Earlier this month, two key regulatory bodies summed up their current perspective on organizations’ responsibility for data security and privacy. Companies that are dealing in any way with electronic consumer data — and it’s hard to imagine any being completely disconnected from the connected world — ought to be listening more closely to the regulators. Yet experience suggests not enough are. Continuing to ignore regulators’ concerns and to fall behind consumer expectations about data-handling practices could very well result in less business flexibility and more business risk in the current environment.
The first was the U.S. Federal Trade Commission. On Feb. 1, it released a staff report entitled Mobile Privacy Disclosures: Building Trust Through Transparency. If any doubt existed that the FTC no longer considers viable the "check-the-box" privacy model that some still follow, the FTC put that to bed. It observed that now "the commission’s approach to privacy and data security generally [is that] a paper exercise alone — such as having written policies and procedures in the back of a file drawer or empty contractual provisions — does not sufficiently uphold the privacy and security of users’ information." The report goes on to make several suggestions that underscore the breadth of the potential impact to privacy practices its changed approach may bring.
Less than a week later, the European Commission issued a proposed directive on network and information security. The directive would sweep into its ambit a wide range of companies operating in EU online environments, not just infrastructure providers. In its accompanying Joint Communication, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, the EC observed that the current cyberspace environment is increasingly vulnerable and that the proposed directive is therefore aimed at changing private actors’ approach to data security in Europe. It further invited industry to "[p]romote cybersecurity awareness at all levels, both in business practices and in the interface with customers. In particular, industry should reflect on ways to make CEOs and boards more accountable for ensuring cybersecurity." The White House is expected to issue an executive order regarding cybersecurity standards. While expected to be voluntary, it, too, undoubtedly will push industry to take on more responsibility for data security.
In seemingly less than a year, the world has moved from one where regulators, while advocating the adoption of Privacy by Design principles, often seemed to take a hands-off approach, to one in which they assert a broadening scope of potential enforcement liability and relief, raise explicit questions about widely deployed business practices, and openly chide boards and others to pay closer attention and disclose more about companies’ activities in the connected world. What happened?
One really needs to look no further than app disclosure practices, and industry’s general lack of response to regulatory prodding, to answer that question. In its February 2012 report aptly named "Mobile Apps for Kids: Current Privacy Disclosures are Disappointing," the FTC expressed chagrin over industry disclosure practices. The agency concluded in its report that, despite the likely applicability of the Children’s Online Privacy Protection Act, or COPPA, the apps the FTC surveyed provided little, if any, information to parents about their privacy practices and interactive features. The FTC saw ample room for improvement.
Yet a fairly substantial number of app providers did not appear to get the message. Late in 2012, the FTC issued a follow-on report. Its title again sums up the agency’s perspective: "Mobile Apps for Kids: Disclosures Still Not Making the Grade." Summarizing a summer 2012 survey, the FTC remarked "[i]ndustry appears to have made little or no progress." It was still the case that "most apps failed to provide basic information about what data would be collected from kids, how it would be used, and with whom it would be shared." So, the FTC concluded, "more needs to be done."
California Attorney General Harris is of the same view, and has taken direct action to force more change. Led by the AG’s new Privacy Enforcement and Protection Unit (homed in the eCrime Unit), the office sent out some 200 notices in October 2012 to app providers warning them of their alleged non-compliance with the California Online Privacy Protection Act. It followed up by suing Delta Airlines under the act in December for failing to provide an adequate privacy notice. The FTC gave Harris credit for her actions in its February 2013 Mobile Privacy Disclosures Staff Report, while also noting that substantial progress still needs to occur. Indeed, in the past two months, the FTC has announced additional investigations into industry practices, including whether gaps exist between what companies disclose about data practices and what they actually do, whether any of these practices violate COPPA, and whether they constitute unfair or deceptive trade practices under consumer protection laws (the FTC’s principal enforcement authority).
Other recent public FTC initiatives illustrate how lack of disclosure has led the FTC to question more broadly data handling practices across industries. In the most recent children’s app report, for example, the FTC noted that users are not being told that apps collect device IDs and geolocation data or that, across the hundreds of apps studied, a majority shared device IDs and other user information with data aggregators.
The reference to data aggregators was not an aside. In response to its growing concern about the lack of transparency it perceives, the FTC announced in late December that it has launched an investigation into data aggregators’ privacy practices. It is seeking information on the nature and sources of the data they collect, and how they use, maintain and disseminate consumer data. Similar investigations are also being conducted by Congress, and FTC commissioner Maureen Ohlhausen reportedly remarked recently that she expects the issue to be a "hot topic of discussion." Amendments to COPPA that will take effect on July 1, moreover, likely will increase the commission’s enforcement activity in this area, insofar as they change the definition of personal information for COPPA purposes to include geolocation information and persistent identifiers that can be used to recognize a user over time and across different online services.
Other COPPA amendments and FTC actions also illustrate how the FTC is now pushing to expand the scope of responsibility, and thus potential liability, that companies may have for the actions of others interacting with their data tools. Under COPPA, the FTC may now seek to impose liability on website operators for data collected through third-party features available on their sites. The FTC last year also brought or settled a number of data breach enforcement actions where the alleged breach was in a third party’s system. Also, in the recent Mobile Privacy Disclosures report, the agency proposed that app platform providers consider imposing and enforcing privacy requirements on app developers.
The Mobile Privacy Disclosures report draws on themes seen in the FTC’s recent enforcement actions to present an overall view of the agency’s current approach. First, the FTC is advocating privacy by design principles as a baseline practice for data collection, protection and sharing, encompassing the expectation that project managers work privacy principles into system design from the ground up. Second, the FTC is pushing for clearer, just-in-time disclosures and more express, opt-in consents as minimal best practices. Third, the agency considers extending do-not-track choice more broadly, including in the mobile world, a priority.
The California attorney general’s choice of Delta Airlines to sue first could not have been a mistake. Nor was the Securities and Exchange Commission’s pushing The Hartford and others last year to disclose more regarding cybersecurity practices in SEC filings. Both seem calculated to send the message, which the EC explicitly sent, that understanding data-handling practices is no longer just for the IT folks. That is, as outgoing FTC commissioner Jon Leibowitz recently observed: "Some companies are doing a good job following these principles and protecting consumer privacy, but if other companies don’t wake up and do better, industry is more likely to face more proscriptive laws down the road. And not very far down the road, because privacy is a bipartisan issue."
James DeGraw is a corporate technology partner at Ropes & Gray in San Francisco. His practice includes advising clients on the collection, handling and protection of data, and on navigating the opportunities and concerns raised by changes to data privacy and security laws and by the growth of social media. Michelle Visser, an associate in the firm’s S.F. office, focuses on complex business litigation, including data security breach matters.