Avoiding an FTC Privacy Investigation (and What To Do When You Find Yourself the Target of One) IAPP Global Privacy Summit March 9, 2012 Alysa Z. Hutnik Benita A. Kahn
Transcript
Page 1: IAPP Global Privacy Summit March 9, 2012...- FTC Staff, December 2010 “Companies that fail to implement reasonable security safeguards to protect consumer information will come under

Avoiding an FTC Privacy Investigation (and What To Do When You Find Yourself the Target of One)

IAPP Global Privacy Summit

March 9, 2012

Alysa Z. Hutnik

Benita A. Kahn


Topics of Discussion

5 FTC Privacy triggers to avoid

Tips for avoiding FTC scrutiny

Tips for responding to an FTC CID/access letter

Key Proposed Changes to FTC’s Rules of Practice


Sources That Trigger FTC Scrutiny

Media Coverage

Congress

Consumer Complaints

FTC’s Top 10 List


“All companies involved in information collection and sharing on mobile devices – carriers, operating system vendors, applications, and advertisers – should provide meaningful choice mechanisms for consumers.”

- FTC Staff, December 2010

“Companies that fail to implement reasonable security safeguards to protect consumer information will come under our scrutiny.”

- FTC Commissioner Julie Brill, January 26, 2012

“[FTC] Staff has a number of active investigations into privacy issues associated with mobile devices, including children’s privacy.”

- Jessica Rich, Deputy Director of FTC Bureau of Consumer Protection, April, 2011


5 Privacy Triggers to Avoid

1. Material misrepresentation in privacy policy

2. Inadequate PII safeguards

3. Inadequate consumer choices/control re: use of their PII

4. Inadequate/ disclosures about PII sharing

5. Unauthorized third party access

Usually a combination of more than one of these that triggers attention


Lessons Learned: FTC v. Google

Misrepresentation in privacy policy

Automatic user enrollment

Public default settings

Deceptive opt-out provisions


Lessons Learned: FTC v. Twitter

Misrepresentation in privacy policy and other statements

Inadequate safeguards

Unauthorized third party access


Lessons Learned: FTC v. Facebook

Misrepresentation in privacy policy and in other statements

Inadequate safeguards

Unauthorized access by third-party apps and advertisers

Unauthorized access to deleted user information

Failure to certify security of apps


The List Keeps Going….

FTC v. Upromise, Inc.

Accused of misleading users about the extent to which it collected and transmitted personal information

Allegedly failed to adequately secure the user information that was collected

FTC v. Chitika, Inc.

Accused of tracking consumers’ online activities even after they opted out of online tracking

FTC v. ScanScout, Inc.

Accused of advising that Flash cookies could be removed through browser settings.


Practical Tips To Avoid Becoming a Target

“Bake It In” – Privacy by Design

Empower Consumers with Real Choices

Say what you do and Do what you say

Transparency

Disclosure

Consent


“Bake It In”: Privacy by Design

Means Actually Having A Privacy Program

Designate trained employees

Identify risks to PII (both in product design & PII use)

Assess current safeguards

Implement controls and procedures

Select and retain service providers

Hire independent auditors


Empower Consumer Choice

Controls

Simplify choice

So people can understand the choice and act on it

Opt-out provisions

Cautionary tale: Congressional scrutiny over upcoming changes to Google’s privacy policy that limits consumers’ ability to opt-out


Say What You Do & Do What You Say

Transparency

Collection and protection of information

Consumer control and access

Accessibility to third parties

New or Additional Sharing

Disclosures

Consent


Responding to a CID/Access Letter

Initial Steps

CID/Access Letter Scope

ESI

Production

Privilege Log

Advocacy


Initial Steps

20-day clock is ticking: take it seriously and take action immediately

Review the document

Nature and scope of the Investigation

Definitions

Instructions

Interrogatories / Document Requests

Hire expert counsel in FTC consumer protection matters

Identify key internal team w/ knowledge


Assess Investigation Scope

Creating a Response Framework

What information do we have that is responsive?

How difficult will it be to access the information?

What information is the FTC seeking?

Would compliance with the CID violate other statutes?


CID Scope cont.

Burden Letter

Identify which requests present an unreasonable burden (& get realistic on what is actually going to be considered burdensome)

Develop a detailed narrative and quantify the burden

Propose reasonable alternatives

Submit to the FTC early in the process and keep it rolling – Need to demonstrate cooperation and taking the CID seriously

Also have a good idea of what you can produce soon and when that production will occur


CID Scope cont.

Petition to Limit or Quash

File no later than 20 days after service of the CID, unless appropriate FTC personnel provide a written extension

Must include all assertions of privilege and objections

Motion to Quash rarely granted

More effective to have detailed discussion with staff to limit scope of CID response based on reasonable alternatives if burdensome

Future note: FTC’s proposed rule revision: meet-and-confer requirements within 10 days after receipt of process or before deadline for filing petition to quash, whichever is first


Accounting for ESI

Legal Hold Memo

Immediately prepare & send to relevant employees and officers

Specify dates and types of information covered by the hold

Suspend auto-delete features where applicable

Identify internal email custodians & databases/systems


Production of Responsive Documents

Follow the new BCP Production Guide or work to resolve with Staff if there are issues with compliance

Provide a letter that explains the scope of your response to each request for information within the CID

Respond on time

Assert confidentiality protections and protections against FOIA requests and SAFE-WEB ACT sharing


Privilege Log

Rules require filing no later than the production date; see if you can move this to a later date so the focus can be on gathering responsive materials

Produce schedule of items withheld

Include type, subject matter, date, names, addresses, positions, organizations of all authors and recipients, and specific grounds for privilege

Future Note: FTC proposed rule revision requires a detailed log and parties to meet and confer on privilege issues 10 days after receipt of process or before deadline for filing petition to quash, whichever is first [MORE STRINGENT THAN Fed Rules]


Advocacy – Tell Your Side of the Story

Proactive Follow-up

Communications with Staff

Gather “Good Facts” for Narrative; work with client to truly gather all facts that may be helpful (usually requires interviews and multiple follow-ups)

Work with client if you need to develop some proactive, remedial steps after further review of business practices


Advocacy

Provide Written Narrative (the white paper)

Craft a positive story

Should hit all the key facts that the staff would need to consider in determining if a violation has occurred

Visually walk through the key disclosures (if a disclosure case) and the consumer experience in the most positive light

If remedial changes have been incorporated, be upfront about that

Avoid data dump; whitepaper is an investment but it is your chance to tell the story from the position as the most knowledgeable on the facts

Make it Timely

Send soon after you’ve completed the final document production


Advocacy

Built-in Privacy Protections (Privacy by Design)

Data collection, purpose, and retention

Secure consumer and third-party access

Consumer experience

Default settings

Notice and consent


Advocacy

Compliant Company Practices

Scope of data collected and permitted uses

Contractual protections/monitoring

Risk assessment

New Initiatives

Based on industry guidelines/best practices

Meeting

Ask for a meeting with staff to discuss the case (and your side of the story) (should occur well before any decision on a complaint)


Key Proposed Changes to FTC Rules of Practice

ESI

“Any writings, drawings, graphs, charts, photographs, sound recording, images and other data or data compilations stored in any electronic medium …”

Mandatory Meet-and-Confer

Within 10 days after receipt of process or before the deadline for filing a petition to quash, whichever is first

Deposition Guidelines

No witness consultation allowed

Privilege Log

Detailed log required at time of production


Key Proposed Changes to FTC Rules of Practice

Attorney Misconduct

Reprimand, suspension, or disbarment from practice before the FTC for conduct that is unethical or obstructionist, or for knowingly or recklessly giving false/misleading information

Imputed responsibility for attorneys who order, ratify or fail to mitigate improper conduct


Questions?

Alysa Z. Hutnik

PARTNER

Kelley Drye & Warren LLP

Advertising, Privacy & Information Security

Phone: (202) 342-8603

[email protected]

Connect with Kelley Drye

web: www.kelleydrye.com

blog: www.adlawaccess.com

Benita Kahn

PARTNER

Vorys, Sater, Seymour and Pease LLP

Chair, Technology and Intellectual Property Group

Phone: (614) 464-6487

[email protected]

Connect with Vorys

web: vorys.com

