The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



Yesterday at FTC, President Obama Announced Plans for new data privacy and security laws: Comprehensive Data Privacy Law, Consumer Privacy Bill of Rights, and Student Digital Privacy Act

Yesterday afternoon, President Barack Obama gave a quip-filled speech at the Federal Trade Commission where he praised the FTC’s efforts in protecting American consumers over the past 100 years and unveiled his plans to implement legislation to protect American consumers from identity theft and to protect school children’s personal information from being used by marketers. These plans build upon past legislative efforts and the Administration’s focus on cybersecurity, Big Data, and consumer protection. Specifically, on February 23, 2012, the White House released “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy” (the “Privacy Blueprint”), and in January 2014, President Obama asked his Counselor, John Podesta, to lead a working group to examine Big Data’s impact on government, citizens, businesses, and consumers. The working group produced Big Data: Seizing Opportunities, Preserving Values on May 1, 2014.

In his speech, the President highlighted the need for increased privacy and security protections as more people go online to conduct their personal business (shop, manage bank accounts, pay bills, handle medical records, manage their “smart” homes, etc.), stating that “we shouldn’t have to forfeit our basic privacy when we go online to do our business”. The President referenced his “Buy Secure” initiative that would combat credit card fraud through a “chip-and-pin” system for credit cards and credit-card readers issued by the United States government. In that system, a microchip would be embedded in a credit card and would replace the magnetic strip, since microchips are harder than magnetic strips for thieves to clone. A PIN would also need to be entered by the consumer into the credit card reader, just as with an ATM or debit card. The President praised those credit card issuers, banks, and lenders that allowed consumers to view their credit scores for free. He also lauded the FTC’s efforts to help identity theft victims by working with credit bureaus and by providing guidance to consumers on its website, identitytheft.gov.

The first piece of legislation the President discussed briefly was a comprehensive breach notification law that would require companies to notify consumers of a breach within 30 days and that would allow identity thieves to be prosecuted even when the criminal activity was done overseas. Currently, there is no federal breach notification law, and many states have laws requiring companies to notify affected consumers and/or regulators depending on the type of information compromised and the jurisdiction in which the organization operates. The state laws also require that breach notification letters to consumers include certain information, such as information on the risks posed to the individual as a result of the breach along with steps to mitigate the harm. This “patchwork of laws,” President Obama noted, is confusing to customers and costly for companies to comply with. The plan to introduce a comprehensive breach notification law adopts the policy recommendation from the Big Data Report that Congress pass legislation that provides for a single national data breach standard along the lines of the Administration’s May 2011 Cybersecurity legislative proposal. Such legislation should impose reasonable time periods for notification, minimize interference with law enforcement investigations, and potentially prioritize notification about large, damaging incidents over less significant incidents.

The President next discussed the second piece of legislation he would propose, the Consumer Privacy Bill of Rights. This initiative is not new. Electronic Privacy Bills of Rights of 1998 and 1999 have been introduced. In 2011, Senators John Kerry, John McCain, and Amy Klobuchar introduced S.799 – Commercial Privacy Bill of Rights Act of 2011. The Administration’s Privacy Blueprint of February 23, 2012 set forth the Consumer Privacy Bill of Rights and, along with the Big Data Report, directed the Department of Commerce’s National Telecommunications and Information Administration (NTIA) to seek comments from stakeholders in order to develop legally-enforceable codes of conduct that would apply the Consumer Privacy Bill of Rights to specific business contexts.

The Big Data Report of May 1, 2014 recommended that the Department of Commerce seek stakeholder and public comment on big data developments and how they impact the Consumer Privacy Bill of Rights draft and consider legislative text for the President to submit to Congress. On May 21, 2014, Senator Robert Menendez introduced S.2378 – Commercial Privacy Bill of Rights Act of 2014. The Consumer Privacy Bill of Rights set forth seven basic principles:

1) Individual control – Consumers have the right to exercise control over what information data companies collect about them and how it is used.

2) Transparency – Consumers have the right to easily understandable and accessible privacy and security practices.

3) Respect for context – Consumers expect that data companies will collect, use, and disclose the information they provided in ways consistent with the context it was provided.

4) Security – Consumers have the right to secure and responsible handling of personal data.

5) Access and accuracy – Consumers have the right to access and correct their personal data in usable formats in a manner that is appropriate to the data’s sensitivity and the risk of adverse consequences if the data is not accurate.

6) Focused Collection – Consumers have the right to reasonable limits on the personal data that companies collect and retain.

7) Accountability – Consumers have the right to have companies that collect and use their data keep appropriate methods in place to assure that they comply with the Consumer Privacy Bill of Rights.

The President next discussed the third piece of legislation he would propose, the Student Digital Privacy Act. The President noted how new educational technologies including tailored websites, apps, tablets, digital tutors and textbooks transform how children learn and help parents and teachers track students’ progress. With these technologies, however, companies can mine student data for non-educational, commercial purposes such as targeted marketing. The Student Digital Privacy Act adopts the Big Data Report’s policy recommendation of ensuring that students’ data, collected and gathered in an educational context, is used for educational purposes and that students are protected against having their data shared or used inappropriately. The President noted that the Student Digital Privacy Act would not “reinvent the wheel” but mirror on a federal level state legislation, specifically the California law to take effect next year that bars education technology companies from selling student data or using that data to target students with ads. The current federal law that protects students’ privacy is the Family Educational Rights and Privacy Act of 1974, which does not protect against companies’ data mining that reveals students’ habits and profiles for targeted advertising but rather protects against official educational records being released by schools. The President highlighted current self-regulation, the Student Privacy Pledge, signed by 75 education technology companies committing voluntarily not to sell student information or use education technologies to send students targeted ads. It has been discussed whether self-regulation would work and whether the proposed Act would go far enough.

The President remarked that parents want to make sure that children are being smart and safe online and that it is their responsibility as parents to do so, but that structure is needed for parents to ensure that information is not being gathered about students without their parents or the kids knowing about it. This hinted at a notification requirement and opt-out for student data mining that is missing from state legislation but is a requirement of the Children’s Online Privacy Protection Act of 1998. Specifically, COPPA requires companies and commercial website operators that direct online services to children under 13, collect personal information from children under 13, or know they are collecting personal information from children under 13 to provide parents with notice about the site’s information-collection practices, obtain verifiable consent from parents before collecting personal information, give parents a choice as to whether the personal information is going to be disclosed to third parties, and give parents access and the opportunity to delete the children’s personal information, among other things.

President Obama noted that his speech marked the first time in 80 years, since FDR, that a President has come to the FTC. His speech at the FTC on Monday was the first of a three-part tour leading up to his State of the Union address. Next, the President planned to speak at the Department of Homeland Security on how the government can collaborate with the private sector to ward off cyber security attacks. His final speech will take place in Iowa, where he will discuss how to bring faster, cheaper broadband access to more Americans.


Less Than Satisfied with Self-Regulation? FTC Chair Renews Push for Do Not Track

FTC Chair Edith Ramirez created some waves in her first speech to the advertising industry this week. Ramirez renewed the call for a universal Do Not Track mechanism, and impliedly ignored the progress of AdChoices, the Digital Advertising Alliance’s opt-out program. The FTC’s critical stance, along with a renewed initiative in the Senate, signals that the government is unsatisfied with the industry’s progress toward enhanced consumer controls over privacy and may seek a public, rather than private, solution.

“Consumers await a functioning Do Not Track system, which is long overdue,” Ramirez said. “We advocated for a persistent Do Not Track mechanism that allows consumers to stop control of data across all sites, and not just for targeting ads.”

The comments, spoken before the American Advertising Federation at their annual advertising day on Capitol Hill, illustrated a rift between advertisers and regulators over the progress of self-regulatory programs and consumers’ perceptions of online behavioral advertising. Two years ago, the FTC called on advertisers to develop a program that would give consumers a choice to opt out of behaviorally targeted ads. Speaking to AdWeek, Stu Ingis, a partner at Venable who acts as the DAA’s attorney, said of Ramirez’s remarks: “We have solved it. The DAA’s program covers 100 percent of the advertising ecosystem. We made our agreements.”

The DAA also recently released the results of a poll it commissioned, stating that nearly 70 per cent of consumers responding said that they would like at least some ads tailored directly to their interests, and 75 per cent said that they preferred an ad-supported internet model. (The poll comes with some caveats, described by an AdWeek piece today.)

However, in her speech Ramirez spoke of consumers’ “unease” with online tracking: “An online advertising system that breeds consumer discomfort is not a foundation for sustained growth. More likely, it is an invitation to Congress and other policymakers in the U.S. and abroad to intervene with legislation or regulation and for technical measures by browsers or others to limit tracking,” she said.

Ramirez also urged the advertising community to keep working within the multiparty process led by the W3C (World Wide Web Consortium) to develop a browser-based Do Not Track program. However, there has been little concrete progress in the talks so far.

The online advertising industry may be running out of time. Senator Jay Rockefeller (D-W.Va.), chair of the Senate Commerce Committee, announced that he would hold a hearing next week to discuss legislation that would mandate a Do Not Track standard. The chairman, along with Sen. Richard Blumenthal (D-CT), introduced the Do Not Track Online Act in February. The bill would direct the FTC to write regulations governing when internet firms must honor a consumer’s request that their information not be collected, and deputize the FTC and state attorneys general to enforce the rules.

“Industry made a public commitment to honor Do-Not-Track requests from consumers but has not yet followed through,” Rockefeller said of the hearing. “I plan to use this hearing to find out what is holding up the development of voluntary Do-Not-Track standards that should have been adopted at the end of last year.”

If Congress and the FTC agree that the advertising industry hasn’t honored its commitments, the chances for self-regulation without a government mandate may dwindle further.

Sources:

AdWeek:  FTC Chair Stuns Advertisers

The Hill: Sen. Rockefeller to Push for Do Not Track at Hearing



In Step Towards Broader Self-Regulation, Facebook to Allow AdChoices Icon in Ads

Facebook has closed a major gap in the industry compliance puzzle by announcing that it will now adhere to a widespread notice-and-choice program for its advertising platform. The site will be adopting the Digital Advertising Alliance’s AdChoices program, meaning it will place the program’s blue-triangled icons onto ads served by its FBX ad exchange.  The move will provide more transparency and an opt-out function to ads on the world’s most popular social networking site.

Transparency and uniformity in behaviorally targeted ads are what the Digital Advertising Alliance had in mind with its self-regulatory program.  The program is intended in part to prove to the government that the advertising industry can be proactive about sharing the consumer information that online advertisers store and use to target ads, and allow them to opt out on their own. Users can click on the “AdChoices” icon and its ubiquitous blue triangle, which takes users directly to the ad partner’s site, where they can see what information is being used to target ads and opt out.

The AdChoices program has two main advantages: broad-based industry usage and consistency from ad to ad and site to site. However, one industry publication described Facebook’s choice to go its own way as a “gaping hole” in the voluntary industry program. Facebook is the #2 most trafficked site on the web, and the No. 1 publisher of display ads in the U.S. Due to the data it possesses about its users, it has a unique ability to behaviorally target ads. Prior to adoption, Facebook’s interface took more steps than the DAA’s to get more information and an opt-out button, including several clicks before being referred to the ad server’s site.

It should be noted that the AdChoices icon will not be displayed universally or in the fashion seen on other sites. The option will only appear on behaviorally based ads served through Facebook’s FBX platform. Clicking the “x” on other ads will lead to Facebook’s own information and opt-out screens. FBX partners who participate in the AdChoices program will be able to display the icon, but it will only show up once a user’s cursor hovers over the ad.

This announcement has several potential impacts for Facebook and voluntary industry privacy programs. Facebook’s adoption of the icon and program should increase the visibility of the icon and the program, even if it is not displayed as prominently on Facebook ads. It will also subject Facebook to increased accountability, in the form of compliance reviews and complaint resolution procedures by the Council of Better Business Bureaus and the Direct Marketing Association, which oversee the program. Finally, it should provide increased legitimacy to industry privacy programs by bringing one of the whales of online advertising in tune with the FTC’s privacy framework. In its final privacy report, the FTC mentioned the DAA’s program as a creative and practical consumer choice mechanism and part of significant industry progress towards its goal of a Do-Not-Track mechanism.


Article 29 Working Party Publishes Letter Criticizing the Proposed Online Behavioral Advertising Self-Regulatory Framework.

Earlier this week, the Article 29 Working Party published a letter it sent to the Interactive Advertising Bureau Europe (IAB Europe) and the European Advertising Standards Alliance (EASA) regarding their proposed self-regulatory framework for online behavioral advertising (OBA) to satisfy the EU’s ePrivacy Directive. The letter referred to a meeting between the Working Party and the OBA industry scheduled for sometime in September and was sent in advance of the meeting to inform the OBA industry of the Working Party’s main concerns with the proposed framework.


59th Antitrust Law Spring Meeting: Zeroing in on Behavioral Targeting

The ABA Antitrust Section spring meeting began March 30, 2011, and features a number of programs focusing on privacy and data security issues. In the “Zeroing in on Behavioral Targeting” program, panelists from the Federal Trade Commission (“FTC”), the Washington state attorney general’s office, and law firm privacy experts discussed current issues and legal actions involving online behavioral targeting.

Panelists included Becky Burr of WilmerHale; Tina Kondo, Deputy Attorney General with the Washington State Office of the Attorney General; Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection; and David Parisi with Parisi & Havens, LLP.


Inside the Session: Chris Wolf on Behavioral Advertising at the 59th Antitrust Law Spring Meeting


Editor’s Note: “Inside the Session” is a sneak preview of the privacy and information security-related sessions that will take place at the 59th Antitrust Law Spring Meeting. For more information on the conference, visit the ABA’s page on the event.

It’s no secret that, over the past several years, companies have embraced behavioral targeting to deliver personalized online advertising. Nor is it any secret that legislators and regulators have been paying close attention to this topic. The Secure Times recently spoke with Christopher Wolf, who will serve as session moderator of a Spring Meeting session entitled “Zeroing in on Behavioral Targeting”. Chris is a partner in the Washington, D.C. office of Hogan Lovells who practices in the field of privacy and data security law. He also is the founder and co-chair of the Future of Privacy Forum think tank, which is examining the behavioral advertising issues. He gave us a sneak preview of what to expect from the session on Wednesday, March 30, from 3:45-5:15pm.


Marketers Advance Self-Regulatory Privacy Principles

On February 27, 2011, the Interactive Advertising Bureau (“IAB”) Board of Directors voted to require its members to adopt industry self-regulatory privacy rules governing online behavioral advertising. Within six months, members must publicly affirm that they will follow self-regulatory principles, which were created in 2009 by the IAB, the American Association of Advertising Agencies, the Association of National Advertisers, and the Direct Marketing Association. Companies that do not comply with the new self-regulatory standards will face a minimum six-month suspension from the IAB.

The new rules: (1) require entities to provide consumers with clear and prominent notices in at least two places, including on the marketers’ websites and within or around the targeted advertisements or another place on the webpage where data is collected, before engaging in cookie-based behavioral targeting; and (2) require entities to obtain consumers’ consent before collecting sensitive personal data, such as financial account numbers, Social Security numbers, or medical information. More information regarding the IAB’s self-regulatory principles is available through the IAB’s website.

The IAB’s self-regulatory efforts follow recently introduced legislation designed to regulate marketers’ online tracking activities. The bills include the Do Not Track Me Online Act (H.R. 654) introduced by Representative Jackie Speier (D-CA)–which would allow consumers to opt out of online tracking by marketers–and the Best Practices Act (H.R. 611), an online privacy bill reintroduced by Representative Bobby Rush (D-IL) that would require marketers to obtain consumers’ consent before engaging in online tracking.