Privacy And Data Protection: 2012 Year In Review

DEVELOPMENTS AT THE FEDERAL TRADE COMMISSION

Heather Egan Sussman, Carla A. R. Hine and Evan D. Panich

In March 2012, the Federal Trade Commission (FTC) issued its final report "Protecting Consumer Privacy in an Era of Rapid Change", which describes its framework for protecting consumer privacy. The framework serves as a best practices guide for companies and as a roadmap for the U.S. Congress as it considers privacy legislation, and focuses on the following three elements:

"Privacy by Design: Build in privacy at every stage of product development;

Simplified Choice for Businesses and Consumers: Give consumers the ability to make decisions about their data at a relevant time and context, including through a Do Not Track mechanism, while reducing the burden on businesses of providing unnecessary choices; and

Greater Transparency: Make information collection and use practices transparent."

The report recommends that Congress enact legislation related to general privacy, data security and breach notification, and data brokers. While legislation is under consideration, the FTC has focused on five primary action items to implement its privacy framework:

Implement "Do-Not-Track" mechanisms

Improve privacy protections and disclosures for mobile services, which the agency explored further during its May 2012 workshop and in its guidance for mobile application developers (both of which are discussed below)

Improve transparency into data brokers' practices

Explore heightened privacy concerns related to large platform providers (that may comprehensively track consumers' online activity across the internet) by hosting a public workshop in December 2012

Develop self-regulatory codes of conduct with the U.S. Department of Commerce, industry and other stakeholders

The FTC explicitly does not intend for the report to serve as a template for enforcement actions (at least to the extent the framework exceeds existing legal requirements). In the meantime, the FTC continues to enforce Section 5 of the FTC Act, which prohibits "unfair or deceptive" trade practices. The FTC's cases in this area center around (1) companies' misrepresentations in their privacy policies about how they collect, use or maintain consumers' personal data; (2) companies' failures to reasonably maintain the security of consumers' data, resulting in data breaches and harm to consumers; and (3) deceptive, and in some cases unfair, gathering of consumer data without consumers' knowledge.

These cases, as well as the FTC's workshops and public guidance, suggest that the agency is focused on new vulnerabilities (e.g., data brokers, social networking and large platform providers) and developing technologies (e.g., peer-to-peer networks, Flash cookies and mobile applications). The FTC's actions also indicate a willingness to use all the tools in its box to bring a single action under multiple regulations, including the Gramm-Leach-Bliley Act (GLB Act), the Children's Online Privacy Protection Act (COPPA) and the Fair Credit Reporting Act (FCRA). Throughout 2013, observers can expect the FTC to continue in this same fashion, and further guidance will likely follow December 2012's large platform workshop.

FTC Enforcement Actions Based On Privacy Policy Content

Several FTC enforcement actions focus on companies' allegedly deceptive actions by failing to live up to their privacy policies. The FTC followed its first behavioral advertising case in 2011 against Chitika with its first Flash cookies case. ScanScout, Inc., an online advertiser that used both HTTP and Flash cookies to track users' online activity, settled allegations that its privacy policy misled consumers by stating they could block the company's use of all cookies, although Flash cookies cannot be blocked through internet browser settings. The FTC finalized its settlement with ScanScout in late 2011, requiring the company to provide consumers with an opportunity to opt out of targeted advertising, and requiring that the consumer's choice last at least five years (unless the consumer changes it). The settlement also required disclosures as to how the company uses consumer information, and reports regarding ScanScout's compliance with the order.

The FTC announced a settlement with Facebook in November 2011 regarding changes in Facebook's privacy policies that applied to current users. The changes resulted in users automatically sharing information and pictures, even if they had previously programmed their privacy settings to hide the content. As part of the settlement, which was finalized in August 2012, Facebook must obtain users' consent before implementing changes that would override existing privacy preferences, prevent anyone from accessing a user's data more than 30 days after the user deleted their account, establish and maintain a comprehensive privacy program, and obtain independent third-party audits of its privacy program every two years for the next 20 years.

Also in the social networking space, the FTC filed a complaint in March 2012 against social networking website MySpace alleging that the company's privacy policy misrepresented how it would use consumers' personally identifiable information. MySpace's policy stated that it would not share users' information or use the information in a way that was inconsistent with the purpose for which the consumer provided it without first informing the user and receiving his or her consent. However, without obtaining consent, MySpace provided users' personally identifiable information to advertisers. The company settled the FTC's complaint by agreeing to not misrepresent its privacy practices, establishing a comprehensive privacy program and submitting its privacy program for review by third-party auditors every two years.

The FTC is not simply entering into consent orders with companies, but is actively monitoring and enforcing these consent orders.

Enforcement Actions Related To Data Breaches

Although state attorneys general have initiated many data breach enforcement actions, the FTC also has jurisdiction to pursue claims related to data breaches through the FTC Act and the GLB Act.

In June 2012, the FTC filed a complaint against Wyndham Hotels and Resorts over alleged data security failures that the FTC claims led to three data breaches. The FTC's complaint alleges that Wyndham's failure to protect its customers' data was unfair and deceptive in violation of Section 5 of the FTC Act. In August, Wyndham filed a motion to dismiss challenging the FTC's authority to bring certain claims pursuant to Section 5 of the FTC Act. The case is significant in that it could define the scope of the FTC's enforcement authority going forward in the realm of privacy and data security.

In the same month as filing the Wyndham complaint, the FTC announced separate settlements with debt collector EPN, Inc., and auto dealer Franklin's Budget Car Sales, Inc. In both cases, the FTC alleged that the companies failed to implement reasonable security measures to protect personal information. In both instances, each company allowed peer-to-peer file-sharing software to be installed on their networks, exposing sensitive data to any computer connected to the peer-to-peer network, including Social Security numbers, health insurance numbers, medical diagnosis codes of hospital patients and sensitive financial information. Under both settlements, the companies must implement comprehensive security programs and undergo independent third-party audits for the next 20 years. Further, Franklin's sells and leases cars and provides financing for its customers, and is a "financial institution" under the GLB Act. Franklin's failure to protect consumers' financial information also violated the Safeguards Rule under the GLB Act, which requires financial institutions to ensure the security and confidentiality of personal information such as names, addresses and phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers.

Deceptive Gathering Of Data On Consumers

Two of the FTC's cases in 2012 addressed allegations of deceptive, and in some cases unfair, gathering of data about consumers without their knowledge. In September 2012, in what is referred to as the DesignerWare cases, the FTC settled complaints against DesignerWare, LLC, and seven rent-to-own companies, alleging that they unfairly and deceptively spied on consumers using computers that consumers rented from them by capturing screenshots of confidential and personal information, logging consumers' computer keystrokes and taking webcam pictures of people in their homes, without notice to, or consent from, the consumers. DesignerWare licensed software to rent-to-own stores that could disable a computer if it were stolen or if the consumer did not make timely payments. There was an additional program known as "Detective Mode" that purportedly helped to locate the computer and collect late payments. However, when activated, Detective Mode logged keystrokes, which captured information such as user names and passwords for e-mail accounts, social media websites and banks; Social Security numbers; medical records; bank and credit card statements; and webcam pictures of children and private activities. The consent orders will ban DesignerWare and the rent-to-own stores from using monitoring software and deceptively gathering information from consumers. Further, the rent-to-own stores will be prohibited from using the information improperly gathered in connection with debt collection.

In December 2012, the FTC announced a settlement with Epic Marketplace Inc., an online advertising company, after investigating claims that it used "history sniffing" to secretly gather data from consumers about their interest in sensitive medical and financial topics. Epic's privacy policy stated that it would collect information only about users' visits to sites within its network. However, it allegedly...
