- ABA Groups
- Resources for Lawyers
- About Us
Dominique Shelton is a partner in the intellectual property department of Edwards Wildman’s Los Angeles office. She advises advertisers, product manufacturers, and cable studios regarding privacy, regulatory issues arising from Web 3.0 marketing, behavioral advertising, social networking websites, user-generated content, and digital advertising. She can be reached at email@example.com. The author wishes to acknowledge the contributions of her colleagues Alan L. Friel, Laurie A. Kamaiko, and Mark E. Schreiber to the material used in this article.
2012 began with over 100 consumer class actions pending in the U.S. courts, relating to companies tracking users’ behavior online and on mobile devices in order to create targeted advertisements. Targeted advertising has become global and ubiquitous.
Online behavioral advertising (OBA) is a type of targeted advertising, by which companies track consumers’ online activities to target them for digital advertising directed at their specific interests. Digital advertising is an $80.2 billion industry.1 With online ad spending now exceeding that of print advertising, the appropriateness of using OBA, particularly the level of notice afforded and consent required of consumers, is increasingly being scrutinized. Other forms of tracking customer online behavior also are under attack. In December 2011 alone, over 60 class actions were filed against the mobile industry for tracking user behavior for internal analytics and measurement purposes, rather than for advertising purposes.
Significant privacy concerns have been raised by regulators and legislators, and in a rash of class actions against a wide range of companies, regarding the practice of tracking user behavior online or via mobile devices. Industries targeted for scrutiny include telecommunications and media companies, Internet providers, wireless phone manufacturers and device makers, and software development companies.
As companies increasingly avail themselves of new technologies and platforms to connect to their customers, they too are subject to becoming named in such regulatory and legal proceedings. Beyond the technology industries, any company that has a website or markets using mobile applications is vulnerable to claims that it has targeted advertising or tracked user behavior to create customized product offerings. For example, retailers, mobile marketers, health care institutions, and even insurers face this exposure (both as users of OBA themselves and as insurers of other companies that track consumer activities for targeted advertising and other purposes).
Companies across industries are increasingly availing themselves of new technologies and platforms to connect with their customers, market their products, assess product development, and track trends that present significant areas of interest to both them and their customers. Many companies are actively developing products that will allow them to combine data from a variety of sources to develop product offerings, analyze customer purchasing trends, and develop internal metric tools. There is now the potential ability for companies to overlay consumer purchasing trends (through loyalty programs) with social networking data (from Facebook or Twitter), where companies and individuals often have a presence, allowing for the creation of highly targeted and segmented advertising profiles and the delivery of the most customized product offerings based upon consumers’ individual interests.
Last year, one major credit card company published patents described as advertising databases that could combine consumer purchasing history with other online social networking preferences, which enable the development of an advertising profile that could be targeted to particular consumers. Companies in a wide range of businesses operate websites and smart phone applications containing tracking technology that can identify the websites users visit, their specific geographic locations, and the pages that they “Like” through Facebook. This tracking has had the benefit of permitting website operators to serve targeted ads, which have click-through rates that are twice as effective as regular banner ads, which users have come to ignore. Tracking for internal analytic purposes has also allowed companies to create infrastructure based upon users’ locations, and create new products tailored to users’ interests.
The widespread usage of such OBA has captured the attention of class action attorneys, alleging common law claims and violations of various federal and state statutes directed at limiting collection and dissemination of information about individuals. Some of these statutes often require specific disclosures, with statutory penalties and fines for violations.
Companies are likely to be called upon to address these issues as targets of these class actions for marketing their own products through websites and tracking users, and as customers of vendors that create company microsites and smart phone applications pursuant to contracts for which there may be inadequate defense, indemnity, and insurance clauses. The recent privacy class action claims can present an unexpected exposure for companies. First, the vendors whom the companies relied upon to create the apps or microsites may no longer be in business themselves. Second, the indemnities (if they exist in the contract) may be meaningless if the vendors have no assets. Third, tendering these class actions to insurers for defense triggers the challenge insurers face of addressing requests for coverage under policies not intended to cover such risks. In the latter case, insurers are presented with an opportunity to develop new products to specifically address these exposures.
In light of these activities and exposures, a good understanding of the developing issues relating to tracking and behavioral advertising is essential for companies marketing through mobile applications, websites, and social networks.
Federal regulators have already taken action based on existing federal statutes, as well as proposed amendments to expand existing legislation to encompass OBA within their scope.
The Federal Trade Commission (FTC) defines OBA as a process of “tracking . . . consumers’ online activities in order to deliver tailored advertising.”2 It often, but not always, includes a review of the searches consumers have conducted, the web pages visited, the purchases made, and the content viewed—in order to deliver advertising tailored to an individual consumer’s interests. In its March 2012 report titled Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, the FTC calls for a “Do Not Track” option to prevent targeted advertising without consumer consent.3
On September 15, 2011, the FTC also recommended amendments to the Children’s Online Privacy Protection Act (COPPA),4 which would expand the definition of “personal information” to include OBA information. Final comments were due at the end of December 2011, with the amendments still to be finalized. One hundred eighty comments were filed by privacy public interest advocates and industry groups.
Also in 2011, the FTC announced four enforcement consent orders against companies for delivering OBA without consumer consent. For each of these actions, the FTC alleged “deceptive” acts in violation of FTC Act § 55 and imposed ongoing reporting requirements for some of up to 20 years.
FTC Consent Decrees Regulating OBA in 2011
June 2011: The FTC pursued Chitika for having an “opt out” for behavioral advertising that expired after 10 days, alleging this was a “deceptive” practice because the opt-out period was not meaningful. Chitika now has a 20-year reporting requirement to the FTC.6
August 2011: The FTC pursued its first mobile app complaint against W3 Innovations, d/b/a Broken Thumbs Apps, and against one of its officers, resulting in a consent decree against a mobile advertiser that served targeted ads to children under the age of 13 in violation of COPPA.7
November 8, 2011: The FTC issued a consent order against digital third-party advertiser ScanScout for its alleged use of flash cookies to target advertising and failure to allow consumers to opt out of receiving the cookies, despite ScanScout’s claim that they could do so.8
November 29, 2011: The FTC released its consent agreement with Facebook for alleged deceptive practices pertaining to tracking.9
President’s Privacy Framework
Consumer Privacy Bill of Rights
1. Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
2. Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
3. Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide data.
4. Security: Consumers have a right to secure and responsible handling of personal data.
5. Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
6. Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
7. Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.18
The Electronic Communications Privacy Act (ECPA)10 prevents access and tracking of user behavior without consent. Sections within the ECPA have become the basis of claims asserted in many of the pending class actions.
The Federal Wiretap Act11 is part of the ECPA. To prevail on a claim under the Wiretap Act, plaintiffs must prove that the defendants intentionally intercepted or endeavored to intercept the contents of an electronic communication using a device.12 It provides for statutory damages of $10,000 per violation or $100 per day.13
The Stored Electronic Communications Act (SCA)14 is part of the ECPA. The SCA prohibits “(1) intentionally access[ing] without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceed[ing] an authorization to access that facility; and thereby obtain[ing], alter[ing], or prevent[ing] authorized access to a wire or electronic communication while it is in electronic storage in such system.”15
The Computer Fraud and Abuse Act (CFAA)17 makes it unlawful to track user browsing behavior if this causes $5,000 in economic loss. Where economic harm is not specified, courts have been willing to dismiss CFAA complaints.19
Plaintiffs in the pending class actions have alleged a wide variety of state law claims, relying heavily on state consumer protection statutes as well as state common law claims. These can impact the class certification issues, as states vary as to whether their consumer protection acts apply to out-of-state consumers, and can give rise to state law variations among multistate classes that potentially can be raised as a defense to prevent class certification.
On March 16, 2011, the Obama administration called for a universal privacy bill, and specifically supported the FTC’s “Do Not Track” proposals. Legislators have responded. In the 112th Congress (2011–12), there are now three privacy bills that address tracking in the House of Representatives and two bills in the Senate.20
In addition, on January 30, 2012, in response to the filing of at least 60 class actions against the mobile industry for tracking for non-OBA analytic purposes, Representative Ed Markey (D-MA) announced his intent to introduce the Mobile Device Privacy Act, which would require companies to disclose to consumers the capability of software to monitor mobile telephone usage and require the mobile phone users’ express consent before tracking their usage, whether or not such tracking was for advertising purposes.21 Thus, the act of tracking user behavior online or via mobile devices is being challenged on privacy grounds even apart from the concerns raised about OBA.
Moreover, in 2012, the Obama administration went further than merely calling for national privacy legislation. Specifically, on February 23, 2012, the Obama administration issued a comprehensive 52-page framework for consumer privacy protection titled Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.22 The document outlines a vision for consumer privacy and provides important guidance, particularly in the area of behavioral advertising and in mobile media. It also contains an expanded definition of “personal data” that encompasses information (e.g., mobile unique identifiers) used to deliver targeted marketing.
The president’s privacy framework is comprised of: (1) a Consumer Privacy Bill of Rights (key provisions of which are quoted in the sidebar on this page); (2) a multistakeholder process to develop enforceable codes of conduct; (3) enhanced enforcement by the FTC and safe harbors for companies that adopt codes of conduct; and (4) a commitment to increase interoperability with the privacy frameworks of our international partners. The president has also called upon the Department of Commerce’s National Telecommunications and Information Administration (NTIA) to convene multistakeholder meetings in the near future to consider a code of conduct; NTIA is currently seeking public comments regarding the topics for and structure of the process. While the FTC is called upon to participate in these multistakeholder meetings, the adoption of a code of conduct will not preclude future FTC enforcement actions altogether. Nonetheless, according to the FTC chairman, compliance with a code of conduct could be a mitigating factor in such actions.
The president’s proposal also encourages privacy policies to be modified for mobile use such that the key provisions are easily readable on small screens. It also calls for “do not track/target” mechanisms to be implemented.
State legislatures are not far behind. California, which is typically at the forefront of privacy legislation, has proposed a “Do Not Track” bill that contains a private right of action and statutory penalties.23
The California AG pointed to studies showing that the vast majority of mobile apps have no privacy policies; specifically she noted that only 19 percent of the top 340 mobile applications post privacy policies, and overall only 5 percent of all mobile apps do so. She warned that California would apply section 22575’s requirements against the mobile industry and would not hesitate to bring enforcement actions via California’s Unfair Competition Law.27
In addition, after months of discussions with the six mobile application platform providers, representing 90 percent of the market, the California AG revealed that her office had entered into an agreement with these platform providers for a set of privacy principles, specific notice and consent requirements, and a commitment by these platform providers to implement a process for policing app publishers.28 The California AG characterized the agreement as “strengthen[ing] the privacy protections of California consumers and of millions of people around the globe who use mobile apps. . . . By ensuring that mobile apps have privacy policies, we create more transparency and give mobile users more informed control over who accesses their personal information and how it is used.”29
Since January 2011, the class action bar has filed more than 138 putative class action lawsuits, alleging violations of the ECPA, the Federal Wiretap Act, the SCA, the CFAA, and state statutes and common law. Many include allegations of a broad range of violations of other state statutes in addition to the ECPA and CFAA, ranging from state wire tap laws to computer crime laws to state consumer protection statutes, as well as common law causes of action for trespass, misrepresentation, unjust enrichment, and violations of rights to privacy, among others. Damages are already a major issue, with defendants challenging plaintiffs’ standing to pursue the class action claims based on lack of economic harm as required by statutes such as the CFAA, and plaintiffs seeking statutory damages as allowed by certain of the statutes allegedly violated. For example, the Federal Wiretap Act,37 which is often cited in these actions, provides for statutory damages of $10,000 per violation or $100 per day. The recent claims against the mobile industry for tracking allege monitoring software was installed on 151 million phones, resulting in a floor of alleged damages of $1.5 billion.
While the first wave of class actions, filed in 2010, focused on cable companies providing Internet services, in recent months targets of putative class action complaints have included companies ranging from online retailers to financial institutions. Allegations range from assertions of improper use of “spyware,” “persistent tracking cookies,” and other applications to track consumer behavior, to assertions of failure to provide requisite disclosures and obtain requisite consents, as well as a broad range of statutory and common law violations.38
These class actions are still in the early stages, with issues such as class certification, standing, viability of certain causes of action, and alleged damages still to be fully litigated, although some early decisions indicated that plaintiffs may face difficulties pursuing ECPA, CFAA, and common law privacy claims in many of the suits, and courts at least initially showed a willingness to infer consent to receive behaviorally targeted advertising if a consumer reviewed privacy disclosures provided by companies. However, these early rulings relate to only a few of the class actions pending, and in many instances portions of the actions have survived and are still pending.
Any company that advertises online or through mobile phone applications, has a website, or otherwise collects, uses, or stores consumer data is potentially exposed to OBA and other types of “Do Not Track” claims.
Companies that are engaged in marketing their products online and through smart phone apps need to be aware of the domestic and global landscape. Companies across industries also are increasingly using sophisticated databases to track consumer interests, web views, social networking patterns, and even purchasing patterns, and merging that data into their own databases to create advertising/marketing profiles. Many of these activities likely entail some component of tracking technology. Moreover, their vendors (who create the smart phone apps, serve targeted ads, or create microsites) also are often actively engaged in behavioral advertising promotions, or tracking customer data for their own internal analytic purposes.
Given the importance of digital advertising revenue to digital business models, concerns over tracking and privacy will only continue to grow, as will regulatory scrutiny and litigation.
1. eMarketer, http://www.emarketer.com (June 2011). Digital spending is expected to exceed $94 billion in 2012. Id.
2. FTC Staff Report: Self-Regulatory Principles for Online Behavioral Advertising 2 (2009), available at http://www.ftc.gov/os/2009/02/P0085400behavadreport.pdf.
3. Available at http://ftc.gov/os/2012/03/120326privacyreport.pdf.
4. 15 U.S.C. §§ 6501–06; Children’s Online Privacy Protection Rule, 16 C.F.R. pt. 312, available at http://www.ftc.gov/os/2011/09/110915coppa.pdf. The FTC also issued a guidance regarding consumers and cookies. See Cookies: Leaving a Trail on the Web, OnGuardOnline.gov (Nov. 8, 2011), http://onguardonline.gov/articles/0042-cookies-leaving-trail-web.
5. 15 U.S.C. § 45(a).
6. See Chitika, Inc., FTC Docket No. C-4324, File No. 102-3087 (June 17, 2011), available at http://www.ftc.gov/os/caselist/1023087/index.shtm.
7. See United States v. W3 Innovations, LLC, No. CV-11-03958-PSG (N.D. Cal. Sept. 8, 2011), available at http://www.ftc.gov/os/caselist/1023251/index.shtm.
8. See ScanScout, Inc., FTC Docket No. C-4344, File No. 102-3185 (Nov. 8, 2011), available at http://www.ftc.gov/os/caselist/1023185/index.shtm.
9. See Facebook, Inc., FTC File No. 092-3184 (Nov. 29, 2011), available at http://www.ftc.gov/os/caselist/0923184/index.shtm.
10. 18 U.S.C. § 2510.
11. Id. § 2511.
12. Id. § 2511(1).
13. Id. § 2520.
14. Id. § 2701.
15. Id. § 2701(a).
16. See, e.g., In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011) (dismissing the plaintiffs’ ECPA claims with leave to amend); In re Facebook Privacy Litig., No. 10-02389 (N.D. Cal. Nov. 22, 2011) (dismissing the plaintiffs’ claims with prejudice on the ground, among other things, that no harm had been shown); Mortensen v. Bresnan Commc’n, L.L.C., No. 1:10-cv-00013, slip op. at 12 (D. Mont. Dec. 13, 2010) (No. 30) (dismissing plaintiffs’ class action allegations based upon the federal ECPA on grounds that Bresnan’s privacy disclosures disclosed its collection and tracking of user “browsing behavior,” and concluding that by using “Bresnan’s Internet Service, [the plaintiffs] gave or acquiesced their consent to such interception”).
17. 18 U.S.C. § 1030.
18. See Fact Sheet: Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights, White House (Feb. 23, 2012), http://www.whitehouse.gov/the-press-office/2012/02/23/fact-sheet-plan-protect-privacy-internet-age-adopting-consumer- privacy-b.
19. See, e.g., LaCourt v. Specific Media, Inc., No. 10-1256-GW, 2011 WL 1661532 (C.D. Cal. Apr. 28, 2011). The court held that the plaintiffs failed to allege economic harm as required by the CFAA. Id. at *8. Similarly, in Bose v. Interclick, Inc., No. 1:10-cv-9183 (S.D.N.Y. Aug. 17, 2011) (No. 36), the court dismissed with prejudice the plaintiff’s claims of alleged violations of the CFAA for failure to allege harm. See also In re iPhone Application Litig., No. 11-MD-02250-LHK (N.D. Cal. Sept. 20, 2011) (No. 8).
20. H.R. 611, 653, and 654, recommend “do not track” without consumer consent (introduced, respectively, by Representatives Bobby Rush and Jackie Speier, all in February 2011). Senators John Kerry and John McCain introduced similar legislation on the Senate side. See Commercial Privacy Bill of Rights Act, S. 799, 112th Cong. (Apr. 2011). Senator John “Jay” Rockefeller introduced the Do-Not-Track Online Act of 2011, S. 913, which would create a “universal legal obligation” for companies to honor users’ opt-out requests on the Internet and mobile devices.
21. Mobile Device Privacy Act (Discussion Draft), available at http://markey.house.gov/sites/markey.house.gov/files/ documents/Mobile%20Device%20Privacy%20Act%20--%20Rep.%20Markey%201-30-12_0.pdf.
22. Available at http://www.whitehouse.gov/sites/default/files/privacy-final.pdf.
23. In California, a “do not track” bill is pending. The bill (S. 761) was introduced by state Senator Alan Lowenthal in April 2011. It would require the state attorney general to issue regulations that would require web companies to notify state residents about online data collection and allow them to opt out. In addition, the California bill contains a private right of action and $1,000 statutory damages per violation.
24. Press Release, State of Cal. Dep’t of Justice, Office of Attorney Gen., Attorney General Kamala D. Harris Secures Global Agreement to Strengthen Privacy Protections for Users of Mobile Applications (Feb. 22, 2012), available at http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-secures-global-agreement-strengthen-privacy.
25. Cal. Bus. & Prof. Code § 22575.
26. Id. § 22575(a).
27. Id. § 17200 (also permitting class actions by consumers).
28. Press Release, State of Cal. Dep’t of Justice, Office of Attorney Gen., supra note 24.
30. Press Release, Info. Comm’r’s Office, “Must Try Harder” on Cookies Compliance, Says ICO (Dec. 13, 2011), available at http://www.ico.gov.uk/news/latest_news/2011/must-try-harder-on- cookies-compliance-says-ico-13122011.aspx.
31. Available at http://www.gsma.com/publicpolicy/privacy-design-guidelines-for-mobile-application-development/.
32. Available at http://www.mmaglobal.com/news/mobile-marketing-association-releases-final-privacy-policy-guidelines-mobile-apps.
33. Guidelines: Privacy and Online Behavioural Advertising, Office of Privacy Commissioner of Can., http://www.priv.gc.ca/information/guide/2011/gl_ba_1112_e.pdf (last updated June 2012).
36. See 16 C.F.R. pt. 312.
37. 18 U.S.C. § 2520.
38. See supra notes 16, 19.