Privacy Enforcement Update: FTC Settles with Twitter and Chitika
As we have previously reported on our blog, 2011 has seen a whirlwind of privacy enforcement activity. The FTC, NLRB, EEOC, HHS and FINRA have all taken privacy enforcement actions this year. This March, the FTC has announced privacy settlements with Chitika and Twitter.
Chitika – FTC Alleges Deceptive Behavioral Targeting Opt-Outs
On March 14, 2011, the FTC announced that Chitika, an online advertising company, has entered into a settlement over allegations that the company did not respect consumers’ choice to opt out of receiving targeted ads online. According to the FTC complaint, Chitika buys ad space on websites and contracts with advertisers to place cookies on those websites. Chitika also uses cookies to tracks consumers’ activities on the web, including searches and visited sites.
The company displays ads to consumers based on their online activities. Chitika’s privacy policy said that consumers could opt out of having cookies placed on their browsers and receiving targeted ads. According to the FTC, however, Chitika’s opt-out lasted only 10 days. After that time, Chitika placed tracking cookies on browsers of consumers who had opted out and displayed targeted ads to them again.
The FTC charged that Chitika engaged in a deceptive practice in violation of Section 5 of the FTC Act by tracking consumers’ online activities even after they used Chitika’s opt out mechanism to direct the company to stop tracking them online and serving targeted ads.
The settlement bars Chitika from making misleading statements about the company’s data collection practices and the extent to which consumers can control the collection, use or sharing of their data. The settlement also requires that every targeted ad Chitika displays include a link to a clear opt-out mechanism that allows a consumer to opt out for a period of at least five years. It also requires that Chitika destroy all identifiable user information collected when the defective opt out was in place. Finally, Chitika must alert consumers who previously tried to opt out that their attempt was not effective, and they should opt out again to avoid receiving targeted ads through the company.
Twitter – FTC Alleges Failure to Safeguard Personal Information
On March 11, 2011, the FTC announced final settlement with Twitter over allegations that the company deceived consumers and put their privacy at risk by failing to safeguard the security of their personal information. The FTC alleged that serious lapses in the company’s data security practices allowed hackers to obtain unauthorized administrative control of Twitter and access users’ personal information and tweets that users designated as private. The hackers also gained the ability to send tweets from any account. The FTC complaint alleged that hackers were able to gain administrative control of Twitter on at least two occasions.
According to the FTC, Twitter’s website privacy notice stated that the company “employ[s] administrative, physical, and electronic measures designed to protect your information from unauthorized access.” In addition, Twitter offered its users privacy settings that enabled them to designate their tweets as private. The FTC alleged that Twitter’s representations that the company (i) used reasonable and appropriate security measures to prevent unauthorized access to nonpublic user information, and (ii) honored users’ privacy choice were deceptive and violated Section 5 of the FTC Act.
The settlement prohibits Twitter from misleading consumers about the extent to which the company protects the security, privacy and confidentiality of nonpublic consumer information, including the extent of the measures the company takes to prevent unauthorized access to the information. Twitter also must honor the privacy choices made by consumers and establish and maintain a comprehensive information security program. The program must be assessed by an independent auditor every other year for 10 years.
Lessons Learned
With privacy enforcement on the rise, companies are well advised to take proactive approach to compliance with privacy and information security laws, regulations, guidelines and best practices. The FTC expects businesses to collect, use, disclose and process personal information in a fair and transparent way, and to accurately represent their privacy and security practices to consumers. Take a look at these Fair Information Practice Principles and think how your business can apply them to its personal information practices.