On January 21, Federal Trade Commission (“FTC”) Bureau of Consumer Protection Director Jessica Rich outlined in a speech before advertising industry professionals how businesses using targeted advertising may avoid legal trouble with the FTC and other authorities.

Rich focused her speech on the use of increasingly sophisticated online tracking that is “often invisible to users.” Rich described the use of “single, universal identifiers” to track consumers who use multiple devices, including “smartphones, tablets, personal computers, connected TVs, and even smartwatches and other wearables,” as well as device fingerprinting. “In the case of device fingerprinting, there are no simple means for users to prevent it — which, unfortunately, may be precisely why some companies have embraced this technology,” Rich added. As a result, Rich said, “[e]ven those consumers who know about tracking and want to avoid it can’t do so effectively.” Rich’s focus on “invisible” online tracking invokes recent controversy surrounding the use of “zombie” cookie programs, which circumvent a user’s ability to delete cookies. Some advertising tracking services may employ these methods, and companies may unknowingly receive copies of “respawned” cookies in violation of their own privacy policies.

Rich cited the FTC’s 2013 enforcement action against Epic Marketplace as one example of a controversial tracking technology. The FTC’s complaint against Epic accused the ad network of using “history-sniffing” technology in order to create marketing profiles of users based on sites they had visited – including medical and financial sites. According to the complaint, Epic used that data to place consumers into marketing segments, including “sensitive categories such as ‘incontinence,’ ‘arthritis,’ ‘memory improvement,’ and ‘pregnancy-fertility getting pregnant.’” The agency contended that Epic deceived users by failing to state in its privacy policy that it used history-sniffing techniques. That omission could have affected consumers’ decision about whether to use Epic’s opt-out tool, the FTC said.

Rich said the agency expects companies to fully disclose their tracking technology. “To be meaningful and non-deceptive, the information and choices you provide consumers must cover all of your tracking practices, not just a subset,” Rich said. In other words, no matter how complex companies’ data collection practices become, corporate disclosures should apply to all forms of those collection practices. “Otherwise,” Rich says, “the protections being offered are illusory, applying only to a small percentage of the practices that are actually occurring.”

This recommendation places the burden on companies to learn about the practices of their online tracking service providers or programs, where employed, so that they can provide consumers with the transparency and choice required by the FTC. Rich warns that companies will be held responsible for doing business with bad actors. As a result, companies should verify a business partner’s privacy practices and verify that service providers adequately protect personal information.

As a third take-away, Rich advised that disclosures cannot “include exceptions that swallow the rules.” “For example,” Rich notes, “if they purport to limit tracking based on sensitive data, they shouldn’t play games about what ‘sensitive data’ means, such as defining medical data to mean only official medical records,” as opposed to, for instance, health information collected through wearable devices.

Fourth, not only should privacy policies be easy to find and use, but “companies . . . [should] separately provide key information and choices at the time that consumers are providing their data or making other decisions about it.” This advice is consistent with the first principle in the Obama Administration’s Consumer Privacy Bill of Rights, which is likely to be considered by Congress this year.

Rich also reminded audience members to use “privacy by design” principles. That is, “[c]ompanies should build-in privacy protections at every stage as they develop their products and services.” Rich advised that companies should limit data collection and retention, but when a company retains data, the data must be de-identified and not re-identified later in time.

As online tracking technologies evolve, companies should consider Rich’s recommendations as best practices in order to mitigate the risk of FTC scrutiny, especially when crafting data privacy policies and notices to consumers and also when contracting with third-party service providers.