While privacy legislation in Congress seems to be stalled, the Federal Trade Commission (the "FTC") continues to increase its data privacy enforcement activity due to the slow reaction of companies to self-regulate and failure to provide adequate and meaningful protection.1 In light of its vow to take action against companies that violate consumer privacy2, the FTC recently targeted the online behavioral advertiser, Chitika Inc. ("Chitika"). Chitika acts as an intermediary between website publishers and advertisers by tracking the searches a consumer has conducted, the websites visited and the content viewed in order to serve advertising targeted to the individual consumer's interests. When a consumer visits a website within Chitika's network of website publishers, Chitika sets a small text file (or "cookie") in the consumer's browser. This "tracking cookie" contains a unique identification number that allows Chitika to recognize the particular consumer or computer and correlate it to their online activity.3
In March, the FTC and Chitika agreed to the terms of a Consent Agreement (the "Agreement") that prohibits Chitika from misrepresenting the extent of its consumer data collection and the extent to which consumers are able to control the collection, use or sharing of their data.5 The Agreement between the FTC and Chitika can be divided into three sections: (i) transparency, (ii) restriction on data usage, and (iii) compliance. First, to improve the transparency of its data collection practices, Chitika must place a prominent notice with a hyperlink on the homepage of its website that states: "We collect information about your activities on certain websites to send you targeted advertisements. To opt out of Chitika's targeted ads, click here." This opt-out provision must remain in effect for a minimum of five years. Within close proximity to this hyperlink, Chitika must disclose that: (1) Chitika collects information about consumers' activities on certain websites to deliver targeted ads; (2) by opting out, Chitika will not collect this information to deliver such ads; (3) consumers' current choice status (i.e., whether opted in or opted out of tracking); and (4) consumers' choice is specific to the browser they are using (i.e., if they switch browsers or devices, they will have to opt out again). Next to the hyperlink, Chitika must also include a notice for a period of one year that warns consumers that any opt-out prior to March 1, 2010 has expired and the consumer must opt out again.
To facilitate restrictions on the utilization of consumer data, the Agreement prevents Chitika from using, selling or transferring any information that can be associated with a Chitika user or a Chitika user's computer or device that the company obtained prior to March 1, 2010. Information stored in users' cookies and any information retained in Chitika's files that would allow the information to be associated with a particular consumer or the consumer's computer or device must be deleted. Finally, Chitika is required to retain documents relating to its compliance with the Agreement and submit a report to the FTC detailing its compliance.
These heightened requirements reflect the regulatory framework proposed in December 2010 by the FTC to increase data privacy and protection.6 Consumers are faced with cumbersome and lengthy privacy policies that cause mass confusion and force the average consumer to bear too much of the burden in protecting their privacy.7 To combat consumer confusion, the FTC proposed the "privacy by design" approach that requires businesses to build privacy protections into their everyday business practice. This type of protection would include reasonable procedures to promote data accuracy and protection and implementing procedurally sound privacy practices such as: assigning personnel to oversee privacy issues, training employees and conducting privacy reviews for new products and services.
The FTC also wants consumers to be presented with a clear, succinct notice regarding the collection and sharing of their data upon entering a website as opposed to a hidden, lengthy and complicated disclosure located somewhere on the website. One method of simplified choice is a "Do Not Track Mechanism" – a persistent setting on consumers' browsers that provides a simple way for the consumer to opt out of having their online activities tracked and analyzed by online advertisers. The FTC also recommends other measures to improve the transparency of information practices, including standardized notices that allow the public to compare the collection practices of competing companies and allowing consumers "reasonable access" to the data that companies maintain about them.
The FTC is not waiting for additional legislative measures to be passed and has remained focused on privacy issues. On June 15th, the FTC testified in front of the Senate in support of legislation that will require companies to employ reasonable security practices and notify consumers when there is a data security breach. In its testimony, the FTC presented its three-pronged approach to preserve consumers' privacy: (i) law enforcement actions, (ii) consumer and business education efforts, and (iii) policy initiatives. It noted that the agency has brought more than 300 privacy-related actions in the last 15 years and distributed millions of copies of consumer and business education materials that address basic privacy issues and security and privacy threats.8
As part of its ongoing efforts to increase online privacy protection, the FTC also recently announced that it will update its "Dot Com Disclosure" regulations.9 "Dot Com Disclosure" rules advise businesses on how federal advertising law applies to advertising and sales on the internet. The FTC sought public comment until July 11, 2011 on how these procedures should be modified to reflect technological advances in online advertising since the regulations were originally published in 2000; such advances include: mobile device applications, "pop up blockers", and online social networking. Intel Corporation submitted a public comment commending the FTC on its initiative to clarify how businesses can best apply FTC advertising law to online activities and included several suggestions relating to character and text limitations, social media and outdated procedures. Intel suggested that the FTC address the space constraints created by new technology by permitting other technological means, such as jump-linking or mouseovers or hyperlinks, to satisfy the disclosure requirement. Other suggestions included disclosure requirements for social media tools, like Twitter, and removing certain procedures that were either impractical (detailed monitoring programs for small or medium-sized businesses) or under-utilized by consumers due to advances in mobile technology (required printing options).10
The FTC is also currently focused on privacy in the mobile environment and expects to pursue increased enforcement actions involving mobile technology. Nearly 700 million people in the United States own smartphones and each smartphone has the capability to collect highly sensitive personal information, track consumers' whereabouts, and provide mobile payment systems and thousands of mobile applications. The FTC has already been warned that mobile applications have been exhibiting a lack of transparency by not providing effective notice and choice before passing on consumers' personal information and location data to other companies. The agency aims to aggressively pursue simplified privacy policies to accommodate smaller screen space and to educate consumers about mobile privacy practices.11
Companies should take a proactive approach to comply with privacy and information security laws, regulations and guidelines. The FTC expects businesses to collect, disclose, use and process personal information in a transparent way, and to accurately represent their privacy and security practices to consumers.12 The FTC has posted the "Fair Information Practice Principles" on its website that lists the best practices to comply with data privacy regulations and concerns. These rules explain in greater detail the five core principles of privacy protection: (1) Notice/Awareness, (2) Choice/Consent, (3) Access/Participation, (4) Integrity/Security, and (5) Enforcement/Redress. More information on these guidelines can be found at: http://www.ftc.gov/reports/privacy3/fairinfo.shtm. As there is still legislation pending before Congress, companies should take notice of the principles stated by the FTC and the terms in the Chitika case, so as to alter their privacy practices in advance of any new legislation or regulation.