
International In-house Counsel Journal Vol. 7, No. 26, Winter 2014, 1

International In-house Counsel Journal ISSN 1754-0607 print/ISSN 1754-0607 online

Consumer Privacy and Transparency in the Digital Age: An argument for the continuation of Self-Regulation by the U.S.

Marketing Industry

JEANETTE FITZGERALD SVP & General Counsel,Chief Privacy Officer

Epsilon Data Management, USA &

NICOLE TACHIBANA Privacy Manager, Epsilon Data Management, USA

Never has privacy1 been more debated than in today’s digital age. The advent of the internet and proliferation of devices such as smartphones have enabled the instantaneous sharing, compiling and use of data for a multitude of purposes. As consumers’ shopping habits increasingly shift to the online space to buy goods, businesses are also shifting to new technologies to better understand and track consumers’ wants and needs. At this crucial time, we must adapt our privacy safeguards and policies to the new technologies and reality of our times. But the question is “how?”

The United States Constitution does not explicitly guarantee a "right to privacy"2; however, over time, the court system has recognized privacy rights, the legislature has established consumer protection laws such as the Fair Credit Reporting Act (“FCRA”)3, and government agencies have promoted guidance such as the Fair Information Practice Principles (“FIPPs”), all with the goal of extending a right of privacy to Americans. Privacy rights in the United States are not all-encompassing, but rather segmented and sectorial. These segmented laws have been developed to govern more sensitive areas like privacy of health,4 financial5 and consumer reporting6 information.

This patchwork approach creates a legal void in certain industries. This void is filled by the Federal Trade Commission (“FTC”) and self-regulatory groups. The FTC has authority to initiate actions where a company uses unfair or deceptive trade practices.7 It has carved out a niche in the privacy field by developing what some scholars describe as the agency’s privacy “common law.”8 The FTC has, for example, authority to take

1 This article focuses on information privacy and refers to a person’s interest in keeping certain information confidential or secret, i.e. personal information that is not in the public domain.
2 Griswold v Connecticut, 381 U.S. 479, 481-486 (1965) (privacy is not explicitly stated but the court recognized a “zone of privacy created by several fundamental constitutional guarantees”).
3 15 U.S.C. § 1681 et seq.
4 Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), P.L. 104-191 (1996) and the regulations promulgated thereunder by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160, 162, and 164; the Health Information Technology for Economic and Clinical Health Act (“HITECH”), P.L. 111-5 (2009).
5 Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, et seq. (1999).
6 15 U.S.C. § 1681 et seq.
7 Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §§ 41-58, as amended. The FTC has authority to investigate and take action on “unfair or deceptive acts or practices in or affecting commerce...” § 45 (a)(1).
8 Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. (forthcoming 2014): “It is fair to say that today FTC privacy jurisprudence is the broadest and most influential regulating force on information privacy in United States.” Id. at *2.


2 Jeanette Fitzgerald & Nicole Tachibana

deceptive trade practice action against a company for failing to live up to the promises made by the company in their privacy policy. When these cases settle—and nearly all settle—the privacy community meticulously reviews the consent decrees. Though consent decrees are technically only between the FTC and the company, privacy scholars have taken to treating them as a kind of common law of consent decrees.

The FTC leadership has become more active in the privacy field. FTC Chairwoman Edith Ramirez and Commissioner Julie Brill have been vocal about the need to protect consumer privacy and have expanded the scope of their investigations beyond the failure to uphold privacy policy promises. In particular they have expanded to privacy in the digital age: the Internet of Things, the use of online and offline tracking in marketing (cross-device, tracking inside retail establishments), “Big Data,” and data broker collection and practices. Commissioner Brill has launched a campaign demanding more transparency from data brokers called, “Reclaim Your Name.” In Reclaim, she proposes that all handlers and sellers of data uniformly adopt policies of transparency on how consumer information is collected and used and how to access and correct the information.9 The FTC has also been vocal by calling for a “one-stop” opt-out website for information sharing.10 Industry has pushed back on the universal opt-out website as unworkable. It is unclear if Reclaim and the FTC’s recent recommendations for data brokers will result in a transformation of the data broker industry.11

Another notable force in the privacy arena is self-regulation. The United States has a segmented approach to privacy due, in part, to the efforts of various industries that worked cooperatively to promote self-regulation. The Clinton-era Information Infrastructure Task Force (“IITF”) worked closely with businesses, consumer groups, and representatives from the emerging Internet economy to determine the best way to regulate this emerging digital industry. It issued two reports in the mid-1990s, both recommending self-regulation for these businesses to promote Internet commerce through consumer choice and competition.12

Self-regulation is also traditionally supported by the FTC as an effective mechanism to foster innovation and growth.13 Under this scheme, a business would make the rules by way of promises via privacy policy and the FTC would enforce those promises. However, as discussed in more detail in Part II, the FTC has started taking more aggressive action in investigating and enforcing perceived privacy violations.

Given the complexities of the technology, how does industry continue to grow, foster innovation, and protect consumer privacy? Part I discusses the emergence of consumer privacy as an issue, including both online and offline technology developments. Part II explores the history and current federal and state privacy laws as well as the transformation of the FTC into the premier privacy agency in the US. Part III discusses the history of self-regulation, the FTC’s waning support of self-regulation in certain areas, and how self-regulation works for privacy issues.

Part I: Emergence of consumer privacy as an issue

9 Natasha Singer, F.T.C. Member Starts ‘Reclaim Your Name’ Campaign for Personal Data, NY Times (June 26, 2013), available at http://bits.blogs.nytimes.com/2013/06/26/reclaim-your-name/.
10 Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, FTC Report (Mar. 2012), http://ftc.gov/os/2012/03/120326privacyreport.pdf.
11 See discussion infra Part III.
12 President William J. Clinton & Vice President Albert Gore, Jr., A Framework for Global Electronic Commerce (July 1, 1997).
13 Solove & Hartzog, supra note 8, at *13.


Consumer Privacy 3

With the rise of technology, today’s businesses operate differently than at any other time in history.14 Computers have become cheaper, easier, and more sophisticated to the point that even a small business can manipulate consumer information into a complex database or a fully developed marketing strategy with ease. Improving technology has economic benefits—reduced costs and increased productivity. But along with these improvements, personal information is being collected by more businesses, used in new ways and stored longer. The information is no longer limited to a consumer’s name, address, and phone number. Businesses collect information on offline and online shopping habits, social media activity, and detailed demographic data.

Using marketing as a backdrop for this discussion highlights the precise issues that are causing concern. In this new age of targeted advertisement, we are seeing an expansion in the way businesses collect information on and market to consumers: cross-targeting, cookies, digital fingerprint. Even the offline bricks and mortar stores have new, innovative ways to target consumers.

A. Online marketing

Consumer information has been collected for decades. The shop owners knew what kind of product you liked and were likely to buy in the future, so they kept it in stock. Now that process, and many more, are automated. As a society, Americans have always been conscientious about protecting their privacy, but the online space is creating new challenges. Consumers are noticing that after they view a pair of shoes on a website, ads on unrelated websites display an ad for the same shoes. They walk by a store and receive a text from that store with an offer. Consumers are noticing—and asking questions.

Consumers learned of non-edible “cookies” and worried. Cookies are small text files that help users navigate websites efficiently and perform certain functions. Cookies allow a website to understand a consumer’s travel patterns around their site to improve website functionality or to deliver ads to the user based on their website viewing history.

Consumer privacy groups have called for more transparency over cookie use and have called for a unified “Do Not Track” (“DNT”) standard. DNT has many definitions, but for purposes of this paper it is the method where a user could set a preference to not be tracked online either by a browser setting or a persistent DNT cookie. Some browsers, such as Apple’s Safari, block these cookies; however, websites are not obligated to honor the DNT signal. The World Wide Web Consortium (“W3C”), an organization that helps set internet web standards, tried to bring together a group of businesses, regulators and consumer privacy experts to define DNT and create workable standards for recognizing consumer preference. Recently the W3C efforts have faltered, with large industry groups leaving the W3C to set their own course.15

With the fledgling DNT effort stalled, companies like Microsoft and Google are exploring different technology as browsers start taking control of the online ad tracking capabilities using their own technology. Google is creating an anonymous identifier to tie users, without the use of cookies, to the Chrome browser.16 Microsoft is also exploring an alternative that would give them greater cross-device capabilities (tracking users across several devices).17 Instead of cookies, it is rumored the new technology would be a

14 FRED H. CATE, PRIVACY IN THE INFORMATION AGE, 20 (1997).
15 Sam Pfeifle, Is this the End for DNT? DAA Pulls out of W3C Process, IAPP (Sept. 17, 2013), https://www.privacyassociation.org/publications/is_this_the_end_for_dnt_daa_pulls_out_of_w3c_process.
16 Claire Cain Miller, Google is Exploring an Alternative to Cookies for Ad Tracking, N.Y. Times Bits (Sept. 19, 2013), http://bits.blogs.nytimes.com/2013/09/19/google-is-exploring-an-alternative-to-cookies-for-ad-tracking/?_r=0.
17 Aaron Taube, Microsoft, Google and Apple Now All Want the Cookie to Die, Business Insider (Oct. 9, 2013), http://www.businessinsider.com/microsoft-plans-tracking-alternative-to-cookies-2013-10.


type of digital fingerprinting. Digital fingerprinting has the potential to be more invasive than cookies because it determines the types of ads a user receives based on the characteristics of the computer and cannot be erased when the user deletes browsing history or cookies. The theory is that, like skin patterns on a finger, users each have unique identities based on computer/internet settings.18

Cross-device marketing is also a concern for regulators. It involves the ability to track consumers across multiple devices, resulting in the ability to deliver an ad on a mobile device that matches a search the user conducted on a desktop or laptop computer. Senator Edward Markey sent a letter to FTC Chairwoman Edith Ramirez asking the FTC to investigate cross-device tracking, saying that the “implications of this evolution are enormous for the privacy of millions of Americans.”19 As technology advances, these new technologies will require a reexamination of how we protect privacy while encouraging technological growth.

B. Offline marketing

The offline front is not immune to the digital advances in technology. Video cameras, or closed-circuit televisions, have been a common feature in retail establishments to reduce shoplifting, but retailers have taken monitoring to a new level. Using smart-phone tracking or facial recognition, stores can link consumers’ in-store activity, including how long they looked at a product or waited in line, to the related transaction and, subsequently, the consumer’s name and contact information. Offline tracking, particularly mobile location analytics, will be explored in more detail in Part III.

C. Privacy concerns with new technology

Though privacy concerns have been around for years, industry, regulators, and consumer advocates are still grappling with how to provide adequate privacy notice. The current form of notice is lacking. Companies build complex privacy statements that a typical consumer would not have the time or inclination to read. The average privacy policy takes a user 10 minutes to read; it would take an estimated 76 work days to read all of the privacy policies a user encountered in a year.20 Our current legal and regulatory developments increasingly require businesses to add more information to the privacy policy and seem to be aimed at making the experience less inviting with each addition.

Industry and research groups are trying new ways to address the same issues: lack of transparency and control of information from a consumer perspective. Emerging technology, such as hybrid online-offline technology, shows the practical issues with traditional privacy disclosures. How would an end user get appropriate disclosure of information sharing practices with a product that does not have a user interface that can support the disclosure, such as a refrigerator? These new practices are forcing the industry and regulators to think more creatively and to evolve traditional privacy protections. Instead of privacy policies, researchers have suggested “privacy badges” - infographics that show the most important elements a business should disclose, potentially making the experience faster and more inviting for the end user.

18 Adam Tanner, The Web Cookie is Dying. Here’s the Creepier Technology that Comes Next, Forbes.com (June 17, 2013), http://www.forbes.com/sites/adamtanner/2013/06/17/the-web-cookie-is-dying-heres-the-creepier-technology-that-comes-next/.
19 Claire Cain Miller, A Senator Raises Privacy Questions about Cross-Device Tracking, N.Y. Times Bits (Oct. 10, 2013), http://bits.blogs.nytimes.com/2013/10/10/a-senator-raises-privacy-questions-about-cross-device-tracking/.
20 Alexis C. Madrigal, Reading the Privacy Policies You Encounter in a Year Would Take 76 Work Days, The Atlantic (Mar. 1, 2012), http://www.theatlantic.com/technology/archive/2012/03/reading-the-privacy-policies-you-encounter-in-a-year-would-take-76-work-days/253851/.


PART II: US PRIVACY LAWS AND THE TRANSFORMATION OF THE FTC

Consumer privacy legislation developed in the US from a complicated maze of federal and state laws, regulation, and rules. The following section provides some background of federal and state action, and talks about how the FTC is evolving to become the primary privacy agency in the US.

A. Federal and State Legislation

Early privacy legislation arose from a demand for privacy protections in certain sectors, such as financial and healthcare. The Fair Credit Reporting Act (“FCRA”) was enacted in 1970 to regulate credit reporting agencies’ use of consumer data for certain eligibility purposes. It was the first U.S. federal law to regulate the use, and thus protect privacy, of personal information by private businesses.21 The FCRA framework required credit reporting agencies to implement reasonable procedures and provide customers with rights22 such as notice, consent, accountability and reasonableness. Subject-matter statutes in banking, healthcare, and a statute providing protections for children online followed suit.

Privacy legislation has started to evolve from the early subject-matter approach to a more comprehensive, process-oriented approach. While reasonableness still applies, the state and federal legislatures are focusing more on the businesses’ continual processes to protect private information instead of the end product.23 States24 have made more progress than Congress on creating comprehensive data protection legislation. The Massachusetts Office of Consumer Affairs and Business Regulation, for example, enacted a regulation that requires businesses that collect personal information about Massachusetts residents to safeguard that information by mandating a comprehensive information security program.25

While we have seen a rise in comprehensive laws, the subject-matter approach is still the frontrunner because it allows emerging individual issues to be addressed without overhauling or creating a data protection regime. However, these laws often lead to less than desirable results for industry, consumers, and regulators. Using California as an example, the legislature recently passed AB 370, often referred to by its misnomer “Do Not Track” (“CA-DNT”),26 in response to consumer concerns about online tracking and cookies. Companies were not obligated to honor a DNT browser setting or DNT cookie. CA-DNT resulted in a transparency/disclosure law that got a lot of attention in the media but, practically, did nothing to resolve the DNT issue. It still does not require companies to honor DNT signals; it simply requires notice of how the companies respond to such signals. Does this help consumers or businesses? Not really. Consumers are left with yet another disclosure sentence added to overly long privacy statements. But businesses are left with vague definitions and little guidance to help them navigate the complexities of online tracking.

The federal and state legislation have common themes. First, as discussed with CA-DNT, the laws frequently result in additional disclosures that are not helpful to consumers or businesses. The intent is noble but consumers and businesses are left with long, arduous,

21 Jonathan K. Sobel et al., The Evolution of Data Protection as a Privacy Concern, and the Contract Law Dynamic underlying it, in SECURING PRIVACY IN THE INTERNET AGE 57 (Anupam Chander et al. eds., 2008).
22 Id.
23 Thomas J. Smedinghoff, Defining the Legal Standard for Information Security, in SECURING PRIVACY IN THE INTERNET AGE 23 (Anupam Chander et al. eds., 2008) (“Security is a process, not a product.”).
24 E.g. 201 MASS. CODE REGS. 17.01 et seq (2010); NEV. REV. STAT. § 603A.030 (2009).
25 201 MASS. CODE REGS. 17.01 et seq (2010).
26 AB 370 amends CalOPPA, the California Online Privacy Protection Act, Business & Professions Code §§ 22575-22579.


and confusing privacy policies, leading to frustration instead of clarification. Second, because technology is frequently changing, the law becomes practically obsolete as soon as it is enacted. The Children’s Online Privacy Protection Act (“COPPA”), for example, was enacted in 1998 and the FTC has already issued a significant amendment to respond to emerging technologies. Third, because of American political gridlock, proposing new laws or amendments to existing laws is time consuming.

B. How the FTC transformed into a consumer privacy agency

The predecessor to the FTC, the “Bureau of Corporations,” was founded in 1903 and was tasked with helping the regulators find the right balance between promoting economic growth and protecting society from the harms associated with unchecked corporations. With the passage of the Clayton Antitrust Act and the Federal Trade Commission Act (“FTCA”) in 1914, the newly formed FTC expanded to include enforcement power for companies using “unfair methods of competition.”27 The FTC’s shift to become a consumer protection agency began in 1938 when the Wheeler-Lea Act expanded its oversight to include “unfair or deceptive acts or practices” and allowed for direct consumer redress for false or misleading advertising.28

In 1970, we saw the FTC’s consumer protection duties expand again. Congress tasked the FTC with rulemaking and enforcement power for the first US consumer protection act dealing with privacy concerns, FCRA. The FCRA responded to consumer complaints over credit reporting agencies using consumer information to determine eligibility for employment, credit, and other situations that, if the information was incorrect, could cause harm to the consumer.

The late 1990s saw a huge boost to the FTC’s privacy responsibilities. The FTC gained privacy prominence with the enactment of COPPA in 1998 and the Gramm-Leach-Bliley Act (“GLBA”) in 1999. The FTC is solely responsible for the rulemaking and enforcement under COPPA and is one of many agencies responsible for rulemaking and enforcement under GLBA.

International privacy also came into play during this time with the US-EU/US-Swiss Safe Harbor Frameworks (“Frameworks”). The European Commission passed the 1995 Directive on Data Protection, Directive 95/46/EC, which mandated a baseline of protection for consumers’ personal information.29 One of the requirements, notable to this discussion, is the prohibition of transferring consumers’ personal information to countries outside of the EU that do not guarantee an “adequate” level of protection. In response, the US Department of Commerce negotiated an agreement with the EU and Swiss governments that allows transfer of consumers’ personal information if the company has registered with the Department of Commerce and self-certified that the company will follow a specified set of privacy principles. In order for the Frameworks to be effective, an enforcement mechanism was needed: the registered company agrees to be bound by the principles and agrees to FTC jurisdiction for any violations under the Frameworks.

Recently the Frameworks have come under fire as being ineffective in light of the National Security Agency’s (“NSA”) aggressive surveillance of the international community. When the NSA’s surveillance techniques were discovered, it caused national and international outrage. To calm the home waters, President Barack Obama said,

27 15 U.S.C. § 45.
28 Milton Handler, The Control of False Advertising Under the Wheeler–Lea Act, 6 Law and Contemp. Probs. 91-110 (Winter 1939).
29 The Directive required EU members to implement national legislation. The proposed EU Data Protection Regulation may replace the Directive and standardize data protection across the EU. The Regulation would apply directly to the member countries without the need for individual countries to pass legislation to adopt it.


“[t]here is no spying on Americans.” Europeans, who consider privacy a fundamental human right, were irate that they were not similarly protected and their rights were dismissed so easily. These underlying cultural beliefs are driving different perspectives on privacy. The FTC Commissioners have been vocal in their defense of the Frameworks. It remains to be seen how the NSA’s actions will affect international data protection cooperation.

C. The FTC’s power is questioned

With the increase of privacy-related responsibilities, the FTC has taken steps beyond the privacy policy. Gone are the days of the FTC merely enforcing the rules created by the business community. The FTC is now creating the rules, and not just in the areas specifically delegated to it under COPPA, FCRA, or GLBA. When the FTC investigates a company for “unfair or deceptive” practices, the company usually settles to avoid exposure or the high cost of litigation. These settlements, or consent decrees, are binding agreements between the business and the FTC. The FTC uses these consent decrees to craft rules for businesses to follow and, while not technically binding on other companies, privacy scholars have interpreted the consent decrees as a method for putting businesses on notice.

This rulemaking by consent decree has resulted in some pushback by businesses. The most notable case is FTC v. Wyndham.30 In 2012, the FTC charged Wyndham hotels with “unfair and deceptive acts and practices” under its powers derived from Section 5 of the FTC Act.31 Wyndham suffered a series of data breaches between 2008 and 2010. Hackers gained access to information, including full credit card numbers, from the Wyndham systems, resulting in 619,000 consumer credit card numbers being compromised and $10.6 million in fraud loss. Wyndham’s privacy policy guaranteed “commercially reasonable efforts . . . and other appropriate safeguards.”32 The FTC argued that Wyndham violated its privacy policy by not providing reasonable and appropriate security for its consumer data and set security standards the FTC deemed reasonable and appropriate.

The Wyndham case has garnered interest because of Wyndham’s response—they chose fight over flight. As mentioned earlier, most FTC investigations result in consent decrees, but Wyndham claims the FTC does not have authority to regulate data security and to be the sole decision-maker of what is “reasonable” and “appropriate” for data security. Wyndham argues the FTC exceeded the authority delegated to it by Congress by setting unfairness standards. Wyndham also argues the FTC improperly relied on standards that more appropriately should have gone through formal rulemaking, giving businesses proper notice and opportunity to comment. Wyndham poignantly stated, “Congress gave [the FTC] rule-making authority. So if they want to do something, they have to publish the rules.”

LabMD, a medical laboratory, is facing the same type of FTC action and making the same arguments. LabMD was the victim of two breaches, in 2010 and 2012, which resulted in the loss of consumer information from 10,000 patients.33 LabMD has vowed

30 FTC v. Wyndham Worldwide Corporation, FTC File No. 1023142, Case No. 2:12-cv-01365-SPL (D. Ariz. Aug. 9, 2013).
31 Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 41 (a)(1), as amended.
32 Complaint at 9, FTC v. Wyndham Worldwide Corporation, FTC File No. 1023142, Case No. 2:12-cv-01365-SPL (D. Ariz. Aug. 9, 2013).
33 FTC Complaint Against Medical Laboratory Signals Agency’s Continued Intent to Assert Authority in Data-Security-Breach Actions, Ropes & Gray (Sept. 11, 2013), http://www.ropesgray.com/news-and-insights/Insights/2013/09/FTC-Complaint-Against-Medical-Laboratory-Signals-Agencys-Continued-Intent-to-Assert-Authority.aspx.

Page 8: Consumer Privacy and Transparency in the Digital Age: An ... · internet and proliferation of devices such as smartphones have enabled the instantaneous sharing, compiling and use

8 Jeanette Fitzgerald & Nicole Tachibana

to “aggressively defend” their actions, calling the FTC’s complaint a “witch hunt.” The CEO of LabMD colorfully accused the FTC of “making up” cybersecurity rules as it goes along. He is quoted as saying, “[i]f you really want to upset [FTC officials], ask them what the standards are.”34

Representative Lee Terry echoed these concerns in a hearing of the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade. He urged the FTC to prioritize their goals and to stay within the scope Congress has delegated to it. He added that when the FTC strays from the legislative scope, it “add[s] to the regulatory uncertainty many businesses already feel.”35 Spectators have noted that these cases have the possibility of limiting the FTC’s jurisdiction over these types of actions.36 Others have noted that if the judicial actions limit the FTC’s power, we may see Congress pass legislation to once again expand the FTC’s privacy jurisdiction, or the FTC may start exercising their formal rulemaking power.

Part III: Self-Regulation and the FTC

Self-regulation is the American standard for promoting innovation and growth while reining in businesses using industry standards and industry enforcement. As discussed above, the rise of the internet created some unique challenges, but this is not the first time Americans have addressed these challenges. President Clinton, seeking the best route to handle these issues, commissioned the Information Infrastructure Task Force, which worked closely with industry and consumer groups and released two reports recommending self-regulation.37

The Task Force set some basic principles on handling this emerging industry. First, the internet is unique and governments should recognize those unique qualities. Regulations and laws that govern offline behavior need to be re-examined before trying to apply those same principles online. Second, the private sector should lead and the government should avoid undue restriction on electronic commerce. The Task Force said, “[i]nnovation, expanded services, broader participation, and lower prices will arise in a market-driven arena, not in an environment that operates as a regulated industry.”38 The Task Force specifically warned against unnecessary regulations and bureaucratic procedures that could adversely affect the growth of electronic commerce. Finally, when government involvement is needed, the Task Force recommended that the intervention be minimalist, predictable and simple.

The Task Force also recognized the potential privacy concerns of the internet. It stated that commerce will only thrive if businesses properly balance the privacy rights with the free flow of information.39 The Task Force recommended industries implement notice of collection/use practices and choice to limit collection and use, stating “[w]e believe that private efforts of industry working in cooperation with consumer groups are preferable to government regulation.”40

Under this backdrop of governmental support, self-regulation for consumer privacy issues increased and led to the rise of self-regulatory standards for privacy protections that mirror current federal privacy protections: they are segmented by industry and not all-encompassing. This, however, is not a defect. Self-regulatory groups benefit the consumer in a number of ways, such as offering more oversight. Because the group deals exclusively in a particular area, it is in sync with the issues unique to that industry. It can move faster and provide clearer industry-specific guidance tailored to the industry’s needs and developments.

34 Grant Gross, Critics Question FTC’s Authority to Bring Data Security Complaints, CIO.com (Sept. 12, 2013), http://www.cio.com/article/739585/Critics_Question_FTC_s_Authority_to_Bring_Data_Security_Complaints?taxonomyId=3089
35 The FTC at 100: Where Do We Go From Here? Hearing before the S. Comm. on Commerce, Mfg., & Trade (Dec. 3, 2013) (opening statement of Rep. Lee Terry).
36 Id.
37 Clinton & Gore, supra note 12.
38 Id.
39 Id.
40 Id. (while reserving the right to reevaluate if privacy protections are not installed).

Some industries have very strong industry groups that issue guidance and standards and have enforcement mechanisms. The Direct Marketing Association (“DMA”), for example, is a leading voice on direct marketing in the US and is in tune with the issues that can impact the industry. Privacy developments are central to a lot of recent DMA activity as they work to promote the responsible use of data for marketing purposes. The DMA has issued the “Guidelines for Ethical Business Practices.”41 The Guidelines cover best practices for marketing and online marketing, but also address privacy concerns such as proper collection, use, and choice. The DMA also monitors legal and regulatory developments, regularly informs members of these developments, and makes itself available to help answer any questions. Members of the DMA are subject to sanctions by the DMA for non-compliance.42

A. The FTC’s waning support of self-regulation

With the rise of the FTC’s privacy power, we also saw the waning of the FTC’s support for self-regulation in some key fields. Using the data broker industry as an example, the FTC spotlighted recommendations for data brokers in the 2012 FTC study “Protecting Consumer Privacy in an Era of Rapid Change”43 and Commissioner Julie Brill has targeted data brokers through her initiative Reclaim Your Name. One tenet of the FTC’s data broker initiatives, first noted in the FTC study, is a single site where consumers could opt out of information sharing by data brokers.

The single opt-out is problematic for several reasons. First, it signals that the industry needs more oversight by the FTC. In an area that has traditionally functioned in the self-regulatory arena, the data broker industry has continued to contribute to economic growth when other industries have declined. Additional regulatory oversight may also result in a decline in this industry. According to a recent study by the DMA, the data-driven marketing economy added $156 billion in revenue to the US economy and fueled more than 675,000 jobs in 2012 alone.44 Sharing information is essential to the marketing industries, with $110 billion associated with the ability to exchange data.45 The DMA already provides a central site for consumers to opt out of direct mail. This list is used by all members to prevent mailing to consumers who have expressed a choice.

Second, the FTC provides no clear definition of which companies fall under the “data broker” umbrella. Currently, any company that collects and shares data is nominally considered a data broker, which could capture the majority of websites operating today. Even narrowing the definition would leave hundreds, if not thousands, of companies that would need to be included in that single site, requiring consumers to scroll through massive lists and begin an opt-out process with each company they select. Further complicating the issue is the globalization of business. Different countries and regions have varying legislation surrounding the use of data. The ideal single opt-out site would be unable to account for international brands.

41 DMA, Guidelines for Ethical Business Practices (May 2011).
42 The DMA makes a list of member companies available to the public. Member companies who are noncompliant are suspended from the DMA and may be referred to the appropriate governmental agency for further action. http://thedma.org/compliance/
43 Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, FTC Report (Mar. 2012), http://ftc.gov/os/2012/03/120326privacyreport.pdf.
44 DMA, The Value of Data: Consequences for Insight, Innovation, and Efficiency in the U.S. Economy: A Study Commissioned by DMA’s Data-Driven Marketing Institute (DDMI) (Oct. 14, 2013).
45 Id.

Third, the issue of harm cannot be ignored. There are different types of harm, but the most commonly cited harms associated with data brokers are those that affect eligibility: data resulting in the denial of employment, insurance, or credit. This use is already regulated under the FCRA, one of the few laws that directly addresses these issues, and any additional regulation for data brokers would be unnecessary and burdensome. Another commonly stated harm is that the consumer simply is unaware of what the data broker is doing, but data brokers are increasingly making their practices more transparent by updating their practices to allow consumer access and further developing opt-out mechanisms.

Finally, the FTC’s proposals are inconsistent with the Task Force’s recommendations. Critics of the data broker industry are quick to point out that data brokers are “largely unregulated,” but that is by design—self-regulation was chosen as the best route for the emerging internet, with many of these data brokers operating in the data-driven marketing environment and supporting the free use and growth of the internet. The FTC’s proposals are ignoring the unique qualities of this industry, the benefits they provide, and the current self-regulatory structure. Reclaim, as Wyndham and Rep. Terry point out, may also be beyond the scope of the FTC’s powers and is creating uncertainty in the industry.

The self-regulatory principles of notice and choice are working, and the marketing industry will continue to refine these principles as the industry changes. Responsible marketers already act ethically by using consumer data responsibly: using data only for marketing purposes and building privacy by design into their products and services. Businesses also need to educate consumers about what opting out means and the benefits that advertising provides. Opting out of data collection does not eliminate advertising. Additionally, data-driven advertising is the underlying foundation that delivers revenue to websites and that enables them to develop and provide news, music, entertainment and social media channels at no charge to consumers.

B. The case for self-regulation: Euclid

Euclid Analytics showcases the value of industry working together to resolve a consumer privacy issue. Euclid provides brick-and-mortar stores with the capability of collecting mobile location analytics (“MLA”). Participating stores buy an easy-to-install device that detects and tracks cell phone signals by pinging the wireless signal of consumers’ phones (the MAC signal) as they pass, enter, and browse the store.46 This practice is currently used by 100 companies, including large retailers such as Nordstrom and Home Depot.47

Senators Al Franken and Charles Schumer reached out to Euclid, the industry, and the FTC to address MLA. Sen. Franken sent Euclid a letter on March 29, 2013, expressing his concerns with MLA and asking for more information on its practices. Euclid responded and detailed the privacy protections it applies to the MLA product, such as offering an opt-out, using an anonymous hash (also known as a scrambled address) for the signals received from consumers’ mobile devices, and promising never to link data to specific individuals. Euclid further stated that the MAC signal that MLA collects does not contain any personally identifying information, and promised to begin implementing new privacy practices, including requiring posted signage for consumers and strengthening the privacy policy. Sen. Schumer followed up with a letter to the FTC on July 30, 2013, asking it to investigate MLA as a possible “unfair or deceptive” trade practice.

46 Kashmir Hill, Those Creeped Out by Retailers Tracking their Movements Using their Phone will be able to Opt Out, Forbes (Oct. 22, 2013), http://www.forbes.com/sites/kashmirhill/2013/10/22/those-creeped-out-by-retail-stores-tracking-their-movements-using-their-phones-will-be-able-to-opt-out/.
47 Jake Romero, Big Brother Is Watching You (Shop For Pants), Mintz Levin (Nov. 12, 2013), http://www.mondaq.com/unitedstates/x/274422/Data+Protection+Privacy/Big+Brother+Is+Watching+You+Shop+For+Pants+Mobile+Analytics+Firms+Implement+Code+Of+Conduct+For+Tracking+Customers+While+They+Shop

The MLA industry banded together and responded to the issue. On October 22, 2013, a consortium of MLA companies, Sen. Schumer, and the Future of Privacy Forum (“FPF”) released an MLA Code of Conduct. The Code calls for short, clear signs with a standardized symbol to be physically posted at sites that use MLA services. MLA companies must provide information on MLA services and on how to opt out in their privacy policies. The Code also calls for MLA companies not to collect any personal information unless it is de-identified, and to create a central opt-out for MLA.
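As an added illustration of the de-identification and central opt-out the Code calls for (example code written here, not Euclid’s, the FPF’s or any MLA vendor’s implementation): a sensor that checks a distributed opt-out list before retaining anything, then stores only a keyed hash of the device’s MAC address. The operator secret, the opt-out entries and the MAC addresses are constructed placeholders. A keyed hash (HMAC) is used rather than a plain hash because an unkeyed hash of a MAC address can be recomputed by anyone who knows the address, so it identifies the device rather than anonymizing it.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed sample inputs (not real data): a hypothetical per-operator
# secret and a central opt-out list of the kind the MLA Code calls for.
SITE_KEY = b"hypothetical-operator-secret-rotate-periodically"
SAMPLE_OPT_OUT_LIST = """
00:11:22:33:44:55
AA-BB-CC-DD-EE-FF
"""

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical form (12 lower-case hex digits) so that '00:1A:..',
    '00-1a-..' and '001a..' all refer to the same device."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_HEX.match(cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return cleaned


def load_opt_out(text: str) -> set:
    """Parse a distributed opt-out list into normalized MACs."""
    return {normalize_mac(line) for line in text.splitlines() if line.strip()}


def deidentify_mac(mac: str, key: bytes) -> str:
    """HMAC-SHA256 of the MAC under a secret held only by the operator.
    Outsiders cannot recompute the token from a known MAC, and tokens
    produced by different operators (different keys) cannot be joined."""
    return hmac.new(key, normalize_mac(mac).encode(), hashlib.sha256).hexdigest()


@dataclass
class MlaSensor:
    """In-store sensor logic: opt-out check first, keyed hash, raw MAC dropped."""
    key: bytes
    opt_out: set
    visits: list = field(default_factory=list)  # (token, timestamp) only

    def observe(self, raw_mac: str, timestamp: int) -> bool:
        mac = normalize_mac(raw_mac)
        if mac in self.opt_out:
            return False  # opted-out device: nothing is retained
        self.visits.append((deidentify_mac(mac, self.key), timestamp))
        return True

    def unique_devices(self) -> int:
        return len({token for token, _ in self.visits})


if __name__ == "__main__":
    sensor = MlaSensor(SITE_KEY, load_opt_out(SAMPLE_OPT_OUT_LIST))
    for mac, ts in [("00:1a:2b:3c:4d:5e", 1), ("00-1A-2B-3C-4D-5E", 2),
                    ("00:11:22:33:44:55", 3)]:
        sensor.observe(mac, ts)
    print(sensor.unique_devices())  # 1: the opted-out device is never stored
```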

The Euclid case showcases how quickly and effectively self-regulation can address these issues. From start, with Sen. Franken’s initial inquiry letter, to finish, with the Code of Conduct, the industry was able to address a major consumer privacy concern in less than six months and reach an agreement that all sides found workable. Sen. Schumer called the code “a significant step forward in the quest for consumer privacy. This agreement shows that technology companies, retailers, and consumer advocates can work together in the best interest of the consumer.”48

Conclusion

With the emergence of the digital age, we are struggling to define the best ways to balance innovation and growth while protecting consumer privacy. All the signs point to self-regulation. Segmented federal and state laws fail to capture the issues associated with emerging technologies in the various industries. The FTC’s recent actions fail to take into account the unique qualities of the marketing internet economy and can potentially harm the internet by creating unnecessary regulations and bureaucratic procedures, in direct opposition to the recommendations made by the Information Infrastructure Task Force.

As we saw in Euclid, self-regulation can be fast, effective, and can create workable solutions. By having industry-created guidelines, such as the DMA’s Guidelines for Ethical Business Practices, we guard against confusing or burdensome regulations or laws. In addition to providing guidance, self-regulatory groups provide a direct route for supervision and redress. As in-house counsel, support self-regulation by following industry best practices and engaging in the ongoing conversation with your self-regulatory group.

The ultimate goal should be to find the line where consumer privacy is protected and the industry can function at maximum efficiency. The cost of protecting privacy is not the cost of doing business. These are not mutually exclusive; industry can achieve both through self-regulation.

48 Press Release, The Future of Privacy Forum and Sen. Schumer Announce Important Agreement to Ensure Consumers Have Opportunity to “Opt-Out” Before Stores Can Track Their Movement Via Their Mobile Devices (Oct. 22, 2013).

***

Jeanette Fitzgerald imparts legal expertise to the executive team and manages legal strategy, specifically as it relates to Epsilon's growth in the marketing services industry. She guides the company on privacy developments and their impact on the company. Prior to joining Epsilon, Jeanette served as Vice President and Assistant General Counsel for five years at Alliance Data and was pivotal in Alliance Data's acquisition of Epsilon. At Alliance Data, Jeanette provided strategic counsel on issues ranging from intellectual property to M&A activity. Previously, Jeanette worked at EW Blanch, a leading re-insurance broker, where she presided over contracts and M&A activity and served as general corporate counsel.

Nicole Tachibana, CIPP/US, is an attorney working exclusively on privacy at Epsilon as the privacy manager. Prior to joining Epsilon, Nicole worked in Western Union’s privacy office and interned for the Chief Privacy Officer at Qwest Communications.