Analytics are crucial for web site and mobile app operators to understand their audience in order to provide a better user experience and to improve traffic and sales. The Federal Trade Commission (“FTC”), on October 22, 2012, settled claims against web analytics company Compete, Inc. that its consumer data practices violated users’ rights under federal law. The settlement follows an earlier action against a company that had licensed Compete’s user data tracking technology, which Compete offers companies to integrate into their own toolbars and rewards programs. If your company has a web site or mobile app, it uses analytics and probably has engaged multiple vendors to collect and analyze user information. To avoid law enforcement actions and consumer class action litigation (approximately 200 consumer data privacy class actions have been filed in the last 2 years), companies should be looking closely at their data practices and policies, and at those of the third parties with which they work.
- Collect only what you need and take measures to prevent collecting more
Web site and mobile app operators need to understand the technology they use. Compete’s technology is alleged to have captured information during registration and e-commerce activities and, in doing so, to have collected and insecurely transmitted user names, passwords, credit card numbers and other personal information. Its filters, designed to exclude such information, allegedly did not work well, and the FTC criticized Compete for not using common algorithms to screen out sensitive data like credit card numbers. Collecting more data than intended has been the basis of other FTC actions and of class action litigation.
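The kind of screening the FTC faulted Compete for omitting can be illustrated with a small filter that runs over an analytics event before it leaves the client. The code below is an added example written for this article, not Compete’s code or any vendor’s product; the page does not name which algorithm the FTC had in mind, so the Luhn mod-10 check is used here as the assumed “common algorithm”, and the event fields, the key names in SENSITIVE_KEYS and the sample event are all constructed for illustration.

```python
import re

# Constructed list of field names an analytics script should never forward,
# regardless of their value. Real deployments would tune this to their forms.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "card_number", "cvv", "ssn"}

# Candidate payment card number: 13 to 19 digits, optionally separated by
# single spaces or dashes, not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, the checksum used by payment card numbers.

    Assumed here to be the kind of 'common algorithm' the FTC referred to;
    it screens out most random digit strings while matching real card numbers.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Replace Luhn-valid card-number candidates in free text with a marker."""
    def _mask(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "[REDACTED-PAN]"
        return raw              # order ids, timestamps etc. fail Luhn and survive
    return PAN_CANDIDATE.sub(_mask, text)


def scrub_event(event: dict) -> dict:
    """Return a copy of an analytics event with sensitive fields dropped
    by name and card numbers masked inside any remaining string values."""
    clean = {}
    for key, value in event.items():
        if key.lower() in SENSITIVE_KEYS:
            clean[key] = "[REDACTED-FIELD]"
        elif isinstance(value, dict):
            clean[key] = scrub_event(value)
        elif isinstance(value, list):
            clean[key] = [redact_pans(v) if isinstance(v, str) else v for v in value]
        elif isinstance(value, str):
            clean[key] = redact_pans(value)
        else:
            clean[key] = value
    return clean


# Constructed sample event of the kind a checkout-page analytics hook might
# capture; the values are test data, not real credentials or card numbers.
SAMPLE_EVENT = {
    "url": "https://shop.example/checkout",
    "email": "user@example.com",
    "password": "hunter2",
    "form": {
        "comment": "paid with 4111-1111-1111-1111",
        "order_id": "9876543210123",
    },
    "tags": ["promo", "card 378282246310005"],
}

if __name__ == "__main__":
    print(scrub_event(SAMPLE_EVENT))
```

Dropping fields by name catches the cases a regex cannot (a password is arbitrary text), while the Luhn check keeps the digit filter from swallowing legitimate 13- to 19-digit values such as order numbers or millisecond timestamps. A filter like this is a last line of defence; the better control is to not hook the form fields at all.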
- Protect the data you collect and have a breach response plan
The vast majority of states require protection of certain personal information, particularly sensitive data, and have requirements for notice and corrective action in the event security is compromised. The FTC takes the position that failure to employ security measures reasonably appropriate for the applicable type of data is an unfair practice prohibited by the FTC Act, and thus companies have an affirmative duty to take steps appropriate under the circumstances to protect user data. The level of security expected for data like credit card information is far greater than that required for less sensitive data like user name and password. Even so, the FTC brought an action against Twitter for lax IT security protocols that resulted in hackers getting access to user names and passwords. The level of security should match the potential harm that may flow from a security compromise and what is commercially reasonable under the circumstances. In all cases, user data must be reasonably secured and should be retained only as long as reasonably needed. Assessing what is reasonable and what risks are foreseeable, and testing the integrity of security measures, should be done regularly, and companies should have a written plan addressing data security and what to do if security is breached.
- Obligate those you allow to access user data and know your obligations to them
- Appoint a Privacy Czar and Implement Privacy By Design
We live in the era of big data, and information about consumers is among companies’ most valuable assets. At the same time, consumer advocates and governments here and abroad are increasingly concerned with making sure consumers have meaningful notice and choice regarding the collection and use of data about them. If a company has not developed a culture of data protection, it may find it very difficult even to sort out what data it is collecting, where it is stored, how it is secured, and how, with whom and for what purposes it is shared. The first step is to undertake a deep audit to understand your actual data practices and to assess the adequacy of policies and procedures. Doing so requires the involvement of every part of the company that has an interest in data -- IT, legal, HR, marketing, sales and interactive. Appointing a privacy committee with representatives from each group, led by a Chief Privacy Officer, is a good way to manage the discovery of what is going on, educate stakeholders and address, on an ongoing basis, privacy and data security issues while products, services, activities and campaigns are in development. This latter function has become known as “privacy by design”, which stands for the proposition that it is more efficient to address privacy and security issues during the development stage than as an afterthought.
For more information on In re Compete, Inc. (FTC File No. 102 3155) see:
News Release: http://www.ftc.gov/opa/2012/10/compete.shtm