Archives: Online Advertising

Written by Adam Veness

Google has recently announced changes to its terms of service that will allow Google to incorporate its users’ photos, comments and names in advertisements.  This new policy will go into effect on November 11th.

Seemingly always quick to action when privacy issues are implicated, Senator Edward J. Markey (D-MA) has already written a letter to the Federal Trade Commission (“FTC”) Chairwoman asking that she look into whether the proposed changes to Google’s privacy policy violate the terms of the settlement agreement that Google reached with the FTC in 2011 over its Google Buzz privacy violations.  (With the government shutdown still looming, it is surprising that anyone was at the FTC to open the letter — maybe Google was hoping it could slip this one by during the shutdown).

Specifically, Senator Markey is concerned with the new “opt-out” requirement that Google is proposing which would require Google+ users to affirmatively opt-out of sharing profile information such as name, photos and endorsements.  In his letter, Senator Markey reminds the FTC that the terms of the settlement agreement prohibit Google from future privacy misrepresentations, requires Google to implement a comprehensive privacy policy, and initiates regular, independent privacy audits of the company for the next twenty years.

Although Senator Markey opposes Google’s “opt-out” requirement, this may be better received by the FTC than Facebook’s recently proposed privacy policy changes (reported here), which require users to grant Facebook wide permission to use their personal information as a condition to using Facebook.  Another major difference between the two internet giants’ revised policies is that actions by users under the age of 18 will not appear in shared endorsements in ads and other certain contexts under Google’s policy changes.  Facebook’s proposed revisions to its policy, however, tell its users under the age of 18 that “you represent that at least one of your parents or legal guardians has also agreed to the terms of this section (and the use of your name, profile picture, content, and information) on your behalf.”

In its new terms of service, Google suggests that these new changes are actually very beneficial to users.  “Feedback from people you know can save you time and improve results for you and your friends across all Google services, including Search, Maps, Play and in advertising.”

Once the government reopens (it never gets easier to say that), stay tuned to see if the FTC takes any substantive action.  In the meantime, it would be great if you could +1 this post below and advertise for us with your name, endorsement and photo on Google+, unless of course you’ve opted out…


Two data privacy bills, Assembly Bill 370 and Senate Bill 568 have been sent to California Governor Jerry Brown for signature.  As we previously reported, A.B. 370 would require commercial websites or online services that collect personally identifiable information to disclose how that site or service responds to “do not track” signals or similar mechanisms.  S.B. 568 would require that the operator of any website or online service remove all content or information submitted to the site or service by a minor at that minor’s request.

Governor Brown is expected to sign both bills.  Our Privacy & Security Matters blog will continue to provide updates, including information regarding implementation and compliance deadlines, as they become available.

Written by Jake Romero

 What did you do over your summer vacation?  Yes, the sad truth is that summer is almost over.  You can tell because there wasn’t a single superhero movie that opened at the box office last weekend (no, Smurfs2 does not count) and because the California Senate is preparing to reconvene from its summer recess.  If you are a member of the California Senate, my guess would be that you spent your summer break finally reading Gone Girl and thinking about how when you get back to the Capitol, you get to turn your attention to Assembly Bill 370.

A.B. 370 was passed unanimously by the California Assembly in May, and received “do pass” approval from a Senate committee in June.  When the Senate returned to Sacramento on Monday, it is one of a handful of bills that may receive a floor vote before the Senate adjourns again in September.

A.B. 370 would amend Section 22575 of California’s Business and Professions Code to require any operator of an online service to disclose in its privacy policy how it responds to “do not track” signals or similar tools and settings.  As amended, Section 22575 would also require operators to disclose whether other parties may “collect personally identifiable information about a consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”

One potential issue with A.B. 370 is the lack of a universal standard for Do Not Track.  Do Not Track still being hotly debated and service providers like Mozilla have put unique standards in place.  This type of uncertainty can create a liability trap for online service providers even if they attempt to comply with the bill’s requirements.  On the other hand, with so many users relying on Do Not Track mechanisms (17% of U.S. users, according to Mozilla’s estimates) there has been considerable support, including from California Attorney General Kamala Harris, in favor of making this type of information available to consumers.

Regardless, the concern that should be at the forefront of every online service provider’s mind is whether that provider has a clear understanding of how the various aspects of its online service (including components hosted or serviced by third party service providers) do or do not respond to Do Not Track signals.  Understanding precisely what can be collected while a consumer uses a Do Not Track tool will be essential if A.B. 370 becomes state law, but that determination may not be straightforward (and may need to be reassessed on a continuous basis) where third party service providers are involved.

Your Mintz Levin privacy team is happy to discuss any questions you may have about A.B. 370 or chat with you about what you did on your summer vacation (off the clock, of course).

Privacy gaffes and tidbits to start your week.


Keeping up with Kardashians is NOT a defense under HIPAA

[Originally posted in Mintz Levin’s Health Law & Policy Matters Blog]

Written by Dianne Bourque

The LA Times recently reported the firing of six workers at Cedars-Sinai Medical Center in connection with the unauthorized access to patient medical records.  The firings occurred in the days following the birth of reality TV show personality Kim Kardashian and rapper Kanye West’s baby, although the hospital has not confirmed the identities of the affected patients.  The incident demonstrates the need for vigilance in maintaining the security of records that are subject to public curiosity and value to the paparazzi.  The incident also demonstrates – remarkably – that there is information about Kim Kardashian that is not public.

Vendor Group to Develop “Best Practices”  for Retail Location Analytics — But is Perception More than Reality?

A group of mobile vendors is teaming with The Future of Privacy Forum.   According to the FPF’s statement, “[t]he companies, including Euclid, WirelessWERX, Mexia Interactive and ShopperTrak, provide solutions to retailers to develop aggregate reports used to reduce waiting times at check-out, to optimize store layouts and to understand consumer shopping patterns.  The reports are generated by recognizing the Wi-Fi or Bluetooth MAC addresses of cellphones as they interact with store Wi-Fi networks.’   Whether the best practices will benefit retailers, the vendors who develop apps to better track in-store location and shopper activity or a combination of both, privacy advocates argue that the consumer will likely not reap benefits of added privacy — only some additional vague “notices” in fine print (perhaps on those signs way up at ceiling level that say “Video surveillance active..” or some such sign, and most certainly buried deep within a multi-screen TOS document on launch of a store app.   The argument is that shoppers can always “opt-out” or turn off that phone — neither one of which is practical if you have been in a mall anytime in the last few years.   Sounds like yet another “industry guideline” that will not lead to legally enforceable standards.

To read more:

  • New York Times
  • FierceRetail


Apropos of the Above Post — The Do-Not-Track Standards Group is Off Track

On a conference call last week, the co-chair of a group trying to create DNT standards apparently has been unable to break the log jam.   Last February, Peter Swire announced that the World Wide Web Consortium’s (W3C) tracking protection group should reach “last call” by July.   That would mean that the group would have reached final consensus and release a report for public comment by the end of this month.  On a conference call last week, Swire reportedly announced to group participants that “there is not a way to get to last call by the end of July.”   Talks have reportedly turned “acrimonious” and it is unlikely that the group will ever agree.

To read more:   Wendy David at the Daily Online Examiner has been following this issue closely — Daily Online Examiner


Lloyds of London:  Cybersecurity is the No.3 Global Business Threat

The index – a survey of more than 500 of the world’s most senior business leaders – noted that cybersecurity is firmly at the top of the agenda for boards of global enterprises, third only to the risks posed by high taxation and the loss of customers. “With the risks to global organizations higher than ever, it is clear that cybersecurity has finally reached the attention of business decision makers across the enterprise – no longer just an agenda item but a key point of discussion,” said Matt Middleton-Leal, regional director for UK & Ireland at Cyber-Ark.

To read more:  InfoSecurity Europe Magazine








Written by Amy Malone

After rounds of comments and public workshops, the FTC has finally released an update to its digital advertising disclosure guidelines (here).  The FTC first released guidance on digital advertising in 2000 (see those guidelines here) and last May the FTC requested comments on how the guidelines could be updated.  The FTC points out on the first page that “consumer protection laws that apply to commercial activities in other media apply online, including activities in the mobile marketplace.”

Extending the same rules across media poses issues due to the space available (compare your phone screen to your laptop screen, and you get the idea).  How can you ensure your disclosures are up to snuff?  Well, the FTC focuses on providing disclosures that meet the “clear and conspicuous” standard and provides an appendix full of examples that include pictures of mobile screens displaying both acceptable and unacceptable disclosures.  The FTC also touched upon using endorsements and testimonials in advertisement (for more information on the guidelines the FTC released in 2010 see our blog post here).

Factors to consider in ensuring your ads meet the “clear and conspicuous” standard

  •  Proximity and Placement.  Disclosures are most effective when placed near the claim it qualifies.  Close proximity increases the likelihood that consumers will see the disclosure and realize it relates to the claim or product.  On a mobile device it may be difficult, if not impossible, to include the disclosure on the same screen as the product or claim.  In those cases the advertisers are encouraged to provide “text prompts” that indicate to the consumer that more information is available (e.g. “see below for important information on restocking fees” alerts the customer to scroll and look for the information).  If you decide to use a hyperlink, make sure it’s obvious that the link provides a disclosure and use language that is clear; this point harkens back to our “see below for important information on restocking fees” example which could also be used as a hyperlink.  Advertisers should steer away from using hyperlinks that contain general statements like “important information.”


  •  Prominence.  It’s your responsibility to draw attention to required disclosures.  Consider size, color and graphics that will affect the disclosure’s prominence and increase the likelihood that the consumer will associate the disclosure with the claim or product.


  • Distracting Factors in Ads.  The FTC warns that graphics, sound, text and links that lead to other screens may entice the consumer away from the original screen and the disclosure.  You’d be wise to ensure that whatever graphics/sounds/text you have on a page are not so flashy as to draw the consumer away before reading the disclosure.


  • Repetition.  Disclosing information more than once makes it more likely that a consumer will notice and understand the disclosure, but there is a fine line between helping the consumer and annoying them to the point that they ignore the disclosure.  Repetition is probably necessary if consumers can access and/or navigate the website or application in different ways.  Placing the disclosure in multiple places will help assure that the consumer sees it.


  • Multimedia Messages and Campaigns.  Ads may contain audio messages, videos or animation that require disclosures.  If providing disclosures in a multimedia platform weigh factors such as: if it’s audio is the volume sufficient for a reasonable consumer to hear and understand it?  If you are using video, are the visual disclosures appearing for duration sufficient for consumers to notice, read and understand them?   The FTC points out that fleeting online disclosures are not likely to be deemed sufficient.


  • Understandable Language.  Consumers need to be able to understand the disclosure.  Use clear language and avoid technical jargon and legalese.


Over the last year, the FTC has been on a mobile rampage, releasing guidelines on mobile app development, mobile app payment issues and bringing actions against mobile app and mobile device developers (see our blog posts here, here, here, and here).  Last week, the FTC released a video with additional tips for mobile app developers. Anyone working in the mobile sphere needs to be vigilant and aware of the regulatory focus.


Mobile app developers have some unique challenges when it comes to preparation and implementation of privacy policies.   But, regulators have made it quite clear that the general privacy laws and regulations apply whether the application is online or mobile.  To refresh your memory, see our Mintz Client Alert (here) regarding the California AG’s agreement with mobile app platforms regarding developer privacy policies.

Today, the Federal Trade Commission (FTC) published a “guide” for mobile app developers, emphasizing that they too must comply with the same truth-in-advertising standards and basic privacy principles as everyone else.   The launch of “Marketing Your Mobile App: Get it Right from the Start” is another in a recent line of FTC public statements and workshops on mobile privacy.

The FTC’s announcement also listed “helpful hints” as to what mobile app developers must take into consideration before launching that “killer app”:

  • Tell the Truth About What Your App Can Do. – “Whether it’s what you say on a website, in an app store, or within the app itself,  you have to tell the truth,” the publication advises;
  • Disclose Key Information Clearly and Conspicuously. – “If you need to disclose information to make what you say accurate, your disclosures have to be clear and conspicuous.”
  • Build Privacy Considerations in From the Start. – Incorporate privacy protections into your practices, limit the information you collect, securely store what you hold on to, and safely dispose of what you no longer need.   “For any collection or sharing of information that’s not apparent, get users’ express agreement.  That way your customers aren’t unwittingly disclosing information they didn’t mean to share.”
  • Offer Choices that are Easy to Find and Easy to Use. – “Make it easy for people to find the tools you offer, design them so they’re simple to use, and follow through by honoring the choices users have made.”
  • Honor Your Privacy Promises. – “Chances are you make assurances to users about the security standards you apply or what you do with their personal information.  App developers – like all other marketers – have to live up to those promises.”
  • Protect Kids’ Privacy. – “If your app is designed for children or if you know that you are collecting personal information from kids, you may have additional requirements under the Children’s Online Privacy Protection Act.”
  • Collect Sensitive Information Only with Consent. – Even when you’re not dealing with kids’ information, it’s important to get users’ affirmative OK before you collect any sensitive data from them, like medical, financial, or precise geolocation information.
  • Keep User Data Secure. – Statutes like the Graham-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act may require you to provide reasonable security for sensitive information.

The Mintz privacy lawyers can help provide counsel and review of policies and procedures to help you “get it right from the start.”


North American marketers take note:  Canada is set to finalize one of the toughest anti-spam laws in the world.   Canada had fallen behind when it came to introducing anti-spam legislation, but it is now making up for lost time.  Ottawa’s new Bill C-28— known as “CASL” and expected to be finalized early in 2013 — has severe fines for violations and is viewed by many as too tough.

In a nutshell, CASL requires a business to obtain express or implied consent from the recipient before it sends out commercial electronic messages.  CASL is not limited to email; consent must be given for any electronic message, which could also include messages sent via social media, text messaging, instant messaging, sound or video.

It applies to all messages sent from, or received in, Canada, which means American firms marketing in Canada fall under its jurisdiction. A recent study found 60 per cent of American marketing executives were completely unaware of the new law.

Individuals who breach the law can face penalties of up to $1 million, while corporations are liable for as much as $10 million. Officers and directors may also be held liable if they participated in, or acquiesced to the breaches. The act also creates a private right of action for CASL violators, paving the way for potential anti-spam class actions, with remedies capped at $1 million per day.

The Canadian law is more stringent than its U.S. counterpart, 2003’s CAN-SPAM Act, meaning most U.S. firms will not be compliant when CASL comes into force. CAN-SPAM allows companies to send messages unless consumers opt-out with an unsubscribe mechanism. CASL reverses the onus, requiring recipients to opt-in by consenting up front.

Our friends at Canadian law firm Blakes have put up an excellent microsite resource containing a wealth of information on CASL.



The FTC has again provided us with a road map to compliance through the Myspace consent order.   Here are the takeaways that should concern every company with an online presence.

Keeping the FTC Out of Your Space — The Takeaways

Much can be learned from how the FTC has evaluated the adequacy of Myspace’s privacy policy when compared to its actual day-to-day procedures. The most important thing to take away from the FTC Order and its allegations in the complaint is that companies must practice what they promise. Superficially complying with your privacy policy will not pass the FTC’s strict standards when it comes to accurate and adequate privacy policy disclosure. Companies must evaluate how their current practices may even indirectly provide customer PII to third parties and violate the company’s privacy policy. The following are a few important steps you should take to keep the FTC out of your space:

Review your privacy policy, and then review it again. When is the last time that your company undertook a review of its privacy policy and data collection activities? Two years ago? Longer? No idea? Although this seems obvious, many companies fail to continually update and review their privacy policies to ensure that they are still complying with the terms they have established. You should particularly focus on what you have promised your customers or users with regard to what PII you will disclose to third parties, and how you will disclose it. Then look at your actual practices with regard to how you manage and disclose customer PII to third parties and make sure you truly practice what you promise. If your privacy policy states that you comply with the U.S.-E.U. Safe Harbor Framework ensure that your data use and collection practices comply with all seven of the Safe Harbor Privacy Principles: Notice, Choice, Onward Transfer (transfer to third parties), Access, Security, Data Integrity, and Enforcement. You cannot pick and choose and still be Safe Harbor-compliant.

Don’t Let Default Be Your Fault. Much of the FTC’s complaint focused on Myspace’s default settings which displayed a user’s full name on their profile page. When advertisers obtained the FriendID from Myspace, they were almost certainly then given access to the user’s full name because of the default setting. You should examine your default settings to ensure that your users are not disclosing PII to third parties unless they have expressly agreed to do so, and unless it is absolutely necessary. Ensuring that you maintain a high level of privacy protection under your default settings may prevent third parties from indirectly accessing users’ PII. Default settings should be reviewed each time that new functionality is added, technical solutions or plug-ins are changed, and at least annually.

Indirect Access Can Still Mean Direct Liability. Aside from understanding the direct implications of how you share customer information with third parties, you should perform your own assessment regarding how third parties could use the limited information that you provide them as a stepping stone to greater access to customer PII. As Myspace now knows, the FTC will closely scrutinize even the indirect implications of how you handle customer PII compared to what you promise customers in your privacy policy.

Best Practices. Why wait until the FTC files a complaint against you to implement procedures and designate staff to handle privacy and PII concerns? The best way to prevent your company from falling asleep at the wheel is to implement formal privacy practices and procedures. The first step in doing so is to designate at least one person, either in-house or a friendly neighborhood Mintz Levin privacy attorney, to be in charge of all things privacy related. Going forward that person should regularly evaluate your company’s privacy policy and compliance with that policy, and prepare a report concerning his or her evaluation. This process will ensure that your privacy policy talks the talk, and your procedures walk the walk.

Written by Adam Veness

Earlier today, the FTC held a press conference and issued a final report setting forth best practices for businesses to protect American consumers and to provide consumers with greater control over the collection and use of their data.  You can find the full report here:  Final Commission Report on Protecting Consumer Privacy.

The final report is an expansion of the preliminary staff report the FTC issued in December 2010.  In its press release, the FTC explains that the report calls on companies handling consumer data to implement recommendations for protecting privacy, including:

  •  Privacy By Design – companies should build in consumers’ privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy;
  •  Simplified Choice for Businesses and Consumers – companies should give consumers the option to decide what information is shared about them, and with whom. This should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities; and
  •  Greater Transparency – companies should disclose details about their collection and use of consumers’ information, and provide consumers access to the data collected about them.

In the press release, FTC Chairman Jon Leibowitz suggested: “We are confident that consumers will have an easy to use and effective Do Not Track option by the end of the year because companies are moving forward expeditiously to make it happen and because lawmakers will want to enact legislation if they don’t.”  This statement acts as a warning to companies that they must take the initiative to act on their own in implementing an effective Do Not Track system, or likely face legislation requiring them to do so.

Other important issues discussed in the final report and the press release include privacy protections and disclosures related to: companies offering mobile services, data brokers and large platform providers.

For more information related to the FTC report and press release issued today, click on the links below or contact a member of the Mintz Levin Privacy team.

FTC press release

Final Commission Report on Protecting Consumer Privacy

UPDATE – Comment from Senator John Kerry — Report Stresses Need for Commercial Privacy Bill of Rights

Senator John Kerry (D-Mass.), Chairman of the Commerce Subcommittee on Communications, Technology, and the Internet, also released a statement following the FTC’s press conference.

Senator Kerry is the author of bipartisan internet privacy legislation in the Senate along with Senator John McCain (R-Ariz.)

“Today’s report from the FTC again underscores the need for action from Congress,” said Sen. Kerry.  “Senator McCain and I introduced the Consumer Privacy Bill of Rights to put Americans in control of their information.  This report again affirms the value of setting a national standard for the collection, use, and distribution of personal information.  This discussion is taking place at home and abroad, and we’d be wise to act now rather than defer decisions until future Congresses.”

Last week, Senator Kerry renewed his call for a Commercial Privacy Bill of Rights in a guest blog post for the website ThinkProgress.

At the White House today, President Obama unveiled his administration’s framework for new privacy regulations and the long-awaited white paper entitled “Consumer Data Privacy in a Networked World:  A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.”   This follows up on the Department of Commerce “green paper” issued well over a year ago.    [We compared the Commerce Department proposal and Federal Trade Commission privacy proposals last year — here for your reference.]

The blueprint includes a “Consumer Privacy Bill of Rights” along with steps to incorporate these principles into federal regulations.    Like the previous Green Paper, today’s final report calls for a comprehensive privacy framework for all data, instead of the current sector-specific approach to data protection that leaves some personal data (outside of the communications, health care, education, financial services and children’s-online sectors) largely unregulated. The Framework calls for federal legislation to create such a “privacy bill of rights” that would supplement and fill in the gaps of existing federal privacy policy and lays the groundwork for a cooperative approach between government and industry for a “4P” arrangement — a “Privacy Public Private Partnership.”

In addition, the White House announced the first by-product of this framework:  an industry agreement on “Do Not Track” technology for online behavioral advertising.   This industry agreement was signed by a group of web advertising networks, including Google, Yahoo, Microsoft and AOL, and is intended to lead to the adoption of “Do Not Track” features integrated into web browsers.  The intent is to allow consumers to opt out of behavior-based marketing, blocking ad “cookies” and preventing cross-site tracking of behavioral information.  Companies signing onto this agreement are now subject to Federal Trade Commission oversight and enforcement of its terms.

Further information:

Statement from FTC Chairman Jon Leibowitz

Statement from Intel

Statement from Center for Democracy & Technology