California Attorney General Offers Online and Mobile 'Do Not Track' Privacy Policy Recommendations

 By Jonathan D. Jaffe and Jeremy M. McLaughlin

California Attorney General Kamala Harris recently issued guidance to help companies provide more “meaningful” privacy policies. Entitled “Making Your Privacy Practices Public,” the recommendations consolidate previously issued guidance and provide new information regarding online tracking and Do Not Track signals. As the guidance document indicates, the recommendations “are not regulations, mandates or legal opinions” and offer greater protections than those required under existing law. Clearly, though, they reflect the attorney general’s preferences and what she believes are privacy best practices.

The recommendations were prompted by amendments to the California Online Privacy Protection Act of 2003. CalOPPA requires any company that collects personally identifiable information from California consumers through a commercial website or a mobile application to post a conspicuous privacy policy. The policy must include: (1) the categories of PII collected and the categories of third parties with whom such information is shared; (2) information on how, if possible, a consumer can review and request changes to the PII being collected; (3) information on how consumers will be notified of material changes to the policy; and (4) the policy’s effective date.

CalOPPA does not prohibit online tracking or prescribe the manner in which an operator should respond to a DNT signal. Rather, it requires two additional disclosures to be in a company’s privacy policy. First, if a company collects PII about a consumer’s online activities over time and across third-party websites, the privacy policy must either (a) provide information on how the website operator responds to a browser’s DNT signal or (b) provide a conspicuous link to a protocol that offers consumers a choice about online tracking and a description of the protocol’s effects. Second, an operator must disclose in its privacy policy whether third parties may collect PII when a consumer uses the operator’s site.

Among other things, the recommendations provide guidance on complying with the DNT provisions of CalOPPA. For example, the Attorney General prefers that an operator opts for choice (a) rather than (b) ─ that is, explain in the privacy policy (rather than a link to a protocol) how the operator responds to a DNT signal. In that description, the company should state whether it treats consumers who use DNT mechanisms differently than those who do not, and how the treatment is different. In addition, the operator should inform consumers whether it continues to collect PII after a DNT signal is received and, if so, how it uses that information. The recommendations also touch on other ways to improve privacy policy transparency for consumers, including the use of certain labels and improved readability.

The California Attorney General’s office has been at the forefront of enforcing privacy laws, including filing suit against Delta Airlines for alleged CalOPPA violations. Moreover, the White House and the FTC have indicated interest in this area. Because enforcement of privacy laws ─ including Do Not Track laws ─ is a sure bet, businesses should consider adopting these best practices, if for no other reason than to divert regulatory scrutiny.

TMT Round-up: Developments on Unlocked Phones; FTC Backs Do Not Track Standard Despite Ad Industry Objections; German Team Sets Wi-Fi Data Transmission World Record

 By Jenny Paul, Nickolas Milonas and Marc Martin

NTIA petitions FCC for rule requiring unlocked phones

The National Telecommunications and Information Administration is seeking new regulations that would require wireless carriers to unlock mobile phones, tablets and other devices upon the customer’s request.

 The NTIA filed a petition with the Federal Communications Commission in September, asking the FCC to immediately initiate a rulemaking that would shift the burden of unlocking mobile devices from consumers to wireless carriers.  Unlocking a device allows the device to be used on the networks of other carriers, not just the network of the carrier from which it was purchased.  Removing a lock on a mobile device would not affect the terms of the contract or the related penalties for termination between the consumer and the wireless carrier, according to an NTIA release.

FTC backs Do Not Track standard despite advertisers’ withdrawal from talks

Federal Trade Commission Chairwoman Edith Ramirez remains hopeful that the industry can create a Do Not Track standard, despite news that advertisers withdrew from online tracking talks at the World Wide Web Consortium.

A Do Not Track standard could allow consumers to opt out of online tracking or exercise more control over how their online activities are recorded.  The Digital Advertising Alliance withdrew from the W3C talks in September, saying it “no longer believes that the [W3C working group] is capable of fostering the development of a workable ‘do not track’ . . . solution.”

The DAA said it would work separately to consider options for enhancing consumer privacy, “rather than continuing to work in a forum that has failed.”

“[W]e intend to commit our resources and time in participating in efforts that can achieve results while enhancing the consumer digital experience,” DAA managing director Lou Mastria said in a letter to the W3C.  “The DAA will immediately convene a process to evaluate how browser-based signals can be used to meaningfully address consumer privacy. . . . This DAA-led process will be a more practical use of our resources than to continue to participate at the W3C.

Although Ramirez said she was disappointed by the DAA’s departure, she noted that a Do Not Track standard still could be reached.  “[M]y end goal on Do Not Track remains for consumers to have meaningful choices not to be tracked, whether that option emerges from within or outside the W3C,” Ramirez said in a statement.

German Team Sets Wi-Fi Data Transmission World Record

A team of scientists from the Fraunhofer Institute for Applied Solid State Physics (IAF) and the Karlsruhe Institute of Technology (KIT) recently set the world record for wireless data transmission at 100 Gigabits per second.  The team’s Wi-Fi network transmitted data at a frequency of 237.5 GHz over a 20-meter distance in controlled laboratory conditions. 

While such high-frequency signals allow for intensive data transfers, the propagation characteristics of these signals do not allow for long-distance travel and are easily disrupted by obstacles (e.g., buildings, walls, etc.).  At a rate of 100 Gbps, for example, you can transfer the contents of an entire Blu-ray disc in two seconds.  The team of scientists at IAF and KIT set the previous Wi-Fi data transmission record at 40 Gbps, and that technology was tested by sending data signals between the peaks of skyscrapers.  The team hopes that its new technology can be used in rural areas as “an inexpensive and flexible alternative to optical fiber networks, whose extension can often not be justified from an economic point of view.”  The same technology could also be used to patch holes in existing fiber lines.  One of the scientists also noted the use of multiplexing techniques (transmitting multiple streams) and multiple antennas could facilitate data rates of 1 terabit per second.

California Ups Privacy Ante With Passage of Digital Eraser, Do Not Track Laws

By Jenny Paul and Marc Martin


The state of California passed two laws in recent weeks aimed at bolstering the privacy protections offered by websites and mobile apps.  The first, SB 568, gives minors a digital eraser of sorts by requiring the operators of minor-focused websites and mobile apps to provide a mechanism for removing content posted by minors who are registered users.  A website or mobile app can comply with the law by permitting minors to make content removal requests or by giving clear instructions on how a minor user can remove his or her own postings.   

 In addition, affected websites and apps must also provide minor users with notice that deletion will not ensure complete or comprehensive removal of the content in question.  The law, which was signed by Gov. Jerry Brown Sept. 23, also prohibits operators of minor-targeted websites and mobile apps from marketing or advertising to a minor specified types of products or services, including alcoholic beverages, firearms, tobacco and permanent tattoos.  The law takes effect Jan. 1, 2015.

The second privacy-oriented law, AB 370, requires all websites that collect personally identifiable information to disclose how they respond to web browser “do not track” signals or similar mechanisms that allow browser users to make a choice about the collection of information that reveals an individual’s online activities over time and across third-party websites or online services.  A website operator may comply with the law by providing a link in its privacy policy to a description of any protocol the operator follows that offers users the choice to opt out of Internet tracking.  Gov. Brown signed the law Sept. 27, and it takes effect Jan. 1, 2014.  Given California’s prior application of its online privacy requirements to mobile applications, the new tracking law’s requirements likely will apply to mobile applications, although the law does not specifically address that issue.

Consumer Privacy Report Released By FTC

By J. Bradford Currier and Lauren B. Pryor

The Federal Trade Commission recently released its long-awaited Final Report on protecting consumer privacy, in which it stated that consumers should have more choice and control over how their personal information is collected and used. The FTC’s Final Report offers non-binding recommendations for companies “that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.” The Final Report comes more than a year after the FTC first issued its proposed framework for regulating consumer privacy and just a month after the White House released a proposed Consumer Privacy Bill of Rights

Recognizing the potential burden of the Final Report’s recommendations on small businesses, the FTC stated that its conclusions did not apply to companies that merely collect and do not transfer non-sensitive data on fewer than 5,000 consumers a year. Similarly, a company’s data collection practices may fall outside the scope of the Final Report if:  (1) a given data set has been reasonably stripped of personally identifiable information; (2) the company publicly commits not to re-identify such information, and (3) the company requires any secondary users of the data to keep it in de-identified form. While the majority of the Final Report discusses protecting consumer privacy online, the FTC noted that its recommendations would also apply to companies collecting personal information offline, such as financial institutions and healthcare industries. With these qualifications, the Final Report provides three best practices for companies collecting personal information from consumers:

(1)        Privacy By Design

The Final Report recommends that companies build in consumer privacy protections at every stage of the development of their products and services. Specifically, companies should incorporate reasonable procedures for collecting, securing, and retaining customer data. The Final Report commends a number of leading online service companies that have adopted stringent encryption systems in the face of increasing cyberattacks. Companies should limit data collection to activities which are “consistent with the context of a particular transaction,” and provide prominent notices to consumers regarding the collection of data unrelated to the requested service. Companies should also destroy consumer data when the company no longer needs this information to provide the requested service. On this point, the FTC expressed support for offering consumers an “eraser button” on social media websites to allow the deletion of personal information at the user’s discretion. Additionally, companies should ensure that data collected remains accurate and offer customers an opportunity to correct erroneous information. By adopting these policies, most online services’ default privacy settings would be strong.

(2)        Simplified Consumer Choice

The FTC also advised companies to provide easy-to-use mechanisms allowing customers to determine how their data is collected and used. The application of the simplified consumer choice policy will vary depending on the context of the interaction between the company and the consumer. For example, a car dealership may send a coupon to a customer based upon personal information obtained during prior purchases at the dealership without providing the customer with a choice. By contrast, if the car dealership intends to sell that customer’s personal information to a third-party data broker for use in unrelated marketing activities, the car dealership must provide the consumer with the ability to prevent the sale of his or her information. 

For most online services, the FTC suggested that companies allow users to choose data sharing preferences during the registration process or at least before any personal information is collected. The FTC identified company practices requiring consumers to disclose personal data in order to obtain important services on a “take it or leave it basis” as especially problematic and inconsistent with the public interest. 

The Final Report generally concludes that companies should provide consumers with the ability to opt out of being tracked across third parties’ websites. However, the FTC stopped short of recommending that Congress pass “do not track” legislation and stated that the FTC would work closely with stakeholders to develop an industry-led solution. The FTC reaffirmed its commitment expressed in recent enforcement actions to requiring companies to give prominent disclosures and to obtain express affirmative consent for material retroactive changes to privacy policies and before collecting especially sensitive information such as health, financial, and precise geolocation data. The Final Report indicates that the FTC will host a workshop on the concerns raised by the data collection practices of large ISPs, search engines, and social networking platforms later this year.

(3)        Information Collection Transparency

In accordance with industry guidance on mobile applications released earlier this month, the Final Report calls for “clearer, shorter, and more standardized” privacy policies. This recommendation can result in a Catch-22: if brevity comes at the expense of accuracy, there is increased risk that a privacy policy will be deemed misleading, deceptive, or insufficient. The FTC noted that screen size limitations on mobile phones further compound the difficulties with providing sufficient privacy disclosures and stated that it will host a workshop in May 2012 regarding how mobile privacy disclosures can be short, effective, and understandable on small screens.

The Final Report also encourages transparency by recommending that companies allow consumers more options to access their personal data. Specifically, the FTC indicated its support for recent legislation which would give access rights to consumers for information held by data brokers. The Final Report also suggests that the data broker industry should explore the idea of creating a centralized website where data brokers identify themselves to consumers, describe how they collect consumer data, and disclose the types of companies to which they sell information. At a minimum, the Final Report asks all companies collecting personal data to improve their consumer outreach and education efforts relating to data privacy practices.

House Committee Launches Data Security and Electronic Privacy Review

In the wake of recent high-profile data breaches suffered by major companies that exposed over 100 million customer records to identity theft, the House Energy and Commerce Committee announced plans to conduct a sweeping review of the data security and privacy issues affecting American consumers and businesses. The Committee will divide the review into two phases by first surveying current security measures used to protect personal information online before turning to bolstering privacy protections for Internet users. Committee Chairman Rep. Fred Upton (R-MI) noted that the recent rise in cyber attacks seeking access to personal data necessitates a reassessment of the security standards used by companies that collect customer information. Communications and Technology Subcommittee Chairman Rep. Greg Walden (R-OR) echoed Sen. Upton’s concerns and stated that the review aims to produce policies which will strike a balance between protecting consumer information and maintaining innovation.

The Committee’s review will likely serve as a launching point to evaluate existing cybersecurity proposals and develop new data protection legislation. In April, Sen. John Kerry (D-MA) and Sen. John McCain (R-AZ) introduced the “Commercial Privacy Bill of Rights Act” to establish federal consumer privacy protections that would apply across industry sectors and level stiff civil penalties against companies that mishandle or lose customer information. To protect the privacy of young social media users, Rep. Joe Barton (R-TX) and Ed Markey (D-MA) proposed the “Do Not Track Kids Act,” which would establish a “Digital Marketing Bill of Rights for Teens,” require companies to erase personal information upon request, and prohibit the storage of user geolocation data. The storage of geolocation data garnered recent media attention following reports that Apple’s iPod and iPad operating systems tracked user movements through a software “bug” which the company later removed. States such as California have also attempted to force social media providers to afford customers more control over their online privacy settings, facing staunch opposition from many major Internet companies.

Despite some industry opposition, federal agencies, lawmakers, privacy advocates, and other online companies generally agree that some form of comprehensive data security legislation is necessary as more Americans disclose personal information online. The Committee has already heard testimony from companies damaged by cyber attacks that government support will be crucial to securing customer data.   More than 45 states and U.S. territories currently possess some form of data breach notification or protection laws, creating a confusing and occasionally contradictory patchwork of regulations for customers and businesses to navigate. With the announcement of its data security and privacy review, the Committee hopes to soon place these diverging policies under one legislative roof.

Senators McCain and Kerry Introduce Privacy Bill of Rights

On April 12, 2011, Senator John Kerry (D-MA) and Senator John McCain (R-AZ) introduced the “Commercial Privacy Bill of Rights Act of 2011” to establish the first federal statutory baseline of consumer privacy protection that would apply across industry sectors. The bill would govern how customer information is used, stored, and distributed online. We will provide more analysis soon, but for now, here are the highlights:

Information covered. The bill applies to broad categories of information, including names, addresses, phone numbers, e-mail addresses, other unique identifiers, and biometric data when any of those categories are combined with a date of birth, place of birth, birth certificate number, location data, unique identifier information (that does not, alone, identify an individual), information about an individual’s use of voice services, or any other information that could be used to identify the individual.

Right to security and accountability. Information-collecting entities would be required to implement security measures to protect user information and would be prohibited from collecting more individual information than is necessary “to enforce a transaction or deliver a service requested by that individual,” subject to certain exceptions.

Privacy by design. Entities would be required to implement privacy by design concepts, which would require entities to incorporate privacy protection into each stage of product or service development in a manner that is much more comprehensive than previously required anywhere in the United States.

Privacy policies. Entities would be required to have privacy policies or disclosures that clearly, concisely, and timely notify individuals of the entities’ practices “regarding the collection, use, transfer, and storage” of individual information, and entities would also be required to notify individuals when their practices undergo “material changes.”

Right to notice, consent, access and correction of information. The bill would offer individuals the option to opt-out of most information collection activities and require that individuals affirmatively consent to sharing certain information with third parties, and for an entity's collection of especially sensitive personal information. Entities would also have the right to access and correct information that entities maintain about them.

Service providers. The bill would require entities that contract with any service provider that has access to individual information to require the service provider to comply with the requirements of the bill, and to comply with the entity’s information policies and practices.

Third parties and data transfers. The bill would restrict the ability to transfer or share individual information with third parties, and would obligate the transferring entity to contract with any such third party for the protection of the individual information before transferring it.

Enforcement. The bill would empower state attorneys general and the Federal Trade Commission (“FTC”) to enforce the new restrictions. It would allow the FTC to develop safe harbor programs for authorized information collection.

Scope. The new rules would apply to non-profit organizations (a potential expansion of FTC authority), telecommunications common carriers (an expansion of FTC authority), and other entities which collect personal information on more than 5,000 individuals in a given year. The bill’s restrictions would not extend to federal and state governments or law enforcement agencies.

The privacy protections follow the decision by many popular Internet browsers to allow users to select a “do-not-track” feature for their searches. Leading Internet merchants and privacy watchdog groups praised the bipartisan bill, calling it “an important step” toward the development of a comprehensive national privacy law, while critics maintain that it does not go far enough to protect consumer privacy rights.