Archive for the ‘Mobile’ Category

In-Store Monitoring: How to Enjoy the Benefits of Tracking While Minimizing Potential Privacy Issues

Monday, May 18th, 2015

In the latest example of the conflict between technological innovation and privacy concerns, the Federal Trade Commission (FTC) reached a settlement agreement last month with Nomi Technologies, Inc.

Nomi is a startup whose technology allows retail merchants to analyze aggregate data about consumer traffic in the merchants’ stores. Although different companies track this data in different ways, it is generally done by monitoring signals emitted from a mobile phone to see where a device moves over time. Nomi’s technology can tell a retailer where a customer walks in a store, or whether she is a repeat customer; it is not able to identify her personally.

Notwithstanding heavy criticism from the public and privacy advocates for invading customers’ privacy by tracking their movement without their consent, the FTC’s action was not brought pursuant to any privacy law or privacy-based right. Instead, the FTC’s action amounted to a run-of-the-mill consumer deception claim. The FTC alleged that Nomi misled consumers by falsely promising to provide mechanisms for consumers to opt-out of tracking and be notified when their information is being tracked. The proposed settlement prohibits the startup from misrepresenting people’s options for controlling whether information about them or their devices is collected, used, disclosed or shared. Notably, it did not impose notice and consent requirements for retail trackers or offer more specific guidance for retailers who track their customers.

The FTC’s decision, which was split 3-2, highlights the tension between allowing emerging retail technologies to grow and innovate, and the potential privacy risks that come with allowing companies to track consumers. The dissenters argued that the FTC should have refrained from bringing this action, given the immateriality of the representation, the lack of evidence of consumer harm and the potential chilling effect to other innovative startups.

Lack of Formal Guidance for Retailers

Even though thousands of retailers currently use some type of in-store tracking technology, the FTC has not yet issued formal standards for how retailers should use this technology without violating customers’ right to privacy.

Still, the FTC has made its interest in this area clear. Over the last several years, the FTC has published several guidance documents related to mobile phone tracking more generally, which touched on retailers’ tracking of their customers. Last spring, the FTC hosted a seminar dedicated to in-store tracking technology, including the different kinds of technology available and the privacy concerns with each. The Nomi action was just the latest reflection of the FTC’s increasing concern with this issue.

Days after the Nomi settlement, Ashkan Soltani, chief technologist at the FTC, blogged about the policy trade-offs in retail tracking. Soltani emphasized a point that was also clear in the FTC’s majority opinion in Nomi: “Retail tracking has many benefits for retailers and consumers alike. Stores are able to better understand the behaviors and preferences of their shoppers, and individuals in turn receive better service.” For example, by knowing where customers walk in a store, retailers are able to improve store layouts and reduce customer wait times.

Retailers looking to protect customer privacy should look to both Soltani’s blog and the FTC’s cell phone tracking reports for advice. Each reiterates that to best strike the balance between information and privacy, companies should disclose what information they are taking and how they plan on using it, and should ask for customers’ consent. Below are several considerations that apply specifically to the retail context:

1. Individual Identification

Currently, the predominant use for tracking information is to track customers in the aggregate. Although this is done by using unique identifiers to track each individual phone over time and across locations, each phone’s owner remains anonymous in this process.

However, the technology is available to track customers on a more individual basis. When a customer signs into a commercial hotspot, her MAC address can give a retailer access to her name and other WiFi networks she has used, and can “link” the customer’s online and in-store shopping behavior. Although it is unclear whether any companies collect or use this information, accessing this more personal information would clearly elevate privacy concerns related to in-store tracking. Notably, both dissenters in the Nomi case emphasized that Nomi’s technology did not provide the company with information about individual consumers, which suggests that they may have applied different analyses had Nomi been tracking individual customers.

Several efforts are currently being made to randomize phones’ wireless identifiers, so that retailers are not able to track individuals across multiple trips to multiple stores. For example, some smartphone manufacturers have attempted to build in features that limit retail tracking by randomizing the phone’s wireless identifier; according to Soltani, however, the effectiveness of these technologies is somewhat limited. The Internet Engineering Task Force (an Internet standards body) is currently working to achieve the same goal.

2. Consent

Although the FTC has not yet required that retailers obtain customers’ consent before tracking their locations, its recent publications in this area suggest that receiving consent is an effective way to minimize privacy risks.

Notably, it is much easier to receive customer consent for some kinds of tracking technology than others. Soltani distinguished active monitoring, which “is typically performed by the service the device is communicating with, such as by the cellular provider or by the WiFi hotspot the device is connected to,” and passive monitoring, which intercepts signals from the device as it communicates or searches for other devices and networks. Typically, customers are required to agree to terms and conditions before the retailer can use active monitoring; for example, by signing a cellular service contract or by connecting to a WiFi hotspot.

By creating a loyalty program application or offering free in-store WiFi, stores can offer benefits to their customers while also receiving their consent to data tracking. Another option, which is currently used by Apple, Macy’s, Coca-Cola, and Procter & Gamble, is known as proximity marketing. This is an opt-in system that allows retailers to send promotions to customers who are in the proximity of their stores.

Several smartphone location technology companies also allow customers to opt out of data tracking through an opt-out website. This website is one aspect of the Mobile Location Analytics Code of Conduct, which was created by analytics companies in October 2013 to assuage customers’ privacy concerns. The Code also calls for companies to obtain consent before collecting customers’ personal information. Although the FTC praised the Code for “[recognizing] consumer concerns about invisible tracking in retail spaces and [taking] a positive step forward in developing a self-regulatory code of conduct,” this code is not legally enforceable. Following the Nomi decision, however, analytics companies could be liable for deceiving consumers by claiming to comply with the Code but then failing to actually do so.

3. Notice

Notice is closely intertwined with consent. By not imposing a notice requirement on Nomi, the FTC — at least for the meantime — seems to have signaled that retailers are not required to notify their customers that they are being tracked through their cell phones. However, both Soltani’s blog post and the FTC’s recent cell phone guidance publications treat notice as a best practice.

As with consent, customers normally receive notice before signing up for a cell phone contract, opening a retailer’s phone app or joining a wireless hotspot. Unlike with these forms of active monitoring, however, customers are generally not notified before being tracked through passive monitoring.

Notice may prove difficult for retailers who use passive monitoring. Although retailers can notify many of their customers by posting signs within their stores, this would not notify every person being tracked, because the tracking technology also pulls cell phone signals from people passing by the storefront. To solve this problem, Soltani suggests that passive retail analytics devices begin to automatically notify users of the existence of mobile retail tracking and allow them to temporarily join in order to opt out.

4. Other Ideas from Nomi

Until the FTC issues more concrete guidance in this area, retailers should at least make sure to follow the FTC’s guidance in Nomi by fulfilling any promises they make regarding privacy. Although Nomi provides rather than uses tracking services, the same legal principles apply to retailers. Retailers should act in accordance with every part of their privacy policies by respecting customers’ opt-out options and heeding any statements about what kind of information they collect or how they use that information.

Given that the law in this area is rapidly evolving, retailers should consult with legal counsel before implementing data tracking technology in their stores.

California Enacts Smartphone Kill Switch Law to Promote Data Security

Friday, August 29th, 2014

This week California enacted into law Senate Bill 962, which requires a “kill switch” on all smartphones that would render the device inoperable. The law applies to all smartphones manufactured after July 1, 2015 and sold in the state, but exempts other mobile devices such as tablets and smartwatches.

While Minnesota passed a similar law in June, its statute (as well as comparable legislation pending in New York, Illinois and Rhode Island) does not require that a kill switch be enabled as the default setting, as mandated under S.B. 962. California has been a leader in privacy and data security legislation and has the nation’s largest economy and population of smartphone users. As a result, the law will have a sweeping impact, since it is unlikely that cell phone manufacturers will limit the kill switch feature to those phones sold in California and Minnesota. The feature has enough supporters that similar federal legislation, “The Smartphone Prevention Act,” was introduced in the U.S. Senate in February.

Apple iPhones with the iOS 7 operating system already include an “Activation Lock” feature that is largely compliant with S.B. 962 except for the fact that it is not a default setting. Google and Microsoft are expected to add kill switches in future versions of their operating systems.

California’s law and the growing popularity of kill switches are a response to the surge in smartphone thefts over the last year. A Consumer Reports survey indicated that approximately 3.1 million Americans were victims of smartphone thefts in 2013, up from 1.6 million in 2012. Smartphone thefts are particularly prevalent in the tech-centric Bay Area, where a large percentage of the population carries mobile devices. Smartphones pose a huge liability for data security, since consumers store everything from credit card numbers to passwords for accounts and websites, and even Social Security numbers.

The law is not without its detractors. CTIA, the trade association for the telecommunications industry, initially opposed the law out of concern that a patchwork of state-specific laws would increase costs without providing a comprehensive solution, while inhibiting competition and innovation. Opponents have pointed to the availability of other technological solutions such as remote wipe functionality. The Electronic Frontier Foundation (“EFF”) remains opposed due to concerns related to potential civil rights abuses and the possibility of criminal exploitation. EFF representatives have expressed concerns that a kill switch could be used by perpetrators of domestic violence and stalking crimes to prevent the victims from reporting the abuse, and would create a means for law enforcement to disable smartphones of protestors, akin to when cell phone access on BART subways was shut down in 2011 in response to a planned protest by commuters. Another worry is that hackers could potentially access the kill switch.

Retailers could incur a civil penalty ranging from $500 to $2,500 per smartphone sold in violation of the law.

Denial of Hulu’s Motion for Summary Judgment Paves Way for More Lawsuits Under the Video Privacy Protection Act

Monday, May 5th, 2014

A lawsuit filed in 2011 against Hulu, an on-line video content provider, claims the company violated the Video Privacy Protection Act (“VPPA”) by wrongfully disclosing users’ video viewing selections and personally identifiable information (PII) to third parties, comScore and Facebook.  On April 24, 2014, a federal court in the Northern District of California ruled that Hulu may have violated the VPPA by sharing user identifiers with Facebook.  Facebook could combine those user identifiers from Hulu with other information provided by cookies from a Facebook “like” button on Hulu’s web page that could reveal a user’s Facebook identity, as well as a user’s viewed video content on Hulu.  The court’s decision paves the way for privacy plaintiffs to bring suit against businesses who derive information from users’ viewing histories, with costly consequences given statutory damages of up to $2,500 per violation.

The VPPA prohibits a video service provider from knowingly disclosing PII of a consumer of the provider to third parties.  Under the VPPA, PII includes information that identifies a person as having requested or obtained specific video materials or services from a provider.  The VPPA prohibits disclosures that tie specific people to the videos they view.  The court found that disclosure of PII is not limited to a person’s actual name, but also consists of information that can identify a specific person and a specific transaction. The court affirmed that a unique, anonymized ID alone is not PII, but “context could render it not anonymous and the equivalent of the identification of specific person.”

Hulu’s Facebook disclosures included sufficient facts to potentially link the disclosure of a video name to an identified Facebook user to result in a violation of the VPPA.  A Facebook “like” button on Hulu’s web page sent Facebook the title of the video watched by the user, the IP address of the registered user’s computer, and cookies which could contain the Facebook user’s ID.  Hulu did not send Facebook the Hulu user’s ID or name when the user’s browser executed code to load the Facebook “like” button.  Nevertheless, the information provided to Facebook revealed information about what the Hulu user watched and the Hulu user’s name on Facebook.

In contrast with Hulu’s Facebook disclosures, Hulu’s disclosures to comScore did not potentially violate the VPPA because comScore could only have “hypothetically” linked to a user’s name or viewing history.  Hulu provided comScore with users’ unique Hulu user ID, an alphanumeric string that Hulu assigned at random to a browser to differentiate between web browsers, a Hulu Ad ID identifying an advertisement, and the name of the video content program and any season or episode number.  Because comScore had the Hulu user ID, it possessed the “key” to locating users’ names, but there was no evidence it did so.

This ruling is significant because it further opens the door for class actions alleging violations of the VPPA because “anonymous” data may be considered PII under the statute when viewed in the context of other data points.  Privacy plaintiffs will undoubtedly seek to apply this more narrow interpretation of what constitutes “anonymous” data in other lawsuits implicating different state and federal privacy laws.

See Order here.


Sunday, April 13th, 2014

On April 7, the Digital Advertising Alliance (DAA) announced the release of its Ad Marker Implementation Guidelines for Mobile (Ad Marker Guidelines) at the Interactive Advertising Bureau’s (IAB) Mobile Marketplace conference. The DAA is a consortium of national advertising and marketing trade groups that acts as an industry self-regulatory body. While the DAA traditionally focused on online advertising, the surge in mobile advertising in the last few years has caused it to increasingly address issues unique to the mobile ad space. The Ad Marker Guidelines follow on the heels of the DAA’s publication last summer of a policy guidance document on mobile advertising titled, “Application of Self-Regulatory Principles to the Mobile Environment.”

The DAA’s AdChoices (Ad Marker) icon is the blue triangular image that is the centerpiece of the organization’s ad choices program and is often delivered in or alongside interest-based ads in the online and mobile environments. Approved text accompanying the icon includes any of the following:

  • Why did I get this ad?
  • Interest Based Ads
  • AdChoices

When a consumer clicks on the Ad Marker, they receive information about the targeted nature of the advertisement and guidance on how to opt out of behaviorally targeted advertising. The Ad Marker Guidelines “address use cases in which consumers interact with the screen without using a cursor, as is the case when they use mobile devices such as smart phones and tablets.”

The Ad Marker Guidelines cover both in-ad implementation (i.e., size, touchpad area, in-ad placement and in-ad user experience) and app developer and publisher implementation (i.e., ad marker placement and flow for developers and publishers). Below are some of the key takeaways.

In-Ad Implementation

Size: The smaller screen size and ad creative sizes associated with mobile devices justify implementation of the Ad Marker through the icon itself, provided it is at least 12 pixels by 12 pixels in size.

Touchpad Area: The Ad Marker should include an invisible touch pad area between 20×20 and 40×40 pixels and mobile devices should include enough area to allow the user to easily interact with the Ad Marker.

In-Ad Placement: For an in-ad placement, the entity serving the notice may position the Ad Marker in any one of the four corners of the ad, although placement in the upper right hand corner is discouraged because that is where the close button for ads is normally located. When the icon is used concurrently with approved text, the Ad Marker Guidelines recommend placing the icon in the immediate corner of the ad with the approved text adjacent to the icon.

In-Ad User Experience: Tapping on the Ad Marker results in any one of the following four experiences:

  • Link directly to a notice that contains a mechanism that allows users to exercise their interest based preferences or to instructions for device-specific advertising preferences.
  • An interstitial opens up that provides the user a choice to access a preference mechanism, access a privacy policy, go back to the ad, or close the interstitial.
  • Tapping on the icon the first time expands the notice to show the approved text and a second tap brings the user to the preference mechanism or to instruction for device-specific controls.
  • When the user taps the Ad Marker in a rich media ad that is in a collapsed state, the Ad Marker icon expands to provide the user with the option to: (i) close the in-ad interstitial to view the ad; (ii) access the privacy policy; or (iii) access a preference mechanism or instruction for device-specific controls.

App Developer and Publisher Implementation

The Ad Marker Guidelines advise that “[w]hen implementing the DAA Ad Marker, application developers and mobile Web publishers need to consider both the placement of the Ad Marker and user access to the notice and choice it provides.”

Mobile publisher notices should use any of the three approved texts and when the icon accompanies an approved text, it should be at least 12 pixels by 12 pixels in size.

The in-app notice is accessible from the app’s Settings menu. The best placement of the notice is in the mobile page footer.

The Ad Marker Guidelines provide practical, easy to understand directions that will allow those serving ads in the mobile environment, including those on the creative side, to consistently utilize the Ad Marker icon. Use of the Ad Marker helps facilitate compliance with the enhanced notice requirements set forth in the DAA’s Application of Self-Regulatory Principles to the Mobile Environment.

New TCPA Rules Require Prior Express Written Consent for Mobile Marketing

Saturday, October 26th, 2013

As of October 16, 2013, the new rules under the Telephone Consumer Protection Act (TCPA) of 1991 went into effect.  The newly adopted rules derive from a report and order issued by the Federal Communications Commission (FCC) on February 15, 2012 intended to “maximize consistency” with the Federal Trade Commission’s (“FTC”) Telemarketing Sales Rule which established the “do-not-call registry.”

The rule changes are significant for retailers, marketers and any company with a mobile marketing program as the TCPA encompasses marketing messages via SMS, in addition to autodialed or prerecorded telemarketing calls.  The explosive growth of consumers using smartphones to search for and purchase goods and services cannot be ignored. 

Prior Express Written Consent.  Under the new rules “prior express written consent” must be obtained via a written agreement signed by the person receiving the marketing message who clearly authorizes the delivery to that person via autodialed or prerecorded telemarketing calls and text messages.  The sender of the marketing message must include a “clear and conspicuous” disclosure that:

(1)   By giving consent, the consumer authorizes the seller to deliver autodialed or prerecorded telemarketing calls and text messages to the specific phone number designated by the consumer;

(2)   The consumer is not required to give his or her consent as a condition to purchasing any goods or services; and

(3)   The consent encompasses all future autodialed or prerecorded telemarketing calls and text messages from that particular sender.

Electronic Signatures.  The signature affirming the written consent can be electronic and may be obtained in compliance with the E-SIGN Act.  Acceptable forms of electronic signature include e-mail, website forms, text messages, telephone keypad functions or voice recordings.  An electronic signature should involve an affirmative act, such as typing in a phone number and clicking “submit” for an online form.  In contrast, the use of a pre-checked box would not be acceptable since it would essentially require the consumer to opt-out.

Removal of Established Business Relationship Exception.  The rule changes also eliminate the “established business relationship” exception for prerecorded telemarketing calls to land lines, whereby telemarketers could circumvent TCPA liability if they had an established business relationship with the consumer arising from the sale of goods or services within the last eighteen months or had fielded an inquiry or application from the customer within the prior three months.  The established business relationship exemption did not apply to wireless phones, so this change does not impact mobile marketing.

Best Practices for Compliance.

Review Your Current Mobile Marketing Database. Companies need to carefully review their mobile databases to determine whether they are in compliance with the new rules. Most likely they are not.  Express consents that are not written can no longer be used. Moreover, even if the database contains express written consents, they probably do not include the disclosure that consent to get texts is not a required condition of purchase. While it is unclear whether such a disclosure is required with respect to written consents obtained prior to the rule change, the potential for statutory penalties and class action lawsuits weighs against taking such a risk.  Most companies will need to get their customers to re-opt-in to receiving marketing texts.

Obtaining Consents Going Forward.  Written consent can be achieved via various means including online agreements, lead generation forms and emails prompting consumers to reply. Clarity is key.  If using an unchecked box or other online agreement, the above-described disclosure should be next to or immediately preceding the opt-in mechanism and should explicitly state the terms to which the consumer is consenting.  To that end, avoid broad language that refers to affiliates, partners, or brands as the consent must name the specific seller and does not encompass one’s affiliates unless they are explicitly identified.  

Include Standard Text Notices. Businesses must continue to provide standard disclosures and notices, such as that message and data rates may apply to the texts being sent.  All texts must have a clear unsubscribe option.

Maintain Consent Records. The burden of proof for consent lies with the seller.  Companies should have a record-keeping system and implement procedures to store and access the new written consents.

Written Consent Still Not Required for Transactional Messages.  Companies sending purely transactional or informational texts (e.g., airline flight updates, confirmations of purchases or sweepstakes entries, etc.) still only need prior express consent, which does not need to be in writing. So, pre-October 16 mobile databases can continue to be used to send transactional texts.

Increased Litigation.

Retailers that do not already have a mobile marketing program will soon.  eMarketer expects the overall mobile ad market to grow 89% in 2013 to $16.65 billion.  If that doesn’t grab your attention, here are some other noteworthy statistics:

  • 9 out of 10 mobile searches lead to action, over half leading to a purchase. (Search Engine Land, 2012)
  • Mobile coupons are redeemed at 10 times the rate of traditional coupons. (Mobile Marketer, 2012)
  • 52% of all mobile ads result in a phone call. (xAd, 2012)
  • 70% of all mobile searches result in action within 1 hour, compared to 70% of online searches resulting in action in one month. (Mobile Marketer, 2012)
  • 50% of smartphone owners have scanned a QR code, and of those, 18% made a subsequent purchase. (Mashable)

Fines can run as high as $1,500 per unsolicited message and TCPA class actions are on the rise since it is a strict liability statute with no cap on the number of violations that can be included in a single lawsuit.  With these changes, companies need to rethink their mobile marketing programs with respect to how they obtain and maintain consent to avoid becoming a class action target.

AB 370 Amends CalOPPA To Require Transparency Regarding Consumers’ “Do Not Track” Requests to Websites, Online Services And Mobile Applications

Tuesday, October 8th, 2013

The California legislature has been considering a raft of privacy bills this year, only a couple of which have made it through to the governor for signature.  California Bill AB 370 has garnered the most attention.  It was signed into law by Governor Brown on September 27, 2013 and is set to become effective on January 1, 2014.  Though it is a state bill, it is nationwide in scope.

AB 370 amends Section 22575 of the California Business & Professions Code, the California Online Privacy Protection Act (CalOPPA), by requiring operators of websites and online services to:

  • disclose how the operator responds to a consumer’s do not track signals or other similar mechanisms if the operator collects Personally Identifiable Information (PII) about individual consumers’ online activities across time and websites or online services (Cal. Bus. & Prof. Code § 22575(b)(5));
  • disclose whether other parties may collect PII about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website or online service (§ 22575(b)(6)); and
  • provide a “clear and conspicuous hyperlink” in the operator’s privacy policy to an online location describing any program or protocol the operator follows that offers a consumer the ability to exercise choice regarding collection of his/her PII if the operator collects individual consumer’s PII across time and websites or online services (§ 22575(b)(7)).

AB 370 is intended to provide consumers the information necessary to determine which websites and online services actually honor a consumer’s do not track signal, so that they can make informed decisions about which sites and services they use.  Current websites and online service operators are not legally compelled to comply with consumers’ do not track requests, so AB 370’s disclosure requirements provide online transparency with respect to such requests.

The amendments will have a far reaching impact since CalOPPA applies to any website or online service that collects information from California residents.  And the new privacy policy requirements will also apply to operators of mobile applications in the eyes of California’s Attorney General.[1] Additionally, AB 370’s disclosure requirements do not apply exclusively to online behavioral tracking for marketing purposes, but appear to apply to an operator’s collection of PII for its own internal product development or research purposes.  Though collecting data about consumers “over time and across third-party websites” typically refers to online behavioral tracking to deliver targeted advertising, nothing in AB 370 limits its application to online behavioral tracking.  Rather, an operator must disclose its response to do not track signals if it collects individual consumer’s PII regarding online activities over time and across third party websites or online services, for any reason.

To prepare for the coming changes to CalOPPA, operators of websites and online services, including mobile applications, should determine whether they collect, either directly or by allowing third parties to collect, PII about the online activities of California residents over time and across different websites or online services.  If so, then operators should review their privacy policies prior to January 1, 2014 and consider doing the following:

  • Ensure the privacy policy describes how the operator responds to do not track signals or other similar mechanisms.  If an operator does not collect PII about consumer’s online activities over time and across different websites or online services, then no description of how the operator responds to do not track signals or other similar mechanisms is required.
  • State whether third parties may collect PII about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website or online service.
  • Provide a conspicuous hyperlink in the privacy policy to an online location describing any program or protocol the operator follows that offers consumers the ability to exercise choice regarding collection of a consumer’s PII over time and across third party websites or online services.

Finally, if an operator’s privacy policy does not conform to AB 370’s new disclosure requirements, the operator should amend its privacy policy in light of AB 370’s new requirements prior to January 1, 2014 to avoid statutory penalties.

Another privacy bill, SB 568, was signed into law by the Governor a few days before AB 370, on September 23, 2013, and goes into effect on January 1, 2014.  SB 568 will prohibit a website operator from directly, or through a third party, knowingly using, disclosing or compiling a minor’s PII for the purpose of marketing or advertising specified types of products or services.  Other Internet privacy bills have been introduced in the California legislature but foundered, including: AB 1291, seeking to create a Right to Know Act of 2013; AB 242, attempting to limit privacy policies to 100 words; SB 501, regulating minors’ information on social networking websites; and AB 319, requiring sites collecting personal information about minors to inform their parents and to bar minors from using the site in the future if requested by the parents.

Attorney General Kamala Harris’ recent interest in privacy protections leaves little doubt that we will see some enforcement actions arising from AB 370 and SB 568 in the not too distant future.

[1] The California Attorney General sent a Notice of Non-Compliance to providers of mobile applications in October 2012 that stated an operator of mobile applications that use the internet to collect PII is an “online service” within the meaning of CalOPPA.


Industry Steps Up to Establish Guidelines for Mobile Web Environment

Saturday, September 21st, 2013

Industry members and privacy groups have been on the clock to work out a voluntary standard for notifying users on how their data is collected and used on mobile devices, following prodding by the White House and the Federal Trade Commission. Recently, the Digital Advertising Alliance ("DAA") followed the Network Advertising Initiative ("NAI") in unveiling guidelines for advertisers, media and technology companies to use to enable consumers to control the collection and use of data in mobile technology across websites and mobile device applications ("apps"). Together, the DAA and NAI represent many of the nation's largest media, marketing and advertising companies and thus hold significant sway in the mobile marketing industry. Their guidelines follow closely on the heels of the Mobile Marketing Association's January 2012 publication of its Privacy Policy Guidelines for Mobile Apps.

The DAA’s Application of Self Regulatory Principles to the Mobile Environment focuses on four sets of data:
1) multi-site data, i.e., data that has been viewed over time and across websites;
2) cross-app data, i.e., data collected across mobile apps;
3) precise location data, i.e., data regarding the physical location of the device (and consumer); and
4) personal directory data, i.e., personal data stored on a device such as phone numbers, logs, addresses and video/photos.

Similarly, the Network Advertising Initiative ("NAI") Mobile Application Code focuses on cross-app data, precise location data and personal directory data, but it addresses only data collected within individual apps and websites rather than multi-site data collected across websites. For notice and choice requirements covering multi-site data, the NAI refers companies to its separate Code of Conduct.

Under both the DAA and NAI guidelines, websites and apps that collect data on mobile devices are required to provide consumers with notice of their data collection practices and a choice as to whether their data is collected.

While these guidelines do not have the force and effect of law, they do reflect recommendations made by the Federal Trade Commission, the National Telecommunications and Information Administration, and the California attorney general, and are a response to the federal government's demand that the mobile technology industry develop a self-regulatory scheme. Accordingly, advertisers and media companies should become familiar with these principles and work to comply with the notice and choice provisions of these guidelines for the mobile Web. The real question is whether these industry self-regulatory measures, along with FTC guidelines, will offer the adequate solutions and direction necessary to stave off direct government regulation.

California AG Sues Delta for Failure to Post a Mobile App Privacy Policy

Wednesday, December 12th, 2012

December 12, 2012 by Matthew Fischer

On December 6, California Attorney General Kamala Harris initiated the first enforcement action under California’s Online Privacy Protection Act (CalOPPA) in San Francisco Superior Court. The complaint filed against Delta Air Lines Inc. asserts that the airline’s operation of its mobile app called “Fly Delta” violates both CalOPPA and California’s unfair competition law (UCL).

CalOPPA requires an operator of a commercial website or online service that collects personally identifiable information (PII) through the Internet about consumers residing in California who use or visit its website to "conspicuously post" a privacy policy. The Act defines PII as: a first and last name; a home or other physical address; an email address; a telephone number; a social security number; any other identifier that permits the physical or online contacting of an individual; or information concerning a user that a website or online service collects from the user and maintains in personally identifiable form in combination with any of the aforementioned identifiers.

Under the Act, an operator must post a privacy policy within 30 days after notification of non-compliance. However, enforcement against a company that fails to comply with a posted privacy policy (either knowingly or negligently and materially) does not require a 30 day notification. On October 26, the AG’s office issued warning letters to over 100 popular mobile app developers that did not have compliant privacy policies, giving them the statutory 30 days to comply or explain why their apps are not covered by CalOPPA. Delta acknowledged receipt of the letter on October 30 and stated that it would “provide the requested information” but, for whatever reason, did not do so within the 30 day window. Delta did publish a privacy policy for the Fly Delta app shortly after the lawsuit was filed.

The complaint alleges that, while Delta maintains a privacy policy on its website, the policy “does not mention the Fly Delta app, and is not reasonably accessible to consumers of the Fly Delta app.” The Fly Delta app collects such PII as a user’s full name, telephone number, email address, frequent flyer account number and PIN code, photographs and geo-location, yet, according to the complaint, a privacy policy does not exist “in the application itself, in the platform stores from which the application may be downloaded, or on Delta’s website.” To that end, the complaint avers that “the Delta website privacy policy does not indicate that it collects geo-location data or photographs.”

CalOPPA was enacted in 2004, before the smartphone revolution, so it does not specifically target smartphones or mobile applications. While the Act does not expressly apply to mobile apps, the California AG takes the position that it does and cites to the fact that mobile applications are deemed “online services” under the federal Children’s Online Privacy Protection Act (COPPA) in support of its position.

Companies can expect more enforcement actions from California’s AG, as well as from other state AGs and federal agencies such as the Federal Trade Commission (FTC). In fact, the FTC just released a report that says a large number of mobile apps that target children collect and share PII with third parties without parental disclosure and the agency plans to launch an investigation into potential COPPA violations. California has been leading the charge with respect to privacy enforcement and Kamala Harris has clearly staked out the privacy arena as a critical part of her administration’s enforcement agenda. In February, she struck an agreement to improve privacy protections with six of the largest mobile and social app companies: Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion, and Facebook joined the settlement in June. Over the summer, Harris formed a new Privacy Enforcement and Protection Unit charged with regulating privacy issues and enforcing California’s various privacy laws.

So what does this all mean for businesses? There are a number of takeaways for companies with an online and/or mobile presence:

• Do not ignore your privacy obligations, because enforcement actions will only continue to increase in the coming months. The consequences of non-compliance can be severe. The AG seeks penalties against Delta of up to $2,500 for each violation (the UCL's statutory maximum per violation), and asserts that a violation occurs each time the app has been downloaded since its launch in 2010. Given the app's download volume, this could easily result in tens of millions of dollars in penalties. Delta may also find itself the target of civil class actions under California's UCL, although class members would still have to overcome the Article III standing hurdle by showing a resulting harm.

• While the first CalOPPA enforcement action happened to be against an app developer, the statute was crafted with websites in mind and any company that maintains a website that collects PII of a California resident must have a privacy policy “conspicuously posted” on its website that complies with the Act.

• Having a CalOPPA-compliant privacy policy is only the first step, however, and a policy can actually create liability for a company if it is not followed. Under CalOPPA’s provisions, the AG’s office is not obliged to issue a 30 day warning if it determines that a company is willfully, or negligently and materially, failing to comply with its posted policy. Policies should be crafted with the involvement of technology personnel and reviewed and updated annually to ensure they mirror the company’s practices involving the collection and sharing of PII.

• If a business has a mobile app that collects PII (and most do) then, at a minimum, the privacy policy on the website should cover the mobile app. Yet, California’s AG seems to have an expectation that the privacy policy should be posted within the app itself, which raises a number of complexities. The limited space on the screen of a smartphone makes it difficult to post a policy “conspicuously,” especially when the prime screen space is understandably devoted to the main purpose of the app: to promote the service and/or product and drive sales. The policy should be written in plain (i.e., non-technical) language and should not be stuck at the end of lengthy text that takes forever to scroll through, nor should it be buried several pages into the app.

The tension between online behavioral advertising and the many user benefits generated through the personalization of an individual’s online experience versus mounting state and federal agency privacy concerns will only continue to grow. Companies doing business on the Internet and the mobile space should regularly assess and modify their privacy practices to avoid being the target of a future enforcement action.

Non-Lawyers’ Guide to TCPA Compliance

Tuesday, December 4th, 2012

A number of lawsuits have been filed (wild understatement – truly hundreds) in recent years under the Telephone Consumer Protection Act (TCPA), a federal law that regulates certain forms of direct marketing.  While the law was originally passed in the early nineties (well before the advent of cell phones), many lawsuits have been filed in recent years asserting that companies’ mobile marketing campaigns are illegal.  For instance, by now most marketers have heard about the TCPA lawsuit pending against Papa John’s in Seattle; in that case, the judge just certified the case as a class action meaning that the plaintiff can represent a class of other persons who received similar unsolicited texts from PJ’s franchisees.  Based on the ruling, all persons in the United States of America who were sent, to their cellular telephone numbers, at least one unsolicited text message that marketed a Papa John’s branded product, good, or service through OnTime4U, a text marketing vendor, could be awarded $500 or more in damages per text, a total of up to $250 million, if the lawsuit is successful.  It is important to note that PJ’s (the franchisor) contends that it had no involvement in the mobile campaign at issue.  An individual franchisee’s decision to send unsolicited texts can subject many entities to potential liability.  It can be very difficult (and expensive) for a franchisor to prove a negative – that is, that it had no involvement in a mobile campaign that was not compliant with the TCPA.

Marketers should also keep in mind that merely because consumers provide their contact information (including mobile number) that does not mean that they have consented to receive unsolicited marketing messages on their mobile devices.  For instance, in the PJ’s case, the franchisees provided their marketing company – OnTime4U – with lists of telephone numbers of individuals who had purchased pizza from them, generated out of a proprietary Papa John’s “point of sale data entry system” that tracks customer and order information.  The marketing services provider allegedly told PJ’s franchisees that it was legal to send texts without express customer consent because there was an existing business relationship as a result of the provision of the numbers in the context of ordering pizzas for delivery. 

That is not the widely accepted view of consent under the law.  However, as we will detail in a soon-to-be-published post, at least one federal judge has recently ruled that the provision of a mobile user’s number – without more – was sufficient to evidence prior express consent to receive text messages because “distributing one’s cell number is an invitation to be called.”  That case, Pinkard v. Wal-Mart, expressly put the burden on plaintiff (the subscriber) to limit the scope of consent provided by provision of her cell number.

If the PJ’s lawsuit is successful, it would result in the largest verdict to date under the TCPA.  However, high recoveries are not uncommon.  For example, in August, Jiffy Lube’s largest U.S. franchisee agreed to pay $47 million to settle a similar text messaging class action and the International Academy of Design and Technology settled a text messaging class action for $20 million.  Sallie Mae recently settled a case for $20+M as well.

Based on these lawsuits, there are a few considerations to keep in mind:

1.     Text messages are calls under the law.

2.     Unsolicited text messages ARE illegal.

3.     Express prior consent is required to send text messages – buying a pizza (or other similar business transaction) does not establish consent to receive text messages. 

4.     Express consent requires clear and conspicuous disclosure by the company, providing a short code by which a consumer can opt-in, and providing an opt-out mechanism in each and every text sent.

5.     Be cognizant of the potential application of the TCPA (as well as other privacy considerations) in every proposed mobile marketing campaign.  For example, does an invitation to forward a text to a friend implicate the TCPA?  The friend who receives the text may complain that he or she did not consent to the text (even though it came from their friend and not the company) and thus sue under the TCPA.  Or, does an invitation to a customer to text a particular short code to receive an immediate coupon constitute sufficient disclosure of the terms and conditions of the mobile program, such that the subscriber's consent was sufficiently informed?

6.     Franchisors may be liable even if they had no involvement in the challenged text messaging campaigns – franchisees should be informed of the risks of text messaging campaigns.

7.     Consult with legal counsel before going live with any marketing campaign or providing consumer data to any third-party, including marketing services providers. 

8.     Maintain any and all information regarding a proposed mobile campaign.  Specifically, do NOT instruct vendors or franchisees to destroy lists previously used or to delete information; this only causes more problems if and when litigation ensues.

For additional information regarding TCPA lawsuits, please see:

Mobile Device Privacy Act Introduced

Tuesday, December 4th, 2012

We wanted to take a minute amidst all of the recent flurry of TCPA activity (don’t worry, we will return to it in the next post) to mention yet another privacy bill introduced in Congress recently.  Below is a post from Meg Daday, an associate in our Chicago office, regarding the Mobile Device Privacy Act.

* * * * *  

Hailing a taxi, depositing a check, losing weight – you name it, there’s an app for it.  However, according to Rep. Ed Markey (D – Mass.) these apps “very commonly access our sensitive information – our location, our photos, Web browsing, history” and “do this without prior notice and even when the app isn’t currently being used.”

On September 12, 2012, Markey, the co-chair of the Bi-Partisan Congressional Privacy Caucus, introduced the Mobile Device Privacy Act, H.R. 6377, which requires the Federal Trade Commission, in consultation with the Federal Communications Commission, to require that mobile phone manufacturers, service providers, operating systems, and application developers make disclosures in a "clear and conspicuous manner" at the point of sale or download about any "monitoring software" the entity installs on a mobile device.  "Monitoring software" is defined as software that "has the capability to monitor the usage" of the mobile device or the location of its user, and to transmit that information to another device or system.  The bill requires device sellers and app developers to obtain the user's "express consent" before monitoring or transmitting any information collected.  Consumers must be allowed to terminate the collection and transmission of data at any time.

The legislation requires first and third parties that collect personal information to have policies in place to secure the data and a process for disposing of or permanently deleting such information.  It further requires all third-party agreements for the transmission of information to be filed with the FTC and/or FCC and allows the FTC, FCC, and state attorneys general to take actions against mobile companies that violate the regulations.  Notably, it also allows consumers to file private rights of action against mobile companies to obtain injunctive relief, actual monetary loss from the violation and/or up to $1000 in damages for each violation, treble damages for “wilful and knowing” violations, costs and attorney’s fees.

The bill is a result of controversy last year over Carrier IQ, software that wireless operators installed on smartphones in order to help track network congestion and end-user quality problems.  Although the software was intended to improve service, Android developer Trevor Eckhart posted a video showing how the software logged keystrokes, text messages, web searches and other activities without the user's knowledge or permission, which is precisely the kind of undisclosed device monitoring the bill targets.  Wireless carriers have since stated that they have disabled Carrier IQ so that diagnostic information and data are no longer being collected.
