The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Cell phone marketing and privacy

Another good privacy article in the papers today, this one addressing the huge potential market for cell phone ads, and the privacy and consumer issues that will make it more difficult to tap.

Carriers currently allow only limited targeting based on subscriber zip codes, age or other demographic information. But some consider it only a matter of time before they begin targeting ads based on geolocation data (which the FCC required carriers to collect in its 1996 E911 proceedings, or which can be obtained when subscribers manually input it to use location-based services). Of course, the personal nature of this data raises privacy red flags and could be more annoying than usual to consumers.

CTIA and the Mobile Marketing Association are working on guidelines for notice, consent and periodic tracking reminders, and some carriers are exploring ways to take advantage of profiles without sharing identifiable data. In the meantime, industry participants are moving cautiously to avoid the backlash greeting so many new advertising programs recently.

The article mentions that US subscribers may be becoming more open to this kind of advertising because they’re more frequently embracing data services like their European counterparts (and it notes that Yahoo is working with UK-based Vodafone on demographic targeting). But it doesn’t mention the EU ePrivacy directive, which puts strict data protection standards around the use of traffic and location data derived from public communications services and networks.

UK moves toward legal response to breaches

In the wake of its proliferating security breaches, the UK has taken the first steps towards increased regulation. The Times Online reports that MPs are considering a proposal (after Information Commissioner Thomas’s proposal) that would make company executives responsible for the data they hold, including certification requirements that security protections are in place (à la Sarbanes-Oxley). (Credit to the always useful Canadian Privacy Law Blog.)

California Office of Privacy Protection to merge with Information Security Office

Another interesting thing I learned from that profile of Joanne McNabb . . . beginning January 1, the California Office of Privacy Protection will merge with the State Information Security Office, to create a new Office of Information Security and Privacy Protection.

Privacy is focus of SF Chronicle’s business section

It’s apparently privacy day at the San Francisco Chronicle, with two profiles of privacy industry movers and shakers in the business section, one of which might provide some insight into developments in California privacy law.

The first is on Eric Fleischer, Google’s global privacy counsel, who notes that his job has made him cautious about providing information online (but apparently not too cautious to publish a diatribe against the suit and tie). The article provides a rundown of some of the privacy challenges Google has faced, as well as an interesting few paragraphs about the elements of proper notice and consent.

The second profiles Joanne McNabb, chief of the California Office of Privacy Protection, the first of its kind in the United States. It describes how she provides practical advice to businesses and consumers based on California’s privacy laws (which are groundbreaking but give few real-world guidelines for when issues arise under them), often within strict budget limits.

McNabb’s profile discusses what she sees as the most worrisome development for privacy on the web – the lack of control consumers have over the information that’s posted about them:

"People are unhappy and confused about places like MySpace," she said. "They’ve got your information – your kid’s pictures are online. … When we start explaining about public records, they don’t want to hear it. They want their information off the Web."

She’s decided that California needs better privacy laws, prompted by Daniel Solove’s The Future of Reputation: Gossip, Rumor, and Privacy on the Internet. It’s got her thinking of ways to improve privacy without burdening the court system, for example by placing obligations on employers who run background checks.

Secure Times Newsletter, Fall/Winter 2007 issue

The Privacy and Information Security Committee has just released the Fall/Winter 2007 issue of its Secure Times Newsletter. The newsletter covers privacy and information security issues with articles from a variety of perspectives, including experts from legal, corporate, government and academic sources. This latest issue contains:

  • an interview with the FTC’s first Chief Privacy Officer, Marc Groman
  • a description of recent cases that may make companies operating only online subject to the requirements of federal and state disability access laws
  • a review from the Texas AG’s office of their latest privacy enforcement activities, in areas like identity theft and spyware
  • an update on litigation that may apply FACTA’s prohibitions against full credit card number or expiration dates on receipts to invoices shown only online

The newsletter is a resource available to ABA Antitrust Section members, and can be found on the Committee’s website. For more information about membership, visit the ABA’s website.

FTC proposes self-regulatory principles for behavioral targeting

The FTC’s been busy today. In addition to clearing Google’s acquisition of DoubleClick, they’ve proposed a set of principles to guide self-regulation in behavioral advertising. Broadly, their proposals are:

  • Every website where data is collected for behavioral advertising should provide a clear, consumer-friendly, and prominent statement that data is being collected to provide ads targeted to the consumer and give consumers the ability to choose whether or not to have their information collected for such purpose.
  • Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.
  • Companies should obtain affirmative express consent from affected consumers before using data in a manner materially different from promises the company made when it collected the data.
  • Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising.
  • The FTC seeks comment on what constitutes “sensitive data” (health information and information from minors have already been proposed) and whether the use of sensitive data should be prohibited, rather than subject to consumer choice.

Although many of the proposals are in line with the NAI Principles, so far the industry self-regulatory standard for cookie-based ad networks, some are pretty revolutionary in the privacy arena — for example, the application of standards to single-site tracking and personalization, an affirmative standard to retain data for no longer than necessary (similar to the EU’s data retention requirements), and a requirement to obtain affirmative consent to major changes to a privacy policy (rather than the notice and opt-out regime currently practiced by most companies here and in other countries).

Comments on the proposals are due February 22, 2008.

Update: The NAI comments on the proposal.

Alberta says Ticketmaster not allowed to mandate consent for secondary purposes

The Canadian Privacy Law Blog has the text of an announcement from the Alberta Office of the Information and Privacy Commissioner that Ticketmaster violated PIPA by requiring customers to consent to share information with concert promoters for marketing purposes.

OIPC found that Ticketmaster’s privacy policy was "complex and ambiguous" and its opt-out process "did not allow customers to make an informed decision about consent nor did it offer customers a reasonable opportunity to decline or object to the use of their personal information for event providers’ marketing purposes." Customers cannot continue with a ticket purchase unless they agree to Ticketmaster’s "Use of Personal Information" privacy statement, which authorizes Ticketmaster to share the email address with concert promoters for marketing purposes. 

Ticketmaster has agreed to a number of changes to bring it into compliance, including an online and telephone opt-in for sharing customer information with promoters and a revision to its privacy policy (including a navigable, hyperlinked table of contents).

A copy of the full investigation report is available at the OIPC website.