2012 began with over 100 pending consumer class actions alleging various companies’ improper tracking of customer and other users’ behavior online and via mobile devices. Some 60 class actions were filed in December 2011 alone against the mobile industry for tracking user behavior for internal analytics and measurement purposes, and other industries are likely to be targeted as well. Plaintiffs’ attorneys have vowed to institute more claims of these sorts in the months to come.

Insurers face potential exposure both as insurers of other companies that track consumer activities for targeted advertising and other purposes, and as users of tracking of online consumer activities themselves. In light of these activities and exposures, a careful understanding and nuanced appreciation of these developing issues is essential for insurers.


Targeted advertising has become global and ubiquitous. Online Behavioral Advertising (OBA) is the term now used to describe the process of company tracking of consumers’ online activities to target them for advertising directed at their specific interests. Digital advertising is currently an $80.2 billion industry,1 with online ad spending now exceeding that of print advertising. This has generated increasing scrutiny of the appropriateness of use of OBA, and the level of notice afforded to and consent required of consumers. Other uses of tracking of customer online behavior have also been attacked.

Significant privacy concerns have been raised by regulators, legislators, and in a rash of class actions filed against companies in a wide range of industries, about user tracking on a variety of mobile devices. Targeted industries include telecommunications and media companies, internet providers, wireless phone manufacturers and device makers, and software development companies.

Given the importance of digital advertising revenue to digital business models, we expect that the issue of tracking and privacy will continue to grow in 2012, with resultant increase in regulatory scrutiny and litigation.


Insurers may be called upon to address these issues as their insureds tender claims for defense and indemnity. As with many of the claims arising from use of new technologies, such claims can present an unexpected exposure, the challenge of addressing requests for coverage under policies not intended to cover such risks and, in a more positive aspect, an opportunity to develop new products that specifically address these exposures.

As insurers increasingly avail themselves of new technologies and platforms to market their products and connect to their insureds and agents, they too are potentially subject to similar regulatory and legal proceedings as other industries now face. Companies in the insurance industry are or soon will be employing technologies and platforms to engage with or track their insureds, market their products, assess underwriting exposures and identify issues that present significant exposure to both them and their customers. Many are developing technologies that will allow them to combine data from a variety of sources to develop risk profiles for casualty, property and personal line exposures. There is now the potential ability for companies to determine the number of claims filed involving a particular property and the claims filed by or against individuals owning those properties, and to gather information from publicly available sources (including social networks where companies and individuals often have a presence) to be able to develop a risk profile on a potential insured or claimant. Insurers are also using smart phone apps to provide insurance quotes and take down information.

These new practices bring with them new exposures, and companies utilizing online behavioral advertising and other tracking of user behavior should be aware of those exposures and consider protective measures, including updating and redrafting their web privacy policies to take into account their new activities and the developing regulatory and legal landscape.


Last year, one credit card brand published patents in which they described advertising databases that could combine consumer purchasing history with other online social networking preferences to be able to develop an advertising profile that could be targeted to particular consumers. Companies in a wide range of businesses operate websites and smart phone applications that contain tracking technology that can identify the websites users visit, their specific geographic locations and the pages that they “Like” through Facebook. This tracking has had the benefit of permitting website operators to serve targeted ads which have click-through rates that are twice as effective as regular banner ads that users have come to ignore. In addition, tracking for internal analytic purposes has allowed companies to create infrastructure based upon user location, and create new products tailored to users’ interests.

The widespread usage of such OBA and tracking has captured the attention of class-action attorneys, who seek the potential financial benefits of asserting violations of various federal and state statutes directed at limiting collection and dissemination of information about individuals and often requiring specific disclosures with statutory penalties and fines for violations, as well as at times alleging common law claims.


Federal regulators have already taken action based on existing federal statutes, as well as proposed amendments to expand existing legislation to encompass OBA within their scope.

The FTC Recommendations and Enforcement Orders

The Federal Trade Commission (FTC) defines OBA as a process of “tracking consumers’ activities online to target advertising.”2 It often, but not always, includes a review of the searches consumers have conducted, the Web pages visited, the purchases made, and the content viewed – in order to deliver advertising tailored to an individual consumer’s interests. In its December 2010 report titled “Protecting Consumer Privacy in an Era of Rapid Change. A Proposed Framework for Business and Policy Makers,” the FTC proposed a “Do Not Track” option to prevent targeted advertising without consumer consent. The final guidance is expected shortly. On September 15, 2011, the FTC also recommended amendments to the Children’s Online Privacy Protection Act (COPPA)3 which would expand the definition of “personal information” to include OBA information. Final comments were due the end of December 2011, with the amendments still to be finalized. Privacy public interest advocates and industry groups provided comments.

Meanwhile, in 2011, the FTC announced four enforcement consent orders against companies for delivering OBA without consumer consent. For each of these actions, the FTC alleged “deceptive” acts in violation of the FTC Act, Section 5 (codified at 15 U.S.C. § 45(a)), and imposed on-going reporting requirements for 20 years.4

The Electronic Communications Privacy Act5

The Electronic Communications Privacy Act (ECPA) is being argued by plaintiffs to prevent or restrict access and tracking of user behavior without user consent. Sections within the ECPA have become the basis of claims asserted in many of the pending class actions.

The Federal Wiretap Act6 is part of the ECPA. To prevail on a claim under the Wiretap Act, plaintiffs must prove that the defendants (1) intentionally (2) intercepted or endeavored to intercept (3) the contents (4) of an electronic communication (5) using a device.7 It provides for statutory damages of $10,000 per violation or $100 per day.8

The Stored Electronic Communications Act (SCA)9 is also part of the ECPA. The SCA prohibits “(1) intentionally access[ing] without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceed[ing] an authorization to access that facility; and thereby obtain[ing], alter[ing], or prevent[ing] authorized access to a wire or electronic communication while it is in electronic storage in such system.”10

Some courts have shown a willingness to infer consent if a consumer has reviewed a privacy policy that discloses tracking.11

The Computer Fraud and Abuse Act12

The Computer Fraud and Abuse Act (CFAA), plaintiffs allege, makes it unlawful to track user browsing behavior if this causes $5,000 in economic loss. Where economic harm is not specified, Courts have been willing to dismiss CFAA complaints.13

State Law Claims

Plaintiffs in the pending class actions have alleged a wide variety of state law claims, relying heavily on state consumer protection statutes as well as state common law claims. These can impact the class certification issues, as states vary as to whether their consumer protection acts apply to out of state consumers, and can give rise to state law variations among multi-state classes that potentially can be raised as a defense to prevent class certification.

State regulators are also expanding the application of existing state statutes to the new practices. On February 23, 2012, the California Attorney General announced that mobile apps made available to California consumers must include privacy notices in compliance with the California Online Privacy Protection Act.14

Class Action Litigation

The class action bar has filed more than 115 putative class action lawsuits since January 2011, alleging violations of the ECPA, the Federal Wiretap Act, the SCA, the CFAA, and state statutes and common law. Many include allegations of a broad range of violations of other state statutes in addition to ECPA and CFAA, ranging from state wiretap laws to computer crime laws to state consumer protection statutes, as well as common law causes of action for trespass, misrepresentation, unjust enrichment, and violations of rights to privacy, among others.

Damages are already a major issue, with defendants challenging plaintiffs’ standing to pursue the class action claims based on lack of economic harm as required by statutes such as CFAA, and plaintiffs seeking statutory damages as allowed by certain of the statutes allegedly violated. For example, the Federal Wiretap Act,15 which is often cited in these actions, provides for statutory damages of $10,000 per violation or $100 per day. The recent claims against the mobile industry for tracking allege monitoring software was installed on 151,000,000 phones, resulting in a floor of alleged damages of $1.5 billion.

Next Generation Litigation

While the first wave of class actions, filed in 2010, focused on cable companies providing Internet services, in recent months targets of putative class action complaints have included companies ranging from online retailers to financial institutions. Allegations range from assertions of improper use of “spyware,” “persistent tracking cookies” and other applications to track consumer behavior, to assertions of failure to provide requisite disclosures and obtain requisite consents, as well as a broad range of statutory and common law violations.16

These class actions are still in the early stages, with issues such as class certification, standing and viability of certain causes of action and alleged damages still to be fully litigated. Some early decisions indicated that plaintiffs may face difficulties pursuing ECPA, CFAA and common law privacy claims in many of the suits, and courts at least initially showed a willingness to infer consent to receive behaviorally targeted advertising if a consumer reviewed privacy disclosures provided by companies. However, these early rulings relate to only a few of the class actions pending, and in many instances portions of the actions have survived and are still pending, or the claims were allowed to be amended.

Proposed “Do Not Track” Legislation

On March 16, 2011, the Obama administration called for a universal privacy bill, and specifically supported the FTC’s “Do Not Track” proposals. Legislators have responded with privacy bills that address tracking.17

In addition, on January 30, 2012, in response to the filing of numerous recent class actions against the mobile industry for tracking for non-OBA analytic purposes, Representative Ed Markey (D. Mass.) announced his intent to introduce the “Mobile Device Privacy Act” that would require companies to disclose to consumers the capability of software to monitor mobile telephone usage and require the mobile phone users’ express consent before tracking their usage, whether or not such tracking was for advertising purposes.18 Thus the act of tracking user behavior online or via mobile devices is being scrutinized if not challenged on privacy grounds apart from the concerns raised about OBA. On February 23, 2012, President Obama released the Administration’s long awaited privacy framework.19 The Framework proposes national legislation focused on required disclosures for OBA.

State legislatures are not far behind. California, which is typically at the forefront of privacy legislation, has proposed a “Do Not Track” bill that contains a private right of action and statutory penalties.20


OBA issues are being grappled with by regulators in other countries as well, including those in the European Union, and Canada.

The European Union, which generally has a greater degree of consumer privacy protection than the U.S., has also been addressing the issues presented by OBA. Effective May 25, 2011, countries in the EU were required to implement regulations to obtain explicit consent before companies collect OBA information. On December 13, 2011, the UK’s Information Commissioner’s Office advised that opt-in consent will be necessary to collect OBA.21 On February 27, 2012, Europe’s largest mobile operators and a U.K.-based industry group (GSMA) unveiled voluntary app privacy guidelines.

Canada’s Office of the Privacy Commission (OPC) issued its guidance on OBA and tracking in December 2011. It takes the position that OBA “generally” constitutes personal information,22 and disclosures “cannot be buried in a privacy policy.” If declining cookies “renders a service unusable, then organizations should not be employing that type of technology.” It also states that OBA should not be collected from children, reflecting the concern of those in the U.S. pressing for an expansion of the Children’s Online Privacy Protection Act restrictions to include OBA.23


Any company that advertises online or through mobile phone applications, has a website, or otherwise collects, uses or stores consumer data is potentially exposed to OBA and other types of “Do Not Track” claims.

Insurance companies face exposures from OBA and tracking claims both from practices of their insureds and their own. Insurers as well as their insureds may be engaged in marketing their products online and through smart phone apps, and in tracking customer data for their own internal analytic purposes. Companies in the insurance industry use sophisticated databases to track claims history and merge data into databases to create underwriting profiles. Many of these activities likely entail or in the future will include some component of tracking technology. Thus, it is important for companies in the insurance industry, as well as those in other industries, to be aware of the developing regulatory and legal landscape governing tracking of customer and other users’ behavior online and via mobile devices.