The proliferation of companies engaged in the buying and selling of user information gave rise to calls in 2011 for increased regulation of what are often characterized as deceptive practices. In March 2012, the Federal Trade Commission (FTC), the government’s chief consumer protection agency, released a framework for addressing consumer privacy concerns that mandates adoption of “do-not-track” features. The framework was developed in the wake of several FTC charges that Facebook and Google made use of their customers’ personal information through their introduction of new services without full disclosure. Settlements of these disputes forced the companies to increase the transparency of personal information sharing and ensure that users are given opportunities for informed consent. Nevertheless, legislators and consumer groups continue to push for greater user control of personal information, alleging failure by these companies to comply with settlements, to implement effective privacy policies, and to gather user information only with consent.
FTC Issues Consumer Privacy Guidelines Following White House “Privacy Bill of Rights”
On March 26, 2012, the FTC issued a report enumerating best practices for businesses to protect American consumers’ privacy while simplifying and increasing the level of control consumers have over collection and use of personal data. Titled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers,” the Commission’s report stated that industry self-regulation has been insufficient, and called on Congress to pass “baseline privacy legislation.” The Commission’s report listed five focus areas: the implementation of a do-not-track system, improved privacy protections on mobile services, data broker transparency, privacy concerns surrounding large platform providers like Internet Service Providers, and promoting enforceable self-regulatory codes. The report also focused heavily on mobile cell phone data, citing a need for limits on mobile data collection, use and disposal because of the “rapid growth of the mobile marketplace.”
Limiting jurisdiction to online companies collecting data from more than 5,000 consumers a year, the report’s privacy protection recommendations focus on simplifying consumers’ ability to opt out of having their online activities tracked. The Commission further called for increased transparency surrounding collection practices and use of consumers’ data. Attention was also given to implementation of “privacy by design,” a process that requires consideration of consumer privacy at every stage in product development, rather than inclusion of privacy mechanisms as an afterthought. In summarizing the current state of such consumer protections, the FTC wrote in its March 26, 2012 report that “[a]lthough some companies have excellent privacy and data securities practices, industry as a whole must do better.” The FTC’s report is available at http://www.ftc.gov/os/2012/03/120326privacyreport.pdf.
One target of the framework is so-called “data brokers”—entities that buy, compile, and sell profitable information about consumers to marketers. In an effort to increase the transparency of these entities’ practices, the report calls for legislation providing consumers access to data broker databases and suggests the creation of a centralized website where consumers may learn about the practice and how to control data use.
Addressing an issue that has been at the forefront of the online consumer privacy debate, the Commission warned that if companies did not voluntarily provide an adequate do-not-track mechanism, it would support additional laws mandating one. Speaking to The New York Times in a March 26, 2012 article, FTC Chairman Jon Leibowitz explained that such an option entails a means for consumers to opt out of data collection, and said that “[i]f a real Do Not Track option doesn’t come to fruition by the end of the year, there will be, I don’t want to say a tsunami of support for Do Not Track legislation next Congress, but certainly a lot of support.” The Commission hopes to avoid the need for legislation through working with web companies and advertisers to implement an industry-designed do-not-track technology.
A do-not-track option conflicts with the desire of online companies to collect, use, and share information about consumers who utilize their services. Speaking to the Times for its March 26 story, Michael Zaneis, senior vice president and general counsel for the industry trade group Interactive Advertising Bureau, stressed that such legislation should not be so broad in scope that it would include “virtually every publisher site, advertiser, ad network, or analytics firm.” He said that the sharing provided by these entities “makes the digital economy work” and cautioned against legislation “that would harm the most fundamental operations of the Internet.”
Privacy advocates concerned about consumer control over the amount of data being collected and its uses regard the FTC’s statements as representing substantial progress on data privacy. Speaking to the San Francisco Chronicle on March 27, 2012, John Simpson, director of Consumer Watchdog’s Privacy Project, called the report “a net positive,” and said that “the takeaway is, we at least seem to be moving forward.”
As an enforcement agency and not a rule-making body, the FTC relies on authority from Congress to create new compliance codes, and under the Federal Trade Commission Act may intervene only in cases of “unfair or deceptive acts or practices in or affecting commerce.” Federal Trade Commission (FTC) Act, 15 U.S.C. § 45. Some analysts favor a mandatory set of rules to be enforced by the FTC, believing that industry self-regulation is insufficient to safeguard consumer data. In a February 23 interview with The Washington Post following the White House’s release of privacy guidelines that did not mandate a do-not-track feature, Professor T. Barton Carter of Boston University’s College of Communication said that “[t]hese companies’ track records on privacy do not instill confidence that they are the appropriate guardians of consumers’ privacy.”
The Obama administration unveiled its “Consumer Privacy Bill of Rights” framework nearly one month before the FTC issued its best practices report. Jeffrey Chester, executive director of the consumer protection group Center for Digital Democracy (CDD), said in the Chronicle’s March 27 story that the Commission’s report “is putting flesh on those privacy bones” and “putting companies on notice.”
The White House’s “Consumer Privacy Bill of Rights” was issued on Feb. 23, 2012 as part of “Consumer Data Privacy in a Networked World,” a report providing a framework for privacy protection. The report was the result of a year of negotiations, and its privacy guidelines require curbing some tracking activities but stop short of mandating “do-not-track” technology. In the report’s executive summary, the Obama administration said it intends for the report to provide a baseline of clear data privacy protection for consumers and greater certainty for companies, acting as a starting point for drafting federal data privacy legislation.
Among the major tenets of the administration’s privacy bill of rights are transparency in privacy and security practices, security, right to consumer access to personal data, reasonable limits on personal data collected by companies, and accountability. It also calls upon data brokers to “prominently and explicitly” tell consumers they collect and sell personal data and “provide consumers with meaningful opportunities to prevent these disclosures.” The White House has directed the Department of Commerce’s National Telecommunications and Information Administration (NTIA) to develop enforceable codes of conduct based around these goals and values. These codes of conduct would then be enforced by the FTC. The administration’s privacy bill of rights proposal can be found at http://www.whitehouse.gov/sites/default/files/privacy-final.pdf.
“American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online,” said President Obama in a statement accompanying the privacy bill of rights framework. “By following this blueprint, companies, consumer advocates and policy makers can help protect consumers and ensure the Internet remains a platform for innovation and economic growth.”
Consumer privacy groups remain cautiously optimistic, with Simpson telling the Times for a Feb. 23, 2012 story that “The real question is how much influence companies like Google, Microsoft, Yahoo, and Facebook will have in their inevitable attempt to water down rules that are implemented and render them essentially meaningless.” However, a number of charges brought against these companies over the past year by the FTC show that the Commission is willing to take these companies to task for violating their own stated privacy policies.
Facebook Settles FTC “Unfair and Deceptive Practices” Charges
On Nov. 29, 2011, the FTC announced the settlement of charges it brought against the social networking website Facebook in 2010. At the center of the dispute were changes Facebook made to its privacy practices in December 2009 that made users’ names, city, gender, and friend list public by default. The Commission asserted these changes repeatedly made information that users had chosen to classify as private on their Facebook accounts publicly accessible, behavior that constituted “unfair and deceptive” practices. Among the eight counts enumerated in its complaint, the FTC accused Facebook of sharing user information with advertisers, making false representations that it had verified the security of certain “verified apps,” and continuing to provide third parties with access to a user’s profile information even following account deletion.
Facebook will need to improve transparency in its privacy practices under the settlement, refraining from deceptive privacy practices and obtaining its users’ approval before changing the ways it uses their data, according to the FTC’s Nov. 29, 2011 press release. In particular, the settlement requires “affirmative express consent” from Facebook’s users before the company can enact changes affecting their privacy preferences. Facebook is also required to prevent access to a user’s data after his account has been deleted for 30 days. Further, the company is required to develop and maintain a privacy program that meets the requirements of the FTC’s order, and subject the program to third-party compliance audits every two years.
“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” said FTC Chairman Jon Leibowitz in the Commission’s press release. “Facebook’s innovation does not have to come at the expense of consumer privacy.”
Discussing the settlement in a post on Facebook’s blog, company CEO Mark Zuckerberg admitted to making “a bunch of mistakes,” but asserted the company’s commitment to privacy. He wrote that “Facebook has always been committed to being transparent about the information you have stored with us — and we have led the internet in building tools to give people the ability to see and control what they share.”
Though no fines were levied against the company for its past behavior, it faces a penalty of $16,000 per day for each count of the settlement violated in the future. The preventive character of the settlement is further underscored by its 20-year duration, a length that the Commission hoped would remove the need to tailor future relief to changes in technology.
“The order is designed to protect people’s privacy, anticipating that Facebook is likely to change products and services it offers,” said David Vladeck, director of the FTC’s bureau of consumer protections. However, the onus remains on users to remain vigilant about what they post on Facebook and agree to share with other users and third parties.
The coalition of consumer groups, including public interest research group Electronic Privacy Information Center (EPIC), was pleased with the outcome, but many regarded the individual settlement as a temporary solution to the problem facing online consumer privacy. Further, The Wall Street Journal said in a Nov. 11, 2011 report that the settlement does not dictate how Facebook should obtain user consent for new features.
Marc Rotenberg, executive director of EPIC, told The New York Times for a Nov. 29, 2011 story that because “we do not have in the United States a comprehensive privacy framework,” there exists the risk that “other companies will come along and create new problems.”
Regardless, the settlement indicates that the Commission intends to take a hard line against abuses of privacy by stepping up enforcement of privacy laws. In a Dec. 2, 2011 entry on its Business Center blog titled “Lessons from the Facebook settlement (even if you’re not Facebook)” encouraging the adoption of clear, accessible privacy policies, the FTC wrote that “companies that want to stay off the law enforcement radar don’t need a weatherman to know which way the wind blows.”
In a Jan. 24, 2012 post on Google’s official blog about the updates, Google’s Privacy Director Alma Whitten wrote that the new policy “makes clear that, if you’re signed in, we may combine information you’ve provided from one service with information from other services,” allowing the company to “treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience.”
Consumer advocates, however, anticipate that the policy will upset users unaware that their information would be shared across all of Google’s websites. In a Jan. 24, 2012 story in The Washington Post, James Steyer, chief executive for “responsible media” advocacy group Common Sense Media, said that “[e]ven if the company believes that tracking users across all platforms improves their services, consumers should still have the option to opt out — especially the kids and teens who are avid users of YouTube, Gmail and Google Search.”
Google implemented its new policies on March 1, 2012, after notifying its users of the change through an email message and postings on its websites. However, the company’s level of candor in establishing the new policies failed to please privacy advocates, who, according to a Feb. 8, 2012 Post entry on its Post Tech technology blog, saw parallels to the “oversharing” of user data engendered by the 2010 launch of the company’s failed Buzz social network. Google settled an FTC complaint prompted by the Buzz service in March 2010, facing allegations that it violated privacy laws by exposing users’ personal information without consent. Similar to the Commission’s 2011 settlement with Facebook, the new agreement requires Google to be transparent in its use of users’ information and build privacy protections into its products.
Jeffrey Chester, executive director of the CDD, told the Post for its January 24 story that “there is no way anyone expected this,” and “[t]here is no way a user can comprehend the implication of Google collecting across platforms for information about your health, political opinions and financial concerns.”
In a Feb. 8, 2012 Associated Press (AP) story, EPIC’s Executive Director Marc Rotenberg said that Google’s users should have the right to say no to the change in terms of service. “This has to be the user’s choice, not Google’s choice. And the FTC must enforce its consent order to protect the rights of users to make these choices,” Rotenberg said.
The U.S. District Court for the District of Columbia agreed to EPIC’s request to speed up review of the lawsuit on Feb. 9, 2012, and required the FTC to respond to EPIC’s complaint by February 17. The court heard the expedited case on Feb. 24, 2012, ultimately ruling that courts lack jurisdiction over agency enforcement actions and could not compel FTC enforcement of the consent order. Nevertheless, the court acknowledged “serious concerns” with Google’s changes. The court’s opinion can be found at http://epic.org/privacy/ftc/google/EPICvFTC-CtMemo.pdf.
Google and Privacy Advocates React to Fallout from Completed FCC Investigation
Google also continues to face challenges related to its Street View project, as federal regulators and privacy watchdogs seek to hold the company accountable for allegedly illegally collecting WiFi data as part of its endeavor to photograph and map streets worldwide. Among the information collected by Google’s photo cars were emails, text messages, passwords, and other potentially sensitive personal information. After publicly acknowledging the data collection in May 2010, Google has maintained that it was accidental, an assertion now brought into question by some consumer protection groups in light of the company’s persistent refusal to cooperate with investigators. Further, the company initially maintained that only fragments of online communications were collected, though it later admitted to having stored entire emails, passwords, and text messages. An FTC investigation of Street View ended in October 2010 after the company promised to improve privacy safeguards.
In an April 13, 2012 filing, the Federal Communications Commission (FCC) cleared Google of illegally collecting WiFi data after fruitlessly investigating the case since October 2010, according to an April 15, 2012 New York Times report. The FCC dropped the charges despite initially writing in a June 11, 2010 blog entry that collection of millions of users’ personal information “clearly infringes on consumer privacy.” Nevertheless, the FCC fined the company $25,000 for obstructing the investigation into the Street View project. As a part of the inquiry, the FCC requested employee emails which Google refused to provide because it said it would “be a time-consuming and burdensome task.” Google also cited employee privacy concerns as a reason for not turning over the emails. Despite finding that the company did collect personal data, the FCC cleared it of charges that it had acted illegally. A copy of the FCC’s order is available at http://transition.fcc.gov/DA-12-592A1.pdf.
A company spokesman released a statement that said Google disagrees with the FCC’s characterization of their co-operation and plans to file a response. “As the FCC notes in their report, we provided all the materials the regulators felt they needed to conclude their investigation and we were not found to have violated any laws.” Privacy advocates, on the other hand, regard the proposed penalty as insufficient to deter a company that, according to the Chicago Tribune, posted nearly $38 billion in revenue in 2011.
“I appreciate that the F.C.C. sanctioned Google for not co-operating in the investigation, but the much bigger problem is the pervasive and covert surveillance of Internet users that Google undertook over a three-year period,” Marc Rotenberg, executive director of EPIC, told the Times for its April 15 story.
On April 16, 2012, EPIC, which filed the original FCC complaint regarding Street View, sent a letter to U.S. Atty. Gen. Eric H. Holder Jr. calling the investigation inadequate. EPIC’s Executive Director Marc Rotenberg wrote the letter calling on Holder to conduct further investigation, writing that the FCC investigation “did not address the applicability of federal wiretapping law to Google’s interception of emails, user names, passwords, browsing histories, and other personal information.”
According to an April 17, 2012 article in the Chicago Tribune, Rep. Edward J. Markey (D-Mass.) insisted Congress hold a hearing and “get to the bottom of this serious situation” because “the circumstances surrounding Google’s surreptitious syphoning of personal information leave many unanswered questions.” Sen. Richard Blumenthal (D-Conn.), who had in 2010, as Connecticut attorney general, tried to get Google to turn over its Street View consumer data, also urged an investigation by the Justice Department and states’ attorneys general.
Street View investigations are ongoing in Connecticut and several other states, which launched inquiries in 2010. Further, the company continues to face international investigations in Europe. According to the Tribune, the French Commission Nationale de l’Informatique et des Libertés fined Google 100,000 euros for collecting personal information while gathering Street View data.
– Mikel J. Sporer
Silha Research Assistant