Developing Layered Privacy NoticesDesign Simplifies Online Policies for Consumers
One way of improving consumer data privacy and security online is to encourage layered privacy notices, says privacy lawyer Alan Friel.
See Also: IoT is Happening Now: Are You Prepared?
Friel, a partner in the law firm of Edwards Wildman Palmer, spoke with Information Security Media Group about the Federal Trade Commission's privacy framework and its implications for organizations seeking to adhere to the new standards.
The framework, which is a set of best practices and recommendations, is hoping to encourage Congress to come up with a simple baseline set of privacy principles, including implementing privacy by design into online products and services before they're released to the market, and to improve the condition of online privacy policies.
"The report takes aim at how complex privacy policies have gotten," Friel says in an interview with Information Security Media Group's Eric Chabrow [transcript below].
To improve consumer privacy policies, Friel encourages his clients to provide layered security notices. The way a layered policy works is up-front, a user sees a bullet list containing the most important items, "something that can be read on a single smart-phone screen," Friel says. Then, if a user so wishes, he or she can click through the bullets to additional layers of detail.
"It's possible to have both simple, concise notice at the point of collection or at the point of download, but at the same time have multiple layers of detail if somebody so chooses to dig into that detail," he says.
In the interview, Friel:
- Encourages clients to adopt layered privacy notices, especially for mobile apps, in which simple explanations are presented in short, easy-to-read text on consecutive screens;
- Explains why businesses should benefit from following the FTC privacy framework;
- Discusses the impact of the framework on businesses whether or not Congress codifies FTC standards in legislation presented in the report.
Friel is a partner in the intellectual property department of Edwards Wildman Palmer and chairs its media and technology licensing and transaction practice and counsels clients on the privacy, data security, technology, regulatory and intellectual property implications of using mobile, digital and social media.
FTC Privacy Framework
ERIC CHABROW: What's the gist of the FTC report and how significant is it?
ALAN FRIEL: It's significant in that it outlines the commission's viewpoint on what companies ought to be doing with respect to consumer data privacy and security. It doesn't really come as any surprise and in some ways can be seen as a bit of a relief for industry in so far as it's only a set of best practices and recommendations, and two, confirms that the FTC is not planning to engage in any new rulemaking to essentially hoist regulations on the industry. They do encourage Congress to come up with a simple base-line set of privacy principles and to look specifically at ways to regulate data brokers, but as far as most data privacy and security issues go, they're looking to industry to self-regulate and would then be in the position to enforce violations of those self-regulatory schemes.
CHABROW: Would they have any authority at the moment to go further then they did and actually implement certain regulations, or do they need Congress to act?
FRIEL: That's a good question and, in fact, one of the four commissioners who dissented, Commissioner Rosch, descended because he believes that the guidelines might in fact be turned into mandatory requirements. The FTC under its Section 5 authority - Section 5 of the FTC Act - permits the FTC to protect consumers from misleading or deceptive advertising or unfair advertising of business practices. The unfair prong has sort of changed throughout the years depending upon administration. For the most part, it needs a showing of actual injury whereas the deception prong does not, but Commissioner Rosch worries that the concept of unfairness is sufficiently vague and amorphous, that these principles could be imposed essentially as requirement. Basically, if industry for the most part adopts them, failure to adopt them might be seen as unfair.
He points out that there are a number of situations where the market place should be allowed to determine what consumers are given in the way of choice and that privacy by default or privacy by design, something the report advocates, is not always necessarily in the consumer's best interest.
One good example of that is the mobile application space. Right now you can frequently purchase an app for $1.99 or more that has no advertising. However, if you want a free version of the app, it will have advertising as facilitated through the tracking of certain data about you, including your device identifier and the serving of ads to you. So Commissioner Rosch notes that is a "take it or leave it" choice with respect to privacy. If you want the free app, you have to accept that tracking and targeting. If you don't want the free app, you don't have to accept it. He worries about the report's recommendations of adopting privacy by design, which as a principle requires companies to always default to giving consumers affirmative choice before enabling any kind of data tracking or use.
CHABROW: You raise a point I find interesting. I want to use an app on my phone - my iPhone - and it tells me what the conditions are, and if I don't like it I don't accept it, which is often what I do because it seems like they want more information than I'm willing to give. Wouldn't that be enough under these guidelines or are you saying that I can say, "No, I won't follow it," but I still get the app?
FRIEL: I think that's Commissioner Rosch's concern. Again these guidelines are merely statements of principle. One of the things that the report urges is for companies to adopt privacy by design. Privacy by design is a process of looking at privacy impact at the time you conceptualize it and develop a product, and to start out with a baseline of giving consumers complete control over their privacy, essentially to have them affirmatively elect before a company can intrude upon that privacy. There's no law anywhere that imposes privacy by design; it's merely a concept. Reasonable minds might differ as to whether or not it's consistent with privacy by design to have a "take it or leave it" choice. Nobody's going to force a consumer to download a free app, but should they choose to do so, I think it's fair if the business model that supports that free app requires a certain amount of data collection and exploitation, as long as that's made clear through an easily conveyed and understandable notice - something that all the commissioners find to be important in something that there was no controversy amongst them as to whether or not there needed to be improvements in how privacy notices are given - that should be sufficient consumer choice.
CHABROW: Without legislation, what really can we expect to change here?
FRIEL: You're going to have the Department of Commerce and the FTC holding industry roundtables and discussions in order to develop self-regulatory programs. That's most likely going to happen because industry wants to avoid legislation. You're going to have a set of industry principles. The commissioner pointed to the Digital Advertising Alliance, a group of stakeholders in the Internet advertising space that have developed a pretty robust set of self-regulatory guidelines around online behavioral advertising. I think you're going to see the mobile industry doing the same thing and indeed, just as a result of the California Attorney General's initiative that was announced a couple of weeks ago, the vast majority of the operating system and platform providers in the mobile space have agreed to come together over the next six months and do just that. I think that's where we're going to see changes, and then you'll see the FTC continue to exercise its enforcement powers when there are misleading - whether explicitly or implicitly - privacy or data security statements. One of which may be, "We're a member of an industry group and we're not following their self-regulatory scheme." That would be an implicit misrepresentation. Or an explicit misrepresentation would be a privacy notice as A, B and C, when in fact D, E and F are the case. In those circumstances, the FTC is going to bring enforcement actions and then once they've got you for deception claim, they have so-called fencing-in authority where in the settlement agreement or the consent order they can impose far greater burdens on a company than they would otherwise under their Section 5 authority.
That's exactly what they did with Twitter, Facebook and Google in the last year. All three of those companies had privacy or data security issues that the FTC did not like their practices and have forced them to substantially change them and agree to 20 years worth of reporting and monitoring. The basis on which they had the authority to do that was the fact that all three are alleged to have made misleading statements in their privacy and data security policies, and it was based on that deception that the FTC was able to require them to engage in corrective action.
Implementing the Framework
CHABROW: So how burdensome would implementing this framework be on organizations?
FRIEL: It sort of depends upon where a product is in its lifecycle and how complex it is. That's one reason why the commission advocates the path by design approach. ... It's more difficult to go back and assess the impact after a product's already in the market, and as an afterthought rectify the issues that pre-exist to the extent that companies start thinking more about the issues as they conceptualize products and campaigns. They'll more easily be able to comply with where the consumers want them to be. Governments encouraging them to be and their own self-regulatory groups are likely to soon be requiring them to be.
Layered Privacy Policies
CHABROW: So what are you advising your clients?
FRIEL: One of the things that we've been doing for quite some time is to encourage companies to implement privacy by design in the development process. I don't necessarily think that means the privacy needs to be the default, but you need to be thinking about the privacy and data security impact of the product before it goes out in the market place.
Then, with respect to notice, one of the things that the report takes aim at is how complex privacy policies have gotten. They question whether or not that's effective notice anymore. Now I understand why particularly in complex ecosystems like mobile marketing, where you have all sorts of complex technologies and an ecosystem that's divided up amongst many, many players, you need relatively complex detailed notices, but I also understand the FTC's criticism that the average consumer isn't going to get to that level of detail. What we encourage clients to do is to provide layered notice where you have right up-front, in a few bullet points, something that can be read on a single smart-phone screen, the high-level, most important disclosures and that those can then be clicked through to added layers of detail. It's possible to have both simple, concise notice at the point of collection or at the point of download, but at the same time have multiple layers of detail if somebody so chooses to dig into that detail.
CHABROW: Should that just be for mobile, or should that also be for other forms of presentations such as a browser of the Internet or laptop?
CHABROW: Anything else you would like to add?
FRIEL: It's essential that companies understand what their marketing departments, what their technology groups are doing. Audit practices and policies at least once a year to ensure that what they're saying remains accurate. Although no amount of security is ever going to be 100 percent, they're auditing their systems to make sure particularly with respect to sensitive data like credit cards and personally identifiable data that they're exercising at least industry customary security procedures, and that they have a breach contingency plan ready, because at some point every company is going to have a data breach for the reason that no security is 100 percent. A number of states require notice to the state and to consumers in the event of a data breach, and Massachusetts now requires a list, a written information security policy to exist, and that you comply with that. These are not new issues or should not be new issues for companies. They have had a number of years to get their IT group on the right track here and I think we're going to start seeing more regulatory enforcement actions and more consumer class action lawsuits for the companies that aren't complying.