For-profit education institutions may have breathed a sigh of relief on June 30, 2012, when a federal judge struck down most of the Department of Education’s Gainful Employment rule. The decision came none too soon, as the U.S. District Court for the District of Columbia issued the ruling literally on the eve of the day the regulations were slated to take effect. But these colleges and universities should not rest on their laurels. While the court sided with the private sector in this instance, the judge’s opinion keeps the door open for more and similar regulation.
To address concern over the seeming disconnect between debt burden and employment prospects of graduates of for-profit colleges and universities, the DOE last year published its Gainful Employment rule. The rule was instituted to test schools’ compliance with the Higher Education Act’s requirement that certain institutions must “prepare students for gainful employment in a recognized occupation” in order to qualify for federal funds. To accomplish this, the rule set forth three tests, one or more of which a school would need to meet, to qualify for federal funds. The tests required that:
1. At least 35 percent of graduates must be repaying their loans,
2. The median graduate’s estimated annual loan payments must not exceed 12 percent of earnings, or
3. The median graduate’s estimated annual loan payments must not exceed 30 percent of discretionary income.
The rule further required that subject schools make certain disclosures to prospective students and obtain DOE approval for new programs.
The Gainful Employment rule stirred up consternation in the for-profit world, as concerns mounted over the costs of compliance. The Association of Private Sector Colleges and Universities, the main association representing the for-profit education industry (with over 1800 members), challenged the rule in court.
The APSCU argued that the Gainful Employment rule exceeded statutory authority by stretching the meaning of the term “gainful employment.” The court squarely sided with the DOE on its authority, noting that “gainful employment” is not an unambiguous term and that the DOE has the authority to assess whether educational programs prepare students for gainful employment. The only question, according to the court, was whether the DOE had reasonably promulgated rules to test programs’ ability to prepare students.
Working through an analysis of the rules, the court ultimately determined that the debt repayment standard (No. 1 above) “was not based upon any facts at all. No expert study or industry standard suggested that the rate selected by the Department would appropriately measure whether a particular program adequately prepared its students, the court wrote. The reason: The rule was solely based upon statistics that at the 35 percent rate, roughly 25 percent of schools subject to the rule would fail, i.e. the rate was set because it would knock out the bottom quarter of schools.
The judge rightly ruled that this basis — merely picking a compromise figure — “is not reasoned decisionmaking.” Since the other standards were so intertwined with the debt repayment test, the judge struck them down as well, leaving remaining only the disclosure provisions of the rule.
The APSCU and the for-profit industry have hailed the judge’s decision as a victory. But the industry needs to understand that it may be just the first of a series of regulatory battles. The court’s opinion read largely like an opinion favoring the DOE. Notably, the judge stated that “the Department has gone looking for rats in ratholes — as the statute empowers it to do.” And the court squarely upheld the DOE’s regulatory authority to go about enforcing something just like the Gainful Employment rule, so long as the basis is grounded in sufficiently reasoned standards.
It is not clear yet how the DOE will proceed, and whether it will go about another round of rulemaking. But the court’s opinion provides ample incentive for the administration to take another turn at Gainful Employment.
After nearly a decade of persuading hundreds of thousands of parents that their babies were geniuses, the popular company, Your Baby Can Read, is shutting its doors. Its demise is the result of an FTC investigation prompted by the Campaign for a Commercial-Free Childhood advocacy group, which challenged claims by the company that newborns have the ability to absorb reading and spelling skills when they are as young as three months old. According to the company’s website, the cost of fighting these legal battles has left the company with no option but to close.
Your Baby Can Read consists of interrelated videos, flash cards and books designed to teach infants as young as three months old to read. Developed in the late 1990s by Robert Titzer, an educator with a Ph.D. in human performance from Indiana University, the product claims that babies have a small window in which they absorb spelling at an extraordinary pace. Although these claims have never been substantiated through any kind of credible research, fans of the products, which are priced at $200, have given them glowing reviews. More than a million families have used the products, which the company extensively advertised on TV, at exhibitions, and on its own website, Facebook page and YouTube channel.
In April 2011, a class of consumers who purchased the educational programs filed a class action complaint against the company in California challenging the effectiveness of the product. Additionally, the Boston-based Campaign for a Commercial-Free Childhood (CCFC) filed a complaint against the company with the FTC, leading the way for a series of campaigns against what critics call the “genius baby” industry. The national watchdog group previously successfully campaigned against the way that the “Baby Einstein” program marketed its products. In its complaint with the FTC, CCFC argued that Your Baby Can Read’s claims of teaching infants to read lacked scientific support. The group requested that the FTC stop the company from continuing its allegedly deceptive marketing practices and that the company offer full refunds to “all parents who have been duped.” According to CCFC director Dr. Susan Linn, the company “exploited parents’ natural tendency to want what’s best for their children” by making grandiose promises that find no support in science.
The problem with these types of educational products appears to be twofold. First, doctors and scientists who have tested the products have reportedly found that infants using the products are not reading, but rather are memorizing the shapes of the letters presented. Second, as the CCFC points out, the program can actually be harmful to children, as it encourages them to sit in front of television screens and computer monitors, getting them “hooked on screens” too early in life. In fact, the group notes that if parents follow the “Your Baby Can Read” instructions, by nine months, babies would have spent more than a full week of 24-hour days in front of a screen.
Although the company is going out of business, the FTC will not automatically cease its investigation. The FTC says it aims to protect the most vulnerable classes in society — and perhaps none are more vulnerable than young children, or, in this case, their overachieving parents who just want their bragging rights. It will be interesting to see which group of consumers will come out on top in the FTC investigation – the thousands of parents who were satisfied with the product or the class-action parents whose children were perhaps not as smart as they believed them to be.
Michelle Cohen recently joined Ifrah Law as a partner. Here is an edited transcript of a recent interview with Ms. Cohen.
Question: What are some of your legal experiences and strengths that you’d like to highlight?
Answer: I have many years of experience representing clients engaged in various industry sectors before state attorney generals, the FTC and the FCC, particularly in investigations and enforcement matters. I have a deep knowledge of marketing law and have counseled and defended clients in dozens of matters involving the Telephone Consumer Protection Act, the federal Can Spam Act, and state and federal telemarketing laws and regulations. I also sat for and passed the Certified Information Privacy Professional examination administered by the International Association of Privacy Professionals. This demonstrates my broad capabilities in the field of privacy law.
Some recent matters of note include managing a data loss incident for a client that entailed notifications to several state attorney generals’ offices, assisting the client with remediation and public relations management, and reviewing existing data retention policies, as well as a follow-up investigation at the state level. The client was able to move forward without any enforcement activity.
On the Telephone Consumer Protection Act side, I have supervised teams of attorneys in defending class and individual actions and resolved FCC enforcement matters (including without any penalties).
My training as both a litigator and a regulatory/corporate advisor allows me to offer a wide range of services to clients. I take great pride in knowing that my regulatory advice to clients in how to craft their business practices and establish meaningful policies has resulted in these clients avoiding enforcement actions and litigation.
Question: There has been a lot of publicity these days about data breaches that have caused serious harm to a number of retailers, credit card companies, banks, and others. Do you think there has been a real uptick in the number of such breaches, and if so, why has it occurred?
Answer: I think the increased publicity stems more from the growing awareness on the part of companies and the press that there are various types of data breaches and data losses that are covered by federal and state laws and that need to be reported and remediated. Some years back, if a laptop containing sensitive information was stolen from an employee’s car, the company might disable the account and report the theft, but the event did not necessarily trigger potentially thousands of notices to those affected, state attorney generals and consumer protection offices, publicity (via news reports and blogs that cover daily breaches) and possible lawsuits and enforcement activity. Today, that one event can result in all of those actions occurring.
Question: What is your advice to companies that may someday face a data breach?
Answer: A couple of months ago, I wrote an article regarding data breaches. The central point was that no organization should consider itself immune. Rather, a data breach (in the form of a bad actor) or a data loss (for instance, by negligent but unintentional employee action) WILL occur, no matter how many precautions a company takes. The key is to have policies in place regarding data security, to train employees in an effort to prevent negligent actions, and to be prepared for actions that will need to be taken when an event occurs. Organizations should have a team in place (human resources, legal, public relations, etc.) for dealing with these types of problems. Data loss events require swift, but considered action. In particular, some of the state breach laws have deadlines, and companies have found themselves under investigation (or involved in litigation) when their responses to a breach have been too slow or failed to meet the requirements of the law. These legal ramifications, combined with the negative publicity that WILL follow, can often be much worse than the actual data loss event.
Question: Are some companies failing to put the best safety provisions in place?
Answer: Most large companies have incorporated data safety policies; however, many medium size and smaller businesses have not done so. In addition, I think that many companies, both large and small, do not realize the scope and applicability of many of the laws. For example, consider a large company based in Texas, with most of its employees in that state. Its managers may not realize that if the company has three employees in Massachusetts, they are covered by Massachusetts’ data protection law. This statute has very specific requirements, including a requirement for a Massachusetts-specific information security plan. Let’s say the Texas company has a data loss and has to notify the Massachusetts employees and the Massachusetts Attorney General’s office along with all of its other employees. The company may get a follow-up inquiry from the Massachusetts AG asking for a copy of that company’s Massachusetts-compliant written information security policy. If the company does not have one, because it never realized it fell within that state’s law, it may find itself in some hot water there.
Accordingly, all organizations need to be proactive in their data security planning and must provide continuing updates to their policies, training, and understanding of what federal, state, and international laws may apply to their operations.
The barely year-old Consumer Financial Protection Bureau came out of the gate this week with its first enforcement action. Capital One has the dubious honor of being CFPB’s premier target under the bureau’s authority to take action against entities that it believes engage in unfair, deceptive, or abusive practices in the offering of consumer financial products and services. Congress created the CFPB as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act. That law broadly empowers the CFPB to supervise and enforce the nation’s consumer financial laws.
The CFPB claimed that Capital One’s telemarketing vendors used certain deceptive marketing practices to pressure or mislead consumers into paying for “add-on” products such as payment protection and credit monitoring. The practices of particular concern to the CFPB included:
• Misleading consumers about the benefits of the products – for instance that the product would improve credit scores when that was inaccurate
• Deceiving consumers about the nature of the products – CFPB claims some consumers were told the products could be cancelled, while canceling was difficult to accomplish
• Taking orders from ineligible consumers and then denying claims later based upon eligibility
• Leading consumers to believe the products were free when they were not
• Enrolling consumers without the consumer’s express consent
Capital One agreed to a consent order, in which the bank neither admits nor denies the allegations. The consent order provides for refunds to two million consumers of at least $140 million and a $25 million penalty. The consent decree also places additional restrictions and oversight on Capital One, including a requirement that it stop the marketing of these products until it has presented an acceptable compliance plan to ensure these acts do not recur. Capital One must also submit to an independent audit to determine if it has met the conditions of the consent decree, and it must ensure the refunds are automatic so that consumers do not have to take any action to obtain their refunds.
In addition to the consent order and the associated press release, the CFPB also issued a compliance bulletin stressing that institutions will be held liable for actions by third-party vendors operating on their behalf. The agency stressed certain proactive actions that companies should take to ensure that marketing materials and customer service interactions do not violate the law. Among these practices are the review of scripts, ads, radio and TV commercials to make sure they reflect the actual terms of the products and are not deceptive or misleading. The CFPB also cautioned that employee incentive and compensation programs tied to add-on products should require that employees adhere to guidelines and not create incentives for employees to provide inaccurate information.
Those familiar with FTC enforcement will note many similarities, as the CFPB has stated it will follow FTC precedent on “unfair” and “deceptive” practices. The CFPB has also made clear that service providers and others who “knowingly or recklessly provide substantial assistance to a covered person or service provider” may face the CFPB’s wrath.
While this is the first CFPB action, others are sure to follow as the CFPB is engaged in ongoing examinations and has issued subpoenas. The CFPB is also working closely with state attorneys general and the FTC, sharing information on potential violations and coordinating enforcement actions. We expect to see several additional CFPB actions as the new agency flexes its enforcement muscles, particularly in the mortgage, credit card, educational and “pay day” loan arenas.
Kim Kardashian, the reality star, is accustomed to the public eye, but now she faces a lawsuit that may not bring her good publicity at all. Along with her sisters Khloe and Kourtney, Kim has been named as a defendant earlier this year in a class action over QuickTrim, a dietary supplement that they have been promoting.
The complaint, filed in the U.S. District Court for the Southern District of New York, accuses the Kardashians (along with QuickTrim’s manufacturer, Windmill Health Products; the retailer GNC; and others in the sales and marketing chain) of false and deceptive marketing of the diet aid. The plaintiffs, hailing from several states, brought claims under their respective states’ consumer protection laws alleging false and deceptive advertising, as well as other claims under federal and state common law. The corporate defendants are represented by John Robert Vales of Riker Danzig Scherer Hyland Perretti of Morristown, N.J.
The basis for the suit appears to be the Food and Drug Administration’s findings on the use of caffeine in dietary supplements. According to the lawsuit, the FDA has determined that caffeine is not a safe or effective treatment for weight control. Since QuickTrim’s main ingredient, according to the plaintiffs’ complaint, is caffeine, QuickTrim is not a safe or effective treatment — and thus, QuickTrim consumers were sold an unsafe, ineffective treatment.
Where Kim & Ko fit in is that they are the product’s face, with their images plastered across QuickTrim’s labeling, packaging, and advertising. They have also actively promoted the QuickTrim product line on their Twitter and Facebook accounts and personal web pages. Their promotional activities include Twitter feeds like: “Hi dolls, have you seen the QuickTrim buy one get one free sale at GNC? Just in time for bikini season!” Or: “Aw thanks doll! I try 2 work out every morning in my Shapeups and I use QuickTrim. It’s important to stay in shape.” Plaintiffs allege that they were deceived into buying QuickTrim products – products that are “worthless” and of “no value” – by the sisters’ promotional activities.
The plaintiffs’ complaint is already in its third iteration. The latest version, filed July 2, 2012, is a clear response to the Kardashians’ Motion to Dismiss filed in June. The Kardashians moved to dismiss an earlier version of the plaintiffs’ complaint, arguing that there are no reported cases supporting a private right of action for spokesperson liability. They further argued that the Kardashians were not alleged to be sellers or merchants of QuickTrim, which is required to successfully assert breach of warranty and contract claims. Finally, they argued the plaintiffs’ state law claims of deceptive advertising failed because there are no allegations or proof (1) that the Kardashians were not bona fide users of QuickTrim products at the time they made public statements, (2) that the public statements did not reflect the Kardashians’ honest opinions, findings, beliefs or experiences, and (3) that the Kardashians knew, based upon their personal experiences, that the advertising claims of the manufacturer, which the sisters repeated, were false.
The July 2 amended complaint attempts to overcome these deficiencies by peppering the filing with allegations (1) that “[t]he Kardashian sisters deal in goods of this kind – weight loss and fitness products – and hold themselves out as having knowledge or skill peculiar to the weight loss field” and (2) that “the Kardashian sisters are not bona fide users of QuickTrim, and their public statements endorsing the products do not reflect their honest opinions, findings, beliefs and experiences.”
It will be interesting to see what the court does with the case and whether it will allow it to survive another likely round of dismissal requests. It is clear from the Federal Trade Commission’s 2009 revised guidelines on celebrity endorsements that a celebrity product sponsor may get into hot water for repeating unsubstantiated health claims about a product. But a possible enforcement action by the FTC does not translate into a private right of action for consumers. Celebrity endorsers should have some degree of immunity from these types of suits. Otherwise, they risk being beleaguered by consumer publicity-seekers. The more appropriate course of sanction for disgruntled consumers is the filing of an FTC complaint, which the FTC can review and determine whether there is a basis for action.
On June 21, 2012, in FCC v. Fox Television Stations Inc., the U.S. Supreme Court struck down the Federal Communications Commission’s effort to apply its indecency standard to brief broadcasts of nudity and “fleeting expletives.” But the Court relied not on the First Amendment’s free-speech guarantees but rather on the Fifth Amendment’s due process clause.
The Court held that Fox and ABC were not given fair advance notice that their broadcasts, which occurred prior to the announcement of the new indecency policy, were covered. This retroactive application violated their due process rights.
Broadcasters were hoping for a much broader First Amendment ruling that would have permanently hamstrung efforts by the agency to police indecency on the air. Instead, although a $1.4 million fine against ABC and its affiliates and a declaration by the FCC that Fox could be fined as well were both overturned, the agency remains free to create new indecency policies and case law under 18 USC 1464, which bans the broadcast of any” obscene, indecent, or profane language.”
In ABC’s case, the transgression was showing a seven-second shot of an actress’s buttocks and the side of her breast on NYPD Blue in 2003, and in Fox’s case, it was some isolated indecent words uttered by Cher and Nicole Richie on awards shows.
Prior FCC policy stressed the difference between isolated indecent material (which was not punished) and repeated broadcasts (which resulted in enforcement action). The Court held that Fox and ABC did not have sufficient notice that these brief moments, which occurred before the new policy went into effect, could be targeted.
The U.S. government tried to argue that a 1960 statement by the FCC gave ABC notice that broadcasting a nude body part could be contrary to the prohibition on indecency. The Supreme Court said “no dice,” as FCC had in other, later decisions declined to find brief moments of nudity actionable. If the FCC is going to fine ABC and its affiliates $1.24 million, it had better provide clear, fair notice of its indecency policies.
Since the case doesn’t affect the enforceability of the FCC’s current standard, as applied to current (rather than past) broadcasts, however, broadcasters still live in fear of the possibility of big fines levied against them for a couple of obscenities or a few seconds of nudity.
We agree with longtime public interest advocate Andrew Schwartzman, who said of this ruling, “The decision quite correctly faults the FCC for its failure to give effective guidance to broadcasters. It is, however, unfortunate that the justices ducked the core 1st Amendment issues. The resulting uncertainty will continue to chill artistic expression.”
The courts can certainly review challenges to the FCC’s indecency standards, and related issues will continue to come before the courts, including the issue of whether the current indecency standard violates the First Amendment rights of broadcasters and whether any changes the FCC may make will survive First Amendment scrutiny.
Meanwhile, with this case resolved, the FCC can finally move forward with a backlog of indecency complaints pending before it. FCC Commissioner Robert M. McDowell said in response to the Supreme Court ruling that there are now nearly 1.5 million such complaints, involving 9,700 television broadcasts, and that “as a matter of good governance, it is now time for the FCC to get back to work so that we can process the backlog of pending indecency complaints.”
Domain names on the Internet are about to get much more varied and creative. Soon websites will not just end in the few familiar suffixes like “com” or “edu,” but could end in things like “.movie” or ”.lawyer” or “.lol.”
On Wednesday, the Internet Corporation for Assigned Names and Numbers (ICANN), the organization tasked with regulating Internet domain names, released a list detailing who has applied for new suffixes, also known as top-level domains (TLD). This is the third major expansion ICANN has allowed of domain name suffixes, in addition to a few others that have been allowed on an ad hoc basis. The new system will streamline the application process and allow for up to 1,000 new domain suffixes a year.
The application process allowed companies to apply for their own brand name to use as their domain suffix name. For instance, Apple applied for the “.apple” suffix. Amazon applies for 76 names including “.amazon” and “.zappos.” Google applied for over 100 suffixes, including “.google” and “.youtube,” as well as “.lol,” and “.book.”
An interesting development related to the world of online gaming is that four groups applied for domain names that would end in “.poker.” The companies that applied for the “.poker” suffix are U.S.-based Binky Mill, LLC and Dot Poker, LLC as well as European-based dot Poker Limited and Afilias Domains No. 5. Limited.
Now that the initial list of applicants for TLD’s has been released, the public will have 60 days to comment. This time period will allow for companies and organizations to see whether others’ applications conflict with their interests or their intellectual property. After conflicts are resolved, there will be an appeals process. The new addresses likely will not launch until next year.
It remains to be seen whether these new domain extensions will become popular. Some companies may be able to capitalize on the marketing opportunities presented by the new TLD’s and other generic TLD’s that could become much more common. In any event, domain names are surely going to be more creative starting very soon.
The media world has changed radically since the last time that the Federal Trade Commission took a look at the marketing efforts of the nation’s major alcoholic beverage producers. So the FTC is taking a fresh look, emphasizing the recent explosive growth of social media in its continuing effort to determine whether the industry is self-regulating its marketing efforts as well as it should.
The FTC is requiring fourteen major producers, including Anheuser-Busch, Diageo and Bacardi, to release information about their Internet and digital marketing presence. The FTC will then use the data collected in the study to make recommendations about how the industry should regulate itself.
The commission’s last marketing study was completed in 2008 and was based on data from 2005. In 2005, Twitter did not exist yet, YouTube had just been launched, and Facebook was a year old. In that study, of the companies surveyed, only 1.9 percent of their $3.3 billion in marketing expenditures were spent on digital media.
This study marks the first time that the FTC is asking alcohol producers to provide detailed information on their Internet and social media practices, data collection and tracking practices of visitors. The 14 major alcoholic producers must produce responses to the FTC by June 11, 2012.
The FTC is limited in what it can do with the data collected, but the goal is a report that would help determine future advertising rules for websites and social media. The FTC generally lets the industry set its own advertising guidelines, and the three main alcoholic beverage industry trade associations have compliance systems in place to ensure that advertising targeted at underage audiences is minimized. Two of the three trade associations have implemented new guidelines to address marketing on social media sites.
This is an ambitious action by the FTC that could lead to increased government involvement in Internet activities. Industry self-regulation has been effective thus far and can continue to be effective. It remains to be seen what recommendations the FTC will develop after this study, but we will keep you posted.
On May 30, 2012, the Federal Trade Commission held a workshop at its conference center in Washington, D.C., entitled “Advertising and Privacy Disclosures in the Digital World.” This workshop was intended both to provide guidance to the public concerning the FTC’s advertising requirements and to solicit input from the public for updates to the FTC’s existing online advertising guidelines, “Dot Com Disclosures” (DCD). The FTC hopes to update the DCD to take into consideration advancements in technology and advertising since the guidance document was initially introduced in 2000, including the discussion of platforms such as mobile devices and social networking.
Of particular interest to us was the panel entitled “Universal and Cross-Platform Advertising Disclosures.” This panel focused on how to make disclosures, rather than on the particular information that needs to be disclosed or who should be liable for failures to disclose. The panel hoped to explore and develop best practices for this purpose and discussed public comments for the FTC’s consideration in updating the guidelines. The panel, moderated by Michael Ostheimer, a staff attorney in the agency’s Division of Advertising Practices, was composed of consumer advocates, advertiser representatives, academics, corporate counsel, and an assistant state attorney general.
The panel emphasized that there are valid ways to allow merchants and advertisers flexibility in marketing on space-constrained forums while still making adequate disclosures to consumers. The panelists stated that it is impractical to try to put all relevant terms on one page, and that it may be counterproductive to do so since consumers will only read a fraction of the information. Therefore, clearly labeled hyperlinks may be used to draw attention to essential terms.
For example, a web page advertisement for coolers stating “satisfaction guaranteed” might be considered deceptive if a hyperlink lower on the page simply marked “Disclosures” led to a page disclosing that a material potential investment, such as a restocking fee for returned items, limits the guarantee. Therefore, the advertisement could be more compliant if the disclosure were closer to the relevant claim (“satisfaction guaranteed”) and if the hyperlink stated clearly the material term, such as “Disclosure – Restocking Fees Apply.”
The panel also agreed that the disclosures required to prevent deception are directly tied to the claims made in the advertisement. By limiting the dissemination of triggering claims, the advertiser also limits the necessary disclosures. Also, the complexity of the offer dictates the necessary disclosures. If an offer includes a continuity plan or other conditions or restrictions, the disclosures will necessarily also be more complex to prevent deception. It is important to note that a disclosure that contradicts an advertisement is not sufficient to make an advertisement non-deceptive.
The panel recommended that the FTC guidelines deal only with substantive issues and that the specific form of the disclosures, as opposed to their substance, be left to the discretion of the advertisers and merchants. For example, while disclosures must be prominent, there should not be a requirement that certain conditions be in bold, italics, or a certain font size. With text-based advertisements, such as tweets or sponsored search results, such a contrast is not possible. Therefore an upfront text disclosure, such as “Purchase Required,” should be sufficient to meet the standard.
The panelists were right to emphasize the need for advertisers to have flexibility and self-regulation without imposing FTC guidelines that do not comport with how business is done in the modern world.
We hope that the FTC will keep pace with evolving technology and business needs to allow advertisers flexibility to promote their products in ways that will best reach consumers.
A good bit of fanfare surrounded the Obama Administration’s release of its Consumer Privacy Bill of Rights in late February. The publication reflects the Administration’s efforts to improve online consumer privacy protections while not stifling the growth of the Internet industries.
The document is entitled, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.”
The “Bill of Rights” is supposed to establish a “baseline of clear protections for consumers and greater certainty for companies,” providing for the following:
• Transparency: Consumers have a right to easily understandable information about privacy and security practices.
• Respect for Context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
• Security: Consumers have a right to secure and responsible handling of personal data.
• Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
• Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
• Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
But in our view, there is not that much here that is new, and the privacy protections that it purports to provide are not as comprehensive as they sound.
The framework is based in part upon the concept that the Federal Trade Commission will have the power to enforce privacy policies established by companies themselves. But that is something that the FTC has already been doing; see here for an example.
It is true that lately, more companies have been signing on to privacy policies with “Do Not Track” features. Through the Digital Advertising Alliance, member companies (including Google, Yahoo, Microsoft and AOL) have agreed to a “Do Not Track” option on their browsers that would let consumers opt out of certain data tracking. But again, that’s something that’s already been in the works. See an example here. And the exceptions to the “Do Not Track” option make it pretty weak.
The “Do Not Track” policies provided for would not apply to search engines or other first-party sites; they would apply only to third-party sites. So when the Administration touts the cooperation of these industry leaders through the Digital Advertising Alliance, it should be understood that the leaders are giving their blessing to restraints on others, not so much on themselves (although Google subsidiaries that are third-party sites, like DoubleClick, would be covered).
Under the “Do Not Track” policy, first-party sites can still collect user data and serve users ads based upon that data. Even third-party sites under the policy can maintain and use consumer data. They are simply restricted in how they can use it: They can use it only for market research and analytics.
Another major exception to the “Bill of Rights” is that it only applies to commercial use of data.
The White House’s publication notes that “Americans value privacy and expect protection from intrusions by both private and governmental actors.” But governmental actors are not subject to this “Bill of Rights.” The statement says in a footnote that it does not cover the government’s access to data in the possession of private parties.
We generally think of a “Bill of Rights” as having universal application. Perhaps the Administration shouldn’t have been so hasty to publish something and instead have waited and taken the time to prepare a statement that would have been more meaningful.