Privacy Alert: White House Privacy Report and App Actions May Change Privacy Landscape
We witnessed major developments in the U.S. privacy legal landscape this month. Most significantly, on February 23, 2012, the White House released its long-awaited report on consumer data privacy. A week earlier, on February 16, 2012, the Federal Trade Commission ("FTC") released a staff report on privacy issues relating to mobile apps, and just days later, the California Attorney General entered into an agreement with the six primary app platform providers to increase consumer awareness of their privacy policies.
These developments came on the heels of the sweeping proposed revision to the privacy and data protection regime within the European Economic Area, and we are still awaiting the release of the FTC's final staff privacy report and final revised Children's Online Privacy Protection Act ("COPPA") rule. All of these developments will have a significant impact on companies' advertising and marketing practices and raise complex legal issues. Agency enforcement and private litigation relating to consumer privacy are on the rise, and we expect that trend to continue as the landscape continues to evolve.
Below is a brief summary of these developments and some of their business implications.
White House Consumer Data Privacy Report
The White House framework, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, builds on the U.S. Department of Commerce ("DOC") December 2010 Green Paper, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework (available here). The core of the framework is a Consumer Privacy Bill of Rights, which the report describes as a "blueprint for privacy in the information age." The Administration advocates a multistakeholder approach to implement enforceable codes of conduct, as well as FTC enforcement of violations as unfair and deceptive trade practices under Section 5 of the FTC Act. The Administration also urges Congress to pass legislation that applies the Consumer Privacy Bill of Rights to sectors not subject to existing federal privacy laws and calls for a national security breach notification standard. Given the current state of political gridlock, Congressional action on federal privacy legislation in 2012 remains uncertain.
The Consumer Privacy Bill of Rights is comprised of the following principles, which are based on the globally recognized Fair Information Practice Principles ("FIPPs") that were also espoused by the DOC Green Paper:
- Individual Control over what personal data companies collect and how they use it.
- Transparency with regard to privacy and security practices.
- Respect for Context and purposes for which consumers provide data when collecting, using, and disclosing personal data.
- Security of personal data.
- Access and Accuracy in a manner appropriate to the sensitivity of the data and the risks to consumers if data is inaccurate.
- Focused Collection and limits on the personal data that companies collect and retain.
- Accountability and adherence to the Consumer Privacy Bill of Rights when handling consumers' personal data.
The Administration, led by the DOC National Telecommunications and Information Administration, plans to conduct forums for stakeholders to reach agreement on legally enforceable codes of conduct based on the Consumer Privacy Bill of Rights. It would be up to each company to decide whether to adopt a code, and the Administration seeks Congressional authority under the Administrative Procedure Act for the FTC to issue rules for reviewing and approving codes of conduct. The Administration also recommends giving the FTC authority to grant a "safe harbor" to companies that follow an FTC-approved code of conduct, and subjecting companies that do not adopt a code of conduct to general obligations of the legislatively adopted Consumer Privacy Bill of Rights. COPPA includes a "safe harbor" provision, but in its proposed revisions to COPPA, the FTC proposed some new, and potentially onerous, changes to the safe harbor program, including a provision requiring that reports be provided to the FTC regarding "any" action taken against a website. That creates significant concerns if this becomes a model.
The notion of enforceable codes developed by a multistakeholder process raises other important legal issues from an administrative procedures standpoint. A proposal to adopt a government-sponsored "voluntary code" for food marketing to children and teens through the Interagency Working Group drew both sharp rebukes from many members of Congress and intense criticism from industry members. It also creates questions about whether the success achieved through many self-regulatory initiatives addressing advertising and privacy issues will be hampered by this sort of precedent.
The development of enforceable codes of conduct and a privacy "bill of rights" may also spur more private litigation, in particular class action lawsuits, alleging violations of privacy rights. Implications for employers must also be considered. We have seen an increase in private litigation in the last few years over a range of privacy issues, such as the use of cookies and other technologies to track users online and the failure to adequately disclose such uses to consumers, companies' violations of their privacy and data security commitments, and companies' failures to adequately protect and secure personal information. No doubt litigation will increase as consumers' rights are expanded through codes of conduct.
FTC Mobile Apps Report
In its staff report, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing (available here), the FTC concluded that app stores and developers are failing to provide parents with the information they need to determine what data is collected from their children, how the data is shared, and who will have access to the data. According to the report, FTC staff was, in most instances, unable to determine from the app store page or the developer's landing page whether an app collected any data, the type of data collected, the purpose for collection, and who collected or accessed the data. The report recommends standardizing disclosures and icons for data security practices to identify issues such as whether the app will connect to social media and whether in-app advertisements are offered. The FTC plans to hold a workshop this year as part of its effort to update its DotCom Disclosures guidance where these ideas may be discussed.
The FTC has asserted that kid-directed apps are an online service covered by the COPPA rule, and has already initiated enforcement action under COPPA for violations of the COPPA rule by an app provider (click here to view the FTC press release). The next stage of its initiative on apps will include an assessment as to whether enforcement action is warranted as to any of the apps reviewed in its report.
California AG Agreement
Just days after the FTC released its mobile apps report, the California Attorney General announced that an agreement was reached with the six primary app platform providers: Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion (the AG announcement is available here). Importantly, the agreement confirms that privacy policies are required for apps under the California Online Privacy Protection Act. That law requires websites and online services that collect personal information to offer privacy policies, and is consistent with the FTC's view that privacy policies are required under COPPA where apps are directed to children.
The agreement also includes the following "principles":
(1) apps that collect personal data from a user must conspicuously post a privacy policy;
(2) app developers will need to either provide a link to the app's privacy policy or include the text of the app's privacy policy when uploading it to an app marketplace;
(3) app users must be able to notify app marketplaces when an app does not comply with its terms of service and/or laws;
(4) app marketplaces must implement a process to respond to reported instances of non-compliance; and
(5) the California AG and app platform providers will continue to work together to develop best practices for mobile privacy and a model mobile privacy policy.
The agreement may be a vehicle for additional discussions about simple disclosure options, such as use of icons, and incorporating "do not track" options. The press release also affirms that a failure to adhere to stated privacy policies is actionable under California's unfair competition/false advertising law.
For more information on privacy and data security issues, please contact Sheila Millar (+1 202.434.4143, millar@khlaw.com) or Tracy Marshall (+1 202.434.4234, marshall@khlaw.com).