The chairmen of the Congressional Bipartisan Privacy Caucus just released the responses they received from nine major data brokers whom they queried in July about how each broker collects, assembles and sells consumer information to third parties. In their responses, the nine companies – Acxiom, Epsilon, Equifax, Experian, Harte-Hanks, Intelius, Fair Isaac, Merkle and Meredith Corp. – generally asserted that they were not data brokers. Some companies claimed they analyze data rather than broker it. Copies of the brokers’ responses and the original letters can be found here.
Interestingly, several of the brokers acknowledged obtaining their data from social networks such as LinkedIn and Facebook, in addition to telephone directories, government agencies, and financial institutions.
The legislators issued a joint statement in which they noted shortcomings in the brokers’ answers, stating that “many questions about how these data brokers operate have been left unanswered, particularly how they analyze personal information to categorize and rate consumers.”
Members of Congress have indicated that they will continue to scrutinize the data brokerage industry. Issues of particular concern for the legislators include: the sale of personal information to third parties for targeted advertising, the gathering and selling of information relating to children and teenagers, and the lack of transparency in data brokers’ practices and available information. The Privacy Caucus has expressed concern that many Americans do not know how the industry operates and that controls may be lacking for individuals over their own information.
The FTC has already called on Congress to address data brokers’ practices through legislation. In March, the FTC advocated for legislation to “address the invisibility of, and consumers’ lack of control over, data brokers’ collection and use of consumer information.” We anticipate continued review of data brokers by Congress and federal agencies including the FTC. Companies in the data compilation business should continue to monitor ongoing proceedings.
It should be noted, however, that not all companies that gather personal information actually “broker” it in a manner that raises concern. Some companies compile information and remove identifying data before providing it to third parties; other companies gather information under contract for a business with whom a consumer has an existing business relationship – as a means to promote better customer service by tailoring offerings that will be of interest to consumers generally or to a particular consumer. Many consumers have indicated a willingness to receive these types of tailored offerings.
Progress in the world of biometrics should cause us all to shudder. Cameras in public locations can now employ facial recognition to direct advertising to us based upon an assessment of our age, sex, and other characteristics. Cameras can determine our reaction to and engagement in video games and movies. It sounds a bit like a world composed of two-way mirrors. But instead of shuddering, we sometimes knowingly, sometimes carelessly, support the technology – and other data collection practices – through our online and commercial activities.
How many of us constantly update and tag our Facebook pages with pictures of us and our loved ones and where we’ve been? How many take advantage of product/service discounts by scanning our smart phones and “liking” products on Facebook? How many of us are now buying into dating apps and social apps that are based on facial recognition technology? The fact is that much of our data can be, and is being, collected and we consumers (especially in the United States) seem to have no problem with it, even volunteering for it.
Perhaps fortunately, some regulators are stepping in and keeping a watchful eye on these developments and looking for ways to curb the potentially nefarious use of consumer data. The FTC and its Division of Privacy and Identity Protection recently published its list of best practices for companies who use facial recognition technologies. The publication, “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies,” underlines important concerns about being able to identify anonymous individuals in public and about attendant security breaches such as hacking. The FTC’s proposed best practices include the following:
• Companies should maintain reasonable data security protections to prevent unauthorized information “scraping” of consumer images and biometric data.
• Companies should maintain appropriate retention and disposal practices.
• Companies should consider the sensitivity of information when developing facial recognition products and services, e.g., they should avoid placing signs in sensitive areas, such as bathrooms, locker rooms, health care facilities, or places where children congregate.
• Companies using digital signs capable of demographic detection should provide clear notice to consumers that the technologies are in use, before consumers come into contact with the signs.
• Social networks should provide consumers with (1) an easy-to-find, meaningful choice not to have their biometric data collected and used for facial recognition; and (2) the ability to turn off the feature at any time and delete any biometric data previously collected.
• Companies should obtain a consumer’s affirmative express consent before using a consumer’s image or any biometric data in a materially different manner than they represented when they collected the data.
• Companies should not use facial recognition to identify anonymous images of a consumer to someone who could not otherwise identify him or her, without obtaining the consumer’s affirmative express consent.
The guidelines come only a few months after the FTC’s March 2012 Privacy Report (“Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers”) and are a logical follow-on to the report. They incorporate the Privacy Report’s core principles: privacy by design, simplified consumer choice, and transparency. These principles and guidelines are a step in the direction of responsible data collection and responsible technological advancements.
We should point out that neither the Privacy Report nor the Best Practices in Facial Recognition are binding or enforceable as they do not fall under FTC’s legal authority. And the FTC prominently makes this disclaimer, noting that the guidelines are merely recommendations without the force of law. It is clear, however, that the FTC is appropriately preparing to assume enforcement authority, should Congress pursue privacy legislation (something the FTC recommends in the Privacy Report). That is obvious from the mere fact that the agency has established a Privacy and Identity Protection Division.
Companies that are developing or seeking to employ biometrics – or that employ other data collection practices – would be well advised to pay attention to the FTC’s recommendations. The guidelines provide insight into how an enforcement authority is likely to approach biometrics and other data collection practices. The guidelines also provide a framework for responsible use of consumer data. And even though consumers currently seem passive or dismissive about biometrics and data collection, it would take just one scandal or highly publicized incident for public opinion to change. Companies will benefit in the long run by building good will among consumers.
On August 1, 2012, the Federal Trade Commission announced that it is issuing a Supplemental Notice of Proposed Rulemaking to modify certain of its rules under the Children’s Online Privacy Protection Act (COPPA). Industry has been waiting on FTC action regarding COPPA, as the agency previously undertook a COPPA rulemaking in September 2011 and proposed modifying certain COPPA rules to account for changes in technology, particularly mobile technology.
The FTC received over 350 comments during that time. After reviewing those comments, the FTC has decided to propose certain additional changes to its COPPA rule definitions.
In summary, COPPA gives parents control over the information websites can collect from their kids. It applies to websites designed for children under 13 – or those that have reason to know they are collecting information from a child. It requires a specific privacy notice and that consent be obtained from parents in many circumstances before children’s information may be collected and/or used.
The FTC has proposed several changes that are of interest. Some are meant to “tighten” the COPPA rule, others are meant to provide some additional flexibility to operators.
• The proposed change would make clear that an operator that chooses to integrate the services of third parties that collect personal information from visitors (like ad networks or plug-ins) would itself be considered a covered “operator” under the Rule.
• The FTC is also proposing to allow websites with mixed audiences (e.g., parents and over 13) to age-screen visitors to provide COPPA’s protections only to those under 13. However, kid-directed sites or services that knowingly target under-13s as their primary audience or whose overall content is likely to attract kids under that age could not use that method.
• Also, the FTC has proposed modifying the definition of what constitutes “personal information” relating to children to make it clear that a persistent identifier falls within that definition if it can be used to recognize a user over time or across different sites or services. The FTC is considering whether activities like site maintenance and analysis, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual ads, and protecting against fraud and theft should not be considered the collection of “personal information” as long as what’s collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising.
Comments on the FTC’s proposed rule changes are due by September 10, 2012.
The Congressmen’s letter is in response to the recent Path address book fiasco in which Path acknowledged – and apologized for – its collection of consumer address book information without notifying users. News surrounding Path’s activities led to Congressional concerns over the extent to which consumer data, especially contact information, is being collected and stored for future harvesting, all without the consumer’s knowledge or permission. The Waxman-Butterfield letter quotes the Guardian: “there’s a quiet understanding among many iOS app developers that it is acceptable to send a user’s entire address book, without their permission, to remote servers and then store it for future reference. It’s common practice, and many companies likely have your address book stored in their database.”
The congressmen called for Apple to address how its app policies and practices protect consumer privacy. Apple was swift to respond, and within the day vowed to release a software update to prevent data collection that would violate the company’s privacy policies.
On the heels of the Waxman-Butterfield letter (but in the works well beforehand) comes a report by the FTC: “Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing.” The report title pretty much says it all. The FTC surveyed some 960 kid-based apps sold through Apple and Android to determine, from the various apps’ promotion pages and websites, the extent to which the developers disclose what [child] consumer data is collected and how it is used. The FTC reported that it was disappointed with the results – that disclosures were scant or nonexistent.
Tying its authority over mobile apps with its authority to enforce children’s privacy protections online through the Children’s Online Privacy Protection Act (COPPA), the FTC warned that it will be reviewing more mobile apps directed at children over the next six months, but this time, it will be enforcing – not just surveying – COPPA compliance. COPPA requires operators of online services directed to children under age 13 to provide notice and obtain parental consent before collecting items of “personal information” from children.
Several times in the FTC report the agency suggested the need for clear, concise, consistent and timely information on data collection and usage. That means disclosures of how the app (or third party advertisers) will/may use the consumer data should be upfront and precede download so that parents can determine whether or not to allow their children to use the app. Disclosures should include any connections to other social media.
The FTC report also identified (several times) the types of data that could be collected – from contact information, to location information, to call data, as well as in-app data. App developers and third party advertisers should take into account the importance of full disclosure.
Perhaps most importantly, the FTC report and the Waxman-Butterfield letter demonstrate that the government views Apple and Android (and other app stores) not just as the marketplace for app sales, but also as the gatekeepers. The FTC report pointed to Apple and Android as providing the architecture for disclosures and suggested that app stores could incorporate icons to make disclosures more easily identifiable. The Congressmen’s letter all but blames Apple for its apps’ failings.
We have been seeing increasing backdoor regulation by the government through major online presences in a couple of places, including here and here. Since government regulators acknowledge the difficulties in keeping up with developments in new technologies, it’s fair to assume they will look to major online presences to have a hand in helping keep them up to speed and keeping advertisers and developers under wraps.
There’s been a lot of talk of late about the cost to industry of government regulation. The president of the U.S. Chamber of Commerce, Tom Donohue, asserted at a job summit on Monday that recent government initiatives are “unjustified and uncalled for in a free society and a free economy” and are “killing American jobs.”
Case in point: a recent set of proposed “voluntary” principles for food manufacturers set out by the FTC and three other government agencies. The proposed guidelines have caused quite a stir in the food industry for their breadth, their impending chilling effect on commercial speech, and their likely economic costs (one analysis suggested the guidelines would do away with 75,000 jobs annually). In fact, in response to the “voluntary” principles, food manufacturers themselves have just announced their own, less stringent guidelines, in an effort to supplant the government’s efforts.
The government’s proposed principles were put together by the Interagency Working Group (IWG), a group established by congressional directive and composed of representatives from the FTC, Food and Drug Administration, Department of Agriculture and Centers for Disease Control. The IWG was directed by Congress to develop principles to “guide industry efforts to improve the nutritional profile of foods marketed directly to children ages 2 to 17 years.”
Hence, a sweeping set of principles was published at the end of April “suggesting” that “[b]y the year 2016, all food products within the categories most heavily marketed directly to children should meet two basic nutrition principles. Such foods should be formulated to: (A) make a meaningful contribution to a healthful diet; and (B) minimize the content of nutrients that could have a negative impact on health and weight.” The report comes with detailed formulations of how to arrive at Principles A and B. It also comes with “proposed definitions of advertising, promotion, and other marketing activities targeting children ages 2-11 years and adolescents ages 12-17 years to which the nutrition principles would apply.”
The IWG report and principles clearly are directed at food manufacturers’ commercial speech. And were the “principles” labeled “regulations” instead, there’s little question that they wouldn’t pass muster under the First Amendment. That is perhaps why the report and FTC statements regarding it repeat the term “voluntary” with annoying frequency. But how voluntary are these proposed guidelines? Dan Jaffe, of the Association of National Advertisers, has asked, “Can anyone doubt that these proposals are not ‘voluntary’ but thinly veiled governmental commands?” And ever thin is the veil: just how voluntary is a guideline that comes with a five-year implementation period?
David Vladeck, the FTC’s consumer protection director, tried to dispel concerns over the force and impact of the report with a nonchalant blog post in which he suggested those concerned over the guidelines “switch to decaf.” Vladeck maintained the government position that the guidelines are merely voluntary. His statements do nothing to change a reality well understood by industry execs that “suggestions” by regulators come with consequences.
Fortunately, food manufacturers are not standing down…entirely. The Sensible Food Policy Coalition, which includes General Mills, Kellogg and PepsiCo, recently hired former Obama White House Communications Director Anita Dunn for this food fight, spending some $6.6 million in lobbying efforts regarding obesity in the first quarter of this year alone.
Industry leaders have just announced they will establish their own standards. Though less stringent than those proposed by the government, the companies’ announcement could be seen as a concession, bowing to pressure from the feds. It will be interesting to see what happens to a company that listens neither to the government nor to these food companies’ guidelines. Will consumer groups be after them, armed with a new standard of “reasonableness”?
Nobody ever went broke underestimating the apathy of the American parent.
If a parent drops off a child at a candy store, handing the child a credit card and saying nothing more than he’ll be back in 15 minutes, should that parent be angry with the candy store owner if the child ends up buying lots and lots of candy? Should the candy store owner have some special legal obligation to limit the price or quantity of candy that someone can purchase because his goods are more enticing than those sold at the neighboring hardware store?
This is a somewhat imperfect analogy to an issue recently raised with the FTC by three members of Congress. In early February, Rep. Edward Markey and Sens. Amy Klobuchar and Mark Pryor wrote to FTC Chairman Jon Leibowitz expressing concern over the ease with which children can rack up real dollars playing games on the Apple iPhone and iPad. The letters were sent after The Washington Post published an article on Apple’s in-app purchase system, which offers many apps for free download that subsequently charge for actions within the application. The big charging culprits are children’s games, such as Smurf’s Village and Tap Zoo. The article provided some fairly egregious examples of children charging hundreds of dollars to their parents’ iTunes accounts to decorate their virtual Smurf gardens and homes with not-so-virtual pricey smurfberries and the like.
Leibowitz responded to the letter by noting the FTC’s shared concern “that consumers, particularly children, are unlikely to understand the ramifications of these types of purchases.” He promised that the FTC would look into industry practices for the marketing and delivery of such applications. Leibowitz’s response also referenced the FTC settlement in the Reverb case. But this reference was not apropos: the case, which involved nondisclosures in product endorsements, had little to do with the issue at hand.
Admittedly, it does raise eyebrows that an app like Smurf’s Village, which clearly caters to young children, would charge exorbitant prices for in-game content. It may seem even more suspicious when the app itself is free to download.
But these red flags don’t mean that FTC action is necessary. Parents are first and foremost responsible for their children’s purchases. If parents dismissively hand their iPhones over to their children, without setting restrictions with the children or on the device, that’s primarily the parents’ problem.
The one major caveat is whether or not parents are aware that games like Smurf’s Village include real dollar purchase options. This is why the kid in the candy store with dad’s charge card is an imperfect analogy. A parent should know that there are monetary consequences to leaving a child with limitless purchasing power alone in a candy store. The same parent may not know that he’s giving that same purchasing power to his child when allowing his child to play a game on his iPhone.