FTC Patrolling for Non-OBA User Data Collection


ADOTAS – It appears the FTC may, at long last, be realizing that curbing perceived targeted marketing abuses would likely lead to undesired and potentially disruptive consequences, including undermining the implicit bargain that drives the Internet — an exchange of value between consumers and content providers. The Commissioner for the FTC went on record last week, stating that the FTC understands “all this cyber-wonder does not come for free” and that “the role of advertising in paying for content and services is understandable.”

However, the commissioner also went on record to express the commission’s concern that the collection and use of personal data of online users involve privacy issues that “go well beyond behavioral advertising.” The good news is that the FTC has made it clear that it would not be as concerned if targeted advertisements were the only issue. Focus now appears to be on the “widespread harvesting and tracking of online information that goes largely undetected by consumers, with potential privacy impacts across a wide spectrum,” according to the commissioner.

Some real-world examples of uses of online information that have the FTC’s attention include: (1) Creating lists of elderly patients with Alzheimer’s disease to be used as “perfect prospects” for alternative therapy products marketing; (2) Utilizing social media chats for background checks by employers; and (3) Searching online for credit and debt information before providing bank loans.

In December of 2010, the FTC released its privacy protection preliminary staff report, which sought to focus on a broad range of potential misuses of online information and broad principles, such as privacy by design and clearer privacy notices. The Commission is currently assessing public comments in an effort to formulate what it hopes to be meaningful recommendations in a final report.

Privacy and data security experts believe that the United States is at a competitive disadvantage relative to other countries because it lacks a national privacy framework. Currently, the United States and Turkey are the only members among the 34 member countries of the Organization for Economic Cooperation and Development that do not have privacy framework laws in place. Negative consumer reaction and the loss of consumer confidence in domestic privacy protection are a natural consequence of such things as mobile device providers using geo-location tracking technologies without having first obtained express consent.

Do-Not-Track Under Review, But What Will the Feds Do?

One of the most widely talked about suggestions in the aforementioned staff report is creating a “Do-Not-Track-Mechanism” which would, presumably, make it simpler for individual consumers to opt out of having their online activities followed (or “tracked”) by advertisers and other third parties. It appears that the FTC is currently chewing on how to define what exactly “tracking” involves and what the details of a privacy framework bill should include.

The FTC commissioner states that “although allowing self-regulatory schemes to control tracking through commonly accepted best practices could be an acceptable solution, the various industry players are not necessarily speaking the same language when it comes to what should be considered tracking or what kinds of data should get special attention.” The Commission clearly believes that there are “commonly accepted practices” in the online business sector that would not be accepted by consumers if they had effective notice.

While the foregoing may, in fact, be the case, it is beginning to appear that Congress has, at least temporarily, backed off privacy protection legislation. There has been a lot of talk this year regarding the Obama administration’s call for a “Privacy Bill of Rights” law. However, the passage of a national data breach notification bill appears more likely, given the inconsistent patchwork of breach notification laws in more than 40 states.

In fact, on Sept. 22 the Senate Judiciary Committee passed a series of amended data breach and identity theft bills. The proposed legislation would require, for example, businesses to develop comprehensive data security programs that satisfy rules mandated by the FTC, and to establish procedures for minimizing the amount of personally identifiable information that they may retain – only as “reasonably needed.”

In the event of a security breach, notification to affected consumers would be required, unless it is determined that there is “no significant risk” that a security breach has resulted in, or will result in, identity theft, economic loss or harm, or physical harm to the individuals whose sensitive personally identifiable information was subject to the security breach.  In addition, individuals who intentionally conceal the fact that a data breach has occurred could face criminal penalties.

While applauding the goals of the proposed legislation, opponents such as the U.S. Chamber of Commerce have raised a number of concerns. These include increased and excessive costs for businesses due to perceived overly burdensome compliance regulations.

Of note, California recently amended its data breach notification law.  As of January 1, 2012, California businesses are required to provide notice to individuals of a breach involving their personal data, and must also notify the state Office of the Attorney General if the breach requires notification of more than 500 California residents.  For the first time, California will also require that notices to individuals include certain information, such as the type of information breached, the time of the breach, and a toll-free telephone number of major credit reporting agencies.

An experienced Internet attorney will be able to assist you to minimize exposure and protect against anticipated vulnerabilities to the privacy, security, or integrity of sensitive personally identifiable information, as well as any unauthorized access that could create a significant risk of harm or fraud to any individual.  The starting point should always be to design and implement reasonable written privacy and security policies, identify risks, inventory what you have and train employees on data security matters, and keep only what is reasonably necessary and secure it.

The Federal Trade Commission’s ‘Alleged’ Person of the Week

The most recent FTC action seeks to preclude deceptive “Fed Sites” that purport to guide consumers to financial services. On Sept. 14, the commission requested that the U.S. District Court for the District of Columbia stop a “lead generator” from impersonating federal consumer assistance agencies or pretending to be affiliated with them. In particular, the complaint (PDF) names Christopher Mallett, d/b/a Department of Consumer Services Protection Commission, U.S. Debt Care, World Law Debt, U.S. Mortgage Relief Counsel, govusdebtreform.net, usdebtcare.net, Worldlawdebt.org, and fha-homeloan.info.

According to the complaint, the defendants violated FTC Act §5, the FTC’s Telemarketing Sales Rule, and Mortgage Assistance Relief Services Rule by soliciting indebted consumers and referring them to companies selling mortgage, tax and debt relief services with promises that their debts would be substantially reduced or eliminated.

During the referral process, Mallett allegedly:

  1. Misrepresented his affiliations with the U.S. government or any federal, state, or local government agency, unit, or department;
  2. Misrepresented that the services advertised on his websites were government-approved; and
  3. Made deceptive debt relief claims that consumers who use the services promoted on his websites will have their debts substantially reduced, including by specific percentages.

The FTC seeks a preliminary injunction and has acknowledged working with the Texas and Tennessee Attorneys’ offices.


