Increasing Scrutiny of Consumer Data Collection

January 03, 2013

Recent FTC and California Attorney General actions highlight the need to reassess privacy policies.

The Federal Trade Commission (FTC) recently ordered the data brokerage industry to provide information on the collection and use of consumer data and tightened restrictions on the collection of user data by websites and mobile applications (apps) directed to children. Both the FTC and the state of California have become focused on disclosures about use of consumer data in mobile apps. These recent actions highlight the need to carefully consider privacy disclosures for full compliance, particularly in any mobile or social app or with respect to any information about children.

Compilation of Consumer Data by Data Brokers

On December 18, 2012, the FTC issued orders to nine data brokerage companies, requiring the companies to provide information on their collection and use policies for consumer data.

Data brokers collect personal information about consumers from a variety of public and nonpublic sources in order to compile and sell this information to other companies. Since data brokerage companies typically obtain their consumer information from public records and other data companies, rather than from direct interaction with consumers, many consumers are unaware of the existence and purpose of data brokers. The FTC's goal is to determine the nature and sources of the consumer information collected; the ways in which companies use, maintain, and disseminate this information; and the extent to which companies allow consumers to access and correct their information or to opt out of having their personal information sold. The nine responses will be used to prepare a study and make recommendations on whether, and how, the data brokerage industry can improve its privacy practices. The FTC notes that there are currently no laws requiring data brokers to maintain the privacy of consumer data, unless the data is used for credit, employment, insurance, housing, or other similar purposes.

An FTC report published earlier this year, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, laid out a voluntary framework of best practices for businesses based on the concepts of privacy by design, consumer control, and increased transparency for the collection and use of consumer data.

Children's Privacy – Children's Online Privacy Protection Act

On December 19, 2012, the FTC adopted final amendments promulgated pursuant to the Children's Online Privacy Protection Act (COPPA) (COPPA Rule) that will tighten restrictions on the collection of personal information by websites and mobile apps directed to children under 13 years of age. The final, updated COPPA Rule, scheduled to go into effect July 1, 2013, will broaden the definition of protected "personal information" to include "geolocation information, as well as photos, videos, and audio files that contain a child's image or voice" and "persistent identifiers," such as IP addresses, mobile device IDs, and cookies. Such information cannot be collected from children without parental notice and consent, with the exception of persistent identifiers to the extent they are used for the sole purpose of supporting a website or an online service's internal operations. The rule also modifies the current definitions of "operator" and "website or online services directed to children" under 13. These definitions will now also cover third-party plug-ins integrated on websites directed to children, advertising networks that collect personal information from such websites, and any other outside services that have "actual knowledge" that such information collection occurs. The FTC did clarify that third-party marketplace platforms will not be liable for the child privacy practices of the numerous apps sold on these platforms. According to the FTC, COPPA Rule violators will be subject to fines as high as $16,000 per incident.

The COPPA Rule updates come after a two-year public comment and proposed rule revision drafting process, during which the FTC withdrew several proposals that would have included websites intended for teenagers and young adults. The FTC also withdrew its proposal to impose COPPA responsibilities on third parties that "know or have reason to know" they are collecting personal information through their integration on a site that may have child users, in favor of a much higher "actual knowledge" requirement for such parties.

Mobile and Social Apps – FTC and California Online Privacy Protection Act

Through a December 10, 2012, staff report[1] detailing the FTC's concerns regarding child privacy and mobile apps, the FTC announced[2] its intentions to update COPPA further to address mobile apps. Concurrently, the FTC staff launched nonpublic investigations to determine whether entities in the mobile app marketplace are violating COPPA or engaging in unfair or deceptive practices in violation of the FTC Act.

Mobile apps also have been the focus of enforcement action in California. Under the California Online Privacy Protection Act (CalOPPA), Attorney General Kamala Harris has issued warning letters regarding the state's concern about mobile app privacy policies to scores of companies. Further enforcement of CalOPPA is expected, and the Attorney General has made clear that California intends to strictly apply CalOPPA to mobile and social apps. CalOPPA's impact may, in effect, be national. The California Attorney General's position is that CalOPPA reaches all "operators of a commercial web site or online service" that gather personal information about California residents. Under the act, an "operator" is any person or entity that owns a website located on the Internet or an online service, including mobile and social apps. Thus, for companies with mobile apps, the dispositive question likely is not where they are located geographically but what type of personal information—if any—the app collects from its California users.

If the statute applies, there are two steps for compliance: 1) crafting a compliant privacy policy and 2) posting it "conspicuously" in the manner required by the statute. Although the statute provides options for posting, the options described are geared more toward websites, leaving companies that have mobile apps with the challenge of how to apply them in that context. CalOPPA itself does not mention apps, but the recent enforcement activity underscores the state's position that there is a need for a compliant privacy policy accessible from the app itself and specifically tailored to that app and the personal information it collects—even if a privacy policy already exists on the online website. When an app's privacy policy should appear to a user is unclear in the statute, but the Attorney General's press releases and an agreement struck in February with large platform providers indicate the Attorney General's intent is that consumers should have the opportunity to review an app's privacy policy on the download screen in the platform store before download.

Generally, violations of CalOPPA occur only if the operator fails to conspicuously post its compliant privacy policy within 30 days of being notified of noncompliance, unless failure to comply is "knowing and willful" or "negligent and material." Nevertheless, it is prudent for companies to be proactive in assessing their apps' compliance, as fines of up to $2,500 per download may be imposed.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis attorneys:

Gregory T. Parks

San Francisco
W. Reece Hirsch
Carla B. Oakley

Washington, D.C.
Ron N. Dreben
Anita B. Polott

[1]. View the report here.

[2]. View the press release announcing the report here.