
The Business Lawyer

Winter 2022-2023 | Volume 78, Issue 1

Recent Developments in Privacy Law

Meg Strickler

Summary

  • This year’s update addresses a variety of legal developments: a policy statement by the Federal Trade Commission (“FTC”), federal enforcement actions, a report on data practices, and self-regulation in the industry.
  • Part II considers online privacy protections for children, including a discussion of the FTC’s position on education technology and a review of recent enforcement actions. Part III covers two recent settlement agreements pertaining to large-scale misrepresentations about privacy.
  • Part IV reviews an FTC study that examined the privacy practices of six major Internet service providers. Finally, Part V discusses a major shift in the self-regulation of data brought about by Apple’s App Tracking Transparency policy.

I. Introduction

The continued proliferation of technology- and surveillance-based business models has demanded constant evolution of the privacy law landscape to address growing concerns for privacy and data security. This year’s update addresses a variety of legal developments: a policy statement by the Federal Trade Commission (“FTC”), federal enforcement actions, a report on data practices, and self-regulation in the industry. Part II considers online privacy protections for children, including a discussion of the FTC’s position on education technology and a review of recent enforcement actions. Part III covers two recent settlement agreements pertaining to large-scale misrepresentations about privacy. Part IV reviews an FTC study that examined the privacy practices of six major Internet service providers. Finally, Part V discusses a major shift in the self-regulation of data brought about by Apple’s App Tracking Transparency policy.

II. Privacy Protections for Children

A. The FTC’s Stance on Education Technology and Children’s Online Privacy

On May 19, 2022, the FTC issued a policy statement emphasizing its commitment to ensure that providers of education technology tools continue to meet their legal obligations with respect to children’s privacy. The Children’s Online Privacy Protection Act (“COPPA”), enacted in 2000, authorized the FTC’s enforcement of substantive restrictions on operators’ ability to collect, use, and retain children’s data. The recent policy statement adopted by the FTC discusses the application of COPPA requirements in educational settings and makes it clear that companies cannot force parents to choose between their children’s privacy and participation in digital classrooms.

Over the past decades, the online collection and monetization of consumers’ personal information has become a growing concern as companies become more sophisticated and aggressive in harvesting individuals’ personal data. The FTC addresses how this concern has become amplified in the school context, with the COVID-19 pandemic forcing schools to shift to virtual learning alternatives. This trend of technology in the classroom has left children exposed to an industry dominated by the commercial surveillance business model as they pursue their educations. However, the FTC’s policy statement underscores that providers of education technology tools must fully comply with all provisions of the COPPA Rule and children must be able to access their schoolwork without being required to forfeit their privacy.

The FTC intends to vigilantly enforce full compliance with all substantive prohibitions and requirements of the COPPA Rule by companies, including education technology providers. Specifically, the FTC’s policy statement focuses on four key provisions for investigating potential COPPA violations in educational settings: prohibitions against mandatory collection, use prohibitions, retention prohibitions, and security requirements. First, prohibitions against mandatory data collection prevent companies from conditioning participation in any activity on a child’s disclosure of more information than is reasonably needed. Second, education technology providers that collect personal information from a child with the school’s authorization are prohibited from using the information for any commercial purpose, including marketing or advertising. Third, education technology providers are prohibited from retaining children’s data for longer than reasonably necessary to fulfill the purpose for which it was collected. Providers may not retain children’s data for speculative future use. Finally, education technology providers are required to have procedures to maintain the confidentiality, security, and integrity of children’s personal information.

B. Recent Enforcement of the COPPA Rule

Over the past year, the FTC has continued investigating potential violations of the COPPA Rule to ensure crucial privacy protections for children’s data online, which resulted in several federal enforcement actions against companies.

1. United States v. KuuHuub Inc.

On July 21, 2021, the Department of Justice and the FTC announced a settlement agreement reached with KuuHuub Inc., Kuu Huub Oy, and Recolor Oy, which resolved alleged violations of COPPA and the FTC Act related to the companies’ “Recolor” mobile app and digital coloring book. The FTC alleged that the defendants collected and disclosed personal information of children under thirteen using the Recolor app.

The complaint, filed in the U.S. District Court for the District of Columbia on June 30, 2021, claimed that the coloring book app included a “kids” category with illustrations specifically targeted at children. The FTC alleged that the defendants had actual knowledge that children under the age of thirteen were not only using Recolor, but also accessing the social media features available on the app for communication. The complaint further alleged that the defendants allowed third parties to collect persistent identifiers of children using the app to serve behavioral advertising without obtaining verifiable parental consent, in direct violation of COPPA.

In a stipulated order, the defendants agreed to pay a civil penalty of $3 million (all but $100,000 of which is suspended) to resolve the claims. The order prohibits the defendants from engaging in the disputed practices in the future and requires notification to users of the app about the alleged violations. Further, the companies are obligated to allow refunds requested by any current subscribers of the app who were underage at sign-up. The defendants are required to delete any personal information of children in their possession, in addition to seeking the deletion of information held by third-party advertising networks to whom data was disclosed. Finally, the order mandates that the operators of the app continue to meet their legal obligations with regard to recordkeeping, certification, and compliance.

2. United States v. OpenX Technologies, Inc.

On December 15, 2021, online advertising platform OpenX Technologies, Inc. reached a stipulated settlement, agreeing to pay $2 million to the FTC for alleged violations of children’s privacy laws. The FTC claimed the California-based advertising company directly violated the COPPA Rule by collecting personal information from children under the age of thirteen without parental consent.

OpenX operates an automated advertising exchange that provides a real-time bidding platform for auctioning advertising space. The company is self-described as the largest independent advertising exchange with tens of thousands of demand-side partners (i.e., buyers of ad inventory) and over 50,000 operators of websites and applications monetizing their property. The company’s programmatic advertising model enables advertisers to select criteria and deliver targeted messages to preferred audiences. According to OpenX, it has the only traffic quality team in the industry that conducts a human review of each property to ensure compliance with the company’s policies and that the subject matter of websites and apps is accurately classified for the benefit of customers.

Investigation by the FTC revealed that OpenX reviewed hundreds of child-directed apps that included age ratings for children under the age of thirteen and identified their intended audiences with phrases such as “for toddlers,” “for kids,” “kid’s games,” or “preschool learning.” The FTC claimed that the data collected from these apps were not flagged as child-directed and were included in the OpenX advertising exchange. Through the exchange, OpenX passed personal data along to third parties who then used the information to target advertisements to users of the child-directed apps. The complaint alleged that OpenX violated the COPPA Rule because the company had actual knowledge that child-directed apps were in the advertising exchange and continued to collect and disclose the personal information of children under the age of thirteen.

In a press release announcing the settlement agreement, Samuel Levine, director of the FTC’s Bureau of Consumer Protection, commented: “Digital advertising gatekeepers may operate behind the scenes, but they are not above the law,” referring to the alleged privacy violations committed by OpenX. The stipulated order requires OpenX to delete all data collected to serve targeted ads and institute a comprehensive privacy program in compliance with the COPPA Rule. OpenX is prohibited from any future collection or retention of personal data from children under thirteen, which requires the company’s re-review of apps on a regular basis to identify any child-directed apps and ban them from the ad exchange. Further, OpenX is ordered to keep records of websites and apps that have been banned or removed from its exchange. In a concurring statement, Commissioner Phillips noted that OpenX exposed itself to liability under COPPA by having humans review apps for child-directed material, and expressed his view that it would be poor policy “to discourage human review of whether apps are child directed.”

3. United States v. Kurbo, Inc.

On February 16, 2022, the U.S. Department of Justice filed a complaint on behalf of the FTC in the U.S. District Court for the Northern District of California, alleging that WW International, Inc. (formerly known as Weight Watchers), and its subsidiary, Kurbo, Inc., had collected sensitive health information of children without parental notice or consent, in violation of COPPA. Together, the defendants market a health and wellness app and website called “Kurbo by WW” for use by children as young as eight years old. In addition to collecting personal information such as names, email addresses, and birth dates, the app also tracks users’ food intake, activity, and weight.

The FTC alleged that the sign-up process for Kurbo by WW encouraged younger users to falsely claim they were over thirteen. The FTC found that, from 2014 to 2019, hundreds of users who had signed up for the app claiming to be over thirteen had later changed their birthdates on their profiles to indicate they were actually under thirteen. The complaint further alleged that Kurbo failed to provide a means to ensure that users choosing the parent sign-up option were indeed parents, rather than children attempting to bypass the age restriction. The complaint also claimed that Kurbo violated COPPA’s notice requirements, because parents were shown a notice about information collection only if they followed a hyperlink buried among others in the sign-up process. Lastly, the FTC alleged Kurbo violated the COPPA Rule’s data retention provisions by indefinitely retaining personal information of children and deleting the data only upon specific request by a parent.

On March 3, 2022, the parties entered a stipulated settlement agreement to resolve the claims, with the defendants agreeing to pay a civil penalty of $1.5 million. The stipulated order prohibits the companies from retaining data collected from children in the future for more than one year. The injunctive provisions of the order require that Kurbo take reasonable efforts to provide notice to parents regarding its information practices for children, including notice through a prominent and clearly labeled online link on the platform. Further, prior to any future collection, use, or disclosure of children’s information, the company is required to obtain verifiable parental consent. Additionally, the order requires the destruction of all personal information previously collected without obtaining parental notice and consent, unless the companies subsequently obtain parental consent to retain the data. The settlement also requires the companies to destroy “any models or algorithms” that they developed using the illegally collected data.

III. Misrepresentations About Privacy

In an attempt to combat misrepresentations about privacy made to consumers, the FTC has continued to pursue federal enforcement actions over the past year against technology companies that employ deceptive data practices.

A. In re Residual Pumpkin Entity, LLC (CafePress)

On June 23, 2022, the FTC finalized a consent decree with the companies operating the CafePress website, resolving allegations that the companies failed to secure consumers’ sensitive personal data and covered up a major data breach. The complaint, originally filed on March 15, 2022, alleged that the online customized merchandise platform made widespread misrepresentations regarding the privacy and security of user data. The complaint details several statements disseminated to CafePress users assuring them of the safety and security of personal information on the platform, despite weak data security practices that ultimately enabled a significant breach. The complaint alleged that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including Social Security numbers in plain text, inadequately encrypted passwords, and answers to password reset questions. The complaint also alleged that the company further failed to implement readily available protections against well-known threats and to properly respond to security incidents, which led to multiple data breaches.

The FTC’s investigation revealed that the company’s lax security enabled a hacker to infiltrate the network and gain access to millions of names, email addresses, physical addresses, and passwords, along with over 180,000 Social Security numbers and tens of thousands of partial card payment numbers. Some of this information was later found on the dark web for sale. Despite receiving multiple notices of the security vulnerability and data breach, the company failed to investigate for several months or notify affected customers. CafePress withheld this essential information from consumers and only instructed users to reset their passwords as an update to the privacy policy in September 2019, after the breach had been widely reported on. In addition to security failures, the FTC alleged the company misled consumers by using email addresses for marketing purposes despite promising that such information would be used only to fulfill orders placed by the consumer.

The consent order requires Residual Pumpkin to pay $500,000 to redress victims of the data breach, and to notify consumers affected by the data breach, providing specific information about how consumers can protect their privacy and data. The companies are also required to implement comprehensive information security programs, which include: replacement of inadequate authentication measures with multi-factor authentication methods; encryption of Social Security numbers; minimization of the volume of data collected and retained; and third-party assessments of the company’s information security programs.

B. United States v. Twitter, Inc.

On May 25, 2022, the U.S. Department of Justice and the FTC took action against Twitter for deceptively using consumers’ account security data for targeted advertising. According to the complaint, filed in the U.S. District Court for the Northern District of California, Twitter began in 2013 to request that users provide either a phone number or email address under the pretext of enhanced account security. Over a period of five years, more than 140 million Twitter users provided their phone numbers or email addresses after the company told them the information would be used to secure their accounts as a means of two-factor authentication. The FTC alleged that Twitter neglected to inform users that the contact information would additionally be used for targeted advertising. According to the complaint, Twitter used the email addresses and phone numbers to enable advertisers to deliver specific ads to specific consumers by matching the information with data from other brokers.

In addition to violating the FTC Act and the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, Twitter’s misrepresentations allegedly violated a 2011 FTC Order that explicitly prohibited the company from misrepresenting its privacy and security practices. The 2011 order prohibited the company from misrepresenting the extent to which the company maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information.

On May 25, 2022, the parties filed a proposed order to resolve the FTC’s claims in the 2022 complaint, which includes a civil penalty of $150 million to be paid by Twitter. As of this writing the order is pending. The parties also stipulated to a modification of the 2011 order, which includes provisions prohibiting Twitter from profiting from deceptively collected data; allowing users alternative means to implement multi-factor authentication such as mobile authentication apps or security keys; notifying users that Twitter misused their information collected for account security to target ads; providing users with information about the platform’s privacy and security controls; maintaining a comprehensive privacy and information security program that examines and addresses any potential privacy and security risks of new products; limiting employee access to users’ personal data; and notifying the FTC if the company experiences a data breach.

IV. Privacy Practices of Major Internet Service Providers

Over the past decades, the Internet has become a ubiquitous aspect of consumers’ daily lives, serving as a fundamental tool for communication, information, commerce, and entertainment. Especially given the effects of the global pandemic, consumers have become increasingly dependent on Internet service providers (“ISPs”), and concerns about privacy and competition issues associated with Internet access have continued to grow. In August 2019, the FTC began conducting a comprehensive examination of the privacy practices of ISPs by issuing orders to the six largest U.S. ISPs seeking information on the ISPs’ data collection and use practices. A staff report setting forth key findings and observations was published on October 21, 2021. The FTC’s study investigated the practices of AT&T, Verizon, Comcast, Charter, T-Mobile, and Google Fiber, which together comprise approximately 98.8 percent of the mobile Internet market in the United States.

A. Legal Framework

Today’s ISPs have consolidated into major companies offering a multitude of services, including the provision of Internet access, but historically, federal laws have placed legal significance on classifications attached to services. While this has created some areas where jurisdiction may be unclear, the FTC does retain jurisdiction over ISPs’ Internet privacy practices, which are not classified as a common carrier activity. The FTC enforces several laws that apply to the data practices of ISPs. Section 5 of the FTC Act prohibits ISPs and their affiliates from engaging in unfair or deceptive practices. As discussed in Part II, COPPA prohibits operators of child-directed websites from collecting personal information of children under thirteen without parental authorization. Additionally, the Fair Credit Reporting Act applies to ISPs providing information to consumer reporting agencies, imposing an obligation to ensure the information they are providing is accurate. In addition to laws enforced by the FTC, ISPs are subject to laws enforced by the FCC related to telecommunication services. Finally, state and local laws may also address privacy practices of ISPs.

B. FTC Staff’s Findings and Observations: Data Collection and Use

Despite the patchwork of laws operating to keep ISPs in check, the vertical integration of platforms and services has enabled these companies to grow into technology giants, accounting for over $185 billion of revenue in the Internet industry annually. The consolidation of Internet, cable, voice, content, distribution, smart devices, advertising, and analytics in the industry has dramatically increased the volume of data ISPs are able to collect about consumers. The ISPs in the FTC’s study collected and used information to provide: (1) core services to consumers, such as Internet, voice, and video; (2) additional services to consumers, such as smart devices, streaming content, etc.; (3) marketing for their own products and other businesses’ products; and (4) other services offered to businesses, such as creating consumer behavioral profiles and aggregated business insight reports. Not only are ISPs combining data collected across their product and service lines, they are compiling consumers’ personal information, app usage, and web browsing history to create specific behavioral profiles for commercial advertising purposes. Most of the ISPs in the report also use the collected data to group consumers into segments based on sensitive characteristics, enabling third-party advertisers to target consumers based on their race, ethnicity, sexual orientation, religious beliefs, economic status, or political affiliations. The filings also revealed a major trend among ISPs to share real-time location data of specific subscribers with third-party customers.

As key players in nearly every market, ISPs have gained unchecked access to data in unprecedented volumes. These large pools of sensitive customer information combined with data from third-party data brokers allow ISPs to collect highly granular data about individual users. Further, the report observed that the average consumer does not expect ISPs to gather and use data in this potentially harmful way. The report emphasized the importance of restricting the use of data with regard to the creation of behavioral profiles classified by sensitive demographics.

C. FTC Staff’s Findings and Observations: Privacy Practices

The report raised concerns in four areas related to the privacy practices of ISPs: issues with opacity, illusory choices, meaningful access, and data retention and deletion. Although many of the ISPs purported to offer choices to consumers, they were found to often be illusory through unclear, problematic interfaces that even seem to nudge consumers to share more data. Further, despite ISPs’ promises to customers that their data would not be sold, ISPs failed to reveal the plethora of ways that data can otherwise be used, transferred, or monetized outside of selling by burying such disclosures in their policies’ fine print. Many consumers appeared to have a lack of meaningful access to their data, with ISPs often providing information that was indecipherable without context. Finally, several ISPs in the study said that information was retained as long as it was needed for a business reason, granting them virtually unfettered discretion on data retention practices. The FTC concluded the report by observing how the major ISPs in the United States have grown to be at least as intrusive as large advertising platforms to the privacy of consumers.

V. Self-regulation: Apple’s App Tracking Transparency Feature

In April 2021, Apple announced that the updated iOS 14.5 software would require all apps to request users’ permission to track consumer activity across other apps as a part of the new “App Tracking Transparency” framework. Apple’s updated privacy policy gives individual users the power to decide whether to share their personal data and with whom to share it. The new policy gives each user control over the unique serial number assigned to their devices, known as the Identifier for Advertisers (“IDFA”). Any app seeking to track a user’s data must first request permission to access the device’s IDFA specifically for tracking the user’s activity across apps. This request presents as a pop-up notification, and users are required to either decline or enable the request to proceed. Users must opt in to allow app providers to use IDFA data for advertising purposes.

This major shift in Apple’s privacy policy has led to improvements for user privacy. Tracking libraries can no longer access IDFAs, which has directly impacted the business of data brokers that rely on this third-party information on consumers. However, this change in policy did not affect companies’ ability to track users within their own applications. Despite the increased self-regulation and privacy resulting from Apple’s policy, the benefits of this policy to consumers are limited as users are still highly susceptible to data tracking through other means. Even without IDFAs, trackers gain access through “fingerprinting,” which involves the collection of seemingly innocuous information, such as device information, carriers, IP addresses, and user settings, which can then be compiled to effectively serve the same purpose as IDFAs. In addition, the policy’s benefits are limited in light of Apple’s extensive tracking of its own customers to serve advertisers. While other smaller companies have limited access to user data as a result of App Tracking Transparency, Apple now has unique access to users’ IDFAs, giving the company an even greater share of the advertising technologies and market.

VI. Conclusion

As technology continues to permeate individuals’ daily lives, privacy and data security will continue to grow increasingly important. The current pandemic marked a significant shift in our digital economy, with an even wider variety of markets and services becoming accessible online. Technology conglomerates have gained unprecedented access to valuable data of consumers, and the role of privacy law in protecting individuals’ information has become even more important. The FTC remains a key player in enforcing data privacy, especially with respect to children’s privacy, and companies like Apple have also taken large strides internally to limit the tracking of user data. However, companies largely rely on targeted advertising for their marketing, and it remains difficult to enforce meaningful limits on the exchange of sensitive consumer data.

* ABA Fellow, Steering Group Member, ABA International Law Section Women’s Interest Network. Partner, Conaway & Strickler, PC. The author gratefully acknowledges the contributions of Maya Fouad, Georgia State University College of Law, J.D. candidate 2023.