Analytics are crucial for web site and mobile app operators to understand their audience in order to provide a better user experience and to improve traffic and sales. The Federal Trade Commission (“FTC”), on October 22, 2012, settled claims against web analytics company Complete, Inc. that its consumer data practices violated users’ rights under federal law. The settlement follows an earlier action against a company that had licensed Complete’s user data tracking technology, which Complete offers companies to integrate into their own toolbars and rewards programs. If your company has a web site or mobile app, it uses analytics and probably has engaged multiple vendors to collect and analyze user information. To avoid law enforcement actions and consumer class action litigation (approximately 200 consumer data privacy class actions have been filed in the last 2 years), companies should be looking closely at their data practices and policies, and those of third parties with which they work.

Complete represented, in its privacy policy and FAQs, that the web pages a user visited would be tracked so that Internet browsing behavior data could be anonymously transmitted to Complete and anonymously pooled with data from other users and that if personal information was collected it would make commercially reasonable efforts to strip out the personally identifiable information before transmitting it and to purge such data from Complete’s servers if it was inadvertently received. However, the technology apparently regularly collected far more than basic browsing behavior, including in some cases personally identifiable and sensitive information, and transmitted it in an unsecured manner. As a result, Complete was alleged to have misrepresented its data practices and failed to take reasonable efforts to protect user data, violating Section 5 of the FTC Act as both a deceptive and an unfair act or practice.

There are lessons that can be learned from Complete’s troubles. It is important to 1) make sure that you understand and accurately, clearly and conspicuously, disclose what user information is collected on your site or app, whether by you or those to which you give access, and how it is collected, stored, used and shared and that privacy policies and terms of use are carefully crafted to protect the company; 2) make sure that the technology used by you and your vendors does not collect more than is intended and was disclosed; 3) employ protocols to appropriately protect the security of data as it is collected, transmitted, stored and used; 4) carefully consider the terms of agreements with vendors and other parties that can access your users’ data; and 5) develop and support a privacy culture.

  1. Audit your data practices and update your Privacy Policy and Terms of Use

The FTC alleged that Complete’s privacy policy did not accurately describe what data it collected and inaccurately told users that the data would be anonymized. All too many privacy policies do not accurately reflect the company’s actual data practices and the FTC has brought dozens of enforcement actions in recent years arising out of such failures, including one resulting in a $22.5 Million settlement this year with Google. And its not just the big boys that are targets, the FTC, state attorneys general and the class action bar have small and large publishers and advertisers in their sights.

Typically, inaccuracies in privacy policies are not intentional. Rather, insufficient diligence may have been done regarding actual data practices, or those practices may have changed over the years and the company failed to update its privacy policy and terms of use. Also, online and mobile analytics and advertising have become very complex, with most sites and apps using many third party technologies and services (including use of cookies and other tracking technologies). Privacy policies need to accurately reflect what is happening under the hood. To do so, site operators need to audit and monitor their practices and those of third parties, including analytics and other vendors and third party advertisers and ad networks and exchanges, that interact with their sites and apps. Failure to understand what is happening and disclose it in the privacy policy can lead to law enforcement actions and class action law suits.

In addition to what a privacy policy says, companies need to disclose all material data practices in a clear, conspicuous and effective manner. For instance, a couple years ago the FTC brought an action against the retailer Sears for collecting detailed online activity data from some of its web site users without sufficiently explaining what they were collecting. Sears had actually gotten the users to subscribe to the program and paid them a modest monthly payment for letting it track them, however, the FTC felt that consumers would not have expected the tracking would be as intrusive as it was and that explaining that sensitive information was going to be collected, including during e-commerce transactions on third party sites, several clicks away from registration and buried deep in a long privacy policy was inadequate notice. The FTC has for years been counseling industry to move to layered privacy policies (that explain the big picture in short simple terms and then link to more detail) and to give short and simple disclosures at the point of data collection and, when applicable, user subscription or registration and at the online point of transaction. Further this approach, the FTC this week indicated that it is working on a model short form disclosure akin to food nutrition labels that sites and apps could display to quickly inform users on five (yet to be announced) privacy terms.

There are also various specific privacy-related issues that may need to be addressed in certain ways and these should be considered during privacy audits and assessments. With respect to targeted advertising, there are self-regulatory guidelines that may need to be complied with that require hyper-notice and an ability for users to opt-out of the practice. Text marketing requires opt-in (with very specific requirements), whereas e-mail marketing largely is an opt-out regulatory scheme. Special rules apply to sites and apps directed to children under 13, where verified parental consent may be required before collecting certain user information. Similarly healthcare, video consumption and financial-services-related information, and other sensitive data, are subject to specific state and federal regulatory schemes. Further, if a site or app targets users located in Europe, consent from users to tracking is required and various European jurisdictions differ as to the form in which that consent can be obtained (e.g., an opt-out option as implied consent as compared to an express opt-in requirement). And closer to home, California has some unique consumer privacy laws, and the failure to follow them can be the basis for a class action suit as several companies have discovered this year. Amongst these are requirements that every site and app have a privacy policy that contains certain disclosures and gives notice in specific ways and that if certain information about a company’s consumers is shared by the company with third parties for the third party’s direct marketing purposes, consumers have certain notice and/or choice rights unless a qualifying exemption is available.

Finally, a company can go a long way to protect itself from claims by how it crafts certain provisions of its privacy policy and terms of use, how the two documents work together and how they are disclosed to and accepted by users. For example, consent to tracking is a defense to various causes of action class action plaintiffs have been bringing against web site and mobile app publishers. In addition, since the U.S. Supreme Court held that the Federal Arbitration Act preempted state laws making arbitration and class action waivers in consumer contracts unenforceable, defendants in privacy class action lawsuits have successfully obtained dismissals where such terms were included in their terms of use. Where the inclusion of such provisions is clearly and conspicuously disclosed to consumers, and not merely buried in boilerplate, they should be effective in avoiding attraction of the class action bar.

  1. Collect only what you need and take measures to prevent collecting more

Web site and mobile app operators need to understand the technology they use. Complete’s technology is alleged to have captured information during registration and e-commerce activities and in doing so collected and insecurely transmitted user names, passwords, credit card numbers and other personal information. Its filters, designed to exclude such information, are alleged to have not worked well and the FTC criticized Complete for not using common algorithms to screen out sensitive data like credit card numbers. Collecting more data than intended has been the basis of other FTC actions and of class action litigation.

  1. Protect the data you collect and have a breach response plan

The vast majority of states require protection of certain personal information, particularly sensitive data, and have requirements for notice and corrective action in the event security is compromised. The FTC takes the position that failure to employ security measures reasonably appropriate for the applicable type of data is an unfair practice prohibited by the FTC Act and thus companies have an affirmative duty to take steps appropriate under the circumstances to protect user data. The level of security for data like credit card information is far greater than that required for less sensitive data like user name and password. However, the FTC brought an action against Twitter for lax IT security protocols that resulted in hackers getting access to user names and passwords. The level of security should match the potential harm that may flow out of a security compromise, and what is commercially reasonable under the circumstances. However, all user data must be reasonably secured and should only be retained as long as reasonably needed. Accessing what is reasonable, what risks are foreseeable and testing the integrity of security measures should be done regularly and companies should have a written plan addressing data security and what to do if security is breached.

  1. Obligate those you allow to access user data and know your obligations to them

Carefully look at your agreements with web site developers, cloud providers, ad exchanges and networks, analytics vendors, interactive agencies, marketing partners and other third parties that employ technology on your site or app or deal with your consumer and employee data. To the fullest extent practical under the circumstances, such agreements should spell out what the third party can and cannot do with the data, how the data will be secured and what must be done if security is or may have been compromised, require indemnity and provide for insurance coverage. If sensitive data is involved, this is crucial. Also, these third parties may require you to undertake certain obligations such as giving notice to users of the third party’s privacy practices and linking to their privacy policy and opt-out mechanisms. Companies should accordingly audit their current situation to access if appropriate agreements are in place and being followed and should consider what terms are appropriate on an ongoing basis when entering into new arrangements with others where user or employee data is involved.

  1. Appoint a Privacy Czar and Implement Privacy By Design

We live in the era of big data and information about consumers is amongst companies’ most valuable assets. At the same time, consumer advocates and governments here and abroad are increasingly concerned about making sure consumers have meaningful notice and choice regarding the collection and use of data about them. If a company has not developed a culture of data protection, it may find it very difficult to even sort out what data it is collecting, where it is stored, how it is secured and how and with whom it is shared and for what purposes. The first step is to undertake a deep audit to understand your actual data practices and to assess the adequacy of policies and procedures. To do so requires involvement of all the organs of the company that have an interest in data -- IT, legal, HR, marketing, sales and interactive. Appointment of a privacy committee with representatives from each group, lead by a Chief Privacy Officer, is a good way to manage the discovery what is going on, educate stakeholders and address, on an ongoing basis, privacy and data security issues when products, services, activities and campaigns are in the development. This later function has become known as “privacy by design”, which stands for the proposition that it is more efficient to address privacy and security issues during the development stage rather than as an after thought.

For more information on In Re Complete, Inc. (FTC File No. 102 3155) see:

Complaint: http://www.ftc.gov/os/caselist/1023155/121022competeinccmpt.pdf

Consent Order: http://www.ftc.gov/os/caselist/1023155/121022competeinccmpt.pdf

FTC Analysis:http://www.ftc.gov/os/caselist/1023155/121022competeincanal.pdf

News Release: http://www.ftc.gov/opa/2012/10/compete.shtm