Companies should examine their data privacy and security policies and practices before the start of the New Year to make sure that they are compliant with new changes in federal and state laws, regulatory guidance, self-regulatory programs and evolving enforcement priorities affecting consumer data protection and behavioral advertising. In addition, your practices may have changed over the last year or so and your policies may no longer be complete and accurate, and thus may need to be updated to avoid misrepresentation and deceptive omission claims.

California Laws

California recently passed the first law in the United States that requires web site and online services to make certain disclosures in a privacy policy regarding online tracking and targeted advertising and will become effective on January 1, 2014. The law amends the California Online Privacy Protection Act (“CalOPPA”). CalOPPA requires a commercial website and online service operator that collects certain data from California consumers (regardless of where the operator is located), to disclose in a posted privacy policy that meets certain notice requirements, the following information: (1) categories of personal information gathered; (2) parties with whom such information is shared; (3) if the operator maintains a process for consumers to review and change such information; (4) a description of the process by which the operator notifies users of changes to its privacy policy; and (5) the effective date of the policy.

In addition, beginning on January 1, 2014, CalOPPA will now also require the operator to disclose: (6) how the operator responds to “Do Not Track” signals or other mechanisms giving consumers the ability to exercise choice over the collection of personal information over time and across third-party websites or online services, if the operator engages in the collection of such information; and (7) whether other parties may collect such information over time and across different web sites when a consumer uses the operator’s site or service.

Please see our previous client advisory for more information and discussion regarding the potential impact and implications of this and several other new California data protection laws (including an expansion of its data security breach notification law). Also, don’t forget that if you share certain personal information (broadly defined) of California consumers (collected on or offline) to third parties for their direct marketing purposes, you must comply with the choice or information request obligations of California’s Shine the Light Act. Several class action lawsuits were filed in 2013 for failure to comply with the law.

Interest-Based Ads

In November 2013, the Council of Better Business Bureaus (“CBBB”) issued a compliance warning letter announcing that, beginning on January 1, 2014, the CBBB will commence enforcement actions against website publishers, operators, and other “first parties” (i.e., any entity that is the owner of a website or has control over a website) that fail to provide transparency with respect to data collected from visitors to their site and used by third parties for purposes of serving online behavioral ads. This includes both serving interest-based ads on your own site, and retargeting your site visitors with ads when they go to third party sites (“OBA”). The CBBB operates an accountability program for enforcing the Digital Advertising Alliance’s (“DAA”) Self-Regulatory Principles (the “Principles”) governing the collection and use of web viewing data.
Accordingly, publishers should:

  1. Provide a disclosure in its privacy policy explaining OBA activity on the site (both serving OBA ads on the site and tagging site users for retargeted ads off the site).
  2. Include a link from the disclosure to the DAA’s opt-out page or to every applicable third parties’ respective opt-out mechanisms. 
  3. Ensure that an enhanced notice link (e.g., “About Ads”, “Interest-based Ads” or the DAA icon) is present on every page of its site where data collection or use for OBA occurs, and ensure that the link directs visitors to the website’s OBA disclosure and opt-out link. This can be done on the ad itself, but beware of data collection occurring on pages that may not have ads posted and where data is still being collected for OBA purposes. The link needs to be included on these site pages as well.
  4. State their adherence to the Principles on the site (typically in the privacy policy).

In an effort to encourage compliance, the CBBB delayed enforcement against site operators that fail to provide the required on-page, enhanced notice beginning until January 1, 2014 so companies should act now in order to avoid the risk of enforcement.

Text Marketing

In October 2013, changes to the rules for text marketing and telemarketing under the Federal Telephone Consumer Privacy Act (“TCPA”) went into effect, including requiring prior, express, written consent. For a detailed explanation, click here. The ability to bring a private right of action combined with the ability to obtain statutory damages has led to hundreds of TCPA class action lawsuits for text marketing errors, with settlements in the tens of millions of dollars not uncommon.

Children’s Privacy

In the summer of 2013, the federal COPPA Rule, regulating data privacy and protection of children under 13 years of age, materially changed in many ways. Many sites and apps are not yet in compliance and the FTC is expected to start enforcing the new rules in 2014. For a detailed explanation of the new requirements, click here.

Transparency

Just posting a privacy policy that is not inaccurate is no longer alone sufficient for compliance purposes. Companies need to ensure that they are accurately disclosing all material data collection, use and sharing practices, and doing so in a clear and conspicuous manner. Regulators such as the California Attorney General and the Federal Trade Commission have issued guidance documents calling for enhanced, short-form and “just in time” notice and greater transparency regarding collection and use of consumer data, particularly in connection with mobile devices and mobile applications. The FTC also revised its guidance on how to make effective disclosures in mobile and online environments where space is limited. In July 2013, the National Telecommunications & Information Administration (NTIA) issued a draft code of conduct recommending standards for short form disclosures of material privacy and data use practices for mobile devices and applications, which are quickly becoming industry standards. On December 5, 2013, the FTC announced a settlement with a mobile application developer on charges that included an allegation that failure to clearly disclose to users that their device identifier and location would be shared with advertisers was a deceptive omission of material information. Accordingly, be sure you are disclosing all material data practices and doing so in an effective and understandable manner.