In this age of constant information exchange, and with more and more information being made available via social media by an ever-growing number of users, the debate over increased privacy concerns strikes many as hollow and contradictory. But indeed that dichotomy – how to protect consumer privacy interests in the digital marketplace – lies at the heart of the Federal Trade Commission’s current enforcement priorities. The collection, aggregation, storage, parsing, repackaging and utilization of personal information (the “stuff” of social networking) has become big business. Businesses continue to look for advantages in reaching consumers through new media. Regulation of this “new” marketing – online behavioral advertising – remains in its formative stages, but the tone being set is one of serious and aggressive enforcement of privacy rights. In addition to the FTC’s efforts, the Obama administration has been advocating a “privacy bill of rights” and the issue has traction on Capitol Hill as well, with many legislative initiatives under consideration.
Underscoring the FTC’s vigilant attention to internet privacy concerns, it appears a settlement of the FTC’s charges against Facebook, Inc. is imminent. Those charges reflect widespread complaints from Facebook users regarding significant unilateral changes Facebook made to its privacy controls and settings dating back to late 2009, which users complain discloses more personal information of users without giving users sufficient notice of disclosures. An FTC resolution of the charges against Facebook represents the third enforcement action against social networking giants this year. The agency resolved similar complaints earlier in 2011 against social networking sites Google (Google Buzz) and Twitter. For all of the considerable negotiation and debate, the Facebook, Google and Twitter settlements all feature a similar resolution scheme comparable to other FTC consent orders employed in other recent data protection investigations and settlements: (1) implementation of a comprehensive privacy program, (2) regular outside audits for many years, (3) some reconfiguration of privacy controls specific to the social networking tool at issue, and (4) prominent notice to users, with opt-out opportunities.
While efforts to rein in some of the industry-leading social media engines makes for splashy headlines, the question looms, nonetheless: With so much available data, and sophisticated tools for observing and measuring people’s online behavior, and (importantly) a post-recession business community hungry for online behavioral data to build direct strategic marketing – how do you manage the competing interests of a free market economy with a growing demand for increased privacy protections? (The challenges presented by online behavioral advertising are addressed more fully in an article I am preparing along with my colleague Kelly Rethman to appear in an upcoming Winter 2012 issue of The Journal of Internet Law.)
In fact, the tension between privacy advocates and their counsel on the one hand and the online business community on the other has already spawned nearly a dozen class action complaints in calendar year 2011 against some of the nation’s largest retailers and online social networks and businesses. Does this wave of class litigation foretell a rising tide of further litigation? Perhaps so, but possibly not in the class action context. Increasingly, the call seems to be for individual users to have the ability to control how much (or how little) of their data is made available in a “public” fashion. This individual user-specific control element (coupled with the myriad of competing state consumer protection laws) arguably presents a significant hurdle to those seeking to advance common nationwide class allegations (see Brian Wright’s November 11, 2011 post: “Early Class Certification Determinations and Use of Motions to Strike Supported by Sixth Circuit: Court Affirms Striking of Class Allegations and Rejects Certification of Nationwide Consumer Class Action”.)
Meanwhile, there are multiple private party and trade group initiatives underway (such as The Better Advertising Project, Inc., endorsed by the Digital Advertising Alliance), trying to get ahead of impending FTC regulatory schema, to identify voluntary, transparent, consumer/user-friendly “best practices” such that people utilizing social networks and online business sites are apprised of how their data is or may be used, and providing for front-end opt-out opportunities. These “best practices” are, largely, in line with the FTC’s proposed framework, previewed in a December 2010 Preliminary Staff Report.
This area of the law will remain very dynamic and we are watching carefully so as to advise our clients of the necessary risk/benefit analysis when evaluating the utilization of online personal data and behavioral information for advertising and marketing purposes. While the tug-of-war between privacy concerns and online behavioral advertisers has played out thus far among consumers, the FTC and very large social networking sites and retailers, the impact will, eventually, be one felt by all manner and size of businesses seeking to maximize the utilization of the burgeoning amount of personal data available online.