On May 15, 2014, Maneesha Mithal, Associate Director of the Division of Privacy and Identity Protection at the Federal Trade Commission (“FTC” or “Commission”) testified, on behalf of the FTC, before the U.S. Senate Committee on Homeland Security and Governmental Affairs addressing the Commission’s work regarding three consumer protection issues affecting online advertising: (1) privacy, (2) malware and (3) data security. Below is a summary of the Commission’s testimony regarding these three key areas and the Commission’s advice for additional steps to protect consumers.

Privacy

Privacy has been a top priority for the Commission since the early 1990s. In March 2012, the Commission released its Privacy Report, and it continues to engage in privacy enforcement actions involving the online advertising industry. In its testimony, the Commission highlighted several key enforcement actions in this area that demonstrate significant principles regarding privacy:

  • Chitika, Inc., No. C-4324 (F.T.C. June 7, 2011) – The FTC alleged that Chitika, an online advertising network, violated section 5 of the FTC Act when it offered consumers the ability to opt out of the collection of information to be used for targeted advertising – without telling them that the opt-out lasted only 10 days.
  • ScanScout, Inc., No. C-4344 (F.T.C. Dec. 14, 2011) – The FTC charged that ScanScout deceptively claimed that customers could opt out of receiving targeted ads by changing the computer’s web browser settings to block cookies, when, in fact, ScanScout used Flash cookies, which browser settings could not block.
  • Epic Marketplace, Inc., No. C-4389 (F.T.C. Mar. 13, 2013) – The company settled charges that it used “history sniffing” to secretly and illegally gather data from millions of consumers about their interest in sensitive medical and financial issues, ranging from fertility and incontinence to debt relief and personal bankruptcy. 
  • Google, Inc., No. C-4336 (F.T.C. Oct. 13, 2011) – Google agreed to pay a $22.5 million civil penalty to settle charges that it misrepresented to Safari browser users that it would not place tracking cookies or serve targeted ads to them, violating an earlier privacy order with the Commission.

Spyware and Other Malware

The Commission’s testimony emphasized that spyware and malware can cause substantial harm to consumers and to the Internet as a medium of commerce. Since 2004, the Commission has initiated a number of malware-related enforcement actions, which focus on three key principles:

  • Installing Software: A consumer’s computer belongs to him or her, not to the software distributor, and it must be the consumer’s choice whether or not to install software. Downloading spyware to a consumer’s computer without his/her knowledge is a violation of section 5 of the FTC Act.
  • Disclosures: Buried disclosures of material information necessary to correct an otherwise misleading impression are not sufficient in connection with software downloads. Burying material information in an End User License Agreement will not shield a malware purveyor from liability under section 5 of the FTC Act.
  • Removal of Malware: If a distributor puts a program on a computer that the consumer does not want, the consumer should be able to uninstall or disable it.

Data Security

The security measures implemented by companies to protect consumer data from third parties accessing such data without permission has been the focus of 53 enforcement actions initiated by the FTC. In addition to enforcement of the FTC Act, the Commission enforces several specific statutes and rules that impose obligations upon businesses to protect consumer data, including the Commission’s Safeguard Rule implementing the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Children’s Online Privacy Protection Act. Through its 53 data-security-related enforcement actions, the Commission has developed the following principles, which apply to online advertising networks, as well as other businesses:

  • Reasonable and appropriate security measures must be continuously assessed to address risks
  • There is no one-size-fits-all data security program
  • The Commission does not require perfect security, but assesses security measures for reasonableness in light of the sensitivity and volume of consumer information held by the company, the size and complexity of the company’s data operations, and the cost of the available security tools

Recommendations for Next Steps

To continue to protect consumers in the areas of privacy, malware, and data security – particularly with respect to online advertising – the Commission offered three recommendations:

  • More widespread consumer education about how consumers can protect their computers against malware
  • Continued industry self-regulation to ensure that ad networks are taking reasonable steps to prevent the use of their systems to display malicious ads to consumers
  • Enactment of a strong federal data security and breach notification law to prevent breaches and protect consumers from identity theft and other harm