This presentation is from Affiliate Summit East 2014 (August 10-12, 2014 New York City).
Session Description: Like it or not, you’re in the ‘big data’ industry. I will discuss best practices, privacy concerns, and avoiding legal liability while maximizing opportunities when handling this precious commodity.
2. TOPICS
»Big Data
- What is PII?
»Reports on data brokers
»Federal Trade Commission initiatives
»Other state / federal / international initiatives
»Data in Behavioral Advertising
»Data in Social Media
Data – The Lifeblood of the Affiliate Industry2
5. DEFINITIONS – WIKIPEDIA
»Big data is a blanket term for any collection of data
sets so large and complex that it becomes difficult
to process using on-hand database management
tools or traditional data processing applications
»An information broker (independent information
professional, information consultant) collects and
sells information. Uses include targeted ads, market
research, consumer scoring, patent searches, and
election campaigns. The industry has been
criticized for being unregulated and opaque
Data – The Lifeblood of the Affiliate Industry5
6. WHAT IS PERSONAL INFORMATION?
»U.S. definition – ?
- COPPA
- HIPAA – “protected health information”
- GLB – “nonpublic personal information”
- State security breach notification laws
»E.U. definition – Any information relating to an identified or
identifiable natural person (data subject); an identifiable
person is one who can be identified, directly or indirectly, in
particular by reference to an identification number or to one
or more factors specific to his physical, physiological,
mental, economic, cultural or social identity
(E.U. Data Protection Directive 95/46/EC)
Data – The Lifeblood of the Affiliate Industry6
7. »In re: Hulu Privacy Litigation, Case No: 11-03764
(N.D. Cal. 2012)
- Video Privacy Protection Act
• “Personally identifiable information” includes
information which identifies a person as having
requested or obtained specific video materials or
services from a video tape service provider
- Data transmitted by clicking the Facebook ‘LIKE’
button could be deemed to be “Personally Identifiable
Information,” which means such information identifies
a person as having requested or obtained specific
video materials from a Video Tape Service Provider
Data – The Lifeblood of the Affiliate Industry7
EXPANDING SCOPE OF
PERSONAL INFORMATION
9. FTC (MARCH 2012)
9
»Protecting Consumer Privacy in an Era of
Rapid Change: Recommendations For
Businesses and Policymakers
- “[t]he Commission recommends that Congress
consider enacting targeted legislation to provide
greater transparency for, and control over, the
practices of information brokers.”
Data – The Lifeblood of the Affiliate Industry
10. »Rep. Ed Markey (D-Mass.) and Rep. Joe Barton
(R-TX) sent letters July 2012 to nine data companies
asking detailed questions about their practices
“The business of data brokerage, namely the collecting,
assembling, maintaining, and selling to third-parties of
consumers’ personal information, has grown into a
multiple billion dollar industry. By combining data from
numerous offline and online sources, data brokers have
developed hidden dossiers on almost every U.S.
consumer. This large scale aggregation of the personal
information of hundreds of millions of American citizens
raises a number of serious privacy concerns.”
Data – The Lifeblood of the Affiliate Industry10
11. »Rep. Ed Markey (D-Mass.) and Rep. Joe Barton
(R-TX) sent letters July 2012 to nine data companies
asking detailed questions about their practices
11 Data – The Lifeblood of the Affiliate Industry
- Methods of collection
- Use of social media
- Use of mobile services
- Products and services
(both online and offline)
- FCRA compliance
- Consumer data access
- Consumer data opt-out
- Consumer data updates
- Consumer data deletion
12. CHAIRWOMAN RAMIREZ
(AUGUST 2013)
12
»Chairwoman Ramirez listed perceived risks of “big data:”
- Indiscriminate collection of data
- Need to ensure meaningful consumer choice
- Data breach (risk of improper disclosure of sensitive
information)
- Behind-the-scenes profiling
- “Data determinism” (use of data to “make
determinations about individuals, not based on
concrete facts, but on inferences or correlations”)
Data – The Lifeblood of the Affiliate Industry
13. CHAIRWOMAN RAMIREZ
(AUGUST 2013)
»“To me, the FTC is like the lifeguard on a beach.
Like a vigilant lifeguard, the FTC’s job is not to
spoil anyone’s fun but to make sure that no one
gets hurt. With big data, the FTC’s job is to get out
of the way of innovation while making sure that
consumer privacy is respected”
13 Data – The Lifeblood of the Affiliate Industry
14. FTC STATEMENT TO CONGRESS
(DECEMBER 2013)
14
»FTC Prepared Statement – “What information do
data brokers have on consumers, and how do
they use it”
- Lack of transparency
- No reasonable access to data
- FCRA
Data – The Lifeblood of the Affiliate Industry
15. FTC COMMISSIONER BRILL
»‘Reclaim your name’ initiative
»Don’t focus solely on data usage
- Robust and meaningful notice
- Choice
- Collection minimization
Data – The Lifeblood of the Affiliate Industry15
16. »New breach notification law
»Consumer Bill of Rights
»Amend ECPA
»Discriminatory outcomes of big data analytics – ‘digital
redlining’
»“The big data revolution presents incredible
opportunities in virtually every sector of the economy
and every corner of society”
16 Data – The Lifeblood of the Affiliate Industry
17. FTC – DATA BROKERS:
A CALL FOR TRANSPARENCY AND
ACCOUNTABILITY (MAY 2014)
»Data Brokers = Companies that collect consumers’
personal information and resell or share that information
with others
»They operate with a “fundamental lack of transparency”
»Consumers are “largely unaware that data brokers are
collecting and using this information”
»It is “virtually impossible” for a consumer to determine how
a data broker obtained his or her data
»Consumer choices are “invisible” and “incomplete”
»Call for legislation
»Access; opt-outs; disclosures of sources
17 Data – The Lifeblood of the Affiliate Industry
19. CalOPPA - CALIFORNIA AB 370
(SEPTEMBER 2013)
»Amendment to California Online Privacy
Protection Act (CalOPPA)
»Three new privacy policy disclosure requirements
(Seven total)
»Disclose how a publisher responds to a “DNT”
signal or similar mechanism if that publisher
engages in online behavioral advertising
»Cure period
»Effective January 1, 2014
Data – The Lifeblood of the Affiliate Industry19
20. CA ATTORNEY GENERAL –
“MAKING YOUR PRIVACY PRACTICES
PUBLIC” (MAY 2014)
»AG – the practice of online tracking is “invisible” to
consumers because consumers whose browsers
send a DNT signal cannot easily determine how a
site or service responds to the signal
Data – The Lifeblood of the Affiliate Industry20
21. CA ATTORNEY GENERAL –
“MAKING YOUR PRIVACY PRACTICES
PUBLIC” (MAY 2014)
»Operators should:
- Clearly identifying the sections of the privacy policy
in which their policy regarding online tracking or
how it responds to consumers’ DNT signals is
described
- Describe the response to browser DNT signals or
to such other mechanisms in the privacy policy
- Privacy policy link to a program or protocol that
offers consumers a choice about online tracking
- Disclosing the presence of other parties that collect
personally identifiable information on the website or
service, if any are present
Data – The Lifeblood of the Affiliate Industry21
22. CALIFORNIA SB 568
»Right of erasure for CA minors for online services
»Notify minors of these rights and provide clear
instructions
»Doesn’t extend to third party usage
»Effective January 1, 2015
Data – The Lifeblood of the Affiliate Industry22
26. FEDERAL TRADE COMMISSION ACT §5
»“Unfair methods of competition in or affecting
commerce, and unfair or deceptive acts or practices in
or affecting commerce, are hereby declared unlawful”
- Deception = Misrepresentations or omissions likely to
mislead consumers acting reasonably under the
circumstances
- Unfairness = causes or is likely to cause substantial
consumer injury, not reasonably avoided by the
consumer, and not outweighed by countervailing
benefits to consumers or competition
26 Data – The Lifeblood of the Affiliate Industry
27. Data – The Lifeblood of the Affiliate Industry27
PRIVACY POLICIES
»FTC Fair Information Practice Principles
http://www.ftc.gov/reports/privacy3/fairinfo.Shtm
- Notice
- Choice
- Access
- Security
- Enforcement
»It’s all about transparency and consumer
expectations
28. FTC PROPOSED PRIVACY
“FRAMEWORK” DECEMBER 2010
»“Privacy by design”
»Simplified consumer choice
- Commonly accepted practices
- Do not track
»Increased transparency
- Disclosures
- PII v. Non-PII
»Data brokers
28 Data – The Lifeblood of the Affiliate Industry
29. FTC V. SNAPCHAT
(MAY 2014)
»FTC asserted Snapchat deceived consumers
over:
I. Disappearing messages
II. Amount of data collected
III. Type of data collected
IV. Security measures
»Commissioner Ramirez: “Any company that
makes misrepresentations to consumers about its
privacy and security practices risks FTC action”
»20 year consent order
Data – The Lifeblood of the Affiliate Industry29
30. FTC V. GMR TRANSCRIPTION
SERVICES (JANUARY 2014)
»50th data security consent order
»Independent medical transcription contractors
»Independent contractors transmitted medical files
in clear readable text
»“The lawsuit also alleges that GMR didn’t monitor
what [its subcontractor] was doing to protect the
highly sensitive information in its possession.
Taken together, the FTC says that GMR’s course
of conduct violated Section 5”
»Vendor liability
30 Data – The Lifeblood of the Affiliate Industry
32. SEN. JAY ROCKEFELLER (D-WV)
»Do Not Track Online Act of 2013
»Orders FTC to implement regulations that
“establish standards for the implementation of a
mechanism” for consumers to simply and easily
indicate a preference to have PIE collected by
service providers
»Exceptions for collection that are necessary to
provide a service requested by a user
»Not yet enacted
32 Data – The Lifeblood of the Affiliate Industry
33. SEN. JAY ROCKEFELLER (D-WV)
»Data Broker Accountability and Transparency Act
of 2014 (DATA Act)
»Introduced February 2014
»Prohibits deception
»Requires data access to correct or opt-out
»Not yet enacted
33 Data – The Lifeblood of the Affiliate Industry
34. CALIFORNIA SB 1348 (FEBRUARY 2014)
»Introduced February 21, 2014
»Requires online data brokers to notify consumers
when the broker transfers their personal information
to a third party and to provide a description of the
content of the information and the identity of the
purchaser
»Still in committee
Data – The Lifeblood of the Affiliate Industry34
36. Hot Topics in: Advertising, Social Media and Consumer Privacy Law36
ACXIOM – ABOUT THE DATA
37. CONSUMER CHOICE –
THE E.U. MODEL
»Mario Costar Gonzalez
»“The right to be forgotten”
»Google – E.U. Court of Justice
»Search engines are “data
controllers” (even non-E.U.)
»Right already exists without
the proposed data protection
regulations
»Newspaper can keep it up
37 Data – The Lifeblood of the Affiliate Industry
38.
39. WHAT DOES CONSUMER CONTROL
LOOK LIKE?
»Notice and choice
»Transparency
»Access
»Modification / correction
»Deletion / opt-out
»Uses
* Don’t forget contractually required disclosures in a
privacy policy
Data – The Lifeblood of the Affiliate Industry39
42. Hot Topics in: Advertising, Social Media and Consumer Privacy Law42 Hot Topics In Consumer Privacy42
43. Data – The Lifeblood of the Affiliate Industry43
BEHAVIORAL ADVERTISING
»Federal Trade Commission – December 20, 2007
Online Behavioral Advertising – Moving the Discussion
Forward to Possible Self-Regulatory Principles
- Transparency and consumer control
- Reasonable security, and limited data retention,
for consumer data
- Affirmative express consent for material changes
to existing privacy promises
- Affirmative express consent to (or prohibition
against) using sensitive data for behavioral
advertising
44. Data – The Lifeblood of the Affiliate Industry44
BEHAVIORAL ADVERTISING
AAAA/ANA/DMA/IAB – July 2009
»7 principles: Education; Transparency; Consumer
Control; Data Security; Material Changes;
Sensitive Data; Accountability
45. Data – The Lifeblood of the Affiliate Industry45
DIGITAL ADVERTISING ALLIANCE (DAA)
WWW.ABOUTADS.INFO
»Self-Regulatory Principles for Online Behavioral
Advertising
»License Icon
»Implementation
- Evidon
- Truste
46.
47. WORLD WIDE WEB CONSORTIUM
(W3C) DO NOT TRACK
»DNT refers to interactive companies honoring a
user’s browser preference settings to stop online
tracking through the use of cookies and other
technologies by all sites through that user’s browser
(rather than opting out of tracking site by site)
»W3C is working with browser vendors and industry
groups for the “complete implementation of an easy-
to-use, persistent, and effective Do Not Track
system”
»Participants in the W3C include representatives of
Apple, AT&T, eBay, Google, Microsoft, Yahoo!
among others
Data – The Lifeblood of the Affiliate Industry47
48. WORLD WIDE WEB CONSORTIUM
(W3C) DO NOT TRACK
»Many open issues remain regarding
implementation, exceptions and response to
receiving a DNT signal
»1st Parties vs. 3rd Parties
»1st Party must not pass data to a non-service
provider 3rd Party
»Financial logging permitted
»Affiliate/attribution tracking ?
Data – The Lifeblood of the Affiliate Industry48
49. THE BROWSERS
Microsoft IE
announced that
Internet Explorer 10
will have DNT turned
“on” by default
Mozilla Firefox
includes DNT option
Data – The Lifeblood of the Affiliate Industry49
Apple Safari
Blocks third
party cookies
Google Chrome
Functionality
built in
50. WHAT’S NEXT AFTER THE COOKIE?
»Cookies
»Device fingerprinting
»Canvas fingerprinting
»Other persistent identifiers (UNDID)
»Location-based services
»Cross-device tracking
»Pixel tags / web beacons
»De-identified data segments
»Need new technological solutions vs. standard
“notice and choice” constructData – The Lifeblood of the Affiliate Industry50
52. FTC STAFF REPORT –
MOBILE PRIVACY DISCLOSURES
(FEBRUARY 2013)
»Provide “just in time” disclosures to obtain
affirmative express consent
»Develop one-stop “dashboards”
»Develop icons to depict transmission of data
»Require App developers to meet these standards
»Platforms should disclose to consumers the extent
of the testing and review
»Implement Do Not Track
»Better coordination between platforms –
advertising networks – App developers
52 Data – The Lifeblood of the Affiliate Industry
53. Hot Topics in: Advertising, Social Media and Consumer Privacy Law53 Hot Topics in Social Media and Mobile Marketing Law53 Social Media and Privacy53
54. Data – The Lifeblood of the Affiliate Industry54
CHILDRENS ONLINE PRIVACY PROTECTION
ACT – 13 U.S.C.§1301 et seq.
»All website operators who intend to reach children
under the age of 13 or have actual knowledge
(regardless of the age group targeted by their
website) that children under the age of 13 visit
their website must
- Post a privacy policy
- Obtain “verifiable parental consent”
- Advise parent/legal guardian that they can
review the child’s personal information
- Establish and maintain reasonable security
procedures
55. EXPANDING SCOPE OF
PERSONAL INFORMATION
»FTC Consent orders – “Persistent identifiers”
»COPPA Amendments 2013 – Definition of personal
information expanded to include any “persistent
identifier that can be used to recognize a user over
time and across different websites or online services”
- Carve out for “support for internal operations”
Certain internal activities would not be considered
a collection of PI, as long as the information
collected is not used or disclosed to contact a
specific individual(e.g., site maintenance and
analysis)
Data – The Lifeblood of the Affiliate Industry55
58. Data – The Lifeblood of the Affiliate Industry58
ENDORSEMENTS/TESTIMONIALS
»Endorsement/Testimonial = Any advertising message
which message consumers are likely to believe reflects
the opinions, beliefs, findings, or experience of a party
other than the sponsoring advertiser”
»Must be honest and not deceptive
»Disclosure of material connections:
“When there exists a connection between the endorser
and the seller of the advertised product which might
materially affect the weight or credibility of the
endorsement (i.e., the connection is not reasonably
expected by the audience), such connection must be
fully disclosed”
59. Data – The Lifeblood of the Affiliate Industry59
FTC’S REVISED ENDORSEMENT GUIDES
»A blogger/word-of-mouth marketer has a duty to
disclose any “material connections” with an advertiser
(e.g., payments or free products that the consumer
would not expect)
»Celebrities have a duty to disclose their relationships
with advertisers when making endorsements outside
the context of traditional ads, such as on talk shows,
blogs or in social media
»Employees who promote their employer’s products or
services in social media should clearly and
conspicuously disclose their employment relationship
60. FTC VS. COLE HAAN
(MARCH 2014)
»#Wanderingsole
»Contest - $1,000
»FTC – “We believe that participants' pins featuring
Cole Haan products were endorsements of the
Cole Haan products, and the fact that the pins
were incentivized by the opportunity to win a
$1000 shopping spree would not reasonably be
expected by consumers who saw the pins”
Data – The Lifeblood of the Affiliate Industry60
64. 64 From Arenas to Zooey: Recent Attempts to Expand Right
of Publicity Claims
64 The Basics of Advertising & Marketing Law64
QUESTIONS?
Gary Kibel
Partner, Digital Media, Technology & Privacy
Davis & Gilbert LLP
gkibel@dglaw.com
212.468.4918
@GaryKibel_law