Posted on

Are You Behaving Badly? Global Regulation of Behavioral Marketing

On Wednesday, September 30, 2009, from 12 noon – 1 p.m. (U.S. EDT), Rimon will be hosting a teleseminar as part of its “Doing Business Globally” series. Entitled Global Regulation of Behavioral Marketing, this seminar will be presented by Rimon partners Douglas J. Wood and Joseph I. Rosenbaum from New York, and Gregor Pryor from London. The seminar will explore the legal implications to advertisers, marketing professionals and brands associated with the labyrinth of global regulation increasingly applicable, or newly enacted, in connection with the targeting of consumers — on and off the web — through behavioral marketing.

Privacy and consumer groups object to such sophisticated techniques, fearful it further erodes what little privacy protection remains. Regulators are concerned such practices may violate privacy and data protection laws, or worse, are simply not covered by existing law and regulation. Marketers respond that such advances allow for a far more efficient, consumer-friendly marketplace, and that self-regulation has been a successful model in the advertising industry for more than 30 years. In this interconnected, networked age of social networking and global communication, understanding the implications and the legal and regulatory landscape is critical for every advertising professional and marketer, and the brands they represent. The camps remain far apart. Advertising industry associations call for self-regulation, recently releasing a report entitled Self-Regulatory Principles for Online Behavioral Advertising. Only about two months later, as previously reported in Legal Bytes, a coalition of 10 consumer advocacy and privacy groups released a fresh call for new regulation in a report referred to as a Legislative Primer, entitled Online Behavioral Tracking and Targeting Concerns and Solutions. The dividing lines remain drawn, tensions remain high, and the balance unclear – perhaps because the technology environment keeps rewriting the rules of engagement. Want to know more? Don’t miss this informative presentation.

Join us for this exciting and timely Rimon Teleseminar. You can view the Invitation to obtain more information, or go right to the Registration page. We look forward to your participation.

Posted on

Self-Regulatory Online Behavioral Advertising Principle No. 6: Sensitive Data

This post was also written by Anthony S. Traymore.

Almost down to the wire, here is the next installment summarizing the sixth of the seven principles contained in the Self-Regulatory Online Behavioral Advertising Principles released by the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus. For reference, the seven enumerated principles are:

The Sensitive Data principle segments sensitive data into two basic categories – personal information of children under the age of 13, and financial and health-related information, regardless of the age of the individual.

The Sensitive Data principle segments sensitive data into two basic categories – personal information of children under the age of 13, and financial and health-related information, regardless of the age of the individual.

With respect to the collection and use of data for online behavioral marketing purposes, if you have actual knowledge that any of the information being collected is from individuals under the age of 13, or if your website is targeted at children under the age of 13, the Sensitive Data principle states you should not be collecting any personal information from or be engaged in any online behavioral advertising with regard to that individual, unless you comply with the Children’s Online Privacy Protection Act (COPPA), and then, only to the extent specifically allowed by COPPA.

In case you’ve forgotten, COPPA requires you to have “verifiable parental consent” prior to collecting any personal data from children under the age of 13. The Federal Trade Commission routinely enforces COPPA, and violations may carry fines in excess of $1 million, in addition to the damage to goodwill and public image that can result. Compliance with the provisions of COPPA is tricky. While this post will not belabor the ambiguities that have already been reported about what constitutes “verifiable parental consent“, suffice it to say that when dealing with children under the age of 13, it is best to exercise considerable caution in connection with online marketing efforts – behavioral or otherwise – and to always consult an attorney well-versed in guiding you through the compliance maze.

With respect to personal information related to an individual’s financial or health status, age is not relevant to this sixth principle. What is relevant is the requirement that you obtain the consent of the individual if you are collecting the information online and you intend to use it. Prudent practice would indicate you should affirmatively obtain the individual’s consent in advance – whether during the process of registration, through formal acceptance of terms of use that clearly solicit consent, or through any other means. Clearly, if you plan to share this information with third parties in connection with online behavioral marketing efforts, you should indicate that to the individual. In all cases, the principle notes that you should always provide the individual with the right and an option, at any time, to opt-out of the use of his or her information for such purposes.

As mentioned, this is the sixth of the seven principles being highlighted, but if you would like to read the entire “Self-Regulatory Principles for Online Behavioral Advertising” report now, in its entirety, just follow the link. Legal Bytes will be bringing you a summary of the remaining principle next week. And now, as always, if you have any questions or need help, please feel free to contact Anthony S. Traymore or me, or any of the Rimon attorneys with whom you regularly work.

Posted on

Privacy and Consumer Groups Want More Than Just Self-Regulation

This post was also written by Adam Snukal.

As previously reported in Legal Bytes, it seems that not everyone is satisfied with the Self-Regulatory Principles for Online Behavioral Advertising recently promulgated by several leading advertising associations. A group of 10 consumer and privacy advocacy organizations (i.e., Center for Digital Democracy, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, Privacy Lives, Privacy Rights Clearinghouse, Privacy Times, U.S. Public Interest Research Group and The World Privacy Forum called on Congress earlier this week to enact legislation in response to what they feel are genuine threats to privacy arising from online behavioral tracking and targeting.

The guiding principles the coalition wants Congress to follow in its enactment of privacy legislation are substantively contained in the following Fair Information Practices (“FIP”), which the coalition claims has been the foundation of U.S. privacy policies for decades: collection limitations, data quality, purpose specification/communication, use limitation, security safeguards, appropriate openness, individual participation and knowledge rights, accountability, and redress. FIP was coined by a U.S. government advisory committee in 1973 in response to the use of automated data systems that contained information about individuals. The U.S. Privacy Act of 1974 established a code of fair information practices, and the FTC refers to these practices in a report entitled, Privacy Online: Fair Information Practices in the Electronic Marketplace (May 2000).

A sample of the principles contained in the coalition’s Legislative Primer, entitled Online Behavioral Tracking and Targeting Concerns and Solutions, includes:

  • A definition of “sensitive information,” along with guidelines as to the kinds of data that should not be collected or used for behavioral tracking/targeting
  • A prohibition on the collection or use of data from anyone under the age of 18
  • The right of an individual to obtain access to his/her personal or behavioral data
  • Personal and behavioral data collected must be relevant for the purposes for which they are to be used
  • A private right of action given to each individual whose data is collected and tracked, along with liquidated damages and appropriate federal/state regulation and oversight

Given the July release of self-regulatory principles, crafted and widely embraced by the advertising industry, with explicit support for self-regulation from the FTC itself, and three decades of successful self-regulation in the advertising industry (guided by the Council of Better Business Bureaus), it is not clear why a spokesperson for the Privacy Rights Clearinghouse would take the position that “The record is clear: self-regulation doesn’t work. It is time for Congress to step in and codify the principles into law.” Or why a spokesperson for Consumer Watchdog commented: “We’ve seen in industry after industry what happens when the fox is left to guard the chicken coop – consumers lose.”

With Congressman Boucher (D-Va.), Chairman of the Subcommittee on Communications, Technology and the Internet, indicating that his Subcommittee intends to visit this issue in the fall, it is not clear whether Congress will allow the industry and the FTC an opportunity to give self-regulation time to work, or if a perceived need to “do something” and change the status quo remains. One thing has not changed: the positions of the industry and consumer and privacy advocacy groups.

Legal Bytes will keep you posted on developments in this area as they evolve, but if you need help or want further information, feel free to contact Adam Snukal, me, or any of the Rimon attorneys with whom you regularly work.

Posted on

Self-Regulatory Online Behavioral Advertising Principle No. 5: Material Changes

Here is the fifth in our installments of summarizing the seven principles contained in the Self-Regulatory Online Behavioral Advertising Principles released by the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus, For reference, the seven enumerated principles are:

The Material Changes principle requires an organization engaged in behavioral advertising to obtain consent before applying any material changes to its existing online behavioral advertising policies and practices – specifically, to the data collection-and-use policies and practices that apply to data collected prior to the effective date of any material change to these policies and practices.

This principle also makes it clear that a change in policy or practice that would result in less data collection or more restrictive use of the data (i.e., less or more restrictive use of the data than existing usage) is NOT a material change that would require prior consent. This makes sense considering that the purpose of the principle, when coupled with Transparency and Consumer Control, is not to merely give consumers an absolute right to consent or to reject any and all changes, but only those that would broaden, deepen or alter in an expansive or materially different manner, the existing collection-and-use practices of the organization. If a change would result in less data being collected or more constrained use of the data being collected, a consumer would likely be notified of the change, but consent would not be required.

Legal Bytes will be bringing you a summary of the remaining two principles in the next week. And now, as always, if you have any questions or need help, please feel free to contact me or any of the Rimon attorneys with whom you regularly work.

Posted on

Death Knell or Glimmer of Hope: Care to Bet on Online Gambling?

Legal Bytes has previously reported to you concerning Title VIII of the Security and Accountability For Every Port Act of 2006 (or SAFE Port Act), which is the part of the SAFE Port Act endearingly known as UIGEA (the Unlawful Internet Gambling Enforcement Act of 2006). On Tuesday, the U.S. Court of Appeals for the Third Circuit rejected a claim by the Interactive Media Entertainment & Gaming Association that UIGEA is too vague or unconstitutional or infringes on the individual’s right to privacy. The unanimous ruling was issued amid a tug-of-war between the Justice Department that is anxious to crack down on the gambling industry, and the actions of Rep. Barney Frank (D-Mass.) and other members of Congress who are advocating legislation to legalize the gaming industry.

The decision to uphold UIGEA, which banned payment processing by U.S. financial institutions for online betting, might appear to be a blow to the gaming industry, but there is a potential ray of hope. On page 8 of the Court’s Opinion, the Third Circuit concluded UIGEA was not constitutionally vague, nor had the law made any gambling activity illegal. Rather, the vagueness problem cited by the Court arose from the underlying state law. To wit, the Court explicitly notes what many in the industry have known for a long time: “[T]he Act itself does not make any gambling activity illegal [under the UIGEA]. Whether the transaction in Interactive’s hypothetical constitutes unlawful Internet gambling turns on how the law of the state from which the bettor initiates the bet[.]”

One can thus read this decision as an opportunity for state gambling clarity. Currently, only six states in the United States have an outright prohibition against Internet gambling; the other 44 states (and U.S. territories) have an opportunity, if they wish to seize it, to legalize, authorize, license, regulate and potentially tax online gambling.

For the record, the Frank Internet gambling legislation that proposes to delay enforcement of UIGEA pending the enactment of a federal online gambling licensing and regulatory framework, has been pending in committee since May, and there are many pressing items on Congress’s plate. Thus, it is unlikely that Congress is poised for quick action on this legislation. That said, the court’s decision appears to leave the door to online gambling enabled by state legislation open. Stay tuned.

If you need to know more, contact Amy S. Mushahwar directly, or you can always contact me, or the Rimon attorney with whom you regularly work. We are happy to help.

Posted on

Useless But Compelling Facts – September 2009

While Oscar Wilde is credited with saying, "Life imitates art far more than art imitates Life", perhaps I can coin the phrase "Technology mimics living organisms far more than living organisms mimic Technology." Yes we have robotic arms, biotechnology and more, but come on – clouds, pods, viruses and worms – what’s next, social networks? What, they are here . . . did you miss that one?

In any event, that’s why it comes as no surprise to me the first use of the term "robot" is generally attributed to the wonderful Czech playwright Karel Čapek. Now Čapek never envisioned some metallic assemblage of mechanical parts. Oh no, he viewed robots more like our notion of androids – creations of chemistry. (I was a chemistry major at one point in life so I should have known this.) It probably also wouldn’t surprise you to learn the term "robotics" was first used in a short story ("Runaround") by the acclaimed science fiction writer, Isaac Asimov. But I digress again.

Now Čapek’s play R.U.R. (Rossum’s Universal Robots), which was first published in 1921, used the Czech word robota, which in English translates to labor, and "Rossum" is generally considered to refer to the Czech word rozum, which translates to either "reason," "wisdom" or "common-sense." Now you know all this background is leading up to a useless but compelling question, right? Of course. There is actually some evidence that the term "robot" was suggested by someone else, before Čapek penned his work. Another writer to whom Čapek actually gave credit and attribution for the term may well deserve the credit. Can you identify who that might be? If you think you know, send your answer first and fast directly to me at joseph.rosenbaum@rimonlaw.com

Posted on

Useless But Compelling Facts – August 2009 Answer

For last month’s contest, we extend our congratulations to first-time winner Kevin K. Forrester, who first sent us the key significant events that occurred July 4, 1826 – notably, in addition to being the 50th Anniversary of the signing of the Declaration of Independence, it was also the date both Thomas Jefferson and John Adams died. Many other folks noted this was also the birth date of Stephen Collins Foster. Foster, often cited as the "father of American music," was the pre-eminent songwriter of the 19th century in the United States, publishing his first song when he was only 18. His songs remain popular to this day, with such favorites as "Oh! Susanna," "Camptown Races," "Old Folks at Home" (generally known as "Swanee River"), "My Old Kentucky Home," and "Beautiful Dreamer." Foster was born and lived in a part of what is now Pittsburgh (Lawrenceville).

Posted on

Could the Government Seize Control of the Internet?

The text of the Cybersecurity Act of 2009 (the “Act”) is now available, and individuals, organizations and associations, and, of course, lawyers, are now starting to digest its contents.

This legislation, introduced by Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), would appear to give the federal government sweeping and unprecedented authority over the Internet. Section 2 of the bill starts off with a lengthy series of observations about horrible things and consultants’ wisdom concerning our vulnerability to “attack.” Curiously, it is unclear exactly how the bill and the powers to be granted the government will correct that issue. But I digress.

So when the title of this post says “the Internet,” you’re kidding, right? Of course, you must mean government-operated networks or defense or intelligence systems, right? Well . . . not really. Hmm. Then you must mean those critical infrastructure systems related to national defense – you know, communications and transportation systems? Well . . . not exactly. You see the bill includes, within the meaning of systems and networks covered by the Act, “State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and networks.” In other words, we’ll know what they are when the President tells us what they are. Comforting for federal legislation, isn’t it?

“Non-governmental” includes financial institutions – then again, the government already owns a chunk of those anyway – wired and wireless carriers, electricity grids, gas and power systems, and air and rail transportation systems, to name a few. All of these are currently in the hands of private companies and management. Go ahead, name some systems that aren’t directly or indirectly critical or connected to critical systems – my refrigerator, for instance, or your digital music account.

There is even a section in the Act that proposes to enable the President, with almost no restriction, to shut down all message traffic on the Internet in an “emergency,” and to order the disconnection of all critical infrastructure systems in furtherance of national security. Now if that amount of authority, without any guidance or parameters built into the legislation, isn’t enough, here’s more. The bill also gives the Secretary of Commerce the right to access all relevant data concerning these critical infrastructure networks without regard to any provision of law, regulation, rule, or policy that would otherwise temper or restrict such access. No standards. No limits on what data or why. No opportunity for judicial review, much less intervention.

Curiously, just this past June, the Government Accountability Office (GAO), in testimony before Congress entitled Cybersecurity: Continued Federal Efforts Are Needed to Protect Critical Systems and Information, noted that continuing efforts to remedy systems security and network vulnerability needed far less dramatic remediation – fixing things like correcting insufficient access controls, better network management, inadequate or poor audit procedures, ineffective information security programs, and in some cases, simply adding encryption where none exists today. Critics of the Act have questioned whether granting the President far-reaching and ambiguous power is proper, but just as significantly, whether they will actually deal with the problem.

As with many legislative initiatives, this appears to deal with the aftermath of a cyber-attack, not at preventing one from ever occurring. Has it occurred to anyone that mandating standards for security, updating and maintaining security where appropriate, and simply requiring government or other critical systems to practice security measures that have been known for years or even decades, is much more likely to allow the nation to avoid and withstand a cyber-attack?

One can only wonder whether placing control of the Internet in the hands of the government might actually make vulnerability to a devastating cyber-attack greater. When the ‘net was first conceived, it was precisely it’s dispersion, diversity and lack of central control that was at its core, and its endearing and enduring characteristic. No one point of control, no single point of vulnerability. Redundancy, multiple pathways, mirror image reflections and files ensured that if one part was crippled, others would continue to function. True, times change, technology changes, and, so too, must our defense mechanisms and postures. But one has to wonder whether centralizing command and control in an emergency might not just give the bad guys a single point of vulnerability and failure to concentrate on, instead of making it more difficult – precisely when we need the Internet the most. Food for thought.

For information about security (can you say PCI compliance?) or privacy (GLB anyone?) or data breach assistance (is your identity safe?) look up Joseph I. Rosenbaum, send me an email, or contact the Rimon attorney with whom you regularly work. We are happy to help.

Posted on

Self-Regulatory Online Behavioral Advertising Principle No. 4: Data Security

The Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus, recently released its Self-Regulatory Online Behavioral Advertising Principles. When we announced these principles, we also promised to provide you with a bit more detail regarding each of these principles, which are listed below; so here is a brief summary of the fourth – Data Security. For reference, the seven enumerated principles are:

The Data Security principle requires entities to provide reasonable security for, and limited retention of, data collected and used for online behavioral advertising purposes. Consistent with the FTC standard, entities must maintain appropriate physical, electronic and administrative safeguards based upon the sensitivity of the data. Further, data collected and used may not be retained any longer than necessary to fulfill a legitimate business need (e.g., testing and auditing) or as required by law. In addition, the principle sets forth the steps that service providers (e.g., entities that provide Internet service, toolbars, web browsers or comparable desktop applications) must take in connection with data collection and use, including alteration, anonymization or randomization (e.g., hashing) of personally identifiable information; enhanced notice and disclosure at the time the data is collected; and the protection of the non-identifiable nature of data shared with non-affiliates. Under the Data Security principle, service providers will be held accountable for compliance with these principles in connection with their collection and use of data for online behavioral advertising purposes. Thanks to Stacy Marcus for her analysis.

We can now also report to you that yesterday a coalition of 10 consumer and privacy advocacy groups (i.e., Center for Digital DemocracyConsumer Federation of America, Consumers UnionConsumer WatchdogElectronic Frontier FoundationPrivacy LivesPrivacy Rights ClearinghousePrivacy Times, U.S. Public Interest Research Group, and The World Privacy Forum, has released a draft of their own principles, in the form of a Legislative Primer, entitled Online Behavioral Tracking and Targeting Concerns and SolutionsLegal Bytes will have a more detailed report for you on this new development in the next day or two, and in the meantime – or any time – feel free to contact me, Stacy Marcus, or any of the Rimon attorneys with whom you regularly work.