Lost in Translation? Privacy and Unfair or Deceptive Acts or Practices in Commerce in the USA

Gehan Gunasekara and Jingyi Xiong
Department of Commercial Law, The University of Auckland Business School

Asian Privacy Scholars Network 5th International Conference
University of Auckland Business School, 14 December 2016



Introduction

• Only selected private sectors covered by US privacy laws
• Rest under prohibition against unfair/deceptive acts or practices
• Paper examines 200+ settlements brought by Federal Trade Commission (FTC)
• Compare with principles-based privacy legislation (e.g. NZ)


Goals of research

• FTC actions address privacy issues at cutting edge of technology
  – Actions include those against largest and most popular players in Internet space e.g. Google, Facebook, Snapchat
• NZ Law Commission recommendations for addressing systemic issues
• Terms of settlements potential model for content of compliance notices
  – E.g. ongoing monitoring, reporting and privacy programmes
• Does conduct targeted fall within NZ-type privacy rules?
• Case-specific or principles-based approach preferable?


FTC section 5 Jurisprudence

• Unfair or deceptive practices contains 2 limbs:
  – Conduct likely to mislead; or
  – To cause or likely to cause substantial injury to consumers, not avoidable & outweighed by benefits
• Majority under first limb
• Mandate under other laws e.g. rule-making & enforcement under COPPA
• Overlap with sector legislation
  – E.g. under Fair Credit Reporting Act breach deemed to contravene s 5 FTC Act


FTC Jurisprudence cont’d

• Farrar: strong discretion gives right to create standards
• C.f. weak discretion latitude to apply concepts to circumstances
• FTC example of first
• No strict stare decisis
  – Solove & Hartzog argue settlements = new “common law” of privacy
• Importance of “soft law” analogous to obiter comments
  – E.g. reports see Protecting Consumer Privacy in an Era of Rapid Change (2012)
• Settlement process involves other stakeholder unlike stare decisis


FTC Jurisprudence cont’d

• Deception limb includes insufficient notice of invasive practices
• Lack of certainty criticism: Bentham's “dog law”?
• Contrast NZ prescriptive notice requirements
  – Application to novel technological contexts also problematic
• Unfairness limb includes inadequate data security even where no promises made
  – E.g. Rental Research Services, Inc.


FTC Jurisprudence cont’d

• Characterisation of harm = tangible c.f. emotional (see Spokeo, Inc. v Robins 578 US (2016) SC)

• Contrast NZ/Aus “injury to feelings/humiliation”
• Substantive standards (5):
  – Retroactive policy changes
  – Deceitful collection
  – Improper use
  – Unfair design
  – Unfair security practice

• Access/correction rights largely missing hence proposed legislation


Research methodology

• Settlements 1995 – January 2016
• FTC website under Legal Resources
• Filters to avoid sector specific overlap e.g. Safe Harbor, children etc
• Target filters used: Privacy and Security, Consumer Privacy & Data Security
• Sector specific included where separate s 5 breach alleged (63%)
• Automatic s 5 breaches not examined except for statistical comparisons (41%)


Methodology cont’d

• Targeted settlements quantified into 10 key areas (NZ/Aus):
  – collection limitation, indirect collection, notice of collection, fairness of collection, data security, data access and correction, data quality, data retention, data use and disclosure & unique identifiers
• Quantified by type of industry or business
• Quantified whether linked to online/mobile environment
• Examined remedial action required in terms of settlements


Impugned conduct

[Pie chart: Online activity. Yes 76%, No 24%]


Value of personal info. in digital economy

• Settlements illustrate business models/economies of scale
  – E.g. Consumerinfo.com, Inc. (consumers to monitor own credit worthiness)
  – LifeLock, Inc. (ID theft prevention service $10 a month and >1 million customers, monitoring credit reports, changes to address etc)
  – Latter’s own security deficient facilitating ID theft!
• “Trojan Horse” phenomenon – access to some info. all info.
  – E.g. Upromise Inc. (cash rebates into college savings fund; toolbar to ID partners & advertising preferences)
  – In fact collected info. on all websites visited, links visited, usernames, passwords & search terms
  – Special software and expertise to detect/remove


Agency problem

• Potential deficiency in NZ/Aus regime
• Agency must collect/hold data
• Many settlements against those providing technology/services to others doing collection/holding
• Problematic if user/holder invokes domestic affairs exception
• E.g. Snapchat, Inc.
  – False assurance message would disappear after user-set period
  – Promise of notification of screenshot by recipient to sender not kept
  – Current wording (see s 3(4) PA) strained to view individual as agent of Snapchat


Privacy Enhancing Technologies (PETs)

• Snapchat also involved other collection for own use hence would have breached NZ law

• NZ law reform recommendations:
  – Strict liability for domestic outsourcing
  – Would catch Microsoft Corporation (Passport Wallet, Kids Passport services)
• PETs problematic
  – E.g. Bonzi Software Inc.
  – E.g. Snapchat Inc.


Translating conduct to NZ/Aus principles

• Impugned conduct could be classified under these
• Overlap: more than one principle contravened
  – E.g. inadequate notice, data security, retention & disclosure
  – Vindicated redundancy in NZ/Aus approach
  – Some areas difficult to pigeonhole e.g. use of cookies (security)

• Graph depicts breakdown


Breakdown of conduct by NZ/Aus principles

[Bar chart: No. of Settlements (vertical axis) by Privacy Principles Attributed to Defendant Conduct (horizontal axis)]


Criticisms of FTC approach

• Lack of standard notice of collection template
  – E.g. Google Inc. promise to follow self-regulatory online advertisers Code (NAI).
  – Placed “DoubleClick” advertising cookies on Safari browsers
  – Told default settings would shield web browsing activities
• Security a catch-all: encompasses collection limitation, retention
  – E.g. RockYou, Inc.
  – Unnecessary data collected; passwords retained when no longer needed
  – Illustrates adaptability of NZ/Aus principles which include redundancy


Classification/categorisation difficulties

• Application of principles in technological arena problematic
• E.g. cookies – what is required for defendant’s business practices?
  – FTC able to sidestep by focusing on defective notifications & unauthorised use/disclosures
  – E.g. Google Inc. involved software and ability to shield against
  – Suggests principles such as privacy by design/default more useful


Example

• E.g. Epic Marketplace Inc. involved behavioural advertising
• Corporate merger resulted in subsidiary in network “history sniffing”
• Incl. websites visited outside network; deleting cookies insufficient
• Included sensitive browsing: fertility, impotence, disability insurance & debt relief
• Customers segmented into categories: “Pregnancy-Fertility” etc
• Exposed by Center for Internet and Society researchers at Stanford Law School


Weaknesses in FTC approach

• Access and correction Achilles heel
• E.g. Craig Brittain
  – Revenge porn business
  – Intimate pictures posted w/o consent
  – Obtained by deception incl. pretexting & “bounty” system (indirect collection)
  – Charged takedown fee of up to $500
• E.g. Cash Today, Ltd involved “payday loans”
  – Lack of access to loan balances encouraged harassment
• E.g. Sony Music/Microsoft – concerned parental ability to monitor children, settings & data quality


Nature of defendants

[Pie chart: Nature of defendants (category, number, percentage)]

• Technology Service, 8, 7%
• Business Service, 4, 3%
• Website Operator, 9, 8%
• Social Media Service, 6, 5%
• Application Provider, 2, 2%
• Retailer, 20, 17%
• Health-related, 8, 7%
• Mobile Technology, 1, 1%
• Marketing, 10, 9%
• Financial Service Provider, 18, 16%
• Software Provider, 7, 6%
• Data Broker, 14, 12%
• Education-related, 2, 2%
• Hospitality, 2, 2%
• Debt Collector, 1, 1%
• Individual, 1, 1%
• Entertainment, 2, 2%


Analysis

• Included corporations & individuals
• Automatic s 5 sector-specific breaches excluded
• Retail sector largest
• Financial sector second
  – Hints sector-specific laws unable to protect against secondary use
• C.f. health-related defendants only 7% (versus 17% of GDP in 2012)
  – Inclusion of pharmaceutical products in research
• Around third involved technology services
  – Website operators, social media, mobile & application providers


Regulating Data Brokers

• 12% of defendants
• Generally no interaction with consumers
• Sources: criminal records, property data, purchase history & warranty information
• Half involved obtaining through pretexting!
  – Fairness of collection (NZ/Aus)
  – Law reform proposals (NZ)
• Examples:
  – ChoicePoint Inc. – security principle
  – Rental Research Services Inc. – ID thieves accessed


Data Brokers cont’d

• US Search, Inc.
  – Name, address, phone no, aliases, maiden name, relatives, neighbours, marriage/divorce, associates/roommates etc & “reverse lookup” service
• Spokeo, Inc.
  – “explore beyond the Resume”
  – HR pitch
  – “coherent people profiles” & “powerful intelligence”
  – Defendant employees made up profile content
  – Accuracy/data quality principle
  – Note: NZ/Aus distinction between “collect” & “held”


Nature of settlement remedies

• Civil penalties range from $1000 to $35 million
• Real sanction is intrusive auditing process which includes:
  – Record-keeping includes subsequent customer complaints
  – Acknowledgment by management/corporate officers & subsidiaries
  – Incl. compliance reporting
  – Privacy/security programme (NZ see Hammond v Credit Union Baywide)
  – Independent third party assurance of above usually 2-yearly


Conclusions

• Principle-based system can address most conduct targeted by FTC

• Deficiencies in USA approach – lack of transparency template and access/correction & reactive

• Strengths of USA approach include flexibility to technological environment

• Collection limitation principle strained. Solutions:
  – Privacy by design/default
  – New “Trojan Horse” principle of strict liability
  – PETs & privacy assurance services need to be addressed in NZ/Aus


QUESTIONS/DISCUSSION
