Lost in Translation? Privacy and Unfair or Deceptive Acts or Practices in Commerce in the USA
Gehan Gunasekara and Jingyi Xiong
Department of Commercial Law, The University of Auckland Business School
Asian Privacy Scholars Network 5th International Conference
University of Auckland Business School, 14 December 2016
Introduction
• Only selected private sectors covered by US privacy laws
• Rest under prohibition against unfair/deceptive acts or practices
• Paper examines 200+ settlements brought by Federal Trade Commission (FTC)
• Compare with principles-based privacy legislation (e.g. NZ)
Goals of research
• FTC actions address privacy issues at cutting edge of technology
– Actions include those against largest and most popular players in Internet space e.g. Google, Facebook, Snapchat
• NZ Law Commission recommendations for addressing systemic issues
• Terms of settlements potential model for content of compliance notices
– E.g. ongoing monitoring, reporting and privacy programmes
• Does conduct targeted fall within NZ-type privacy rules?
• Case-specific or principles-based approach preferable?
FTC section 5 Jurisprudence
• “Unfair or deceptive practices” contains 2 limbs:
– Conduct likely to mislead; or
– To cause or likely to cause substantial injury to consumers, not avoidable & outweighed by benefits
• Majority under first limb
• Mandate under other laws e.g. rule-making & enforcement under COPPA
• Overlap with sector legislation
– E.g. under Fair Credit Reporting Act breach deemed to contravene s 5 FTC Act
FTC Jurisprudence cont’d
• Farrar: strong discretion gives right to create standards
• C.f. weak discretion: latitude to apply concepts to circumstances
• FTC example of first
• No strict stare decisis
– Solove & Hartzog argue settlements = new “common law” of privacy
• Importance of “soft law” analogous to obiter comments
– E.g. reports, see Protecting Consumer Privacy in an Era of Rapid Change (2012)
• Settlement process involves other stakeholders, unlike stare decisis
FTC Jurisprudence cont’d
• Deception limb includes insufficient notice of invasive practices
• Lack of certainty criticism: Bentham's “dog law”?
• Contrast NZ prescriptive notice requirements
– Application to novel technological contexts also problematic
• Unfairness limb includes inadequate data security even where no promises made
– E.g. Rental Research Services, Inc.
FTC Jurisprudence cont’d
• Characterisation of harm = tangible c.f. emotional (see Spokeo, Inc. v Robins 578 US (2016) SC)
• Contrast NZ/Aus “injury to feelings/humiliation”
• Substantive standards (5):
– Retroactive policy changes
– Deceitful collection
– Improper use
– Unfair design
– Unfair security practice
• Access/correction rights largely missing hence proposed legislation
Research methodology
• Settlements 1995 – January 2016
• FTC website under Legal Resources
• Filters to avoid sector-specific overlap e.g. Safe Harbor, children etc.
• Target filters used: Privacy and Security, Consumer Privacy & Data Security
• Sector-specific included where separate s 5 breach alleged (63%)
• Automatic s 5 breaches not examined except for statistical comparisons (41%)
Methodology cont’d
• Targeted settlements quantified into 10 key areas (NZ/Aus):
– collection limitation, indirect collection, notice of collection, fairness of collection, data security, data access and correction, data quality, data retention, data use and disclosure & unique identifiers
• Quantified by type of industry or business
• Quantified whether linked to online/mobile environment
• Examined remedial action required in terms of settlements
Impugned conduct
• Online activity (pie chart): Yes 76%, No 24%
Value of personal info. in digital economy
• Settlements illustrate business models/economies of scale
– E.g. Consumerinfo.com, Inc. (consumers to monitor own credit worthiness)
– LifeLock, Inc. (ID theft prevention service, $10 a month and >1 million customers, monitoring credit reports, changes to address etc)
– Latter’s own security deficient, facilitating ID theft!
• “Trojan Horse” phenomenon – access to some info. becomes access to all info.
– E.g. Upromise Inc. (cash rebates into college savings fund; toolbar to ID partners & advertising preferences)
– In fact collected info. on all websites visited, links visited, usernames, passwords & search terms
– Special software and expertise needed to detect/remove
Agency problem
• Potential deficiency in NZ/Aus regime
• Agency must collect/hold data
• Many settlements against those providing technology/services to others doing collection/holding
• Problematic if user/holder invokes domestic affairs exception
• E.g. Snapchat, Inc.
– False assurance message would disappear after user-set period
– Promise of notification of screenshot by recipient to sender not kept
– Current wording (see s 3(4) PA) strained to view individual as agent of Snapchat
Privacy Enhancing Technologies (PETs)
• Snapchat also involved other collection for own use hence would have breached NZ law
• NZ law reform recommendations:
– Strict liability for domestic outsourcing
– Would catch Microsoft Corporation (Passport Wallet, Kids Passport services)
• PETs problematic
– E.g. Bonzi Software Inc.
– E.g. Snapchat Inc.
Translating conduct to NZ/Aus principles
• Impugned conduct could be classified under these
• Overlap: more than one principle contravened
– E.g. inadequate notice, data security, retention & disclosure
– Vindicates redundancy in NZ/Aus approach
– Some areas difficult to pigeonhole e.g. use of cookies (security)
• Graph depicts breakdown
Breakdown of conduct by NZ/Aus principles
• Bar chart: y-axis No. of Settlements (0–60); x-axis Privacy Principles Attributed to Defendant Conduct
• Bar values as extracted, left to right (principle labels not recoverable): 9, 8, 51, 20, 57, 48, 11, 47, 10
Criticisms of FTC approach
• Lack of standard notice of collection template
– E.g. Google Inc. promise to follow self-regulatory online advertisers Code (NAI)
– Placed “DoubleClick” advertising cookies on Safari browsers
– Told default settings would shield web browsing activities
• Security a catch-all: encompasses collection limitation, retention
– E.g. RockYou, Inc.
– Unnecessary data collected; passwords retained when no longer needed
– Illustrates adaptability of NZ/Aus principles which include redundancy
Classification/categorisation difficulties
• Application of principles in technological arena problematic
• E.g. cookies – what is required for defendant’s business practices?
– FTC able to sidestep by focusing on defective notifications & unauthorised use/disclosures
– E.g. Google Inc. involved software and ability to shield against
– Suggests principles such as privacy by design/default more useful
Example
• E.g. Epic Marketplace Inc. involved behavioural advertising
• Corporate merger resulted in subsidiary in network “history sniffing”
• Incl. websites visited outside network; deleting cookies insufficient
• Included sensitive browsing: fertility, impotence, disability insurance & debt relief
• Customers segmented into categories: “Pregnancy-Fertility” etc
• Exposed by Center for Internet and Society researchers at Stanford Law School
Weaknesses in FTC approach
• Access and correction Achilles heel
• E.g. Craig Brittain
– Revenge porn business
– Intimate pictures posted w/o consent
– Obtained by deception incl. pretexting & “bounty” system (indirect collection)
– Charged takedown fee of up to $500
• E.g. Cash Today, Ltd involved “payday loans”
– Lack of access to loan balances encouraged harassment
• E.g. Sony Music/Microsoft – concerned parental ability to monitor children, settings & data quality
Nature of defendants
• Pie chart of defendants by type (count, % of total):
– Technology Service: 8 (7%)
– Business Service: 4 (3%)
– Website Operator: 9 (8%)
– Social Media Service: 6 (5%)
– Application Provider: 2 (2%)
– Retailer: 20 (17%)
– Health-related: 8 (7%)
– Mobile Technology: 1 (1%)
– Marketing: 10 (9%)
– Financial Service Provider: 18 (16%)
– Software Provider: 7 (6%)
– Data Broker: 14 (12%)
– Education-related: 2 (2%)
– Hospitality: 2 (2%)
– Debt Collector: 1 (1%)
– Individual: 1 (1%)
– Entertainment: 2 (2%)
Analysis
• Included corporations & individuals
• Automatic s 5 sector-specific breaches excluded
• Retail sector largest
• Financial sector second
– Hints sector-specific laws unable to protect against secondary use
• C.f. health-related defendants only 7% (versus 17% of GDP in 2012)
– Inclusion of pharmaceutical products in research
• Around a third involved technology services
– Website operators, social media, mobile & application providers
Regulating Data Brokers
• 12% of defendants
• Generally no interaction with consumers
• Sources: criminal records, property data, purchase history & warranty information
• Half involved obtaining through pretexting!
– Fairness of collection (NZ/Aus)
– Law reform proposals (NZ)
• Examples:
– ChoicePoint Inc. – security principle
– Rental Research Services Inc. – ID thieves accessed
Data Brokers cont’d
• US Search, Inc.
– Name, address, phone no., aliases, maiden name, relatives, neighbours, marriage/divorce, associates/roommates etc & “reverse lookup” service
• Spokeo, Inc.
– “explore beyond the Resume” – HR pitch
– “coherent people profiles” & “powerful intelligence”
– Defendant employees made up profile content
– Accuracy/data quality principle
– Note: NZ/Aus distinction between “collect” & “held”
Nature of settlement remedies
• Civil penalties range from $1000 to $35 million
• Real sanction is intrusive auditing process which includes:
– Record-keeping incl. subsequent customer complaints
– Acknowledgment by management/corporate officers & subsidiaries
– Incl. compliance reporting
– Privacy/security programme (NZ see Hammond v Credit Union Baywide)
– Independent third-party assurance of above, usually 2-yearly
Conclusions
• Principle-based system can address most conduct targeted by FTC
• Deficiencies in USA approach – lack of transparency template and access/correction & reactive
• Strengths of USA approach include flexibility to technological environment
• Collection limitation principle strained. Solutions:
– Privacy by design/default
– New “Trojan Horse” principle of strict liability
– PETs & privacy assurance services need to be addressed in NZ/Aus