If you promise customers that their personal information is secure, you had better deliver on that promise. That is the message of last week’s settlement between the FTC and Twitter — the FTC’s first case against a social networking service. It’s a message the FTC has sent to industry before.
The matter arose when hackers twice secured administrative control of Twitter in early 2009. (How? In one case, an automated password-guessing tool smoked out the administrative password – “a weak, lowercase, letter-only, common dictionary word,” according to the complaint.) The breach led to a series of phony tweets from a number of user accounts — including one from then President-elect Obama. Hackers also reviewed non-public user information.
Yesterday, the Federal Trade Commission released answers to frequently asked questions about its Guides Concerning the Use of Endorsements and Testimonials in Advertising. These FAQs provide helpful additional guidance regarding the FTC’s revisions to the Guides. Key issues addressed by the FAQs include:
The FTC has consistently brought enforcement proceedings against companies that do not follow their own privacy policies (see examples here, here, and here). In the most recent example of this trend, the FTC has settled charges that an Arizona company called LifeLock Inc. had made false promises about the extent of its data security measures. You can read the settlement agreement here.
LifeLock casts itself as the “industry leader in the rapidly growing field of identity theft protection” providing its customers with “early notification of identity threats” (fraud alerts). The company advertised in print and on radio, television, and the Web. While marketing the service, the company collected personally identifiable information for more than one million customers. The FTC complaint alleged, among other things, that the service did not prevent identity theft, as advertised.
The Federal Trade Commission has scheduled a public meeting to consider changes to the Children’s Online Privacy Protection Rule. “Protecting Kids’ Privacy Online: Reviewing the COPPA Rule” will be held June 2, 2010 at the FTC Conference Center in Washington, DC. The COPPA Rule applies to 1) operators of commercial Web sites and online services directed to children under 13 that collect, use, or disclose personal information from children; and 2) operators of Web sites or online services focusing on general audiences where those entities have actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
Yesterday the FTC announced the review of its Children’s Online Privacy Protection Act (COPPA) Rule. COPPA imposes requirements on operators of Web sites that are aimed at children under 13, or that knowingly collect personal information from children under 13. For example, the Rule requires online operators to get parental permission before collecting, using, or disclosing personal information from children.
If you are a provider of sensitive Web-based services, do you send all data exclusively using the Secure Sockets Layer (SSL) protocol? The Electronic Frontier Foundation — citing a March 17th FTC “roundtable” speech by Commissioner Pamela Jones Harbour – reports that SSL is now on the FTC’s agenda. While the largest Web services (Yahoo!, Facebook) will give a lot of thought to Commissioner Jones’ comments, we believe all providers of cloud-based services that trade in sensitive information should give their users the option of using SSL (or, better yet, default to SSL). Not only does this demonstrate a commitment to protecting sensitive information about customers, it also helps minimize online fraud and data theft.
We previously mentioned that the FTC will explore online privacy issues at its next privacy roundtable on January 28th at the Berkeley Center for Law and Technology. The FTC unveiled the agenda for the roundtable today.
The Commission also released more information on its third and final privacy roundtable – in Washington, DC on March 17, 2010. This roundtable will focus on protection of health data and other sensitive consumer information, and identity management and accountability approaches to privacy.
FTC Chairman Jon Leibowitz and David Vladeck, chief of the FTC’s Bureau of Consumer Protection, recently spoke with editors and reporters of the New York Times about online privacy. In their discussion, available here, both signaled again that they expect the commission to take a more active role in protecting consumer privacy online.
Specifically, Mr. Vladeck indicated that the advise-and-consent framework adopted by previous commissions (whereby a company would advise consumers — usually via a privacy policy — about what it is doing with their personal information, and obtain their consent) “depended upon the fiction that people were meaningfully giving consent.” Mr. Leibowitz hinted that the commission may head towards an opt-in framework, which would be a significant departure from advise-and-consent, in that companies could then be required, as a default practice, to limit their dissemination of personal information about consumers, and only be able to share such information if a consumer affirmatively chooses to allow it.
The FTC will explore these issues at a privacy roundtable on January 28th, and plans to issue a report on the subject in June or July.
The FTC issued a congressionally mandated report today about online virtual worlds. “Virtual Worlds and Kids: Mapping the Risks” details the types of content found in online virtual worlds, and the methods virtual world operators currently take to prevent youth access to explicit content. The report is the result of an FTC survey of 27 virtual worlds. The FTC found “at least one instance of either sexually or violently explicit content” in 19 of the 27 virtual worlds it studied. “It is far too easy for children and young teens to access explicit content in some of these virtual worlds,” said FTC Chairman Jon Leibowitz in the press release accompanying distribution of the report. The report, which we are studying, is available online here.

The Federal Trade Commission (“FTC”) recently approved a settlement of a complaint against Sears Holding Management Company (“Sears”) regarding Sears’ failure to disclose certain online data collection practices. The settlement, which reflects the FTC’s increasing focus on privacy, has received attention. Below is a summary of the case, and suggestions for companies that track online user behavior.
The Complaint
According to the FTC’s administrative complaint, Sears presented 15% of the visitors to its sears.com and kmart.com websites with a “My SHC Community” pop-up box.
