sent out warning letters to several companies that sell HCG-based diet products online. (These companies include Nutri-Fusion Systems LLC, Natural Medical Supply, HCG Platinum, LLC, theoriginalhcgdrops.com, HCG Diet Direct, LLC, and Hcg-miracleweightloss.com.)

The warning letters, which came at the outset of the holiday season (and just before the January windfall for the diet industry, which the government may or may not have had in mind), allege that the companies are in violation of federal law (1) for selling unapproved and misbranded new drugs and (2) for advertising the health benefits of products without sufficient back-up research.

The products at issue, generally liquid drops, contain the human chorionic gonadotropin (HCG) hormone, which comes from human placenta and is extracted from pregnant women’s urine. HCG has been popular for weight loss since the 1950s, when a British doctor published a study that the hormone aided dramatic weight loss (of up to a pound a day) by mobilizing fat stores without affecting muscle or normal/structural fat. The popularity of HCG-based diet products escalated in 2007 when the notorious infomercial man, Kevin Trudeau, published a diet book on HCG.

Responding to the increased demand, in came many enterprising online marketers. But there’s an issue with selling these products – government regulation. HCG is FDA-approved, but only as a prescription drug and only for certain medical conditions, which do not include weight loss.

To get around this government roadblock, companies have marketed their HCG products as “homeopathic.” The FDA allows for the manufacture and distribution – without FDA approval – of homeopathic drugs provided those drugs meet criteria set out in the agency’s Compliance Policy Guide under “Conditions Under Which Homeopathic Drugs May be Marketed (CPG 7132.15).”

But according to the FDA’s warning letters such as this one, the HCG products marketed by these companies don’t meet the Compliance Policy Guide criteria. The biggest issue, which companies are going to have a hard (read impossible) time getting around, is that HCG is not an established homeopathic active ingredient. And if a product has any non-homeopathic active ingredients, it falls out of the homeopathic exceptions under the CPG. Since HCG is a regulated drug (several states, including California and New York, list it as a Schedule III controlled substance) and can’t fall under the homeopathic exception, companies marketing HCG-based products are subject to a host of FDA regulations that require FDA involvement and approval. As these companies operated outside the FDA’s purview, they now find themselves in hot water.

The FDA isn’t the only government agency barking up these marketers’ money trees. The FTC joined the investigation and incorporated their allegations into the warning letters. The letters note that the companies’ websites make a host of claims that the government alleges are unsubstantiated. Any advertisement that includes health claims requires “competent and reliable scientific evidence,” such as human clinical studies.

The letters give the companies 15 days to take corrective measures and notify the government of those measures. If you go on these companies’ sites today, you’ll notice a lot of “coming soon” and “products currently being improved”-type language. And this all takes place during the New Year’s resolution timeframe, when these companies could be raking it in.

A few takeaways from the warning letters: (1) If you are going to invest time and money into a product being marketed purely through a regulatory loophole, make sure you satisfy all the criteria to meet that exception. (2) Don’t go where Kevin Trudeau has gone. This is meant to be partially glib, but the fact of the matter is that Trudeau is an FTC pet peeve. You can be sure of FTC involvement if you trek the same path he has. (3) Disclaimers are not enough to avoid the FDA. A couple of the HCG marketers to whom warning letters were issued had included disclaimers on their websites that the products are not intended to treat, cure or prevent disease. Such disclaimers, according to the FDA, could not overcome other health claims and language on the sites. (4) At the end of the day, if the government wants to give you a hard time, there is little you can do about it. Other warning letters issued by the FDA regarding homeopathic products noted “that there may be circumstances where a product that otherwise may meet the conditions set forth in the CPG may nevertheless be subject to enforcement action.” With this last pointer, all we can say is, do a cost-benefit risk analysis.

Dec 21
2011

FTC Will Propose Broader Children’s Online Privacy Safeguards

Speaking at a Dec. 15 Capitol Hill forum on children’s and teens’ online privacy, Federal Trade Commission Chairman Jon Leibowitz said that the agency is recommending that the Children’s Online Privacy Protection Act (COPPA) expand the definition of personally identifiable information.

Leibowitz explained that he supports expanding the definition of “personally identifiable information” to include geolocation information, photos, videos, IP addresses, and similar items found on computers or mobile devices.

COPPA applies to the online collection of personal information from children under 13 years old. The act applies to websites and online services that are operated for a commercial purpose and are directed at children under the age of 13 or whose operator has actual knowledge that children under 13 are providing information to the site online.

The act outlines what a website operator must include in a privacy policy, the responsibilities of the operator to protect children’s online safety, and how consent can be obtained from a parent.

In September, the FTC announced proposed revisions to the COPPA rules, the first significant changes to the Act since the rules were issued in 2000. The FTC has been seeking public comments on the proposed revisions since September.

According to Leibowitz, the definition of personally identifiable information should be expanded from information provided by the consumer, to also include information used by the user’s computer or mobile device. This would include information held in cookies, processor numbers, IP addresses, geolocation information, photographs, videos, and audio files. Additionally, the new definition would now include information that web site operators, advertising networks, and others use to track consumers as they use the Internet.

The proposed rule changes would also expand the definition of what it means to “collect” data from children. The new definition would make it clear that personal information is being collected not only when the operator is requiring the personal information but also when the operator prompts or encourages a child to provide the information.

The way parental consent is obtained would also be changed to add several new methods, such as electronic scans of parental consent forms and the use of government-issued identification that is checked against a database. The rules would also eliminate the popular “e-mail plus” mechanism.

The new rules would also present a data retention and deletion requirement, which would mandate that data that is obtained from children is only kept for the amount of time necessary to achieve the purpose that it was collected for. The rules would also add the requirement that operators ensure that any third parties to whom a child’s information is disclosed have reasonable procedures in place to protect the information.

These proposed changes to COPPA will have a significant effect on online operators, particularly the expansion of the definition of personally identifiable information. We note, particularly, that the expansion of the definition of “personally identifiable information” in the children’s privacy context could lead to a general expansion by the FTC of the definition in all contexts. The FTC has cracked down on COPPA violations in the past, and these new powers will likely continue this trend.

Dec 06
2011

Ifrah Law Blog Wrap-Up for November 2011

In November 2011, we at Ifrah Law expressed our views on a number of current issues in our blogs, Crime in the Suites and FTC Beat. This post summarizes and wraps up our thoughts from the month.

ACLU Wins FOIA Appeal on Prosecutors’ Use of Cell Phone Location Data

The Justice Department must turn over the names and docket numbers of numerous cases in which the government accessed cell phone location data without probable cause or a warrant.

Read the full post here on the Crime in the Suites blog.

Options for Suing the Federal Government Under Bivens Unlikely to Expand

U.S. Supreme Court argument indicates that the Justices are unlikely to extend Bivens to cover cases against private employees.

Read the full post here on the Crime in the Suites blog.

Judge Imposes 15-Year Sentence in FCPA Case; Appeal to Follow

This case will test the Justice Department’s expansive definition of “foreign official” under the statute.

Read the full post here on the Crime in the Suites blog.

High Court Hears Argument in GPS Fourth Amendment Case

The Justices grapple with issues of search and seizure in an online, wired world.

Read the full post here on the Crime in the Suites blog.

In Appeal of Construction Fraud Case, DOJ Seeks Tougher Sentences

This case, arising from Boston’s “Big Dig” project, will test the limits of a trial judge’s sentencing discretion.

Read the full post here on the Crime in the Suites blog.

Self-Regulation Reigns, for Now, on Consumer Data Privacy Issues

The online advertising industry is inching its way to more comprehensive policies regarding the collection of consumer data.

Read the full post here on the FTC Beat blog.

Google, Microsoft Assume Roles of Judge, Jury and Executioner on the Web

The Internet giants cancel the Web connections of companies that are accused by the government of mortgage fraud but have not been convicted.

Read the full post here on the FTC Beat blog.

New House Hearing Shows Strength of Hill Support for Legal Online Gaming

Many members of Congress remain serious that legal and technical obstacles can be overcome and that legislation can be passed in this area.

Read the full post here on the Crime in the Suites blog.

Convicted of Fraud but Changed Their Lives; Appeals Court Takes Note

A couple committed mortgage fraud back in the late ‘90s. The 7th Circuit gives them sentencing credit for self-rehabilitation.

Read the full post here on the Crime in the Suites blog.

More Big Pharma Companies Cough Up Big Dollars in DOJ Settlements

How high will these settlements go? The government has the power to strong-arm drug companies into settlements. How much will it demand?

Read the full post here on the Crime in the Suites blog.

Nov 22
2011

Google, Microsoft Assume Roles of Judge, Jury and Executioner on the Web

Google, Yahoo! and Bing have suspended their accounts with hundreds of advertisers and agents associated with mortgage programs under federal investigation. The move by Google and Microsoft (Microsoft powers Bing and Yahoo!) has basically shut down these businesses: Without the vehicle of the search engines, these sites cannot effectively generate traffic.

Why did Google and Microsoft cut the cord of these companies, and is there anything the companies can do? Google and Microsoft (we’ll call them the Government’s “Judge, Jury, and Executioner” or the “Enforcers”) acted upon the request of SIGTARP, a federal agency charged with preventing fraud, waste, and abuse under TARP’s Home Affordable Modification Program. (The pressure started a while back, as we wrote last March.)

SIGTARP is investigating mortgage programs that it believes have been wrongly charging “struggling homeowners a fee in exchange for false promises of lowering the homeowner’s mortgage.”

According to a source at SIGTARP, the agency handed Google and Microsoft a list of some 125 mortgage “schemes.” Apparently, the Enforcers then took that list, identified advertisers and agents associated with those mortgage programs, and opted to suspend relations with those companies (about 500 advertisers and agents for Google and about 400 for Microsoft). (SIGTARP’s announcements on these actions can be found here and here.)

So it looks as if these companies have been penalized through government action without any adjudicative process, merely through government pressure on private companies, i.e. Google and Microsoft. (More analysis from us on this to come.)

It’s easy to understand why the Enforcers would feel pressure. Google just settled with the Department of Justice and agreed to pay more than $500 million for its role in publishing prescription drug ads from Canada. Those familiar with that settlement may see Google’s recent actions for SIGTARP as follow-on. Likely Google is more apt to buckle to the Feds quickly because of the costly settlement, but the matters are not directly related. In fact, the prescription drug settlement agreement relates to prescription drug ads only.

While the SIGTARP investigation is “ongoing,” and Google and Microsoft are continuing to cooperate with the agency, what can companies who have been caught up in this firestorm do? The Enforcers do, fortunately, have grievance processes (see, for instance, Google’s grievance process here).

Either on their own, or with some added strength through legal representation, the companies can try to make their cases regarding the content and nature of the ads at issue.

What is the next step going to be? If the Federal Trade Commission identifies, say, a group of websites that it believes are promoting bogus weight-loss schemes, will the Enforcers simply move to shut off their access to the Web, without further ado?

Nov 20
2011

Self-Regulation Reigns, for Now, on Consumer Data Privacy Issues

The online advertising industry is inching its way to more comprehensive policies regarding the collection of consumer data. Several announcements this month by different self-regulatory groups show that pressure from government agencies and consumer watchdog groups concerned about consumer privacy is taking effect . . . slowly but surely.

The most recent pronouncement comes from the World Wide Web Consortium (W3C), an international standards body made up of more than 300 members, including Google and Facebook. W3C announced earlier this week two first drafts for standards that provide consumers more information and control over how their data is tracked online.

The first set of standards, Tracking Preference Expression (DNT), is supposed to define means for users to establish their tracking preferences and see whether sites will honor those preferences. The second set of standards, Tracking Compliance and Scope Specification, is intended to set forth practices for websites to comply with a defined “Do Not Track” preference.

W3C’s announcement has generated a good bit of attention on the other side of the pond, where the EU has been pushing for years for more transparency and consumer control over online behavioral advertising. But W3C’s standards are not expected to be finalized until mid-2012.

On this side of the pond, more clamoring has gone on about the Digital Advertising Alliance’s consumer data tracking policies. The DAA, another self-regulatory project put together by the American Advertising Federation, the Interactive Advertising Bureau, the Better Business Bureau, and several other similar groups, announced last week its latest set of principles. These principles, known as Principles for Multi-Site Data, are supposed to govern companies’ collection and use of online consumer data – like earlier DAA standards, but more comprehensive. The DAA appears to have published these in response to the FTC’s concern that prior DAA standards did not sufficiently address forms of Internet tracking.

There seems to be a trend here: companies (and their consortiums) with major online presences are having a hard time reforming their online behavioral advertising (OBA) tracking, and are doing so with the speed and enthusiasm of a satiated pig. It makes sense: advertising, and OBA, has been the center of Web business models. Shaking up the models by giving consumers opt-outs across pages significantly interrupts, for instance, how sellers get leads to their sites, how advertisers track their effectiveness, and how affiliates get paid.

But like it or not, change is the reality for companies who use OBA. Growing concerns over data privacy will force companies to take new approaches, as we’ve discussed thoroughly here already. See this post, this post, and this post, for example.

Slow and steady as self-regulation may be going, it looks like government agencies like the FTC are willing to let companies take the lead on data privacy standards (with the ever ready government prod to coax them). FTC Chairman Jon Leibowitz made this point last week, while praising the DAA’s latest set of principles: “We believe that you, the advertising industry, should give consumers choices about how they are tracked online.”

Companies should be aware, though, that the FTC is not washing its hands of data privacy issues; it rather intends to enforce those company-prescribed standards. So another business beware: whatever data privacy policies you adopt, make sure you adhere to them. If not, the FTC may come to ensure you do. See, for example, this recent enforcement action.

Oct 19
2011

Inside the Privacy Event Keynoted By FTC Chair Leibowitz

Federal Trade Commission Chairman Jon Leibowitz delivered the keynote speech at a forum on Internet privacy on Oct. 11, 2011. He was part of a panel that discussed the protection of consumer data and the tracking of online consumer behavior. The Stanford Law School Center for Internet and Society also released a study the same day showing that data collection on the Internet is not anonymous and information about consumers is often leaked from websites.

Leibowitz emphasized that there are three key principles to protecting the privacy of consumers on the Internet. First, companies in the business of collecting and storing data need to build strong privacy policies. Data should be kept only for legitimate business needs and the more sensitive the data is, the more careful they need to be.

Second, there needs to be transparency. If data is being collected then consumers need to be told what is going on in a manner that they can easily understand. Lastly, there needs to be choice for the consumer. Consumers should have streamlined choices about the collection and usage of data based on their online behavior.

Leibowitz said there is a clear need for the development of a do-not-track mechanism for web users, similar to the do-not-call list that has been successful in blocking telemarketing calls. This mechanism would provide web users the ability to opt out of online tracking, which is used to provide targeted advertising based on a person’s online behavior.

Leibowitz emphasized that it is about providing consumers with the choice not to be tracked online, noting that if given the choice himself he would probably choose not to opt out because he enjoys the targeted advertising.

Leibowitz made clear that he does not care who creates this mechanism, but he does not think it needs to be administered by the government, though some members of Congress have proposed legislation to create a do-not-track system. (Note that the Interactive Advertising Bureau, a trade group for online advertisers, established a code of conduct that states that members should give clear and prominent notice of any online behavioral advertising collection and use. The code went into effect at the end of August.)

Leibowitz applauded Mozilla for going out of its way to provide consumers with the information to decide if they want to opt out of online tracking and said he was hoping other online browsers would soon follow. (Microsoft’s IE9 and Apple’s Safari also have do-not-track options.) Leibowitz emphasized that the FTC did not want to interfere with the normal data flow that makes the Internet efficient and did not see the need for the Internet to be a privacy-free zone, but still wanted to have a mechanism that allows for consumer protection.

Jonathan Mayer, a graduate student fellow at the Center for Internet and Society at Stanford University, and identifier of the “supercookie,” released a new study that showed that information collection from many websites is not as anonymous as many sites claim it is or consumers think it is. Identifying information from consumers was often leaked when the consumers went to various websites, though Mayer said that it was not clear that the leakage by websites was intentional and the study did not attempt to gauge this.

Mayer looked at the top 250 websites and signed up as a member on 185 of those websites. Mayer found that 61 percent of the websites leaked a user name or a user ID. Mayer stated that once an identity is provided in a pseudonymous system then it can be associated with what that person has done in the past and will do in the future. Full results of the study are available here.

The talks were sponsored by the ACLU, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Privacy Information Center, Privacy Rights Clearinghouse, US PIRG, and World Privacy Forum.

 

posted in:
Cybersecurity

About Ifrah Law

FTC Beat is authored by the Ifrah Law Firm, a Washington DC-based law firm specializing in the defense of government investigations and litigation. Our client base spans many regulated industries, particularly e-business, e-commerce, government contracts, gaming and healthcare.

In addition to federal criminal defense, Ifrah Law specializes in government contract defense and procurement, healthcare law, and financial services litigation and fraud defense. Further, the firm's e-commerce attorneys and internet marketing attorneys are leaders in internet marketing law, data privacy law, online fraud and abuse law, and iGaming law.

The commentary and cases included in this blog are contributed by founding partner Jeff Ifrah, partners Michelle Cohen, David Deitch, and Tim Hyland, and associates Rachel Hirsch, Jeff Hamlin, Steven Eichorn, Sarah Coffey, Nicole Kardell, Riva Parker, Casselle Smith, and Griffin Finan. We look forward to hearing your thoughts and comments!
