© 2015 LOEB & LOEB LLP

Targeted Advertising,

Retargeting and Privacy:

What Companies Need

to Know

Andrew Elman, Re:Sources USA, A Publicis

Groupe Company

Nathan Hole, Loeb & Loeb LLP

Brian Nixon, Loeb & Loeb LLP

May 24, 2016

Greater New York Chapter Association of Corporate Counsel

2 © 2015 LOEB & LOEB LLP 2 © 2016 LOEB & LOEB LLP

Targeted Advertising - Today’s Topics

• The Legal Landscape

• In Practice

• General Enforcement Trends

• Keys to Compliance & Best Practices

• What’s On the Horizon

3 © 2015 LOEB & LOEB LLP 3 © 2016 LOEB & LOEB LLP

[graphic that represents the intersection

of data and analytics]

More online/digital activity

+ More connected devices

= More data

4 © 2015 LOEB & LOEB LLP 4 © 2016 LOEB & LOEB LLP

5 © 2015 LOEB & LOEB LLP 5 © 2016 LOEB & LOEB LLP

Interest-Based Advertising

Web pages visited over time …

Based on user’s online

activities, relevant ads

are displayed on a

publisher website

6 © 2015 LOEB & LOEB LLP 6 © 2016 LOEB & LOEB LLP

Visit a website for online shopping…

An ad for an item previously viewed on a prior website then appears on a subsequent webpage visited later in time

Retargeting

7 © 2015 LOEB & LOEB LLP 7 © 2016 LOEB & LOEB LLP

Online and Mobile Targeted Advertising

Increasingly Use Programmatic Buying

Programmatic buying refers to a wide range of technologies that

automate the buying, placement and optimization of advertising, often

through ad exchanges.

• Real-time bidding for online display ads is just one type of

programmatic buying.

• Established ad exchanges already exist for online and mobile display

and video.

• It’s similar to buying stocks on the stock exchange.

8 © 2015 LOEB & LOEB LLP 8 © 2016 LOEB & LOEB LLP

The Players in Today’s Eco-System

Ad Agency Buys ad inventory

directly from publishers and from ad networks and ad

exchanges

Demand-Side Platform

A centralized interface for

managing digital advertising

Ad Exchange Provides

automated, real-time bidding on ad

inventory

Ad Network Buys and repackaged

ad inventory from many publishers

Data Aggregator

Collects data from multiple sources and

“cleans” it for downstream users

Publisher Controls the

websites where ads

are displayed

9 © 2015 LOEB & LOEB LLP 9 © 2016 LOEB & LOEB LLP

Advertiser #1: I offer $2 for this impression because the visitor

abandoned a shopping cart on my site 2 hours ago.

Advertiser #2: I offer $1.80 for this impression because the visitor is a 15- to 22-year-old male with an interest in sports.

Advertiser #3: I offer $1.60 for this impression because this is

an authoritative movie and gaming site.

2. Ad Exchange makes

available details of

visitor, Publisher site,

and ad unit to

participating

advertisers/agencies.

4. Visitor sees ad from

highest-paying

advertiser. Complete

process takes place

while web page loads.

3. Ad Exchange selects

the highest-paying

advertiser and sends

corresponding creative

to Publisher website.

1. Visitor enters Publisher

website URL. Publisher

sends request to Ad

Exchange for 1 ad of

particular spec (e.g., a

banner).

Online Ad Exchanges

© 2015 LOEB & LOEB LLP 10 © 2016 LOEB & LOEB LLP 10

1000 Main St. 1001 Main St.

Traditional TV

© 2015 LOEB & LOEB LLP 11 © 2016 LOEB & LOEB LLP 11

1000 Main St. 1001 Main St.

Female

26 years old

Interest in

beauty

care

Male

38 years old

Interest in

clothing

Addressable Television

© 2015 LOEB & LOEB LLP 12 © 2016 LOEB & LOEB LLP 12

13 © 2015 LOEB & LOEB LLP 13 © 2016 LOEB & LOEB LLP

14 © 2015 LOEB & LOEB LLP 14 © 2016 LOEB & LOEB LLP

15 © 2015 LOEB & LOEB LLP 15 © 2016 LOEB & LOEB LLP

Methods of Targeting or Tracking

Mobile device

location

Audio fingerprinting

Bluetooth low-energy /

beacons

16 © 2015 LOEB & LOEB LLP 16 © 2016 LOEB & LOEB LLP

FTC Warns 12 App Developers re: SilverPush

• SilverPush enables mobile

device to hear audio beacons

embedded in TV programming

and create a log of what users

have watched

• March 2016: FTC sent warning

letters to 12 app developers

whose apps included

SilverPush

17 © 2015 LOEB & LOEB LLP 17 © 2016 LOEB & LOEB LLP

Methods of Targeting or Tracking

Device identifiers (web or mobile)

Vehicles Linking purchases to

digital activity

18 © 2015 LOEB & LOEB LLP 18 © 2016 LOEB & LOEB LLP

Card-Linked Measurement / Targeting

Ad measurement / targeting Connecting digital ad impressions to offline purchase activity

Consumer consent Sensitive financial

information

© 2015 LOEB & LOEB LLP 19 © 2016 LOEB & LOEB LLP 19

Social Media + Digital On-Demand

Services

© 2015 LOEB & LOEB LLP

The Legal

Landscape

21 © 2015 LOEB & LOEB LLP 21 © 2016 LOEB & LOEB LLP

U.S. Approach to Data Collection and Privacy

Virtually every piece of data has strings attached – rules about how it can be

used, shared, protected, stored and destroyed.

• There is no single comprehensive privacy law in the U.S.

• Data collection and optimization is governed by:

Patchwork system of state and federal laws

Self-regulatory frameworks and industry guidelines

Platform Terms of Use and Privacy Policies

Contracts with vendors and partners

Your own privacy policies

22 © 2015 LOEB & LOEB LLP 22 © 2016 LOEB & LOEB LLP

Selected Federal Laws That Regulate the Collection and

Use of Consumer Data

• FTC Act

• requires companies to comply with their own privacy policies

• Gramm-Leach-Bliley Act (GLB)

• limits how consumers’ financial information may be used

• Health Insurance Portability and Accountability Act (HIPAA)

• limits how covered entities may use health information

• Children’s Online Privacy Protection Act (COPPA)

• limits the collection of children’s personal information and requires parental notice and consent

• New U.S.–E.U. Privacy Shield Program (replaces the U.S.-E.U. Safe Harbor Framework)

• Places limits on data transferred between the U.S. and E.U.

23 © 2015 LOEB & LOEB LLP 23 © 2016 LOEB & LOEB LLP

California Continues To Lead on Privacy Issues

• Dozens of privacy laws - typically

provide more protection to the

consumer than federal laws

• Recently enacted a “do not track”

law and a law limiting the use of

recordings made by a voice-

activated connected TV

• California laws = minimum

requirements for online companies

24 © 2015 LOEB & LOEB LLP 24 © 2016 LOEB & LOEB LLP

Spokeo, Inc. v. Robins, No. 13-1339 (2016)

For standing to challenge a statutory

violation plaintiff’s must suffer

particularized and concrete injury

- Personal and individualized

- Real, not abstract

• Bare procedural violation is

insufficient.

• Intangible injuries can be concrete

25 © 2015 LOEB & LOEB LLP 25 © 2016 LOEB & LOEB LLP

The FTC has initiated many enforcement actions against online and offline companies for violating the FTC Act by:

• Not complying with a posted privacy policy

• Changing a privacy policy (perhaps to reflect new technology or new partners/vendors) and not giving consumers notice or the opportunity to opt out of the new policy

• Failing to adequately safeguard data

• Claiming to provide adequate security for data and then failing to do so

• Failing to adequately disclose what data is collected and for what purpose

• Failing to honor opt-out promises

26 © 2015 LOEB & LOEB LLP 26 © 2016 LOEB & LOEB LLP

Selected Privacy Guidelines • FTC

• Online Behavioral Advertising

• Mobile Apps

• Internet of Things

• California AG

• Mobile Apps

• Privacy Policies and Do Not Track Disclosures

• Digital Advertising Alliance (DAA)

• Online and Mobile Interest-Based Advertising

• Cross Device Tracking

• Mobile Marketing Association

• Text Message Marketing

• Alliance of Automobile Manufacturers

• Internet-connected cars

27 © 2015 LOEB & LOEB LLP 27 © 2016 LOEB & LOEB LLP

Self-Regulatory Compliance Actions

Compliance Actions have focused on:

• Failure to provide notice on every page where data is collected or used for interest-based advertising

• Opt-out links that did not work

• Privacy policies that did not accurately describe a company’s data collection and use policies

• Failing to honor an opt-out request for five years

28 © 2015 LOEB & LOEB LLP 28 © 2016 LOEB & LOEB LLP

One more thing to keep in mind…

Platforms and app stores have Terms of Use,

Privacy Policies and other guidelines which may limit

how you can use data.

These policies change frequently.

© 2015 LOEB & LOEB LLP

Targeted

Advertising &

Retargeting – In

Practice

30 © 2015 LOEB & LOEB LLP 30 © 2016 LOEB & LOEB LLP

Advertisers reach Facebook users taking own first-

party data (e.g., email address, phone number,

customer name) to create target audience and can

layer Facebook audience segments over this to

refine targeting and deliver a targeted ad.

Facebook ‘Custom Audiences’ works by applying hashes

to the customer data of an advertiser to remove any

personal information, and then mapping that hashed

data to its users with the same or substantially similar

sequence of characters from Facebook’s database.

Additional targeting parameters may be added such as

age, interests, etc. to reach a specific audience.

31 © 2015 LOEB & LOEB LLP 31 © 2016 LOEB & LOEB LLP

• Advertisers can show ads to customers based on data about those customers (e.g., email addresses) that the advertiser shares with Google.

• Currently available on Google’s Search Network, YouTube, and Gmail.

• Option to target similar audiences on YouTube and Gmail based on the advertiser’s created Customer Match audience.

Google AdWords Customer Match works by advertiser uploading a customer data file using AdWords or the AdWords API, either hashed or without hashing the data. Google compares each hashed string (or email address, if the advertiser didn’t hash) with that of Google accounts. For matches, the corresponding Google account is added to the advertiser’s Customer Match audience.

32 © 2015 LOEB & LOEB LLP 32 © 2016 LOEB & LOEB LLP

Twitter TV Targeting

Twitter TV Ad Targeting is a dashboard for marketers that allows them to send a

promoted tweet to someone who tweeted during a television program in which the marketer’s commercial was broadcast.

33 © 2015 LOEB & LOEB LLP 33 © 2016 LOEB & LOEB LLP

DAA 1st Mobile Enforcement Action (May 2016)

• Spinrilla allowed third parties to collect user data for IBA, without providing required notice and enhanced notice.

• Data collected included cross-app data, IFA data (a unique, persistent device identifier) and precise location data

• DAA’s Mobile Guidance requires:

• First party enhanced notice and consumer control for cross-app data collection

• First party notice, enhanced notice and consumer control for precise location data

34 © 2015 LOEB & LOEB LLP 34 © 2016 LOEB & LOEB LLP

Cross Device Tracking

35 © 2015 LOEB & LOEB LLP 35 © 2016 LOEB & LOEB LLP

Buy, sell or transfer tickets. Pay for parking.

Pre-order and pick-up food before event. Order & track delivery to seats.

Access to in-venue mobile video content; multi-angle playback during live event.

Find shortest lines for restrooms, food, & merchandise.

Earn, track and redeem loyalty rewards.

Option to purchase seat upgrades after arriving at venue.

36 © 2015 LOEB & LOEB LLP 36 © 2016 LOEB & LOEB LLP

Cross Device Tracking Issues

DAA issued Application of the DAA Principles of Transparency and Control to Data Used Across Devices (Nov. 2015), requiring • Notice that data collected from a particular

browser or device may be used with another linked computer or device, or may be transferred to a non-affiliate

• Clear, meaningful, and prominent link to a

disclosure linking to industry developed website or choice mechanism, or individually listing the Third Parties engaged in the collection

• Consumer choice (i.e., an opt-out mechanism)

37 © 2015 LOEB & LOEB LLP 37 © 2016 LOEB & LOEB LLP

Michael v. Verizon et al.

• Verizon tagged customers with a unique code (or “header”) so that it could follow customers as they navigated around the web and their mobile apps. Customers could opt-out of this tracking, but a blogger

revealed that ad companies could use this persistent identifier (called a “supercookie”) to track customers even after they had tried to opt-out.

• Less than two weeks after the New York Times article about Verizon’s supercookies was published, a class action complaint was filed in federal district court against Verizon and Turn asserting claims under the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act.

38 © 2015 LOEB & LOEB LLP 38 © 2016 LOEB & LOEB LLP

Location Technology - Tracking

39 © 2015 LOEB & LOEB LLP 39 © 2016 LOEB & LOEB LLP

FTC Enforcement: Location Tracking

FTC Settlement with Nomi

Technologies (2015)

Nomi Technologies, a company

whose technology allows retailers to

track consumers’ movements

through their stores, agreed to settle

Federal Trade Commission charges

that it misled consumers with

promises that it would provide an in-

store mechanism for consumers to

opt out of tracking and that

consumers would be informed when

locations were using Nomi’s tracking

services.

40 © 2015 LOEB & LOEB LLP 40 © 2016 LOEB & LOEB LLP

Internet of Things (IoT) / Connected Devices

It involves “things” — whether cars, appliances, machines, consumer goods

or personal devices — embedded with sensors and transmission technology so

they can “talk” to other devices and to the Internet.

41 © 2015 LOEB & LOEB LLP 41 © 2016 LOEB & LOEB LLP

Connected Home

Connected Cars

42 © 2015 LOEB & LOEB LLP 42 © 2016 LOEB & LOEB LLP

43 © 2015 LOEB & LOEB LLP 43 © 2016 LOEB & LOEB LLP

Connected

Self

© 2015 LOEB & LOEB LLP

General

Enforcement

Trends

45 © 2015 LOEB & LOEB LLP 45 © 2016 LOEB & LOEB LLP

Recent FTC Enforcement and Other Actions

Silverpush (March 2016) Must disclose audio beacon functionality of app

In the Matter of General Workings Inc., also doing business as Vulcun (May 2016) • Companies must disclose

• Collection, use and sharing of consumers’ information • Consumers’ level of control over their data • Steps to maintain privacy or security • Types of information a product or service will access and

how it will be used

• Express affirmative consent required before the installation or material change

46 © 2015 LOEB & LOEB LLP 46 © 2016 LOEB & LOEB LLP

BBB Compliance Action – 23andMe

BBB’s Accountability Program determined that 23andMe was

engaging in retargeting, but failed to provide enhanced

notice on 23andMe’s web site and in or around the ad

displayed on nonaffiliated web sites

© 2015 LOEB & LOEB LLP

Keys to Compliance

& Best Practices

48 © 2015 LOEB & LOEB LLP 48 © 2016 LOEB & LOEB LLP

Keys to Compliance

Short Form Privacy Policy

Participate in Self-

Regulatory Programs

Coordinate with Ad

Networks & Analytics

Companies

Just in Time Notification

49 © 2015 LOEB & LOEB LLP 49 © 2016 LOEB & LOEB LLP

Applying Privacy By Design in the Real World

KNOW THE PRODUCT

• From what product is the data collected?

• Is it a mobile app, a website, a physical product or

something else?

• What technology does it use?

• How does it connect to other devices and to the

Internet?

UNDERSTAND THE DATA & USE CASES

• What types of data are collected?

• Is sensitive data collected?

• How is the data used and shared?

• What security features protect the data?

KNOW THE TERRITORIAL CASES

• In which countries is the data collected?

• Where will the product using this data be

marketed and sold?

• Where will data processing occur?

• Where will data be store

50 © 2015 LOEB & LOEB LLP 50 © 2016 LOEB & LOEB LLP

What’s on the horizon