<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Baer Business Law - Greater Philadelphia Area - Intellectual Property Law - Business Law - E Commerce - Contracts - Trademarks - Copyrights &#187; FTC</title>
	<atom:link href="http://www.baerbizlaw.com/category/blog/tag/ftc/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.baerbizlaw.com/category/blog</link>
	<description></description>
	<lastBuildDate>Tue, 07 Sep 2010 20:32:00 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>FTC Data Breach Action Against Twitter Settled</title>
		<link>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/</link>
		<comments>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/#comments</comments>
		<pubDate>Fri, 25 Jun 2010 18:42:29 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=1024</guid>
		<description><![CDATA[<p>The Federal Trade Commission (FTC) announced on June 24 that Twitter is settling an action brought by the agency after hackers exploited lax informati[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>The Federal Trade Commission (FTC) announced on June 24 that Twitter is settling an action brought by the agency after hackers exploited lax information security protections at the site to gain administrative control and access private accounts and other personal information.  The compromised information included e-mail addresses and tweets meant for individual recipients and followers only.  Intruders were also able to send phony tweets from the accounts of then-President-elect Barack Obama and Fox News, among others.  </p>
<p>The details of the 2009 data breaches and the security holes that enabled them are summarized in the FTC&#8217;s press release, which you can find <a href="http://www.ftc.gov/opa/2010/06/twitter.shtm">here</a>.  The data breaches stemmed from two incidents.  In the first one, an intruder used an automated password-guessing tool to enter an administrative password (a weak lower-case password consisting of a common dictionary term) on the site&#8217;s main login page.  Using that password, the intruder reset several user passwords and posted some of them on a website where they could be used by others.  In the second incident, an intruder hacked a Twitter employee&#8217;s personal e-mail account and was able to derive an administrative password from similar passwords that were stored there in plain text.  Twitter&#8217;s privacy policy at the relevant times used common boilerplate to describe its data security procedures:   </p>
<p><em><strong>“Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”</strong></em></p>
<p>It is important to note that Twitter never guaranteed the security of its site.  Indeed, tech lawyers like myself routinely warn clients against calling their sites &#8220;secure&#8221; and making similar unqualified assurances.  A cynic might remark that &#8220;weasel language&#8221; like Twitter&#8217;s is designed to stimulate a cozy feeling in users without committing the site to any concrete obligations or precautions.  </p>
<p>The FTC&#8217;s explanation of the charges against Twitter crystallizes its thinking and underlines the agency&#8217;s increasingly aggressive approach to regulating privacy and data security on the Internet and especially on social media sites:  </p>
<p><strong><em>“When a company promises consumers that their personal information is secure, it must live up to that promise,” said David Vladeck, Director of the FTC’s Bureau of Consumer Protection. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations. Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure.</em>”</strong></p>
<p>There seems to be little question here that Twitter screwed up.  The FTC&#8217;s complaint recites a litany of data security lapses that have been no-no&#8217;s for at least three or four years in the wake of the <a href="http://www.baerbizlaw.com/category/blog/?s=TJX&#038;submit=submit">FTC&#8217;s prosecution of TJX</a> for its data breaches and the advent of the Payment Card Industry Data Security Standard (PCI DSS).  These no-no&#8217;s include Twitter&#8217;s failure to:</p>
<p>    * require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;<br />
    * prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;<br />
    * suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;<br />
    * provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;<br />
    * enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;<br />
    * restrict access to administrative controls to employees whose jobs required it; and<br />
    * impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.</p>
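<p>As an added example (not Twitter&#8217;s code, not from the FTC materials, and not part of the original post), the following Python sketch implements the controls in the list above for a hypothetical administrative login: a password policy that rejects short, single-class or dictionary-word passwords, salted hashing instead of plaintext storage, lockout after a fixed number of consecutive failures, a source-IP allowlist, and a 90-day rotation check.  The thresholds, network ranges and word list are assumptions chosen for the example, and the clock is injectable so the lockout and expiry paths can be exercised without waiting.</p>

```python
import hashlib
import hmac
import ipaddress
import os
import time
from dataclasses import dataclass
from typing import Optional

# Policy knobs; the values are assumptions chosen for this example.
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5                     # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60                   # how long a locked account stays locked
MAX_PASSWORD_AGE_SECONDS = 90 * 24 * 3600   # the 90-day rotation interval cited in the FTC complaint
PBKDF2_ROUNDS = 200_000
# Networks from which administrative logins are accepted (assumed private/documentation ranges).
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
# Stand-in for a real wordlist; a production check would load a large dictionary.
COMMON_WORDS = {"password", "happiness", "letmein", "welcome", "twitter", "admin"}


def password_policy_violations(pw: str) -> list:
    """Return the reasons a candidate admin password is unacceptable (empty list if it passes)."""
    problems = []
    if len(pw) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if pw.lower() in COMMON_WORDS:
        problems.append("common dictionary word")
    classes = sum(any(f(c) for c in pw) for f in (str.islower, str.isupper, str.isdigit))
    classes += any(not c.isalnum() for c in pw)
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256, stored in place of the plaintext password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    digest: bytes
    set_at: float                # when the current password was set (epoch seconds)
    failures: int = 0            # consecutive failed attempts since the last success
    locked_until: float = 0.0    # epoch seconds; 0 means not locked


class AdminLoginGuard:
    """In-memory guard for a hypothetical administrative login endpoint."""

    def __init__(self, clock=time.time):
        self.accounts = {}
        self.clock = clock       # injectable so lockout and expiry can be tested without sleeping
        # Decoy credential so an unknown username costs the same PBKDF2 work as a real one.
        self._decoy_salt, self._decoy_digest = hash_password(os.urandom(16).hex())

    def create_account(self, username: str, pw: str) -> None:
        problems = password_policy_violations(pw)
        if problems:
            raise ValueError("weak admin password: " + "; ".join(problems))
        salt, digest = hash_password(pw)
        self.accounts[username] = AdminAccount(username, salt, digest, set_at=self.clock())

    def login(self, username: str, pw: str, source_ip: str) -> tuple:
        """Return (success, reason). Unknown user and wrong password yield the same reason."""
        if not any(ipaddress.ip_address(source_ip) in net for net in ADMIN_NETWORKS):
            return False, "source address not on admin allowlist"
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(pw, self._decoy_salt)   # equalise timing for unknown usernames
            return False, "invalid credentials"
        if now < acct.locked_until:
            return False, "account locked"
        _, digest = hash_password(pw, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failures += 1
            if acct.failures >= MAX_FAILED_ATTEMPTS:
                acct.failures = 0
                acct.locked_until = now + LOCKOUT_SECONDS
                return False, "account locked"
            return False, "invalid credentials"
        acct.failures = 0
        if now - acct.set_at > MAX_PASSWORD_AGE_SECONDS:
            return False, "password expired; rotation required"
        return True, "ok"


if __name__ == "__main__":
    guard = AdminLoginGuard()
    print(password_policy_violations("happiness"))          # the kind of password the intruder guessed
    guard.create_account("ops", "Tr0ub4dor&3-Horse")
    print(guard.login("ops", "Tr0ub4dor&3-Horse", "203.0.113.9"))   # off the allowlist
    print(guard.login("ops", "Tr0ub4dor&3-Horse", "10.1.2.3"))      # accepted
```

<p>One caveat on the last control: current NIST guidance (SP 800-63B) advises against forced periodic rotation absent evidence of compromise.  The expiry check is included because the FTC complaint cites the 90-day interval as a baseline Twitter lacked; an operator who has the other controls in place may reasonably replace it with rotation triggered by a suspected compromise.</p>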
<p>Again, it&#8217;s hard to argue Twitter didn&#8217;t screw up.  However, this case demonstrates beyond a shadow of a doubt that the FTC will nail you for failing to use generally accepted data security best practices regardless of how you characterize your security measures in your privacy policy.  In other words, saying that there are risks beyond your control no longer provides a get-out-of-jail-free card.  Before the TJX case, the FTC targeted its wrath at sites that explicitly promised better security than they delivered.  Now, however, there is an absolute minimum standard of data security:  according to the FTC, inviting users to submit information which they can designate as private without complying with best practices is <em>inherently</em> misleading and deceptive.  Furthermore, FTC scrutiny is no longer confined to privacy policies and &#8220;advertising&#8221; or &#8220;marketing&#8221; messages; the wording of social media categories, designations and preferences, such as privacy preferences, is now fair game.  </p>
<p>Under the settlement Twitter is barred for 20 years from misleading consumers about its data security practices and must implement a comprehensive information security program, which must be assessed by an independent third-party auditor every other year for ten years.  The FTC and Twitter, in other words, will be best buddies for years to come.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>National Online Privacy and Data Security Bill Coming?</title>
		<link>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/</link>
		<comments>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/#comments</comments>
		<pubDate>Fri, 11 Jun 2010 17:04:54 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[advertising law]]></category>
		<category><![CDATA[behavioral advertising]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=971</guid>
		<description><![CDATA[<p>From a business standpoint, the state of privacy and security law in America today is a real mess, because there is no one-stop shopping.  Businesses [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>From a business standpoint, the state of privacy and security law in America today is a real mess, because there is no one-stop shopping.  Businesses collecting information online have to worry about a kaleidoscope of legislative and regulatory requirements on both the state and federal levels.  </p>
<p>You&#8217;ve met the <em>dramatis personae</em> on this blog over the past year or so:  the Federal Trade Commission, which issued a <a href="http://www.baerbizlaw.com/ftc-privacy-050409/">staff report in February 2009 containing &#8220;self-regulatory&#8221; guidelines for online behavioral advertising</a> and now is panting to go further; the State of California, one of several that requires the posting of a website privacy policy and use of data security safeguards, including vendor oversight; the State of Nevada, which requires the <a href="http://www.baerbizlaw.com/category/blog/hold-the-phone-on-that-nevada-data-security-law/">encryption of personal information</a>; and the Commonwealth of Massachusetts, source of <a href="http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/">the most comprehensive information security regulation in the nation</a> (201 CMR 17.00, which went into effect on March 1, 2010).</p>
<p>The patchwork is so befuddling that a reporter once barked at me in frustration:  &#8220;You mean a business has to hire someone like <em>you</em> to keep track of all of this?&#8221;  No offense meant, of course.  None taken, I replied, but the answer was yes.  In an indirect way, the FTC funds my Philly Beer Week expenditures.</p>
<p>Now the federal bear is beginning to growl.  After reading the draft legislation unveiled by U.S. Representatives Rick Boucher (D-VA) and Cliff Stearns (R-FL) on May 4 &#8212; which has attracted <a href="http://www.the-dma.org/cgi/dispannouncements?article=1448">strong comments by the Direct Marketing Association</a>, along with <a href="http://techliberation.com/2010/05/04/statement-on-house-privacy-discussion-draft">criticism from the Technology Liberation Front</a> and others &#8212; I&#8217;m trying to decide whether things just got better or worse for my clients.  Actually, scratch that.  This bill needs to be rewritten, since it takes a top-down, process-heavy Gramm-Leach-Bliley type of approach and tries to plaster it onto the vast domain of cyberspace.  (The Gramm-Leach-Bliley Act is the seminal 1999 financial privacy law that requires financial institutions to provide initial and annual privacy notices to their customers and a way for them to opt out of having their personal information shared with unaffiliated marketers.  No doubt you read every line of the GLBA privacy notice your bank sends you every year.  Anyway, there is a real strong musty whiff of GLBA in the Boucher-Stearns draft.)</p>
<div id="attachment_1018" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2010/06/Dan-Baird-300x205.jpg" alt="Cowpunk pioneer Dan Baird exercises his right to opt out of data-sharing.   (Actually, this is from his 1991 album Love Songs for the Hearing Impaired). " title="Dan Baird" width="300" height="205" class="size-medium wp-image-1018" /><p class="wp-caption-text">Cowpunk pioneer Dan Baird exercises his right to opt out of data-sharing.    (Actually, this is from his 1991 album Love Songs for the Hearing Impaired). </p></div>
<p><strong>Preemption</strong></p>
<p>On the plus side, the draft legislation would set a single national online privacy and data security standard that preempts (supersedes) state privacy and data security laws &#8212; one-stop shopping, unless you&#8217;re unfortunate enough to also be covered by GLBA, HIPAA, the CAN-SPAM Act or the Children&#8217;s Online Privacy Protection Act, in which case it&#8217;s unclear how the inconsistencies with the draft legislation would be resolved.  </p>
<p><strong>Data Security</strong></p>
<p>The data security requirements generally follow those in the FTC Safeguards Rule promulgated under GLBA and are flexible and risk-based (appropriate administrative, technical and physical safeguards, as determined by the FTC, for protecting the security, confidentiality and integrity of covered information and preventing unauthorized loss, destruction, disclosure or misuse) as opposed to the one-size-fits-all prescriptive approach used by the encryption-happy legislature in Nevada.  There is no notification requirement in the event of a data breach, although the safeguards must be sufficient to determine the scope of the breach and remediate its effects.  The data security provision of the draft bill also contains a rather bizarre clause that, without any further explanation, requires a covered entity to establish reasonable measures to &#8220;assure the accuracy&#8221; of the information it collects.  </p>
<p>Here&#8217;s the kicker, though: the Boucher-Stearns draft <strong><em>does not track state data security laws like Massachusetts&#8217; in limiting its coverage to first and last name (or first initial and last name) combined with financial account number or government-issued identification number (e.g., Social Security number or driver&#8217;s license number)</em></strong>.  <strong><em>In fact, &#8220;covered information&#8221; as defined in the bill includes name, address or contact information.</em></strong>  Practically speaking, then, this represents a potentially onerous expansion of existing data security regulation, even though the security requirements themselves resemble existing rules.</p>
<p><strong>What information is &#8220;covered&#8221; by the bill?</strong></p>
<p>Covered information includes <strong>any</strong> of the following:  first name or initial together with last name; postal address; phone or fax number; e-mail address; unique biometric data; government-issued identification number; financial account number and any code or password necessary to permit access to the account; unique identifier (such as an IP address or customer number) if used to collect, store, or identify information about a specific individual or a computer, device or software application owned or used by a particular user or that is otherwise associated with a particular user; and &#8220;preference profile&#8221; (defined as &#8220;a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity&#8221;).</p>
<p>The draft bill therefore abandons the current regulatory focus on &#8220;personal&#8221; or &#8220;personally identifiable&#8221; information in favor of the FTC position that any data that is linkable to a specific web user or device requires protection.  </p>
<p><strong>Privacy:  And Now for Something Completely Different</strong></p>
<p>The privacy requirements of the draft legislation would drastically reshape the state of the world.  Here&#8217;s a high-level overview:</p>
<p>The bill would generally preserve the current practice of providing notice of a site&#8217;s privacy practices and an ability to opt out prior to any collection, use or sharing of information online BUT would require affirmative express consent (that is, an opt-in) before covered information could be shared with unaffiliated third parties.  These requirements would not apply to information collection, use and sharing for transactional or operational purposes (i.e., as necessary to effectuate a transaction between the site and an individual).  Sharing of information with a service provider which assists the site to effectuate a &#8220;first-party transaction&#8221; with the individual is also permitted, subject to an opt-out consent requirement.  Finally, the bill includes a behavioral advertising exception whereby information could be shared with online advertising networks without opt-in consent, but subject to certain notice and opt-out requirements, such as the prominent display of a notice or seal on the covered entity&#8217;s website and on or near targeted advertisements, along with a link to information about behavioral advertising and how consumers can opt out. </p>
<p>For the required &#8220;notice,&#8221; every site that collects covered information would need to post clearly and conspicuously (and make accessible via a link on its home page) a privacy policy containing the mandatory disclosures.  (The draft bill also contains privacy notice requirements for covered information collected offline, so if it is passed, businesses should consider adopting an integrated, holistic privacy policy covering all aspects of their operations.)  Some of these disclosures are already standard practice, such as a description of the information collected, purposes for collecting and using the information, how the information is collected, categories of third parties with which the information may be shared, and how individuals may obtain access to their information.  Other disclosure requirements break new ground, such as:</p>
<p>◊ how information may be merged, linked or combined with other information from unaffiliated sources<br />
◊ how information is stored by the entity<br />
◊ how long the information is retained in identifiable form<br />
◊ how the entity disposes of (or renders anonymous) covered information after the end of the retention period<br />
◊ a means to contact the entity with inquiries or complaints about the handling of covered information<br />
◊ the consent mechanism required by the bill</p>
<p>Notably the draft legislation would codify the FTC&#8217;s <em>diktat</em> that material changes in privacy practices cannot be applied retroactively (i.e., to information collected prior to their posting), and information cannot be shared for purposes previously undisclosed that an individual would not reasonably expect, unless the entity gets the individual&#8217;s opt-in.</p>
<p>Finally, in its February 2009 staff report on behavioral advertising, the FTC posited that certain information might warrant special protection due to the increased risk of harm or embarrassment to the individual.  Sure enough, the draft legislation would also create a special category of &#8220;sensitive information&#8221; for which an opt-in is required prior to collection.   &#8220;Sensitive information&#8221; includes, when associated with covered information of an individual, information about medical history or condition; information about financial accounts; information about sexual orientation, race, ethnicity or religious beliefs; and &#8212; interestingly &#8212; &#8220;precise geolocation information.&#8221;   </p>
<p><strong>Am I Gonna Get Hit by This?</strong></p>
<p>If it passes, and if you collect covered information (which you probably do) either online or offline, then yes, unless you have a very small customer or user base or are a government agency.  Excluded from the draft legislation&#8217;s reach are government agencies and entities that collect covered information from fewer than 5,000 individuals in any 12-month period.  However, if you collect any sensitive information at all, you are covered even if your customer or user base is under 5,000.   </p>
<p><strong>Who Is Going to Come After Me If I Don&#8217;t Comply</strong>?</p>
<p>The primary enforcer would be the FTC, the 900-pound gorilla in this draft legislation, since it would have the power to prosecute violations as unfair or deceptive acts or practices and would also acquire broad rulemaking authority to regulate online privacy and data security (although the draft bill prohibits the FTC from requiring specific technologies or software).  Based on the FTC&#8217;s activity to date in these areas, the agency would not be shy about using this power.  State attorneys general and consumer protection agencies could also enforce the law.  There is, however, no private right of action.  </p>
<p>Undoubtedly the Boucher-Stearns draft legislation will be heavily changed before it is passed, if it is even passed.  Significant problem areas, as pointed out by the DMA and other commenters, are the expansive definition of covered information (which would lump mere name and contact information into the same protected category as Social Security numbers) and the requirement of an opt-in to share covered information with unaffiliated marketers.  This regime is even more restrictive than GLBA and is a huge departure from how business is currently conducted on the Internet.  If the bill passes in anything resembling its current form, expect to be bathed in disclosure and to paddle through a profusion of annoying click-throughs. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tech Chestnuts for the Winter Chill</title>
		<link>http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/</link>
		<comments>http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/#comments</comments>
		<pubDate>Sat, 12 Dec 2009 23:52:54 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[green technology]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[patent]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=619</guid>
		<description><![CDATA[<p>The Big Freeze has descended on Old City, Philadelphia, but come and warm youself by the tech hearth &#8212; Santa&#8217;s got a few juicy tidbits in [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>The Big Freeze has descended on Old City, Philadelphia, but come and warm youself by the tech hearth &#8212; Santa&#8217;s got a few juicy tidbits in his bag:<br />
<div id="attachment_641" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2009/12/carpenters-hall-300x225.jpg" alt="Carpenters Hall at Yuletide" title="carpenters hall" width="300" height="225" class="size-medium wp-image-641" /><p class="wp-caption-text">Carpenters Hall at Yuletide</p></div><br />
1.  <strong>Green Patents.</strong>  In conjunction with Copenhagen climate summit, the U.S. Patent and Trademark Office announced on December 8 a pilot program to accelerate the examination of patent applications for green technology.  Normally, except where other circumstances exist favoring accelerated review, patents are examined on a first-come, first-serve basis.  The first 3,000 eligible patent applicants who file a &#8220;petition to make special&#8221; their applications will get to jump to the front of the line.  </p>
<p>According to the PTO, the average time between filing and the first office action (PTO response) on a green technology patent application is 30 months, with the final action on the applications coming after 40 months on average.  The PTO estimates that participation in the pilot program will shave a year off the time to get a green technology patent.  Green technology eligible for the pilot program is defined as patent applications relating to environmental quality, energy conservation, development of renewable energy resources or greenhouse gas emissions reductions.  You can download detailed eligibility and petition requirements on the PTO website <a href="http://www.uspto.gov/patents/law/notices/2009.jsp">here</a>.  </p>
<p>2.  <strong>Online Privacy and Behavioral Advertising.</strong>  Check out Yahoo!&#8217;s new <a href="http://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/details.html">Ad Interest Manager</a>, which enables you to see information about your online browsing activities that Yahoo collects for targeted advertising purposes.  The new site feature was unveiled with great fanfare on December 7, which &#8212; coincidentally? &#8212; was the same day the FTC kicked off the first of three new Privacy Roundtables examining online data collection for behavioral advertising and similar topics and the adequacy of current privacy rules and industry self-regulation.  </p>
<p>Yahoo! may be ahead of the curve.  The noises the FTC is making seem to indicate impatience and dissatisfaction with the current state of self-regulation in behavioral advertising (supposedly based on notice and choice, as provided in the <a href="http://www.baerbizlaw.com/category/blog/ftc-mandates-self-regulation-for-online-behavioral-advertising">behavioral advertising self-regulatory guidelines</a> issued by the FTC in February 2009).  More aggressive privacy regulation, as well as stepped-up administrative enforcement, may be on the way.  Of course, this is <a href="http://www.baerbizlaw.com/blog/ftc-busts-sears-in-behavioral-tracking-case">exactly what I predicted last summer</a>.</p>
<p>I am monitoring this situation closely, and if there is a new rulemaking, I am considering participating in the public comment process.  I acknowledge the concern in government and academic circles about the ability to build profiles and derive personal information by associating and combining data on the Internet and applying behavioral analytics (connecting the dots to tease out or guess specific attributes of an Internet user, such as demographic information, based on browsing activity and clickstream data).  However, as a matter of personal opinion I tend to fall into the &#8220;what privacy?&#8221; camp and am not convinced we are dealing with a full-scale public emergency that warrants shackling innovative new technologies and communication channels.  </p>
<p>3.  <strong>Workplace Internet Privacy Before the NJ Supreme Court.</strong>  <em>Stengart v. Loving Care Agency, Inc.</em>, a New Jersey appellate court case I <a href="http://www.baerbizlaw.com/category/blog/employee-online-privacy-ii-still-no-biggie">blogged about this past summer</a>, was argued before the New Jersey Supreme Court on December 2.  The issue in <em>Stengart</em> is whether an employee&#8217;s e-mails to her attorney using her personal web account are still covered by the attorney-client privilege in her suit against the employer where she accessed the account from a work computer.  (The defendants&#8217; counsel found the e-mails when imaging the computer&#8217;s hard drive during discovery.)  The employer had a poorly drafted Internet use policy that (arguably) rendered all communications over the computer subject to monitoring, although the policy also allowed limited personal use of the computer.  </p>
<p>The case is important, because if the Supreme Court agrees with the appellate court that the employee did have an expectation of privacy in the e-mails to her attorney, notwithstanding the Internet use policy, it could curtail employers&#8217; previously untrammeled ability to regulate the use of their IT resources.  </p>
<p>A finding for the employee seems likely, since the New Jersey Supreme Court is a liberal bench that has often taken a broadly protective approach to the attorney-client privilege.  Also, at least two of the justices, including Chief Justice Rabner, seemed troubled by the employer&#8217;s reliance on the policy as support for its position that it could monitor anything transmitted using its computers.  </p>
<p>The big question, then, is how broad or narrow the ruling will be.  Was this a badly drafted policy that on its terms shouldn&#8217;t be construed to apply to such personal communications?  Or going forward do all Internet use policies need to specifically call out the right to monitor communications using web-accessed personal e-mail accounts?  Or (most radical) will an employer&#8217;s &#8220;unilateral&#8221; reservation of the right to monitor its IT resources be held unenforceable as a matter of public policy when applied to certain types of communications &#8212; such as e-mails to a &#8220;spouse, a physician or a cleric&#8221;?   (The possibility of such employer monitoring appeared to disconcert Justice Albin.)  If the court were to take the most radical approach, this might scare employers into slamming the door on ANY personal use of workplace computers and Internet access.</p>
<img src="http://www.baerbizlaw.com/wp-content/uploads/2009/12/tree-with-seasonal-colors-225x300.jpg" alt="Colors of the season" title="Colors of the season" width="225" height="300" class="alignright size-medium wp-image-644" />
<p>4.  <strong>Data Breach Dixie-Style.</strong>  Several restaurants in Louisiana and Mississippi, including the rustically named Mel&#8217;s Grill, Sammy&#8217;s Diner and Crawfish Town USA, have sued Radiant Systems, a provider of point-of-sale (POS) hardware and software, and the distributor Computer World, Inc. to recover fines and penalties imposed by Visa and MasterCard after a foreign hacker exploited security vulnerabilities to access the systems remotely.  The plaintiffs, whose claims include negligence and breach of contract, allege that the POS solution was not compliant with the Payment Card Industry Data Security Standard (PCI DSS) and that the distributor was also out of compliance (according to the plaintiffs, among other things, the system retained sensitive credit card information unnecessarily and the distributor used the same password for 200 different systems).  The plaintiffs also allege that Radiant had, in fact, been warned by Visa about the vulnerability of the POS system in 2007.  </p>
<p>The negligence claims are significant because of the plaintiffs&#8217; attempt to use PCI compliance to set the baseline for reasonableness in order to show that the defendants&#8217; behavior was negligent.  However, the plaintiffs will face an uphill battle if their contracts with the defendants contain the typical technology vendor/service provider legalese limiting product- and service-related claims to breaches of the narrow warranties given in the contract, disclaiming damages for lost or stolen data, characterizing third-party criminal acts as force majeure for which the vendor is not responsible, and limiting the customer&#8217;s recoverable damages to direct damages no greater than the fees paid for the defective product or service.</p>
<p>However this case unfolds, the loss suffered by the restaurants highlights the need to carefully scrutinize and negotiate technology agreements covering products that store or process sensitive personal information.  The customer should strongly consider requiring the vendor/service provider to warrant that they have validated compliance with PCI and will update their product or service as needed to maintain compliance.  The customer should also seek indemnification against claims and losses resulting from a data breach where the breach is attributable to a defect in PCI compliance.  (Many vendors/service providers will scream at this, protesting that their prices don&#8217;t reflect assumption of these risks.  The proper response to this is &#8220;why not?&#8221;, especially if a vendor/service provider hypes itself as being PCI-certified.)   </p>
<p>Of course, don&#8217;t place absolute trust in having a strong contract; make sure you do your due diligence too.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Some Additional Thoughts on the New FTC Blogger Rules</title>
		<link>http://www.baerbizlaw.com/category/blog/some-additional-thoughts-on-the-new-ftc-blogger-rules/</link>
		<comments>http://www.baerbizlaw.com/category/blog/some-additional-thoughts-on-the-new-ftc-blogger-rules/#comments</comments>
		<pubDate>Fri, 06 Nov 2009 20:13:25 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[advertising law]]></category>
		<category><![CDATA[affiliate]]></category>
		<category><![CDATA[E-Commerce]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[social networking media]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=533</guid>
		<description><![CDATA[<p>The blogosphere has been alight with concern and frustration over the FTC&#8217;s new guidelines on endorsements and testimonials, which, among other [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/some-additional-thoughts-on-the-new-ftc-blogger-rules/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>The blogosphere has been alight with concern and frustration over the FTC&#8217;s new guidelines on endorsements and testimonials, which, among other things, require the disclosure of &#8220;material connections&#8221; between bloggers and other Web 2.0 commenters and advertisers who give them compensation or free products in the hope of generating favorable reviews.  I posted a <a href="http://www.baerbizlaw.com/category/blog/new-ftc-rules-target-blogger-relationships">detailed explanation of these rules and some compliance tips</a> on this blog about a month ago.  Since that time the Interactive Advertising Bureau (including the biggest players in the online advertising market, such as Google and Yahoo!) has fired off an open letter to the FTC declaring the new rules unconstitutional and demanding their retraction.  Worried bloggers and web marketers have also been contacting me with questions about what the rules mean for marketing affiliate sites (i.e., sites that provide real estate for online ads and are compensated for transactions or other actions by consumers linking over from those sites) and combined blog/affiliate sites, as well as how prominent the disclosure should be.  </p>
<p>In my view, the disclosure requirements don’t apply to a typical sponsored ad run by an affiliate site because someone looking at the ad is likely to understand it as advertising for which the site is (presumably) being compensated. The disclosure requirements apply to an “endorsement,” which the new rules define as an advertising message that consumers will likely believe reflects the opinions, beliefs, findings or experience of a party OTHER THAN THE SPONSORING ADVERTISER, whether the endorser’s statements are the same as or different from the sponsoring advertiser’s.  If a consumer perusing a site is likely to think it is the site owner or blogger speaking, not the seller of the product being written about, then there may be a disclosure obligation if the site owner or blogger is being comped or incentivized somehow for making the posts.</p>
<p>If disclosure is required, it must be “clear and conspicuous.” In FTC parlance, this requires, among other things, putting the disclosure somewhere near the post that constitutes the “endorsement” (i.e., the advertising).  I would NOT bury it in the site T&#038;C’s — the FTC has criticized this practice in other contexts (such as behavioral advertising) where it favors clear disclosures.  So if there are multiple posts that constitute endorsements, you may need to include a short disclosure at the end of each post (unless you can associate a single disclosure with multiple posts in a way that makes it clear the disclosure relates to all of them). </p>
<p>Having said that, I also don’t think it is necessary to include a paragraph of legalese in each case.  You might think about including a simple link entitled “Advertising Disclosure” after each post that causes a pop-up box to appear with a one-sentence disclosure (e.g., “The product reviewed here was provided by ____ free of charge.”). The bottom line is that I don’t believe the FTC is going to take a hard line on bloggers, particularly where there is some good-faith attempt to comply (as described above).  The FTC itself has signaled that its primary target for enforcement will be advertisers, not bloggers.  On the other hand, the product sellers may end up dictating what sort of disclosure they want, since they are also liable if bloggers don’t make the required disclosure.</p>
<p>Finally, with regard to affiliates who are also bloggers, a big question is what kind of incentive they are getting for writing favorable blog posts.  Is it merely the affiliate advertising revenue (i.e., they want to say good things about the product they are running affiliate ads for) or are they getting something else too?  </p>
<p>The latter case is easy — I would say include disclosure near the relevant blog posts, as discussed above.  In the former case, one could make the argument that the presence of the ad means consumers are likely to suspect that the site owner has a compensated relationship with the product seller and therefore that the blog posts are sponsored advertising; ergo, no additional disclosure is needed.  To be safe, I would probably still include some kind of short disclosure about the relationship, but the point is at least arguable.  I think an ordinary blogger/affiliate running a site out of his house who isn’t realizing a significant amount of revenue and hasn’t previously been warned by the FTC is not facing a huge risk. (That said, if the FTC reads this blog or <a href="http://www.revenews.com/andrewbaer/ftc-regulates-blogger-viral-marketing-relationships">my article and comments on ReveNews</a>, they may disagree with me!)</p>
<p>Now for my own disclosure:  <em>the foregoing is provided for informational purposes only and does not constitute legal advice on a specific matter.  You should consult with an attorney (hopefully me!) before taking any definite action on this or any other legal matter.</em> </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/some-additional-thoughts-on-the-new-ftc-blogger-rules/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New FTC Rules Target Blogger Relationships</title>
		<link>http://www.baerbizlaw.com/category/blog/new-ftc-rules-target-blogger-relationships/</link>
		<comments>http://www.baerbizlaw.com/category/blog/new-ftc-rules-target-blogger-relationships/#comments</comments>
		<pubDate>Fri, 09 Oct 2009 16:47:34 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[advertising law]]></category>
		<category><![CDATA[E-Commerce]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[social networking media]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=480</guid>
		<description><![CDATA[<p>New rules from the Federal Trade Commission (FTC) that apply to the use of blogs and other consumer-generated new media content in marketing have rais[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/new-ftc-rules-target-blogger-relationships/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>New rules from the Federal Trade Commission (FTC) that apply to the use of blogs and other consumer-generated new media content in marketing have raised significant liability and compliance concerns for marketers and bloggers alike.  Companies that make payments or give free products to bloggers and other online commenters in order to generate positive buzz or favorable reviews for their products will now have to monitor closely the statements and claims made about the products and ensure that these relationships, if material, are clearly and conspicuously disclosed.  Otherwise, they will face liability for unfair or deceptive advertising practices under Section 5 of the FTC Act, even if they do not control what the bloggers say (or, indeed, whether they say anything).  The bloggers themselves will face similar liability for false or misleading statements and non-disclosure of material connections.  Marketers are also responsible for advising bloggers of their responsibilities.  </p>
<p>On October 5, the FTC issued its final revised Guides Concerning the Use of Endorsements and Testimonials in Advertising <a href="http://www.ftc.gov/opa/2009/10/endortest.shtm">(available for download here)</a>, the first rewrite of the Guides since 1980.  While their title is not particularly noteworthy, these new rules broadly extend the concept of endorsements and testimonials to include as sponsored advertising all sorts of loose new media relationships that are increasingly used by marketers in place of traditional radio and television advertising and paid endorsements.  (They also include changes in other areas, such as disclosures that must be made when advertising the results of using a product.)  The Guides do not purport to be binding law, but are rather administrative interpretations of the law, issued to provide guidance on what the FTC considers to be deceptive behavior.  However, violations are punishable by civil penalties of up to $11,000 per violation.  The revised Guides will become effective on December 1, 2009.  </p>
<p>For example, a marketer may provide unsolicited samples of its products to members of a blogger network who sign up for the network so that they can review the products on their sites.  Or a marketer may supply a product, such as a video game, to one particularly well-read blogger known as an expert or authority in his area in the hope of gaining a positive review.  Or the marketer may institute a word-of-mouth or viral marketing scheme where participants receive something of value (such as a payment or an entry in a sweepstakes) to e-mail their friends or send out tweets about the marketer’s product.  All of these relationships may now be characterized by the FTC as endorser-advertiser relationships, wherein both the “endorser” (i.e., the person generating the content about the product) and the “advertiser” (the marketer) must ensure the absence of false or misleading statements and the “clear and conspicuous” disclosure of connections that are not reasonably expected by the target audience and are likely to influence purchasers’ assessment of the credibility of the statements.  </p>
<p><strong>When is a Favorable Post an “Endorsement”?</strong></p>
<p>The threshold question is obviously what level of incentive turns blogger commentary about a marketer’s product into an “endorsement,” thereby rendering both the blogger and the marketer potentially liable for failure to disclose material connections and for deceptive statements.  The FTC notes:  </p>
<p><em>“[A] blogger could receive merchandise from a marketer with a request to review it, but with no compensation paid other than the value of the product itself. In this situation, whether or not any positive statement the blogger posts would be deemed an “endorsement” within the meaning of the Guides would depend on, among other things, the value of that product, and on whether the blogger routinely receives such requests. If that blogger frequently receives products from manufacturers because he or she is known to have wide readership within a particular demographic group that is the manufacturers’ target market, the blogger’s statements are likely to be deemed to be “endorsements,” as are postings by participants in network marketing programs. Similarly, consumers who join word of mouth marketing programs that periodically provide them products to review publicly (as opposed to simply giving feedback to the advertiser) will also likely be viewed as giving sponsored messages.”</em></p>
<p>As an example, the Guides posit a consumer who purchases a new brand of dog food and reviews it favorably on her personal blog.  If she purchases the dog food with her own money or gets it for free because the store routinely tracks her purchases and generates a coupon for a free trial bag of the new dog food, there is no endorsement.  However, if the consumer gets the dog food as a result of joining a network marketing program under which she periodically receives various products about which she can write reviews if she wants to, her positive review will be considered an endorsement.  As another example, a college student who has earned a reputation as a video game expert receives (as he has in the past) a copy of a newly released video gaming system along with a request from the manufacturer to write about it on his blog.   He tests it out and gives it a favorable review.  This is also an endorsement, and the FTC comments that because the review is disseminated via a form of consumer-generated media in which his relationship to the advertiser is not inherently obvious, and given the value of the gaming system, the blogger should clearly and conspicuously disclose that he received it free of charge.  Furthermore, “[t]he manufacturer should advise him at the time it provides the gaming system that this connection should be disclosed, and it should have procedures in place to try to monitor his postings for compliance.”  (Presumably, the Guides’ additional rules on the use of expert endorsements in advertising would also apply here.)</p>
<p> In yet another example given by the FTC, a skin care product manufacturer participates in a blog advertising service that matches up advertisers with reviewers.  The marketer requests that the blogger try out its new body lotion and write a review.  The blogger, totally on her own initiative and without any direction from the manufacturer, makes an unsubstantiated recommendation that the product cures eczema.  Both the manufacturer and the blogger will be liable for the unsubstantiated claim and any failure to disclose that the blogger is being paid.  </p>
<p>The FTC has explained that the purpose of the new rules is to treat new media in the same manner as traditional journalistic and advertising outlets.  However, as a practical matter, many businesses treat these channels differently and will have to scramble to implement the necessary monitoring and enforcement mechanisms.  For example, it is not uncommon for a business to buy a sponsorship from a non-profit organization where one of the benefits of the sponsorship is a favorable mention on the organization’s blog.  In many cases, the sponsorship agreement is spotty and does not include detailed restrictions on what the organization can and cannot say about the sponsor’s products, and it is doubtful that anyone at the sponsor is giving the non-profit organization’s Web 2.0 chatter a compliance review.  Indeed, the whole point of marketing to bloggers and through social media is to support a spontaneous and unforced style of commentary that has greater authenticity for cynical, tech-savvy consumers.   Of course, in response to such comments the FTC has countered that its rules are designed precisely to protect consumers’ ability to rely on this quality of the blogosphere in making purchasing decisions.   Liability depends, then, not on the existence of direct control over bloggers, but on whether “the advertiser initiated the process that led to [the] endorsements being made – e.g., by providing products to well-known bloggers or to endorsers enrolled in word of mouth marketing programs ….”</p>
<p><strong>Design a Compliance Program</strong></p>
<p>Unfortunately, corporate legal departments will now have to extend the long arm of compliance over a whole host of Web 2.0 marketing activities that until now may have been loosely policed, if at all.   “In employing this means of marketing,” the FTC dryly observes, “the advertiser has assumed the risk that an endorser may fail to disclose a material connection or misrepresent a product, and the potential liability that accompanies that risk.”  However, it also states that in the exercise of prosecutorial discretion it will consider “the advertiser’s efforts to advise these endorsers of their responsibilities and to monitor their online behavior ….”</p>
<p>The first step for companies, then, is to get a handle on what their marketing departments are doing to curry favor with bloggers and create buzz through viral online marketing.  It is especially important to get a firm handle on the activities of advertising and PR agencies, since the FTC will hold companies responsible for the actions of these third-party agents.  If compensation, free products or other valuable incentives (such as sponsorships) are being offered in the hope of stimulating positive reviews, then the company should institute and document a process of advising bloggers and other new media commenters about their duty to disclose material connections and the limits on the factual claims they can make about a product and its beneficial effects.   There should also be periodic monitoring of the resulting posts, with documented follow-up action if necessary, to make sure they comply with the FTC’s endorsement guidelines.  </p>
<p>If blogger relationships are managed through an advertising agency or other third party, the written contract with that third party should specifically address each party’s rights and obligations with respect to monitoring and compliance.  At the very least, a company should reserve the right to audit and pre-approve an advertising agency’s solicitation of bloggers so that the company knows which bloggers the agency is dealing with and whether the relationships are of a type that could lead to advertiser-endorser liability and can monitor the bloggers’ posts about the company’s products.  </p>
<p> If all this sounds like overkill (and no doubt it will meet with fierce resistance in some online marketing departments), it is critical to remember that incentivized blogger buzz is now treated the same as any paid endorsement:  according to the FTC, both are advertising subject to disclosure requirements and prohibitions on misleading or unsubstantiated claims.  The compliance burden may, in fact, prove too onerous for some companies.  In this case, their best bet is to implement policies that prohibit the payment of compensation or giving away of valuable products in the hope of generating positive online buzz.   Favorable reviews are not “endorsements” within the meaning of the Guides unless they have been incentivized in some way.  </p>
<p><strong>Implement a Social Media and Blogging Policy</strong></p>
<p>Promoting compliance within organizations also makes it essential, now more than ever, to have a social media and blogging policy that covers both references to the company and its products in employees’ personal posts as well as the use of social media and blogs for marketing and other business purposes.  Not only is it a best practice to treat company-initiated social media and blog posts as official corporate communications that require consideration of regulatory, securities, litigation and reputational risk issues, and possibly prior legal or regulatory review; the possibility that third-party posts may now be deemed company-initiated endorsements makes it vital to bring all Web 2.0 activities under one comprehensive policy.  Furthermore, according to the Guides, a company employee who posts messages on an online message board promoting the company’s product (a common practice) must clearly and conspicuously disclose his or her relationship to the company.  This requirement should be specifically spelled out in the company’s social media and blogging policy.  </p>
<p><strong>Tips for Bloggers</strong></p>
<p>As for bloggers and other online commenters, they should be sure to disclose any compensation or benefits they receive to comment on products and, if they do have such a connection to a marketer, should be very careful to follow the guidelines furnished by the marketer (which the marketer is required to provide) and not make general or sweeping factual claims about the product or any claim that can’t be easily substantiated.  If a blogger chafes at submitting to this degree of oversight and control, he always has the option of buying the product himself, for example, rather than receiving it as a freebie.  The FTC has indicated that advertisers and not bloggers will be its main enforcement target.  However, a blogger who runs a “substantial operation” that violates the rules and who receives a warning will still be at risk.  Moreover, the FTC can adopt a more aggressive enforcement stance at any time.</p>
<p>The FTC’s rulemaking will heavily influence the way marketers generate buzz on the Internet and warrants close scrutiny of participation in blogger and viral incentive programs by all parties involved.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/new-ftc-rules-target-blogger-relationships/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>FTC Busts Sears in Behavioral Tracking Case</title>
		<link>http://www.baerbizlaw.com/category/blog/ftc-busts-sears-in-behavioral-tracking-case/</link>
		<comments>http://www.baerbizlaw.com/category/blog/ftc-busts-sears-in-behavioral-tracking-case/#comments</comments>
		<pubDate>Mon, 22 Jun 2009 21:03:12 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/?p=338</guid>
		<description><![CDATA[<p>I hate to say I told you so, but &#8230; I told you so.</p>
<p>In mid-May I made a <a href="http://www.baerbizlaw.com/ftc-mandates-self-regulation-for-online-behavioral-advertising/">post</a> on this blog and wrote an <a href="http://www.revenews.com/andrewbaer/ftc-sounds-off-on-online-behavioral-advertising-privacy-issues/">article</a> for <a href="http://www.revenews.com">www.revenews.com</a> discussing the[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/ftc-busts-sears-in-behavioral-tracking-case/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>I hate to say I told you so, but &#8230; I told you so.</p>
<p>In mid-May I made a <a href="http://www.baerbizlaw.com/ftc-mandates-self-regulation-for-online-behavioral-advertising/">post</a> on this blog and wrote an <a href="http://www.revenews.com/andrewbaer/ftc-sounds-off-on-online-behavioral-advertising-privacy-issues/">article</a> for <a href="http://www.revenews.com">www.revenews.com</a> discussing the FTC&#8217;s new &#8220;self-regulatory&#8221; principles for businesses engaged in online behavioral advertising.  Some of the key take-aways from the FTC&#8217;s <a href="http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf">staff report</a> were that it wants to provide consumers real transparency and control (i.e., a prominent notice and opt-out ability) over the collection of personally identifiable (or computer- or device-identifiable) data for behavioral advertising, and that it does not like the required disclosures and &#8220;choice mechanism&#8221; to be buried in a privacy policy or similarly lengthy legal document.  I also warned readers not to be fooled by the &#8220;self-regulatory&#8221; moniker &#8212; it was only a matter of time before the FTC started filing complaints against violators for unfair or deceptive advertising practices under Section 5 of the FTC Act.</p>
<p>And so it has.  On June 4 the FTC announced the settlement of an administrative action against Sears Holdings Management Corporation for allegedly encouraging website users to join an interactive community for which they would be required to download and install &#8220;research software&#8221; that Sears told them would confidentially track their &#8220;online browsing.&#8221;  Actually, according to the FTC&#8217;s complaint, the software, which, unbeknownst to computer users, was always running in the background, tracked just about everything they did and viewed using their computers, both on and off the Internet, including the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and header and size information for web-based e-mails, and relayed this information back to Sears&#8217; servers.  </p>
<p>Initial disclosures, a linked privacy policy and buoyant statements encouraging consumers to become part of an interactive &#8220;My SHC Community&#8221; failed to communicate adequately the scope of the data collected or the unceasing operation of the tracking software.  Only in a labyrinth of more detailed terms buried within the subterranean folds of a typically legalistic privacy policy and user license agreement (presented in a scroll box at the end of a lengthy registration process) was there full and accurate disclosure of what the software actually did and the types of data it collected. </p>
<p>From a privacy standpoint, Sears&#8217; two cardinal sins appear to be (1) using general and harmless-sounding language like &#8220;online browsing&#8221; to describe the software&#8217;s tracking when it also tracked secure web sessions, sessions on third-party websites and (most misleading) certain computer activities not related to the Internet; and (2) burying the specifics in a legal document which was presented late in the process so that consumers were unlikely to see the pertinent information before they made the decision to download and install the software.  </p>
<p>In the proposed settlement agreement submitted for public comment, the FTC requires Sears to stop collecting data from consumers who had previously installed the tracking software and to destroy all data collected to date.  Notably, it also requires Sears, when advertising or disseminating such tracking software in the future, to clearly and prominently make highly detailed privacy disclosures, including the types of data and Internet interactions captured or monitored, how the data will be used and whether the data may be used by third parties.  </p>
<p>These super-granular privacy disclosures must appear not only prior to the downloading and installation of the tracking software, but also &#8220;prior to the display of, and on a separate screen from&#8221; any final privacy policy, license agreement or terms of use.  Consumers must also be prompted to opt-in to initiate the software download and collection of data by clicking a button or link where this option is clearly described and is not pre-selected.  (This opt-in requirement actually goes further than the self-regulatory principles, which require an opt-in only for the collection of &#8220;sensitive&#8221; information, such as Social Security numbers, financial data, data about children and health information, for behavioral advertising purposes.)</p>
<p>To read the FTC&#8217;s complaint and the proposed settlement agreement and consent order, please click <a href="http://www.ftc.gov/os/caselist/0823099/index.shtm">here</a>.    </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/ftc-busts-sears-in-behavioral-tracking-case/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Security Odds and Ends</title>
		<link>http://www.baerbizlaw.com/category/blog/data-security-odds-and-ends/</link>
		<comments>http://www.baerbizlaw.com/category/blog/data-security-odds-and-ends/#comments</comments>
		<pubDate>Fri, 05 Jun 2009 16:28:24 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Add new tag]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[information security]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/?p=319</guid>
		<description><![CDATA[<p>The web of data security regulations applicable to businesses that collect, store and/or transmit personal information is getting thicker by the day. [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/data-security-odds-and-ends/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>The web of data security regulations applicable to businesses that collect, store and/or transmit personal information is getting thicker by the day.  Nevada and Massachusetts recently enacted new laws requiring certain personal information used by businesses to be encrypted.  The Nevada law, <a href="http://www.leg.state.nv.us/Nrs/NRS-597.html#NRS597Sec970">NRS §597.970</a>, became effective on October 1, 2008 and essentially requires businesses with operations or customers in Nevada to use encryption to transmit personal information outside of their firewalls.  The Massachusetts regulation, <a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf">201 CMR §17.00</a>, which will go into effect on January 1, 2010, requires every person that owns, licenses, stores or maintains personal information about a Massachusetts resident (who may be a customer, employee or anyone else) to develop and implement a comprehensive written information security program, which must include the encryption of personal information transmitted wirelessly or over public networks <strong>as well as information stored on laptops or other portable devices</strong>.  Please check out <a href="http://www.revenews.com">www.revenews.com</a> for an upcoming article by me examining these aggressive new data security requirements in depth.</p>
<p>As if the Nevada and Massachusetts laws weren&#8217;t fun enough, on August 1 the FTC will start enforcing the new Red Flags Rule, which requires &#8220;financial institutions&#8221; and &#8220;creditors&#8221; (as defined in the Rule) to develop and implement programs that identify and detect the warning signs (or &#8220;red flags&#8221;) of identity theft and provide for appropriate responses to prevent and mitigate identity theft.  The Red Flags Rule applies to a wide range of businesses and organizations beyond banks and others under the supervision of a federal regulatory agency (who were required by their respective regulators to comply as of November 1, 2008), including any business that regularly defers payment for goods or services or provides goods or services to be billed later.  Utility companies, mobile telecommunications providers and even ambulance services may have to comply.  Accordingly, businesses which offer accounts, or are in any way involved in providing or servicing accounts, that may involve credit (even short-term payment deferral) and exposure to the personal information of consumers or individuals should determine whether they are subject to the Red Flags Rule.  More information about the Red Flags Rule can be found on the FTC&#8217;s website <a href="http://ftc.gov/redflagsrule">here</a>.      </p>
<p>On a happier note, it&#8217;s Friday&#8230;.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/data-security-odds-and-ends/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FTC Mandates Self-Regulation for Online Behavioral Advertising</title>
		<link>http://www.baerbizlaw.com/category/blog/ftc-mandates-self-regulation-for-online-behavioral-advertising/</link>
		<comments>http://www.baerbizlaw.com/category/blog/ftc-mandates-self-regulation-for-online-behavioral-advertising/#comments</comments>
		<pubDate>Sat, 16 May 2009 14:11:15 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[E-Commerce]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/?p=290</guid>
		<description><![CDATA[<p>In a previous post, I mentioned that on February 12, 2009 the Federal Trade Commission (FTC) issued revised &#8220;self-regulatory&#8221; (but hardly [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/ftc-mandates-self-regulation-for-online-behavioral-advertising/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>In a previous post, I mentioned that on February 12, 2009 the Federal Trade Commission (FTC) issued revised &#8220;self-regulatory&#8221; (but hardly optional) principles addressing consumer privacy concerns in online behavioral advertising.  Online behavioral advertising is the practice of targeting ads to individual consumers based on data collected about their web activity, such as searches conducted, web pages visited and content viewed.  The FTC is mandating self-regulation in this area because of the invisibility of the data collection to consumers and the increasing potential for fraud or other harm due to the profusion of data being sucked into cyberspace. </p>
<p>The FTC&#8217;s revised &#8220;self-regulatory&#8221; principles (failure to comply with which may result in FTC enforcement proceedings!) include the ability for consumers to <strong>opt out</strong> of having personally identifiable (or computer- or device-identifiable) data collected for behavioral advertising and to <strong>opt in</strong> for the collection of &#8220;sensitive&#8221; data (such as Social Security numbers, financial data, data about children and health information) for such purposes.  Please check out my recent article for <a href="http://www.revenews.com">www.revenews.com</a>, which can be viewed <a href="http://www.revenews.com/andrewbaer/ftc-sounds-off-on-online-behavioral-advertising-privacy-issues/">here</a>, for a full summary and discussion of the new FTC requirements.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/ftc-mandates-self-regulation-for-online-behavioral-advertising/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
