Twitter's New Tailored Suggestion Service Raises Questions

UPDATED JUNE 5, 2012 TO REFLECT FEEDBACK FROM TWITTER, NOTED IN BOLD BELOW

First, thanks to InfoLawGroup Law Clerk Nihar Shah, who contributed to this post. Let's talk about one of my favorite topics - privacy policy changes and updates!

The buzzwords in privacy over the last few months (really much longer than that) have been “Do Not Track,” particularly in regard to joint efforts by browser companies and the FTC to introduce “Do Not Track” (DNT) options. Twitter is just the latest company to adopt a DNT browser option, indicating in a blast email to all Twitter users that the setting is now available for implementation if a user so chooses. Interestingly, a much less publicized setting was also presented in that same email blast: Twitter’s new “tailored suggestion feature.” Applications and widgets created by Twitter will begin to collect data about Twitter users from third-party websites that feature those products. This is an entirely new feature from Twitter, and is being implemented as a default option for both new and existing Twitter users.

The addition of the service has drawn the attention of Congress, with Representatives Joe Barton (R-TX) and Cliff Stearns (R-FL), both members of the Bipartisan Privacy Caucus and the House Committee on Energy and Commerce, recently sending a letter to Twitter asking for clarification on numerous issues relating to the tailored suggestions program, and its interaction with Twitter’s commitment to the DNT browser option. The Congressmen seek clarification on how Twitter purports to honor a user’s choice to opt out of targeted advertising and data collection using the DNT browser option, while simultaneously collecting user information from third-party websites under the tailored suggestions program. Further, the letter asks for a broad overview of Twitter’s data collection, retention, and disposal methods. Twitter has until June 15th to respond to the Congressmen’s inquiries.

The FTC may also take notice of the tailored suggestions program, perhaps analyzing the issue under the Gateway consent decree from 2004, which the FTC cites as part of the “fundamental FTC law and policy that companies must deliver on promises they make to consumers about how their information is collected, used, and shared” (2009 FTC Self-Regulatory Principles for Online Behavioral Advertising, Pg. 40). Since Gateway, the FTC has required entities to obtain affirmative express consent from users where the “retroactive application of [the entity’s] revised privacy policy [containing material changes to its practices that were inconsistent with the entity’s original promise to consumers] causes or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers.”

The FTC clarified the standard both in the 2009 Self-Regulatory Principles for Online Behavioral Advertising and the 2012 Final Report on Online Consumer Privacy. The 2009 report determined that the standard “is limited to changes that are both material and retroactive,” where materiality is defined as “(i) using data for different purposes than described at the time of collection, or (ii) sharing data with third parties, contrary to promises made at the time of collection.” The FTC concluded that “a retroactive change does not include the circumstance where a company changes its privacy policy and then proceeds to collect and use new data under the new policy.” In these circumstances, the FTC suggests an opt-out choice accompanied by “some form of prominent notice,” such as “sending an email notice to their customer … or providing a prominent notice on the landing page of their website.” According to the 2012 report, “sharing consumer information with third parties after committing at the time of collection not to share the data would constitute a material change.”

It is not clear how the Gateway analysis would apply to the Twitter changes, but we can compare some features of the previous and current versions of Twitter’s privacy policy. It appears that Twitter has updated its privacy policy five times from 2007-2012, and only the most recent version contains any reference to the type of data required to be collected and used as part of the tailored suggestions program. This “Widget Data” is defined as data collected from Twitter buttons or widgets on third-party websites, and is then attached to the unique cookie file on a user’s computer. This information is kept separate from the “Log Data” which collects “page-visit” information (i.e., referring web page, location, browser used); however, Log Data does contain information from the same buttons and widgets that collect Widget Data. Notably, Widget Data and Log Data both collect data from the same sources, Twitter buttons and widgets. There are references to the data collected from “applications” in the previous version of the Twitter privacy policy in which Twitter acknowledges collecting Log Data from applications on third-party websites, but promises to “either delete [the data] or remove any common account identifiers, such as your username, full IP address, or email address after 18 months.” Twitter now apparently separates that data as Widget Data and specifically does not de-identify the data for the purposes of providing targeted services for a period of 10 days, after which the Widget Data is deleted or de-identified.

Takeaways? Remains to be seen. But, as always, organizations making changes to privacy policies should not implement them in an ad hoc manner. In addition to consulting with all internal stakeholders for accuracy and anticipating future use cases that might require additional changes, companies need to consider whether changes are material and/or retroactive, and craft appropriate mechanisms for notifying (and, as applicable, obtaining the consent of) users to such changes.