An example of behavioral marketing is advertising popular related items next to a news story that readers might find interesting. Another example is how large e-commerce sites, such as Amazon, will list products that other customers have also purchased when browsing. The objective of behavioral marketing is to identify and advertise to your target audience, to ensure that marketing efforts are directed towards individuals who are most likely to purchase the product.

FTC Report on OBM Principles

On February 12, 2009, the FTC issued its Staff Report on Self-Regulatory Principles for Online Behavioral Advertising. The report defined online behavioral advertising as “the tracking of a consumer’s online activities over time – including the searches the consumer has conducted, the Web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests.”

The report went on to outline principles that ensure:

• Transparency and consumer control
• Reasonable security and limited data retention for consumer data
• Affirmative express consent for material changes to existing privacy promises
• Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising

These principles apply equally in the context of mobile devices.

Responses to FTC Report

In response to the FTC’s guidelines, consumer privacy advocate groups began to claim that the document was not stringent enough and that the commission does not sufficiently investigate privacy threats and wrongful practices targeting children, adolescents and multicultural consumers. According to Pam Dixon, executive director of the World Privacy Forum,

“I think that the issue of self-regulation has been on the FTC’s plate for ten years and it’s disturbing that only one commissioner chose to question the self-regulatory model. I think my disappointment in the FTC approach is there weren’t specific renegotiations on the self-regulation model.”

According to Chris Hoofnagle, director of information privacy programs at the Berkeley Center for Law and Policy Center, Berkley, CA. “The FTC failed to address the clearest examples of sensitive information and that there is certain user data that should never be used for targeting.”

Cory Wright, senior counsel and adjunct professor at Georgetown Law commented, “The commission’s report does not heed the concerns we have been having. The policy is not meaningful. The document fails to define children in terms of what age group can be referred to as children. The FTC says affirmative consent will work but does not go into detail about what that means. The guidelines don’t go far enough to protect kids.”

Mobile OBM

Many advertisers are looking eagerly at the potential of the online mobile market. Perhaps companies could then connect with clients on the go to let them know about their nearby products and services. In response, the FTC and Congress have voiced their concerns regarding the potential for abuse and misuse of consumer information in this context. Furthermore, there is a quickly-diminishing distinction between personally identifiable information (PII) and non-PII, including a user’s IP address and other computer/mobile device identifiers.

It has been discussed that the FTC’s guidelines regarding mobile marketing does not do enough to control applications. It is challenging to create effective disclosures, especially given the size limitations in the mobile context, as well as continuous developments in mobile-based products and services.

Summary

This article takes a look at online behavioural marketing practices and how these are used in e-commerce. The article explores the FTC’s report on Self-Regulatory Principles for Online Behavioral Advertising, which was released in early 2009. It also looks at responses to the principles, from privacy rights groups in the United States. Finally, the article explores possible privacy issues inherent to mobile online behavioural marketing.

CIPP Exam Preparation

In preparation for the Certified Foundation Examination (Foundations), a privacy professional should be comfortable with topics related to this post, including:

• Online Behavioral Marketing (OBM) (III.B.j.ii.)

On May 19, 2011, the US Senate Committee on Commerce, Science and Transportation had a hearing that focused on “Consumer Privacy & Protection in the Mobile Market Place.” Present were representatives from Google, Apple and Facebook, as well as David Vladeck, director of the Bureau of Consumer Protection of the Federal Trade Commission (FTC).

Voicing Concerns

At the subcommittee hearing, Senator John Rockefeller expressed concerns about the amount of information mobile devices are actually able to collect about their owners. He demanded stronger controls over how and when such personal data is shared, saying, “As smartphones become more powerful, more personal information is being concentrated in one place. Consumers want to understand and have control of their personal information. ” Senator Rockefeller is the chairman of the US Senate Committee on Commerce, Science and Transportation.

According to Senator Al Franken, the chairman of the judiciary subcommittee on Privacy, Technology and the Law, “Consumers have a fundamental right to know what data is being collected about them. I also believe they have a right to decide whether or not they want to share that information and with who they want to share it and when.”

Jessica Rich from the FTC expressed worries about mobile device safety, saying, “These concerns stem from the always-on, always-with-you personal nature of mobile devices.” She also pointed out the possible hazards of “invisible collection and sharing of data with multiple parties, the ability to track consumers – including children and teens – to their precise location.”

Responding to the Fears

In response to the increased concerns regarding mobile data collection, Catherine Novelli, Apple’s VP of worldwide government affairs explained that the company currently provides tools allowing customers to control the collection and use of data on its mobile devices, including location data. Novelli said, “Apple does not track users’ locations – Apple has never done so and has no plans to ever do so.” However, the recent flurry of activity over the company’s iPhone and 3G-enabled iPads speak to the contrary.

Alan Davidson, Google’s director of public policy for the Americas responded that Google supports the development of a legal privacy framework that ensures broad-based user trust and that will support continued innovation.

Bret Taylor, the Chief Technology Officer of Facebook, warned that too much regulation may stifle innovation amongst mobile technology and service providers: “Adopting overly restrictive policies will prevent our social features from functioning in the way that individuals expect and demand.”

FTC Suggestions

In its statement to the subcommittee, the FTC suggested extending the application of its Do-Not-Track mechanism. Introduced in December 2010, the Do Not Track feature for internet browsers would allow users to opt out of sharing browsing data completely and protect their privacy. This suggestion was made in order to give end users increased control over the amount and type of personal data stored by companies, preventing the sharing of sensitive data with third parties, or the use of sensitive data against the individual’s wishes.

The FTC recommended that this Do-Not-Track mechanism should apply to mobile and desktop devices: “At least for purposes of web browsing, the issues surrounding implementation of Do Not Track are the same on mobile devices and desk top computers.” Currently, FTC staff is developing ways to implement Do Not Track mechanisms on mobile apps.

Summary

This article takes a look at the May 19, 2011 Senate Subcommittee hearing on “Consumer Privacy & Protection in the Mobile Market Place.” As mobile phones and location-based apps are becoming more ubiquitous, this has raised a number of consumer concerns regarding the amount and type of sensitive information that is being collected, stored and shared by developers and third-parties. The subcommittee hearing was an opportunity for those on both sides of the debate to express their opinions. The FTC suggested extending the Do Not Track mechanism for web browsers to include mobile devices as well.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

• Sensitive Personal Information (SPI) (I.A.b.)
• Data accountability (I.B.c.)
• Consumer privacy concerns (II.A.a.)
• Government and citizen surveillance (II.A.k.)
• Social networking services (VI.C.)
• Location-based services (VI.E.)

Crucial Evidence

In his statement before the Subcommittee on Crime, Terrorism, and Homeland Security, Jason Weinstein, deputy assistant attorney general at the Justice Department, pointed out that retaining data from ISPs and cell phone service providers can help provide crucial evidence in cases “including child exploitation, violent crime, fraud, terrorism, public corruption, drug trafficking, online piracy, computer hacking, and other privacy crimes.”

According to Weinstein, many of the Justice Department’s current criminal investigations are being hindered by its inability to monitor and store the online activity of users. He provided numerous examples in which the retention policies of service providers were obstructing federal, state and local law enforcement investigations. Weinstein said, “These decisions by providers to delete records are rarely done out of a lack of desire to cooperate with law enforcement; rather, they are usually done out of an understandable desire to cut costs.  Some providers also seem to delete records out of a concern for customer privacy.”

Current Practices

At this point, ISPs are required to preserve usage data only at the request of law enforcement authorities. Many ISPs are also collecting and maintaining “non-content records,” for instance a subscriber’s login records, information on who is using their services and how. ISPs have widely varying policies and practices regarding the storage of non-content records. In some cases, it will be deleted within days, while others may retain the data for months. Weinstein would like to see this retention period standardized, so that authorities are guaranteed to be able to access such data, should they require it.

There is currently no law that requires ISPs to retain user data. However, the push for extensive data retention legislation is not a new issue. In the past, FBI director Robert Mueller requested that Congress consider such legislation for similar reasons.

Critics Say…

Undoubtedly, the January 25^th hearing has brought to the surface a number of privacy and freedom of speech concerns. The notion of law enforcement authorities tracking and retaining large amounts of information on over 230 million Americans is an unacceptable outcome for many. This may significantly impact free and anonymous speech and will change how individuals use the internet.

Jim Harper, the director of information policy studies at the Cato Institute, commenting on the issue of mandatory data retention, says “I fail to see where the Fourth Amendment permits the government to require dragnet surveillance of Internet users.”

Another issue is that while the federal government is pushing for pro-privacy laws, it is also contradicting itself with anti-privacy laws, such as this data retention legislation. Recently, the FTC proposed that browsers include Do-Not-Track features, which would help users ensure that their information is not being retained while they browse the internet. At the same time, the Justice Department has asked for more extensive retention laws, though the two are seemingly in conflict with each other.

According to John Morris, the general counsel for the Washington DC-based think-tank Center for Democracy and Technology, the hearing does not necessarily mean that a data retention bill is on the way. It is also uncertain what kind of data ISPs would be expected to retain, or if other online services (e.g. e-mail providers) might be included in the new legislation. Morris said:

“In the best-case scenario, a data retention bill will only require ISPs to track and store Internet Protocol (IP) address allocation data to help law enforcement better link Internet use to specific users. In the worst-case scenario, it could require ISPs and all sorts of online service providers to store and track everything from IP addresses to source data involving e-mail, instant messaging (IM), social media interactions and Web sites visited.”

Summary

On January 25, 2011, the US Department of Justice brought the issue of mandatory data retention to the House Subcommittee on Crime, Terrorism, and Homeland Security. Currently, there is no law requiring internet service providers (ISPs) to retain user data, and ISP retention practices are inconsistent in terms of type of data and retention period. Law enforcement authorities have long argued that mandatory data retention would advance criminal investigations, especially those dealing with child pornography and sexual predators. Critics argue that retention of user data would result in numerous privacy and freedom of speech concerns.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

• Methods of Data Collection (I.B.a.)
• Privacy Concerns – Consumer Perspective (II.A.a.)
• Government and Citizen Surveillance (II.A.k.)
• Privacy Expectations – Consumer Behaviors (II.B.a.)
• Online Privacy (V.D.i.1.)

Applications of phone-home software

Phone-home features have been integrated into numerous software titles for reasons including:

• Anti-piracy measures
• Tracking lost/stolen hardware
• Access control
• Marketing purposes

Often, the traffic on the end-user’s network is encrypted, so it can be difficult to determine exactly what data is being transmitted back to the manufacturer.

A well-known example of phone-home software is Windows Genuine Advantage (WGA). In 2005, Microsoft launched this application as part of an anti-piracy program. The installation of the application was required if users wanted to download further Windows updates. It checked if users were working from a licensed copy of Windows XP. Should a user be running a pirated version, the user would receive notifications. Finally, if no action was taken, the user would be blocked from downloading some updates.

WGA garnered much criticism in mid-2006 as users learned that it would “phone home” on a daily basis, without informing users of this function. In response to the controversy, Microsoft made significant adjustments to the phone home activities of WGA. Once systems were validated, WGA would cease connection attempts altogether. Systems that could not be validated would be restricted from certain automatic updates, downloads, installation procedures and some program executions. Microsoft also changed its End User License Agreement (EULA) to include more explicit information regarding the WGA. The EULA presented users with the choice to accept or reject the WGA procedures.

Microsoft was not the only one receiving criticism for its phone home practices at this time. Users of Apple’s Mac OS X were also noticing network activity, which was supposedly for the purposes of verifying Dashboard widgets. According to users, Apple did not inform them of the new feature or its activities. Such activity was only determined through the use of firewalls, which informed users when the program would attempt to establish outgoing internet connections. Although it was unclear what exactly was being communicated between the client and the server, users were obviously uncomfortable with the fact that their computers were automatically checking in with Apple.

Another example of phone-home software is the iTunes MiniStore, which introduced a feature that suggested music from the iTunes Music Store based on users’ song selections. This was one of many downloadable updates from Apple. However, the EULA for iTunes did not inform users that the application would transmit information about the user’s music preferences back to Apple. With the new feature, whenever a user selected a song, iTunes connected to the internet to update the MiniStore. User information would be passed to Apple through a third party.

Although the iTunes MiniStore feature could be disabled easily enough (by closing the pane), users were enraged that their personal information was being passed through third party without their consent. Even though this information was relatively harmless, users demanded that Apple make this feature clear and explain how it could be turned off.

Windows Activation Technologies

In February 2010, Microsoft announced a new anti-piracy initiative, referred to as Windows Activation Technologies (WAT) update KB971033 for Windows 7. This would involve an automatic phone-home procedure to Microsoft servers every ninety days. The purpose of the WAT is to ensure that users are not using pirated versions of Windows. Critics have voiced concerns regarding the repeated authentication checks. These quarterly checks would mean that systems need to meet a certain set of criteria, or be subject to restrictions, even if that same system had previously been verified.

This could result in previously verified systems being downgraded to a non-genuine level. Such systems would still be able to function normally, but users may face some annoying changes. For instance, desktop backgrounds will periodically change to black, users would only have limited access to updates and piracy notifications will appear frequently.

The incentive for downloading and running WAT is still unclear to many users. While it may be important to identify if systems are running illegitimate versions of Windows 7, the downgrade process is largely unnecessary. Certain users may be concerned if their system is running a pirated version of Windows, which may have a chance of allowing viruses or other malware into their system. However, it may be more common that people are using legitimate copies that simply have not been authenticated yet.

While Microsoft insists that the WAT upgrade is completely voluntary, critics argue that consumers should not be tied to application manufactures as a result of cradle-to-grave authentication processes. This sort of surveillance regime is an unacceptable intrusion on the privacy of individuals and could potentially harm a large number of innocent computer users.

Other uses

Not all phone home applications receive a negative response from end-users. Certain tracking technology allows police to locate stolen computers across the world. One of the most effective types of tracking software is embedded within the BIOS of a computer’s motherboard. This software cannot be wiped or removed from the system. If the stolen computer attempts to connect to the internet, the phone home software transmits information to a monitoring center, reports the IP address and allows law enforcement officials to find its location. One such application, ComputraceOne, created by Absolute Software, claims to have helped recovered over 5,000 stolen computers.

Summary

This article explores the issue of phone-home features embedded in certain software. While phone-home features are found in spyware and other forms of malware, they are also integrated in legitimate software, such as Microsoft Windows, Apple OS and other applications. The feature may be used as an anti-piracy measure, to track lost or stolen hardware, to control access or for collecting information for marketing purposes. Security issues that are raised by such a feature include lack of disclosure to users, lack of consent, scope of functionality and level of surveillance.

CIPP/IT Preparation

In preparation for the Certified Information Privacy Professional/Information Technology exam, a privacy professional should be comfortable with topics related to this post, including:

• Privacy concerns and the consumer perspective (II.A.a.)
• System monitoring (II.A.l.)
• Phone-home software (II.A.l.i.)
• Privacy expectations and consumer behaviors (II.B.a.)

With the rapid growth of e-commerce, companies are able to experiment with and implement different price discrimination strategies. Online consumers consciously and unconsciously provide vendors with information that helps them to split the market into segments for price discrimination. This article introduces basic concepts involved in price discrimination, as well as some of the impacts on consumers’ privacy.

What is Price Discrimination?

Price discrimination is also referred to as yield management. This takes place when a company charges varying prices to different groups of customers, for the same goods or services. This variation in price is not related to the cost of the good or service provided. The different groups of customers are referred to as segmented markets.

Price discrimination is a strategy that is employed by almost every industry that has some power to determine prices. There are a number of different types of price discrimination:

1. Optimal Pricing:  This is also referred to as perfect price discrimination. With this type of price discrimination, the vendor charges each individual the price that they are willing and/or able to pay. This heavily depends on how much information the vendor has regarding the consumer’s preferences. For the most part, this type of price discrimination is considered unattainable.
2. Second Degree Price Discrimination:  With this form of price discrimination, vendors sell a product that is surplus capacity at a lower price than the standard or advertised price. This type of price discrimination is independent of any personal information from consumers. An example of this is the sale of standby airline seats. Second degree price discrimination has been advanced by developments in e-commerce.
3. Third Degree Price Discrimination:  This is also referred to as multi-market price discrimination. With this type of price discrimination, the market is segmented, for instance in terms of time or geography. It is a common type of price discrimination that depends on charging different prices, depending on the segment of the market.

Price discrimination is not a new strategy; it has been applied throughout history. However, it is often not publicized, as it incites negative public responses. However, proponents argue that despite the inequitable treatment of individuals, on a larger scale, the practice may offer a more efficient use of resources. With the development of new technologies, companies are finding ways to price discriminate that may not have been possible before.

E-Commerce & Price Discrimination

With the rise of e-commerce, there has been a steady erosion of privacy. Privacy professionals and other observers have identified this as a continuing trend with the internet. The vast majority of privacy invasions stem from the private sector. Seemingly, with better information about consumers, vendors can more appropriately target their advertising dollars. In the past, companies needed to invest heavily into gathering personal information and monitoring the spending habits of consumers, current technology makes price discrimination a commercially feasible practice.

With ubiquitous computer systems, vendors can engage in more “intelligent” transactions, recording information about the environment and consumer conditions. Information about consumers may be collected through repeated interactions between vendor and seller. For instance, cookies may be used to track consumer purchasing habits. This allows vendors to refine the information about their customer base and dynamically change pricing schemes to respond to the information.

This practice may bring about both positive and negative results. For instance, customers may enjoy personalized treatment, such as discounts, suggested products and individualized content. On the other hand, many customers are wary of potential privacy invasions. Consumers are generally not pleased to learn that a vendor engages in price discrimination; no one wants to pay more than someone else for the same item.

Common examples of price discrimination include:

• Dell Computers selling the same model laptop to different markets (i.e. individuals, small businesses, enterprises and governments) at different prices.
• Vendors charging customers at different rates, depending on their IP address.
• Amazon.com drawing on customer’s past purchases and spending habits to charge different prices for DVDs.

Web Coupons

Coupons retrieved from the internet are a rapidly growing segment of the coupon industry. Such coupons are accessed and printed from the internet and may carry with them a lot of consumer information, such as their IP address, personally identifiable information and the search terms used to find the coupon. While this form of tracking may be invisible to consumers, vendors may be able to collect such information simply by scanning the bar code of the coupon.

Many web coupons are handled by third party service providers, who may collect and analyze vast amounts of information about clients for the retailers. Well-known web coupon companies include RevTrax, FatWallet and Ebates.com. Vendors may also be able to narrow down their customer base by sending specific keyword searches to different web addresses. These addresses may be invisible to the consumer, who may only be able to see a simple, standard web address. Information collected online may be combined with data from offline databases that could significantly be harmful to consumers. Such information is collected, not only without individual consent, but without any form of transparency or accountability.

Legal Issues

The issues that have been raised by e-commerce and other online practices have significant implications on law and technology. Currently, the US antitrust law specifically addresses price discrimination. The Robinson-Patman Act of 1936 states that it is illegal for vendors to treat their customers differently, unless they have an acceptable legal justification for such treatment. However, the FTC has hardly applied the Act in the recent past. The Robinson-Patman Act has even been considered irrelevant in terms of dynamic pricing in an e-commerce context.

Critics have argued that the Act is not really designed to protect consumer rights. This is highly problematic for privacy advocates, who believe that private sector interests are unfairly targeting and classifying individuals without their consent. Recently, the US PIRG (United States Public Interest Research Group) has partnered with the Center for Digital Democracy and World Privacy Forum in order to urge the FTC to review online consumer tracking practices.

Summary

This article explores the issue of price discrimination. It discusses three main types of the price discrimination practice: optimal pricing; second degree price discrimination and third degree price discrimination. The article examines how price discrimination has become more prominent with the developments in e-commerce and how practices such as web coupons intensify the risk of privacy intrusions. The lack of relevant, up-to-date legislation around this issue is also discussed.

CIPP/IT Preparation

In preparation for the Certified Information Privacy Professional/Information Technology exam, a privacy professional should be comfortable with topics related to this post, including:

• E-commerce personalization (II.A.d.)
• Price discrimination (II.A.h.)
• Privacy expectations and consumer behaviors (II.B.a.)

The memorandum issued the following recommendations:

Data Breach Guidance to Agencies

The Office of Management and Budget should issue a memorandum guiding agencies on when and how notice must be given to individuals at risk for identity theft due to a security breach. The suggested memorandum, titled “Recommendations for Identity Theft Related Data Breach Notification” was released almost concurrently with the Task Force’s memorandum.

Development of Universal Police Report for Identity Theft Victims

Identity theft victims my require official police reports to contest fraudulent information on their credit reports. A universal identity theft police report ensures that all necessary information is collected. It also allows identity theft victims to print the report from online, fill it out and bring it to their local enforcement agency for verification. Currently, individuals may also file an official complaint with the Federal Trade Commission on the FTC website. A universal form of filing complaints, reduces the strain on law enforcement agencies and  allows streamlining of investigations.

Extending Restitution for Victims of Identity Theft

The Task Force recommended to Congress that defendants be required to pay their identity theft victims monetarily for the time lost due to investigating, responding to and correcting fraudulent activity on their credit reports. This created extra penalties for committing identity theft, as well as allowed some renumeration to be paid to identity theft victims for their troubles, in addition to settling any financial disputes related to the fraudulent activity.

Reducing Access of Identity Thieves to Social Security Numbers

All agencies in the public sector should limit the use of Social Security Numbers as an individuals main identifier in an information system. The Office of Personnel Management was instructed to assign employee identification numbers for common use to eliminate the widespread use of SSN as the primary identifier for government employees. The OPM was also instructed to develop policies for the appropriate use and protection of Social Security Numbers. Further more all agencies were asked to review their use of SSNs in physical and electronic records systems to eliminate and restrict its usage where possible.

Developing Alternative Methods of Authentication Identities

The Task Force recommended that agencies confer with privacy and security experts in the private sector to create and implement technologies that use identifiers such as biometrics to authenticate identity. Biometric identifiers are harder for identity thieves to replicate or abuse. Using biometric identifiers in order to access personally identifiable information would significantly increase the protection to sensitive data.

Improving Data Security in the Government

The Task Force asked that the Office of Management and Budget and the Department of Homeland Security work together to investigate privacy practices in the Federal government and develop a list of the top mistakes that affect an agency’s ability to adequately protect data. This document was published in 2007 under the title “Common Risks Impeding the Adequate Protection of Government Information.”

Improving the Agencies’ Ability to Respond to Data Breaches in the Government

Agencies were instructed to develop and publish a “routine use” policy for their systems of records under the Privacy Act. These “routine use” policies would allow agencies to share PII–without the prior consent of the individual–with other agencies in order to respond effectively to security breaches.

Summary

In 2006, the Presidential Identity Theft Task Force allowed the U.S. Government to quickly analyze federal information security practices and create appropriate recommendations and plans to increase protection. Of the seven recommendations put forth by the Identity Theft Task force in 2006, several have been fulfilled and/or implemented in to government practice. Today, the Task Force continues to discuss ways in which the U.S. Government can increase the protection of its data holdings to prevent unauthorized disclosure and expose citizens to the threat of identity theft. While only the Federal Government was required to implement many of the guidelines, they serve as a model for institutions in the private sector concerned with identity theft.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Recommendations of the Identity Theft Task Force, September 2006

FTC and Fair Information Practices

The Federal Trade Commission developed a set of guidelines to govern the collection, use, maintenance, and disclosure of personal information in order to protect personal privacy. While the principles in themselves are not law, they have been incorporated into many privacy laws which allow the principles to be enforced. The Gateway Learning Company was found to be in violation of the first two principles, notice and consent.

The Fair Information Practice Principles require:

• Notice to the individual regarding the privacy policies of the organization including how information is used and any disclosure to third parties. Notice must also be provided to the individual for any alteration in the privacy policies.
• Consent from the individual regarding the use of their information for secondary uses and its disclosure to third parties.

Allegations

The FTC brought the following allegations against the Gateway Learning Company:

• That they violated their own privacy policies by renting personally identifiable information (PII) collected from customers to third parties without the customer’s consent.
• That they violated their own privacy policies by renting personal information (age/gender) about children under the age of 13 to third parties without the customer’s consent.
• They committed unfair trade practices by retroactively applying a new privacy policy to information collected under the old privacy policy.
• They committed unfair trade practices by failing to provide adequate notice to consumers regarding privacy policy changes.

The Privacy Policies in Question

The original privacy policy stated:

We do not sell, rent or loan any personally identifiable information regarding our consumers with any third party unless we receive a customer’s explicit consent. We do share information with third parties that help us run our operations or provide services to customers (e.g., credit card processing and shipping companies), but only to the extent necessary to provide these services.

It also stated the following regarding children’s personal information:

The Site does not sell products for purchase by children; we sell children’s products for purchase by adults. Children under 13 years of age may not submit personal information without the consent of their parents. We do not provide any personally identifiable information about children under 13 years of age to any third party for any purpose whatsoever.

We may in the future offer products to be used by children online, some of which may require you to enter additional information such as a child’s age, gender or reading ability in order to deliver a quality experience. A child’s participation in such a program will be entirely at your discretion. Again, no personally identifiable information about children under 13 years of age will be shared with any third party for an purpose whatsoever.

It also stated the following regarding changes to the privacy policy:

If at some future time there is a material change to our information usage practices that affect your personally identifiable information, we will notify you of the relevant changes on this Site or by email. You will then be able to opt-out of this information usage by sending an email to: webmaster@hop.com. You should also check this privacy policy for changes.

In April, 2003 the Gateway Learning Company violated its privacy policies by disclosing, name, address, telephone numbers, purchasing history, and the names and ages and genders of the customer’s children with telemarketers and direct mail marketers.

On June 20, 2003 a new privacy policy was placed in effect:

The new privacy policy did not alter its policies regarding the use of children’s personal information or providing notice regarding changes to the policy. It did however change the policies regarding sharing information with third parties.

From time to time, we may provide your name, address, and phone number (not you e-mail address) to reputable companies whose products or services you may find of interest. If you do not want us to share this information with these companies, please write to us at: Gateway Learning Corporation, 2900 South Harbor Blvd., Suite 202, Santa Ana, CA 92704, call 1-800-544-7323 or e-mail us at webmaster@hop.com with the word do-no-share in the subject line.

Despite their stated privacy policies, no email was sent or special notices posted to the website to alert customers to a change in the policies.

On July 17, 2003 another revised policy was posted:

The new policy changed the process for opting out of third party disclosures.

From time to time, we may provide your name, address, and phone number (not you e-mail address) to reputable companies whose products or services you may find of interest. If you do not want us to share this information with these companies, please write to us at: Gateway Learning Corporation, 2900 South Harbor Blvd., Suite 202, Santa Ana, CA 92704, call 1-800-544-7323 or e-mail us at do-not-rent@hop.com with your full name in the subject line. Please be sure to include your first name, last name, address, city, state, zip code and phone number to ensure we can process your request. We will process your request promptly. Please be aware that  you may receive another contact before your name removal takes effect. We regret any inconvenience this may cause.

The new policy also changed its statement regarding children’s privacy.

The Site is not targeted to children, and we not knowingly collect personally-identifiable information from children under the age of 13 on this site. We do not sell products for purchase by children; we sell children’s products for purchase by adults. This site is entirely aimed at adults.

FTC Consent Agreement

After investigations, the FTC found the Gateway Learning Corporation to have used unfair and deceptive trade practices and brought enforcement actions against the company. The Consent Agreement was the settlement reached to resolve the issue.

Bar on Misrepresentation

The bar on misrepresentation reinforces the rules regarding the Fair Information Practice principles which the company had violated. Under the agreement, Gateway Learning was banned from:

• Misrepresenting the use of collected information including whether it is sold, rent, or loaned to third parties
• Misrepresenting whether information about children under the age of 13 will be disclosed to third parties
• Misrepresenting how customers will be notified by changes to privacy policies
• Misrepresenting how the company will collect, use or disclose information

Ban on Disclosure of Personal Information to Third Parties

The ban on disclosure reinforced the protection of privacy for consumers whose personal information was collected prior to June 20, 2003 when the privacy policy was changed. The ban requires:

• Express, affirmative (opt-in) consent of the individual prior to the disclosure of any information to third parties
• The new privacy policies may not be applies to information collected prior to the June 20, 2003 policy change without the express affirmative consent of the individual.

Maintenance of Relevant Documents

This part of the agreement set up a way to ensure compliance for a period of 5 years. Under this provision, Gateway Learning must provide the FTC with the following documents:

• A copy of each different privacy statement or communication including the date, full text, URL and graphics
• A copy of the document sent to consumers to obtain their express affirmative consent and any documents provided by customers confirming their consent
• All invoices, communications and documents that relate to the disclosure of personally identifiable information to third parties.

Delivery of Order

This part of the agreement dealt with the administrative task of ensuring enforcement in the work force.  The Gateway Learning companies was required to deliver a copy of the FTC agreement to all present and future employees with managerial responsibility related to the subject matter of the order.

Reporting

This part of the agreement requires Gateway Learning to notify the FTC 30 days before a corporate change which might affect compliance with the order. It also required Gateway Learning to file a report with the FTC setting forth their compliance within 60 days of service of the order and periodically after that, as requested.

Duration

Unless otherwise indicated, the order terminates after 20 years. Each violation of the final order may result in a civil penalty of up to $11,000

Fine

Gateway Learning was fined $4,608 which was the total profits received from the renting of personal information.

In Conclusion:

The Gateway Learning Case holds a significant place in privacy law because it demonstrated that the Federal Trade Commission is willing to pursue and enforce privacy violations. Since the Gateway Learning Case the FTC has continued to enforce privacy issues, especially any violations of the Children’s Online Privacy Protection Act which protects the personal information of children.