Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
1
www.khlaw.comWashington, D.C. ● Brussels ● San Francisco ● Shanghai
Tracy P. MarshallPartner
Keller and Heckman LLP1001 G Street, N.W.
Washington, DC 20001202-434-4234
Building Privacy Into Advertising and Marketing:The Intersection of Advertising and Privacy
June 2, 2011
Sheila A. MillarPartner
Keller and Heckman LLP1001 G Street, N.W.
Washington, DC 20001202-434-4143
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 20112
PresentersSheila A. Millar is a Partner at Keller and Heckman and counsels corporate and association clients on a range of consumer protection regulatory and public policy matters. Ms. Millar advises clients on privacy and security policies and programs, data breach responses, data transfers and cloud computing. She also counsels clients on privacy and regulatory compliance aspects of promotions, social media policies, website terms and online sales. Noted for her expertise on children's issues, Ms. Millar has participated in Federal Trade Commission (FTC) workshops on children's privacy and advertising literacy.
2
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 20113
Presenters
Tracy P. Marshall is a Partner at Keller and Heckman LLP. She assists for-profit and non-profit clients with a range of business and regulatory matters. In the Internet, privacy, and advertising areas, Ms. Marshall provides counsel on e-commerce transactions and online promotions, privacy and data security policies and programs, and data breach management.
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 20114
Preliminary Word
This presentation provides information about the law. Legal information is not the same as legal advice, which involves the application of law to an individual's specific circumstances. The interpretation and application of the law to an individual’s specific circumstance depend on many factors. This presentation is not intended to provide legal advice. The information provided in this presentation is drawn entirely from public information. The views expressed in this presentation are the authors’ alone and not those of the authors’clients.
3
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 20115
The Issues
Balancing benefits of online advertising and social media against privacy implications of collection, use, and sharing of data Managing legal obligations stemming from global privacy laws and best practices
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 20116
Agenda
Media-specific privacy lawsOnline behavioral advertising/ interest based advertisingAdvertising to childrenGeolocation dataSocial mediaCookies
4
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 20117
Upcoming The Privacy Playbook: A Practical Guide For Businesses Webinars Series
June 16 -- Privacy Considerations in the Employment Context
June 30 -- Best Practices for Protecting Data and Managing Data Breaches
July 14 -- Practical Tips for Avoiding Privacy Enforcement and Lawsuits
July 28 – Towards Privacy by Design: Smart Grid and Other Technologies
All webinars will be held from 11:00 a.m. – 12:30 p.m. ET
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 20118
How Companies Communicate
Company websites
E-mail messages
Text messages
Social networking sites
Blogs
Telephone solicitations
Faxes
5
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 20119
Applicable Laws
Telephone ConsumerProtection Act of 1991 (TCPA) Telemarketing Sales Rule(TSR)
CAN-SPAM Act • Mobile Service Commercial
MessageTCPA • Short Message Service
CAN-SPAM Act
Digital Millennium Copyright ActFTC Endorsements and Testimonials GuidesFTC Green GuidesState lawsThird party terms and conditions/ guidelines
Telemarketing and Faxes:
Social Media/Online:
E-mail:
Text Messaging:
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201110
THE THE ““DO NOTDO NOT”” LAWSLAWS
6
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201111
DO NOT CALL!
Overview of Telemarketing Laws• Can’t abandon > 3% of calls answered by a person• Must transmit caller ID information when available• No autodialer or artificial or prerecorded voice calls to cell
phone, pager, etc. where party is charged • No prerecorded voice calls to residences without prior
express consent• No solicitations to residences before 8 a.m. or after 9
p.m.
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201112
Do-Not-Call Registry
National Do-Not-Call registry jointly established by FCC and FTCCovers residential and personal wireless phone numbers; registration valid for five yearsProhibits telephone solicitations to numbers on the Do-Not-Call list, except • With prior express permission• By or on behalf of a tax-exempt non-profit• With an established business relationship (EBR)
7
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201113
Enforcement of Telemarketing Laws
47 U.S.C. § 227FCC enforcesPrivate Right of Action –numerous class action lawsuitsUp to $16,000 per violation/ messageUp to $500 per violation/ message for civil action
16 CFR Part 310FTC enforces, maintains “Do Not Call” registryNo Private Right of ActionUp to $16,000 in fines perviolation/message
Telephone Consumer Protection Act (TCPA)
Telemarketing Sales Rule (TSR)
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201114
DO NOT FAX!
TCPA - No fax ads without prior written consentEBR exception (unless recipient opted out)Covers both business and consumer linesFax must include• ID & phone number of originator• ID of fax broadcaster (if applicable)• Legal name of originator• Date & time sent• Opt-out mechanism and honor
opt out requests within 30 days
8
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201115
DO NOT SPAM!
Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act effective January 1, 2004 Basics:• If “primary purpose” of email is
commercial, it is subject to CAN-SPAM• FTC has clarified aspects of CAN-SPAM:
– Primary purpose– Multiple “senders”– Refer-a-friend emails
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201116
CAN-SPAM Act Requirements
Clear and conspicuous identification that the message is an advertisementAccurate and non-misleading header/subjectValid postal address for the “sender”• Who is a Sender? Any person who initiates a
commercial email message and whose product, service, or Internet web site is advertised or promoted by the message
Working online opt-out mechanism Honor opt-out requests within 10 business days
9
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201117
What is a Commercial Email Message?
Any email message the primary purpose of which is • The commercial advertisement or
promotion of –A commercial product or service–Content on a website operated for a
commercial purpose–Some non-profit communications
deemed “commercial”
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201118
What is Commercial Primary Purpose?
If recipient reasonably interpreting the subject line would conclude that the message contains an ad or promotion for a commercial product or service
If transactional or relationship content does not appear at the beginning of the message
10
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201119
Transactional/ Relationship Messages
Communicate with customers about ordersConduct market research surveysCommunicate with employees/ former employees/ retirees about benefits, accounts, employee discounts, etc.Send press releases, etc. to shareholders
• In all cases, whether an email qualifies as transactional/ relationship depends on satisfaction of “primary purpose” test
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201120
Multiple “Senders”
Multiple “senders” of a single e-mail can designate one “sender” if that person• Would be deemed a “sender” under the
Act• Is identified in the “from” line• Complies with the CAN-SPAM Act
11
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201121
“Refer-a-Friend” CampaignsRefer-a-friend emails sent with consideration or inducement are subject to CAN-SPAM Act• Consideration/ inducement includes money, coupons,
discounts, awards, additional sweepstakes entries
If email is sent by automatic technical process to an address provided by the forwarder, then it is a “routine conveyance” exempt from the Act
Cannot use child’s name as “sender” for refer-a-friend campaigns at kids sites
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201122
Civil penalties up to $16,000 for each e-mail in violation
Criminal penalties– including imprisonment –for: • Accessing someone else’s computer to send spam
without permission• Using false information to register for multiple e-mail
accounts or domain names• Relaying or retransmitting multiple spam messages
through a computer to mislead others about the origin of the message
CAN-SPAM Penalties
12
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201123
CAN-SPAM permits unsolicited communications as long as the basic requirements are followedElectronic Communications Privacy Directive (Directive 2002/58/EC) only permits electronic communications with the recipient’s consent• Consent can be obtained through website tick boxes,
but not pre-checked boxes• Established business relationship excepted• Affiliates treated like third parties• Opt-out mechanism required
CAN-SPAM vs Directive 2002/58/EC
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201124
Canada’s Spam Law
Fighting Internet and Wireless Spam Act (“FISA”) – Bill C-28• Passed on December 15, 2010• Prohibits sending unsolicited commercial
communications without consent (opt-in)• Covers all forms of commercial electronic messages,
including text messages• Must identify sender and (if different) person on
whose behalf the message is sent, contact information, and an unsubscribe mechanism
• Permits private right of action; fines up to $1M for individuals and $10M for business
13
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201125
Recent Cases
FTC v. Phillip A. Flora• FTC Complaint filed February 23,
2011• Sent 5.5 million spam text
messages, pitching loan modification assistance, debt relief, and other services
• Violated CAN SPAM Act by advertising services through multiple email messages with no opt-out mechanism
• Sold information collected from consumers to marketers as “debt settlement leads”
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201126
Facebook CAN-SPAM Litigation
Facebook, Inc. v. MaxBounty, Inc.(March 28, 2011)• Company used fake Facebook pages,
accounts, and applications to offer non-existent products/services
• Caused Facebook users to SPAM friends and/or use the data to sign-up for a host of subscription services
• Court found that messages sent by Facebook users to their friends’ walls, news feeds or home pages are “electronic mail messages” under the CAN-SPAM Act
14
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201127
CAN-SPAM Best Practices
What do you want to do?• Register consumers for updates, newsletters,
sweepstakes and other promotions• Share consumer registration information with
third parties for marketing• Use rented/ purchased e-mail lists• Confirm transaction and send marketing
message
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201128
DO NOT TEXT!
Prior written consent required to send text messagesMobile Service Commercial Message (MSCM)• Subject to CAN-SPAM Act
Short Message Service (SMS)• Subject to TCPA
Mobile Marketing Association (MMA)Guidelines
15
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201129
DO NOT TRACK!
Online Behavioral Advertising (OBA)/ Interest Based Advertising (IBA) • Collecting anonymous information (e.g., IP
addresses) from a particular computer or device across the Internet
– Via cookies, pixel tags• Using information about preferences to serve
ads
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201130
Self-Regulation
FTC Self-Regulatory Principles for Online Behavioral Advertising• Coalition of major ad organizations• 7 Principles:
– Consumer education– Transparency– Consumer choice– Data security/ limited data retention– Consent for material changes to OBA practices– Limited collection of sensitive data– Accountability (enforcement/compliance)
Internet Browsers
16
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201131
OBA/IBA Legal Landscape FTC, DOC Privacy Reports
Legislation Introduced in 112th Congress• “Commercial Privacy Bill of Rights Act of 2011” (S. 799)
– Senators John Kerry (D-MA) and John McCain (R-FL)• “Consumer Privacy Protection Act of 2011” (H.R. 1598)
– Rep. Cliff Stearns (R-FL)• “BEST PRACTICES Act” (H.R. 611)
– Rep. Bobby Rush (D-IL) reintroduced from 111th Congress• “Do Not Track Me Online Act” (H.R. 654)
– Rep. Jackie Speier (D-CA)• “Do Not Track Online Act of 2011” (S. 913)
– Sen. Jay Rockefeller (D-WV)• “Do Not Track Kids Act of 2011”
– Reps. Edward Markey (D-MA) and Joe Barton (R-TX)
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201132
First FTC OBA Case: Chitika, Inc.
Company misrepresented consumers’ability to opt-out of OBAAfter 10 days, company would place tracking cookies back on browsers and continue to serve targeted ads FTC alleged that opt-out mechanism was deceptive and violated FTC Act Section 5
17
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201133
CHILDREN’S PRIVACY
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201134
COPPA Basics
Children’s Online Privacy Protection Act of 1998 (COPPA); FTC COPPA RuleApplies to the online collection of personal information from children under 13
Verifiable Parental ConsentOperator may not require a child to disclose more information than is reasonably necessary to participatePreempts inconsistent state laws
COPPA Rule Review
18
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201135
Online Marketing to Kids
Can interface online directly with kids under some exceptions; permitted data collection very limited• One-time use – prompt deletion required• Multiple e-mails with notice to parents
Use care in refer-a-friend e-mailsVerifiable parental consent• Can use “e-mail plus” for internal marketing• No public postings
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201136
COPPA Enforcement
U.S. v. Playdom (sub of Disney) and Howard Marks• Largest-ever penalty for COPPA violation
($3 million)• Mandatory deletion of all kids’ records• Age-screening failure at sites appealing to
kids noted• Due diligence with acquisitions needed
19
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201137
MOBILE GEOLOCATION
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201138
Geolocation Data
Emerging issue for mobileRole of app developers, service providers, advertisers unclearLinked to OBA in some proposed legislation
20
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201139
Location Data Developments
FCC and FTC to hold a forum this month on the use of smartphone location data for targeted ads and other purposesU.S. Senate held hearings on consumer privacy and the treatment of location data, focusing on Apple, Google, and Facebook
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201140
Apple Lawsuits
Alleged violations of privacy of iPhone, iPad and iTouch users by transmitting the devices’ unique identifiers to application developersAlleged that application developers Pandora, The New York Times Co., WebMD, Yelp, and Groupon illegally transmitted users’ personal data, including application use, to third party advertisers without consent
21
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201141
ADVERTISING AND ADVERTISING AND SOCIAL MEDIA SOCIAL MEDIA
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201142
Social Media and Privacy
Social Media uses tools such as blogs, wikis, and social networking sites to connect people and build relationships with consumers “Getting to know” consumers has privacy implications
22
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201143
Advertising in Social Media
Forms of Advertising• Based on user’s network
of friends • Direct advertising placed
on social networking site • Through 'groups' or
'pages' Types of Online Ads• Banner ads• Keyword, contextual• OBA ads (tracking)• Pop-ups• Video ads
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201144
FTC Endorsement GuidesSubstantiate claimsEndorsement should reflect personal opinion, beliefs of endorserDisclose payments where necessaryDisclose “material connection” between advertiser and endorserDisclose expected results• “Results not typical” no longer
a safe harbor
23
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201145
More Litigation
In re Facebook Privacy Litigation• Claim that Facebook intentionally and
knowingly transmitted users’ personal information to third party advertisers without consent
• CA judge granted in part and denied in part Facebook’s motion to dismiss and allowed suit to proceed
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201146
MySpace Litigation
Linda Virtue and Lily Castro v. MySpace, No. 11-CV-1800 (E.D. NY, April 13, 2011)• Alleged that MySpace violated state law, Stored
Communications Act, and its own privacy policy by transmitting data used to identify MySpace members to advertising companies and data aggregators
• The data associated users’ names, ages and other information with their Internet browsing histories
• Lawsuit sought class action status
24
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201147
CA Social Networking Bill (SB 242)
Social networking site users must opt in before the site can display information other than user's name and city of residence Social networking sites must permit users to set privacy settings as part of registration process and explain options in plain languageSocial networking sites must remove a user’s personal identifying information upon request (or upon a parent’s request, for users under age 18)
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201148
ARE COOKIES EATING YOU?
25
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201149
New EU Cookies Law
Website operators must get informed consentbefore using cookies and other technologies to store and retrieve information on users’computers• Previously companies had to disclose how cookies
were used and provide opt-out• ICO suggests obtaining consent through browser
settings, pop ups, terms and conditions
Exception: If “strictly necessary”for a service requested by the user
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201150
Cookies Lawsuits
Class action suit Mortensen, et. al. v. Bresnan Communication, LLC (Montana, 2011)• Bresnan (ISP) allowed appliance to be installed by
Internet ad company, NebuAd• Appliance disabled users’ security features and
placed tracking cookies on computer for ad targeting• Court allowed claims under Computer Fraud and
Abuse Act and for trespass to chattel• Court denied claims under Electronic
Communications Privacy Act and for invasion of privacy
26
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201151
Cookies Lawsuits
Ringleader Digital settled lawsuit over Media Stamp® technology• Complaint alleged that the company
improperly tracked users by placing “cookies”on their phones
• Ringleader required to place a link where cookies are stored and allow consumers to opt-out of receiving targeted ads on mobile websites
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201152
Flash Cookies & History Sniffing
“Flash cookies,” or local shared objects, are ‘super cookies’ that never expire and are protected from deletion• Class action lawsuits in 2010 against Disney, Hulu,
Jib-Jab, and others“History sniffing” peeks into a user’s Internet visitation history to create a profile of the user• Several lawsuits in 2010 against Interclick,
McDonald’s, adult websites and others
27
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201153
What’s Next?
More focus on “hidden” tracking“Opt-in” v. “opt-out” debate continuesMore enforcementSignificant increase in litigation
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201154
Compliance Tools
Build privacy, security awareness• Train marketing staff, agencies, consultants• Address in corporate policies
Ask why is data being collected; how; whether it is personal/ non-personal; linkage to personal data; necessity of info• Checklists, audits
Contractually address privacy, security in agreements with agencies, service providers
28
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201155
A Final Word: Best Practices
Know what you do• Know what information is collected, through
what technologies, and how it is usedSay what you do• Review and update privacy polices
Do what you say• Periodic reviews essential to make sure that
new technologies, marketing initiatives do not involve data collection or practices that violate policies
www.khlaw.comWashington, D.C. ● Brussels ● San Francisco ● Shanghai
Questions?
29
│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 201157
Upcoming The Privacy Playbook: A Practical Guide For Businesses Webinars Series
June 16 -- Privacy Considerations in the Employment Context
June 30 -- Best Practices for Protecting Data and Managing Data Breaches
July 14 -- Practical Tips for Avoiding Privacy Enforcement and Lawsuits
July 28 – Towards Privacy by Design: Smart Grid and Other Technologies
All webinars will be held from 11:00 a.m. – 12:30 p.m. ET
www.khlaw.comWashington, D.C. ● Brussels ● San Francisco ● Shanghai
Thank you!Tracy P. Marshall
PartnerKeller and Heckman LLP
1001 G Street, N.W.Washington, DC 20001
Sheila A. MillarPartner
Keller and Heckman LLP1001 G Street, N.W.
Washington, DC 20001202-434-4143