Tuesday, August 28, 2012

Consumer Privacy and Cookies: What the FTC's $22.5 Million Settlement With Google Means For Your Company

Author: Paul C. Van Slyke

Recently the Federal Trade Commission reached a record $22.5 million settlement with Google for consumer privacy violations of an earlier order involving what is called “online behavioral advertising” or OBA. The Google case is a roadmap for avoiding a serious legal misstep: tracking consumer interests in violation of a company’s own policies and claims, which are commonly made and often overlooked. In the Google settlement, the FTC sent a loud and clear message that it will not tolerate a company making promises and claims in fine print to protect the privacy of consumers and then breaking those promises through the use of cookies and user tracking tools in day-to-day operations, long after the promises in fine print are forgotten.

Overlooked Privacy Claims in the Google Case

Most companies have gotten the message that what they say in their privacy policies has to line up with their day-to-day operations. The problem is that many companies are conveying claims not just in a formal privacy policy in the fine print on the website, blog or social media brand page, but also where the company states choice mechanisms, opt-outs, and other ways consumers can customize their experience. The FTC’s complaint against Google highlights alleged misrepresentations on the company’s Advertising Cookie Opt-Out Plug-in page that were overlooked for compliance. Cookies are the unique file codes placed on a consumer’s computer when a website is opened and consumer choices are made on the website.

Google claimed in its fine print that, for users of the Safari browser, it would not place tracking cookies on the users’ computers or serve them targeted advertisements. The FTC alleged that Google used codes to disguise its cookies to work around Safari’s opt-out default setting.

Overlooked Claims of Self-Regulatory Compliance

Many companies promote on their website their affiliation with self-regulatory programs. For example, to join the Network Advertising Initiative (NAI), a voluntary self-regulatory group for the online advertising industry, company members agree to disclose to users their data collection and use practices. Although Google touted its NAI membership on its website, the FTC says the company did not truthfully disclose what it was doing with Safari users’ data.

Key Points

  • The CEO and top executives of your company must repeat often that they are committed to compliance with consumer privacy and advertising laws and that they will hold the IT director and Chief Marketing Officer accountable.
  • Your information technology staff needs to take the lead in compliance before your marketing managers and legal advisors get involved.
  • It helps for a company to adopt an internal consumer privacy policy that places primary responsibility on the IT Department and secondary responsibility on the marketing staff for compliance with laws and regulations on the use of cookies and user tracking tools.
  • The internal policy should require that the IT department make and update a list of all the places on your company websites, social media promotions and sponsored blogs where privacy representations and claims are made, maintain an inventory of the cookies they use, and not launch new ones without both marketing and legal review.
  • The internal policy should also require that the marketing staff make and update a separate list of all the user tracking tools being used on your company websites, social media promotions and sponsored blogs and maintain an inventory of the categories of data being collected from users, and not launch new tracking tools or categories of data being collected without both IT and legal review.
  • Sidestepping users’ preferences can lead to costly legal missteps.