January 29, 2022

Volume XII, Number 29

Advertisement
Advertisement

January 28, 2022

Subscribe to Latest Legal News and Analysis

January 27, 2022

Subscribe to Latest Legal News and Analysis

January 26, 2022

Subscribe to Latest Legal News and Analysis

Increasing Scrutiny of Consumer Data Collection

Recent FTC and California Attorney General actions highlight the need to reassess privacy policies.

The Federal Trade Commission (FTC) recently ordered the data brokerage industry to provide information on the collection and use of consumer data and tightened restrictions on the collection of user data by websites and mobile applications (apps) directed to children. Both the FTC and the state of California have become focused on disclosures about use of consumer data in mobile apps. These recent actions highlight the need to carefully consider privacy disclosures for full compliance, particularly in any mobile or social app or with respect to any information about children.

Compilation of Consumer Data by Data Brokers

On December 18, 2012, the FTC issued orders to nine data brokerage companies, requiring the companies to provide information on their collection and use policies for consumer data.

Data brokers collect personal information about consumers from a variety of public and nonpublic sources in order to compile and sell this information to other companies. Since data brokerage companies typically obtain their consumer information from public records and other data companies, rather than from direct interaction with consumers, many consumers are unaware of the existence and purpose of data brokers. The FTC's goal is to determine the nature and sources of the consumer information collected; the ways in which companies use, maintain, and disseminate this information; and the extent to which companies allow consumers to access and correct their information or to opt out of having their personal information sold. The nine responses will be used to prepare a study and make recommendations on whether, and how, the data brokerage industry can improve its privacy practices. The FTC notes that there are currently no laws requiring data brokers to maintain the privacy of consumer data, unless the data is used for credit, employment, insurance, housing, or other similar purposes.

An FTC report published earlier this year, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, laid out a voluntary framework of best practices for businesses based on the concepts of privacy by design, consumer control, and increased transparency for the collection and use of consumer data.

Children's Privacy – Children's Online Privacy Protection Act

On December 19, 2012, the FTC adopted final amendments promulgated pursuant to the Children's Online Privacy Protection Act (COPPA)(COPPA Rule) that will tighten restrictions on the collection of personal information by websites and mobile apps directed to children under 13 years of age. The final, updated COPPA Rule, scheduled to go into effect July 1, 2013, will broaden the definition of protected "personal information" to include "geolocation information, as well as photos, videos, and audio files that contain a child's image or voice" and "persistent identifiers," such as IP addresses, mobile device IDs, and cookies. Such information cannot be collected from children without parental notice and consent, with the exception of persistent identifiers to the extent they are used for the sole purpose of supporting a website or an online service's internal operations. The rule also modifies the current definitions of "operator" and "website or online services directed to children" under 13. These definitions will now also cover third-party plug-ins integrated on websites directed to children, advertising networks that collect personal information from such websites, and any other outside services that have "actual knowledge" that such information collection occurs. The FTC did clarify that third-party marketplace platforms will not be liable for the child privacy practices of the numerous apps sold on these platforms. According to the FTC, COPPA Rule violators will be subject to fines as high as $16,000 per incident.

The COPPA Rule updates come after a two-year public comment and proposed rule revision drafting process, during which the FTC withdrew several proposals that would have included websites intended for teenagers and young adults. The FTC also withdrew its proposal to impose COPPA responsibilities on third parties that "know or have reason to know" they are collecting personal information through their integration on a site that may have child users, in favor of a much higher "actual knowledge" requirement for such parties.

Mobile and Social Apps – FTC and California Online Privacy Protection Act

Through a December 10, 2012, staff report[1] detailing the FTC's concerns regarding child privacy and mobile apps, the FTC announced[2] its intentions to update COPPA further to address mobile apps. Concurrently, the FTC staff launched nonpublic investigations to determine whether entities in the mobile app marketplace are violating COPPA or engaging in unfair or deceptive practices in violation of the FTC Act.

Mobile apps also have been the focus of enforcement action in California. Under the California Online Privacy Protection Act (CalOPPA), Attorney General Kamala Harris has issued warning letters regarding the state's concern about mobile app privacy policies to scores of companies. Further enforcement of CalOPPA is expected, and the Attorney General has made clear that California intends to strictly apply CalOPPA to mobile and social apps. CalOPPA's impact may, in effect, be national. The California Attorney General's position is that CalOPPA reaches all "operators of a commercial web site or online service" that gather personal information about California residents. Under the act, an "operator" is any person or entity that owns a website located on the Internet or an online service, including mobile and social apps. Thus, for companies with mobile apps, the dispositive question likely is not where they are located geographically but what type of personal information—if any—the app collects from its California users.

If the statute applies, there are two steps for compliance: 1) crafting a compliant privacy policy and 2) posting it "conspicuously" in the manner required by the statute. Although the statute provides options for posting, the options described are geared more toward websites, leaving companies that have mobile apps with the challenge of how to apply them in that context. CalOPPA itself does not mention apps, but the recent enforcement activity underscores the state's position that there is a need for a compliant privacy policy accessible from the app itself and specifically tailored to that app and the personal information it collects—even if a privacy policy already exists on the online website. When an app's privacy policy should appear to a user is unclear in the statute, but the Attorney General's press releases and an agreement struck in February with large platform providers indicate the Attorney General's intent is that consumers should have the opportunity to review an app's privacy policy on the download screen in the platform store beforedownload.

Generally, violations of CalOPPA occur only if the operator fails to conspicuously post its compliant privacy policy within 30 days of being notified of noncompliance, unless failure to comply is "knowing and willful" or "negligent and material." Nevertheless, it is prudent for companies to be proactive in assessing their apps' compliance, as fines of up to $2,500 per download may be imposed.


[1]. View the report here.

[2]. View the press release announcing the report here.

Copyright © 2022 by Morgan, Lewis & Bockius LLP. All Rights Reserved.National Law Review, Volume III, Number 4
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Rochelle Alpert, Morgan Lewis, Intellectual Property Lawyer
Partner

A frequent lecturer and writer on intellectual property issues, Rochelle D. Alpert helps clients protect their trademarks, copyrights, and rights of publicity. She also advises on and litigates unfair competition, defamation, and libel claims; advertising and contest issues; and Internet, social media and e-commerce protections and concerns. Working within the firm’s Trademark Copyright Advertising Group, Rochelle advises across diverse industries, including online and traditional retailing, clothing and accessories, computer hardware and software, social media,...

415-442-1326
W. Reece Hirsch, Morgan Lewis, Regulatory Attorney
Partner

W. Reece Hirsch counsels clients on healthcare regulatory and transactional matters and co-heads the firm’s privacy and cybersecurity practice. Representing healthcare organizations such as hospitals, health plans, insurers, physician organizations, healthcare information technology companies, and pharmaceutical and biotech companies, Reece advises clients on issues such as privacy, fraud and abuse, and self-referral issues. This includes healthcare-specific data privacy and security matters, such as compliance with the Health Insurance Portability and Accountability Act...

415-442-1422
Karen Butcher, Morgan Lewis, Intellectual Property Attorney
Partner

Recognized for her intellectual property (IP) work, Karen A. Butcher advises clients on maximizing the value of their IP and protecting their intellectual assets. She focuses on brands, creative works, technology, and related IP. Karen handles transactions and helps clients to structure the ownership and licensing of IP within their corporate group and to resolve complex disputes when they arise. A practice leader in the firm’s intellectual property practice, Karen brings an international perspective to strategic business matters in various sectors, including retail and...

202-739-5526
Carla Oakley, Morgan Lewis, Intellectual property attorney
Partner

Carla B. Oakley focuses on intellectual property (IP) and advertising, from inception and global protection through trial. Her experience includes litigation and counseling involving trademarks, trade secrets, copyrights, advertising, rights of publicity, privacy, social media, licenses, product design strategies, patents, and database protection. One of the partners heading up the IP and advertising practice in Northern California, Carla has first–chair jury trial, appellate, and arbitration experience. She helps clients maximize their IP, manage risks, and protect...

415-442-1301
Ron Dreben, intellectual property lawyer, Morgan Lewis
Partner

Ron N. Dreben advises clients on intellectual property and technology issues in business transactions. He provides advice in connection with mergers, acquisitions, and licensing arrangements, as well as trademark, copyright, trade secret, and related IP law. A Certified Information Privacy Professional (CIPP), Ron helps companies address privacy issues and respond to security breaches and advises US companies on the relevance of the EU Data Directive. Ron has experience negotiating with most of the leading technology product and service vendors.

202.739.5213
Advertisement
Advertisement
Advertisement