Companies should examine their data privacy and security policies and practices before the start of the New Year to make sure that they are compliant with new changes in federal and state laws, regulatory guidance, self-regulatory programs and evolving enforcement priorities affecting consumer data protection and behavioral advertising. In addition, your practices may have changed over the last year or so and your policies may no longer be complete and accurate, and thus may need to be updated to avoid misrepresentation and deceptive omission claims.
In addition, beginning on January 1, 2014, CalOPPA will also require the operator to disclose: (6) how the operator responds to “Do Not Track” signals or other mechanisms giving consumers the ability to exercise choice over the collection of personal information over time and across third-party websites or online services, if the operator engages in the collection of such information; and (7) whether other parties may collect such information over time and across different websites when a consumer uses the operator’s site or service.
Please see our previous client advisory for more information and discussion regarding the potential impact and implications of this and several other new California data protection laws (including an expansion of its data security breach notification law). Also, don’t forget that if you share certain personal information (broadly defined) of California consumers (collected on or offline) with third parties for their direct marketing purposes, you must comply with the choice or information request obligations of California’s Shine the Light Act. Several class action lawsuits were filed in 2013 for failure to comply with the law.
In November 2013, the Council of Better Business Bureaus (“CBBB”) issued a compliance warning letter announcing that, beginning on January 1, 2014, the CBBB will commence enforcement actions against website publishers, operators, and other “first parties” (i.e., any entity that is the owner of a website or has control over a website) that fail to provide transparency with respect to data collected from visitors to their site and used by third parties for purposes of serving online behavioral ads. This includes both serving interest-based ads on your own site, and retargeting your site visitors with ads when they go to third-party sites (“OBA”). The CBBB operates an accountability program for enforcing the Digital Advertising Alliance’s (“DAA”) Self-Regulatory Principles (the “Principles”) governing the collection and use of web viewing data.
Accordingly, publishers should:
- Include a link from the disclosure to the DAA’s opt-out page or to each applicable third party’s respective opt-out mechanism.
- Ensure that an enhanced notice link (e.g., “About Ads”, “Interest-based Ads” or the DAA icon) is present on every page of their site where data collection or use for OBA occurs, and ensure that the link directs visitors to the website’s OBA disclosure and opt-out link. This can be done on the ad itself, but beware of pages that may not have ads posted and where data is still being collected for OBA purposes. The link needs to be included on these site pages as well.
In an effort to encourage compliance, the CBBB delayed enforcement against site operators that fail to provide the required on-page, enhanced notice until January 1, 2014, so companies should act now in order to avoid the risk of enforcement.
In October 2013, changes to the rules for text marketing and telemarketing under the Federal Telephone Consumer Privacy Act (“TCPA”) went into effect, including requiring prior, express, written consent. For a detailed explanation, click here. The ability to bring a private right of action combined with the ability to obtain statutory damages has led to hundreds of TCPA class action lawsuits for text marketing errors, with settlements in the tens of millions of dollars not uncommon.
In the summer of 2013, the federal COPPA Rule, regulating data privacy and protection of children under 13 years of age, materially changed in many ways. Many sites and apps are not yet in compliance and the FTC is expected to start enforcing the new rules in 2014. For a detailed explanation of the new requirements, click here.
Creating and Maintaining a Data Protection Compliance Program
Edwards Wildman’s Advertising, Marketing and Promotions, Digital Media and e-Commerce and Privacy & Data Protection practice groups help publishers, e-commerce providers, advertisers, ad networks and exchanges and other online and mobile operators interpret trends in consumer data privacy and protection internationally and develop and maintain appropriate policies, practices and compliance programs. An outline on how to audit your practices and develop and maintain a compliance program is available here.
We have been actively working with our clients to ensure their data privacy and security practices and policies comply with evolving laws and best practices. Please contact one of the authors for more information.