Tuesday, February 28, 2012

Self-Regulatory Online Privacy Program Part of Comprehensive White House Proposal

The White House, Department of Commerce and Federal Trade Commission each commended the Digital Advertising Alliance (DAA) self-regulatory privacy program for online, interest-based advertising.  This event was one carefully orchestrated part of a significant and comprehensive Consumer Privacy Bill of Rights the White House unveiled on the same day. This Bill of Rights is intended to provide consumers with greater online privacy protection through voluntary codes of conduct, federal legislation, and enforcement by the Federal Trade Commission and state Attorneys General.

Advertisers and agencies will likely watch closely this DAA self-regulatory program that is a White House-commended form of voluntary code of conduct provided for in the Consumer Privacy Bill of Rights.  Online advertisers in all industries will need to review their policies and processes for compliance with these DAA principles and programs as a forerunner of possible future regulatory and court action.

While Internet companies clearly seem to have gotten the message that they must regulate themselves or be regulated, they are likely to be more than a little nervous that a large percentage of consumers may opt-out, which could result in a significant re-tooling of behavioral advertising revenue models.  Notably, the self-regulation measures generally do not impact first-party behavioral advertising (such as targeted ads sent by Amazon to Amazon customers, or sponsored Google search results).

Digital Advertising Alliance

The Digital Advertising Alliance is a consortium of the nation’s largest media and marketing associations, including American Association of Advertising Agencies, the Association of National Advertisers, the National Advertising Federation, the Direct Marketing Association, the Interactive Advertising Bureau, and the Network Advertising Initiative. 

The DAA has several programs for guidance of advertisers for all types of businesses, including advertisers, agencies, web publishing or non-profits that have a presence on the web.

Most recently, last January, the DAA launched the “Your Ad choices” public education advertising campaign designed to inform consumers about interest-based advertising and how they can take greater control of their online privacy through the ad choices icon:

The educational campaign includes banner advertising that directs consumers to the icon and also links to a new informational website.  According to the DDA, “[w]henever you see the Icon, you’ll know two things: (1) You can find out when information about your online interests is being gathered or used to customize the Web ads you see, and (2) you can choose whether to continue seeing these types of ads.”

The first program of the DAA was launched in 2009 for Online Behavioral Advertising (OBA) by introducing seven self-regulatory principles of OBA.
In 2011 the DAA expanded the scope of its self-regulatory program beyond OBA with a self-regulatory guide for Multi-Site Data Principles” which established a framework governing the collection of online data from a particular computer or device regarding web viewing over time and across non-affiliated websites. 

See our previous analysis of the DDA “Multi-site Data Principles.   The Multi-Site Data Principles codified existing industry practices prohibiting the collection of multi-site data for the purpose of any adverse determination, including employment, credit, health treatment or insurance eligibility, as well as specific protections for sensitive data concerning children, health and financial data.

Pointer to the Future of Compliance

The commendation by the White House and government agencies may signal a new era in self-regulation and place greater focus on compliance with the DDA guidelines as being compliant with the direction that online consumer privacy law is taking.  Some privacy activists, however, have complained that these and similar guidelines  do not go far enough, and that the government should not trust this industry to regulate itself.  Time will tell.

      Paul C. Van Slyke                                        Bart Huffman

Monday, February 27, 2012

White House Announces New Consumer Privacy Bill of Rights Affecting Online ‎Advertising

The White House recently announced a significant and comprehensive Consumer Privacy Bill of Rights that, if adopted as law, will have major impact on advertisers, agencies, Internet companies, and consumers. The Obama administration is raising the bar on this measure in an area where Congress has struggled in order to provide consumers with greater online privacy protection through voluntary codes of conduct, federal legislation, and enforcement by the FTC and state Attorneys General. The measure also provides for a federal national standard for notification of data breaches and preemption of all similar state law.

On the same day, the White House, Department of Commerce and Federal Trade Commission each commended the Digital Advertising Alliance (DAA)  for its self-regulatory privacy program for online, interest-based advertising.   On also on that day, the DAA announced an industry self-regulatory program “that will immediately begin work to recognize browser-based choices with a set of tools by which consumers can express their preferences under the DAA Principles."  Major Internet players such as Google and Microsoft agreed to honor consumer do-not-track choices, a particularly significant development given that those players represent the majority of online behavioral advertising delivery and given that such a commitment is subject to FTC enforcement.

The White House initiative is an extension of a privacy report issued by the Department of Commerce on Dec. 16, 2010.  This privacy report was made by an Internet Policy Task Force charged to conduct a “comprehensive review of the nexus between privacy policy, copyright, global free flow of information, cybersecurity, and innovation in the Internet economy.”

Multi-Pronged Approach

The White House said the “blueprint will guide efforts to protect privacy and assure continued innovation in the Internet economy by providing flexible implementation mechanisms to ensure privacy rules keep up with ever-changing technologies.”  The action steps for this blue print are:

  • Making Enforceable the  Consumer Privacy Bill of Rights:  The Commerce Department’s National Telecommunications and Information Administration (NTIA) will soon convene Internet companies and consumer advocates to develop enforceable codes of conduct that comply with the Consumer Privacy Bill of Rights, building on strong enforcement by the Federal Trade Commission. The Administration will also work with Congress to enact comprehensive privacy legislation based on the rights outlined here.
  • Achieving privacy policies for a Global, Open Internet: The Administration’s plan lays the groundwork for increasing interoperability between the U.S. data privacy framework and those of U.S. trading partners.
  • Industry Action: In response to calls from the Administration and the Federal Trade commission (FTC), leading Internet companies and online advertising networks are committing to use Do Not Track technology from the World Wide Web Consortium in most major web browsers to make it easier for users to control online tracking.

Seven Fundamental Protections
According to the White House press release, the Bill of Rights consists of seven fundamental protections that consumers should expect from companies:

  • “Individual Control:  Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
  • Transparency:  Consumers have a right to easily understandable information about privacy and security practices.
  • Respect for Context:  Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
  • Security:  Consumers have a right to secure and responsible handling of personal data.
  • Access and Accuracy:  Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
  • Focused Collection:  Consumers have a right to reasonable limits on the personal data that companies collect and retain.
  • Accountability:  Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.”

Federal Privacy Legislation
The White House Report, ambitiously titled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” calls for Congress to enact  legislation to:
  • Codify the Consumer Privacy Bill of Rights
  • Grant the FTC and state Attorneys General authority to enforce the law directly
  • Pre-empt state privacy laws that are inconsistent with the Consumer Privacy Bill of Rights
  • Establish a safe harbor from enforcement for companies that adhere to voluntary codes of conduct that the FTC has reviewed and adopted
  • Set a national standard for security breach notification that pre-empts existing laws in 47 states.
      Paul C. Van Slyke                                        Bart Huffman

Wednesday, February 22, 2012

NRLB Weighs in on Employer Social Media Policies and Employee Disciplinary Action

The National Labor Relations Board (“NLRB”) recently provided a second report offering additional guidance to employers on disciplinary actions and social media policies. The report highlights 14 cases: half involving employee discharges based on employees’ Facebook posts; and the other half reviewing employer social media policies. As expressed by the NLRB, its guidance seeks to underscore two points:
  • Employer policies should not be so sweeping that they prohibit the kinds of activity protected by federal labor law, such as the discussion of wages or working conditions among employees; and
  • An employee’s comments on social media are generally not protected if they are mere gripes not made in relation to group activity among employees.
The NLRB is particularly concerned about employers infringing upon employee National Labor Relations Act (“NLRA”) rights “to engage in … concerted activities for … mutual aid and protection,” including activities to address the terms and conditions of the employees’ employment. All employees covered by the NLRA, whether union members or not, have these rights. While the NLRB acknowledges that individual employee gripes made on social media which are not directed toward sparking group discussion or activity are generally not protected, the NLRB has continued to find that many disciplinary decisions based on social media activity infringe upon NLRA rights. Further, even if the disciplinary action at issue did not infringe upon such rights, the NLRB has continued to find that employer policies with broad or vague language could reasonably be construed by employees to restrict conduct protected by the NLRA. The January 24, 2012, publication is instructive to employers—both as a reminder regarding social media/Internet activity-related disciplinary actions, and as a source of specific examples of language the NLRB disfavors in social media policies.
  • Recognize employees’ rights under Section 7 of the NLRA. The NLRB indicates that social media policies should contain language to clarify that the policy does not restrict employees’ rights under the NLRA, including their Section 7 rights to engage in concerted activity concerning the terms and conditions of employment or other mutual aid or protection. However, while this language may show the employer’s good intent, the NLRB does not find such a clause to be sufficient to address otherwise vague or overbroad terms that employees may perceive to prohibit Section 7 protected activity.
  • Watch the adjectives. The NLRB’s memo stressed repeatedly that vague terms such as “appropriate/inappropriate,” “professional/unprofessional,” “disparaging” and “disrespectful,” when used in broad statements in social media policies, can be construed by employees as restricting their Section 7 rights and should be avoided.
  • Context and examples can help. The NLRB indicated that with the addition of context and specific examples the employer can narrow the behavior prohibited by social media policies. Thus, an otherwise vague term like “appropriate” may be lawful if used within a narrowed context because the employee would understand his/her Section 7 rights are not covered.
  • Requiring prior authorization or disclaimers that opinions expressed belong solely to the employee should be limited. Except in the case of endorsements, testimonials or other positive statements about an employer or its products, which are governed by Federal Trade Commission regulations, the NLRB found that requiring employees to get prior authorization, or to always identify their position with the company and state that the opinions belong to the employee alone, could be too burdensome.

  • Identity of employer should not be broadly prohibited. Again, except with endorsements and testimonials, the NLRB found that using the company’s name or logo may be a tool in an employee’s outreach efforts for protected concerted activity and should not be subject to a blanket prohibition or requirement of prior approval before use.
Given the NLRB’s issuance of this follow-up report, even employers who have updated their social media policies as recently as a year or two ago may want to take a look and revise their policies accordingly. Employers should stay tuned for future decisions from the NLRB.


Megan E. Alexander                    Hanna Fister Norvell                 Gregory T. Casamento