Likely Changes to Federal Law on the Collection and Use of Consumer Data in 2009

January 2009

For more information contact Jim Kaminski at 202-293-8975.

Federal privacy laws and regulations determine how marketers may collect and use consumer data in the United States. This area of the law changes rapidly because new technologies give marketers distinct and inventive ways to learn more about their customers or web site visitors, and federal law enforcement officials are constantly finding ways to apply old laws to those new technologies. Further, the technologically savvy Obama administration is sure to have its own approach to these issues. While not intended to be legal advice, a short refresher course on privacy law follows, after which we look into our crystal ball to see what may be on the horizon in 2009.

The ABC’s of Federal Privacy Law:

A. The Federal Trade Commission ("FTC") is the U.S. government agency with general authority to determine how marketers may collect and use consumer data. Practically speaking, the FTC holds companies accountable for ensuring that consumer data collected online is used in accordance with the promises made in their privacy policies. The irony is that there is no general FTC requirement for a company to post a privacy policy (although certain state laws do require one). As a result, the privacy policies that companies post, and that often become a source of trouble for them, were never specifically mandated by federal law.

B. Congress has mandated that the FTC place additional restrictions on the collection and use of certain classes of consumer data. Financial institutions (a term that is interpreted very broadly) that receive information from individuals in order to provide financial services have special obligations. For example, they are required to distribute privacy policies and are generally prohibited from transferring data to third parties. Financial institutions also have additional obligations to maintain the data in a secure fashion. Children's information is protected under the Children's Online Privacy Protection Act Rule, or "COPPA Rule." The general requirement under the COPPA Rule is that a company must obtain verifiable parental consent before collecting personal information from a child under 13 years of age via a web site.

C. The FTC takes its role as the Nation's privacy policeman very seriously. The agency has brought at least 25 law-enforcement actions in this area against such household names as Eli Lilly, Microsoft, Tower Records, Gateway and ValueClick. In those actions, the FTC may levy heavy monetary penalties (amounting to millions of dollars), obtain injunctive restraints on a company's marketing practices and require the company to file compliance reports for the agency's regular review.

Hot Button Issues:

• Behavioral Marketing

Behavioral marketing is sure to receive a great deal of attention in 2009. Put simply, behavioral marketing is the use of internet technologies to target ads to individuals based on their interests, where those interests are inferred by tracking an individual's browsing and viewing history across the internet.

To date, restrictions on behavioral marketing have remained relatively few. Companies may choose to adhere to a set of self-regulatory principles issued by the Network Advertising Initiative, but adherence to those principles is voluntary. Nevertheless, the buzz in Washington is that the administration may attempt to regulate in this area, which would have a major impact on how marketers structure their campaigns. For example, Congress may determine that consumer consent is necessary before sensitive data may be collected for the purpose of delivering targeted ads. Similarly, Congress may require companies to disclose fully to consumers that the advertiser is engaging in behavioral marketing. Another option is that the FTC may be directed to develop a do-not-track list, similar to the do-not-call list for telemarketing.

In an interview for this article, Betsy Broder, Assistant Director of the FTC Division of Privacy and Identity Theft, informally commented that the FTC is waiting for guidance from the new administration. Nevertheless, both sides of the issue are gearing up for a fight. Industry is advocating a more self-regulatory approach: four industry groups announced on January 13, 2009, that they are exploring the establishment of industry guidelines or the creation of a self-regulatory body to implement responsible practices. Privacy groups are taking a different approach and reportedly met recently with the Obama team to advocate more regulation. Whichever side wins, the way marketers conduct behavioral marketing will certainly be affected in 2009.

• Security, Security, Security

The FTC's Betsy Broder also commented that data security is likely to remain a priority for the agency. As recently as November 2008, the FTC reached a settlement with a mortgage lender over a data breach, imposing stringent requirements (onerous, some would say) on how the lender must maintain data in a secure fashion. The FTC is sure to bring more law-enforcement actions in this area. Further, the FTC is sponsoring a conference in March 2009 on securing data in the global environment. Data security is clearly on the FTC's radar screen for 2009.

• Identity Theft

The FTC has gradually increased the resources it devotes to identity theft over the past few years. Up to this point, the FTC has played mainly an informational role, providing resources on identity theft for victims and for other law-enforcement agencies. That approach will change in 2009. Beginning in May 2009, the FTC will begin enforcing its "Red Flags Rule," the regulation that requires financial institutions and creditors to maintain written identity theft prevention programs. The agency will require those programs to include measures to identify, detect and respond to the warning signs ("red flags") of identity theft.

A Few Cases:

ValueClick, Inc. (March 2008)

The FTC alleged that ValueClick, Inc. ("ValueClick") violated the CAN-SPAM Act (the federal law that regulates the transmission of commercial email) and made misrepresentations regarding its data security. According to the FTC, the company offered "free" merchandise that actually required a purchase, in violation of the CAN-SPAM Act's prohibition against false and misleading information in commercial email. The FTC also alleged that, contrary to the promises in its privacy policy, ValueClick did not secure sensitive consumer data, because the data was not encrypted, and that the company's web applications were susceptible to SQL injection, a common attack in which text supplied by a visitor is executed as part of a database query. As a result, the FTC levied a $2.9 million civil penalty against the company. Further, the FTC is requiring ValueClick to make several disclosures in its advertising and to maintain extensive security measures, including third-party audits of its security program for the next 20 years.

Goal Financial, LLC (March 2008)

Goal Financial, LLC ("Goal Financial") entered into a settlement with the FTC for violations of the FTC Safeguards Rule, the federal regulation that requires financial institutions to maintain customer financial information in a secure fashion. The FTC alleged that the company's employees transferred more than 7,000 files containing consumer information to third parties without authorization, and that one employee sold surplus hard drives containing information on approximately 34,000 individuals. The consent order bars Goal Financial from any future misrepresentations as to data security and requires the implementation and maintenance of a comprehensive security program. In addition, the company must obtain a third-party audit of the security program every two years for the next 10 years to ensure that its security measures meet the standards of the order.

Life is Good, Inc. (January 2008)

Life is Good, Inc. ("Life is Good") collected names, addresses, credit card numbers, expiration dates and security codes from consumers in connection with its online retail apparel business. The company's privacy policy promised: "All information is kept in a secure file and it is used to tailor our communications with you." Despite that promise, the FTC alleged that the company: (1) stored credit card numbers, along with security codes, as readable text on its network; (2) failed to evaluate its systems to prevent foreseeable attacks; (3) failed to implement low-cost security improvements; and (4) failed to detect unauthorized access to credit card information. As a result, an attacker was able to break into the company's database via a SQL injection attack on its web site and steal consumer credit card data. The company entered into a settlement with the FTC that requires it to establish and maintain a comprehensive security program with safeguards appropriate to Life is Good's size, the nature of its activities, and the sensitivity of the personal information it collects. In addition, an independent third-party auditor must assess the company's security program every two years for the next 20 years.
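The ValueClick and Life is Good complaints both turn on the same two failures: a web application that splices visitor input into a database query, and a database that holds full card numbers and security codes as readable text. The following is an added example written for this article, not code from either company or from the FTC's filings, that shows the flaw and the fix against an in-memory SQLite table of constructed sample orders (the card numbers are standard test numbers, not real accounts; all names and functions are this example's own).

```python
"""Added example (not from the article or the companies it describes): a
string-built SQL query beside its parameterised replacement, and a plaintext
card store beside a masked one, using constructed sample data."""
import sqlite3

# Constructed sample orders; these are well-known test card numbers, not real accounts.
SAMPLE_ORDERS = [
    ("alice@example.com", "4111111111111111", "123"),
    ("bob@example.com", "5555555555554444", "456"),
    ("carol@example.com", "378282246310005", "789"),
]

# Classic tautology payload an attacker would type into the "email" field.
ATTACK_INPUT = "' OR '1'='1"


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number for storage or display."""
    return "*" * (len(pan) - 4) + pan[-4:]


def build_db(store_plaintext: bool) -> sqlite3.Connection:
    """Build a constructed in-memory order table.

    store_plaintext=True mirrors the practice the FTC complaint describes
    (full card number and security code kept as readable text).
    store_plaintext=False keeps only a masked number and discards the
    security code, so a successful break-in yields little of value.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (email TEXT, card_number TEXT, cvv TEXT)")
    rows = SAMPLE_ORDERS if store_plaintext else [
        (email, mask_pan(pan), None) for email, pan, _cvv in SAMPLE_ORDERS
    ]
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", rows)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # VULNERABLE: the visitor's text is spliced into the statement, so quotes
    # and SQL keywords in it change the query instead of being compared as data.
    sql = "SELECT email, card_number, cvv FROM orders WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # FIXED: a bound parameter is always treated as a value, never parsed as SQL,
    # so the same payload simply matches no row.
    sql = "SELECT email, card_number, cvv FROM orders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    plain = build_db(store_plaintext=True)
    print("vulnerable query, plaintext store:", lookup_vulnerable(plain, ATTACK_INPUT))
    print("parameterised query, same input:  ", lookup_safe(plain, ATTACK_INPUT))
    masked = build_db(store_plaintext=False)
    print("vulnerable query, masked store:   ", lookup_vulnerable(masked, ATTACK_INPUT))
```

Against the plaintext store, the vulnerable lookup returns every card number and security code in the table for the attack input, while the parameterised lookup returns nothing. Against the masked store the same injection still succeeds, but all it yields is last-four digits and no security codes, which is the kind of low-cost improvement the Life is Good complaint faults the company for not making.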

© 2009 Hughes & Bentzen, PLLC.
