March 10, 2012

Cookies are one of my favorite things.  Usually, this refers to the oatmeal raisin variety rather than those tiny bits of computer code that empower websites to remember a user’s login, keep items in a shopping cart and greet the user by name when she returns.  Warm and fuzzy, right?

Sometimes, not so much.  I once shopped for a friend on a website that she loves but is not my taste. So years later continuing to be served display ads from that website is irritating.  Another friend tweeted that “it’s creepy” when a product she was reading about on one website appears later in a display ad on a different website.  It seemed someone was spying on her.  Uncanny!  “Creepy” is a term borrowed from robotics to refer to a use of personal information that does not legally invade your privacy but is frightening because of the “stalker-like” appearance that a website knows everything about the user.

In 1890, another new technology was changing the media. Then as now, legal scholars were concerned that existing law would not protect consumers from the heretofore unheard of technology.  In The Right to Privacy inspired by the invention of “instantaneous photographs”, Justices Samuel D. Warren and Louis D. Brandeis identified privacy as the right of an individual to be left alone. William Prosser further developed Invasion of Privacy into a set of four torts (legal remedy for an injury): False Light, Appropriation of Name or Likeness, Intrusion into Seclusion and Public Disclosure of Private Facts. The body of law that developed from Warren and Brandeis’ article served to protect privacy through the 20th Century until the proliferation of electronic information in the Internet age allowed websites to identify users without using their names or likenesses.

Today it is important to understand and take steps to control the personal information tracked by websites and online technology.  Much of the technology is used to provide an internet visitor with a consistent experience across Internet Platforms. Here are descriptions of common types of technology websites use to track users:

  • Cookie. A cookie is a small file containing a string of characters that is sent to a user’s computer when the user requests a website address. When that user later returns to the website, the cookie allows that site to recognize the user’s browser. Cookies are usually discarded when the person ends the session and closes the browser.
  • Persistent Cookie. Cookies that include an expiration date will persist until the arrival of the expiration date, potentially long in the future. Cookies may store user preferences and other information. A user can reset her browser to refuse all cookies or to indicate when a cookie is being sent.
  • Pixel Tag.  A pixel tag, sometimes called a web beacon, is a tiny graphic file placed on a website, in an ad or within the body of an email. It is used to track activity on websites or to notify a sender when emails are opened or accessed, and is often used in combination with cookies to connect an ad to an interested consumer.
  • Server Log.  Website servers automatically record the page requests made by visitors to the website in log files. Server logs typically record web requests, Internet Protocol addresses, browser type, browser language, the date and time of a request and one or more cookies that uniquely identify the user’s browser.
  • IP Address.  Computers connected to the Internet are assigned a unique number known as an Internet protocol (IP) address. Since these numbers are usually assigned in country-based blocks, an IP address can often be used to identify the country from which a computer is connecting to the Internet. Depending on how a user connects to the internet, the IP Address may identify one computer or may change each time the user connects to the internet.
  • Anonymous Identifier.  An anonymous identifier is a random string of characters that is used for the same purposes as a cookie on platforms, including those for mobile devices, where cookie technology is not available.
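
The difference between a session cookie and a persistent cookie described above can be checked directly from the `Set-Cookie` headers a site sends. The following is an added example, not part of the original article; the header values, the `ads.example` domain and the function names are constructed for illustration.

```javascript
// Added example: sample Set-Cookie header values, constructed for illustration.
const SAMPLE_HEADERS = [
  "cart=abc123; Path=/; HttpOnly",
  "prefs=lang%3Den; Expires=Fri, 10 Mar 2017 00:00:00 GMT; Path=/",
  "uid=7f3a9c; Max-Age=63072000; Domain=ads.example; Path=/",
  "stale=1; Max-Age=0; Path=/",
];

// Split one Set-Cookie value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (a === "") continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Classify a cookie as "session" (no expiry), "persistent" or "expired".
// Max-Age takes precedence over Expires, as in RFC 6265.
function classifyCookie(header, now) {
  const c = parseSetCookie(header);
  let expiresAt = null;
  if (/^-?\d+$/.test(String(c.attrs["max-age"]))) {
    expiresAt = now.getTime() + Number(c.attrs["max-age"]) * 1000;
  } else if (typeof c.attrs.expires === "string") {
    const t = Date.parse(c.attrs.expires);
    if (!Number.isNaN(t)) expiresAt = t;
  }
  if (expiresAt === null) return { name: c.name, kind: "session", days: 0 };
  const days = Math.max(0, Math.round((expiresAt - now.getTime()) / 86400000));
  const kind = expiresAt > now.getTime() ? "persistent" : "expired";
  return { name: c.name, kind, days };
}

// Audit a list of headers and return one classification per cookie.
function auditCookies(headers, now) {
  return headers.map((h) => classifyCookie(h, now));
}

// Report relative to a fixed "now" (an assumption chosen for repeatable output).
for (const r of auditCookies(SAMPLE_HEADERS, new Date("2012-03-10T00:00:00Z"))) {
  console.log(`${r.name}: ${r.kind}${r.kind === "persistent" ? ` (${r.days} days)` : ""}`);
}
```

A cookie with no `Expires` or `Max-Age` attribute is discarded when the browser session ends; the others stay on disk for the number of days shown.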

While each of these technologies may be used for administrative purposes such as noting whether a user is a return visitor, remembering the user’s preferences or providing confirmation that the correct ad was served to a particular website to allow a publisher to correctly charge the advertiser for an ad the user clicked, the same technologies may also be used by third parties to quantify and predict consumer behavior. Aggregating non-personally identifiable information stored on users’ browsers allows third party ad servers to accurately predict when a user will purchase a particular product. These third parties use web beacons to find a likely buyer and scan her cookie and log file information to analyze the value of serving a particular ad to that user.  Advertisers can then bid on the value of the ad to be served to the user.

Although the third party ad server cannot identify the human, it knows many details about the user’s browsing history and product preferences. That’s when things start to feel creepy.  This practice is not an invasion of privacy recognized by Warren, Brandeis or Prosser, but it may be actionable as a deceptive practice under the Federal Trade Commission Act.

Less than one might  think. Online privacy focuses on the use of personal information and how it is contributed, collected, shared and used by the user and other people and companies providing web services.  “Personally Identifiable Information” (a.k.a. “PII”) is protected by a web of laws – but non-personally identifiable information collected by many websites is largely unregulated.

Not all personal information is protected either. A person’s name alone is not private or protected. A name with a corresponding social security number, driver’s license number, credit/debit card account number or other financial account number is protected as “Personal Information” under a variety of U.S. state data breach notification laws.  Unauthorized disclosure, theft or breach of unencrypted personal information triggers notification requirements, and imposes liability for penalties and/or damages on the company whose data was breached. Credit card numbers alone (or when stored with expiration dates) are often not protected as PII under many state data breach notification laws. No notification to the holder of the account is required despite the ability of criminals to clone fake but functional credit cards with a credit card number and expiration date alone.

 Websites collect both PII and non-personally identifiable information about their users. PII is collected from website visitors when they fill out forms to register for website services or to make purchases from online retail stores.  Non-personally identifiable information is anonymous data about a visitor detected and used by the website for various purposes, such as to remember if a user is a return visitor, or to remember a visitor’s login information or preferences, to operate shopping carts, and serve ads relevant to the consumer’s interests as determined by tracking the user’s browsing habits. In some cases non-personally identifiable information is collected from a user as she browses across multiple sites and provides a detailed picture of the consumer’s habits.  Non-personally identifiable information about a consumer is stored by the website in cookies and log files on the consumer’s own hard drive.

Only a few state laws address protection of privacy online. California’s 2003 Online Privacy Protection Act (OPPA) was one of the first laws to require that websites used by California residents have policies that notify users how the website collects, uses, shares and protects PII collected from visitors and to notify users how to opt-out of collection of PII. OPPA’s definition of PII includes: first and last name, home or other physical address, email address, telephone number, social security number and other identifiers that could permit physical or online contact with the identified user. 

There are numerous U.S. federal laws and federal agency regulations that govern the use of PII and non-personally identifiable information. How personal information is protected online varies by industry and the financial or reputational risk presented by use of personal information.  For online activities, including digital advertising, several federal laws apply including:

  • Children’s Online Privacy Protection Act (COPPA) that requires websites collecting personal information from children under age 13 (whether intentional or not) to provide notice and obtain verifiable consent from parents to the website’s collection and use of a child’s PII. 
  • The CAN-SPAM Act seeks to protect consumers from unsolicited “junk” email by limiting businesses to emailing only those consumers with whom the company has a business relationship.
  • Federal Trade Commission Safe Web Act of 2006 that extends the FTC’s authority over deceptive collection of consumer information on the Internet. If a company’s privacy policy is inaccurate when compared to the company’s actual information collection practices or is confusing to consumers, the FTC may bring an enforcement action requiring changes in data collection and privacy policies, and/or assess monetary penalties.
  • The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to their customers and protect sensitive financial information about their customers.
  • The HIPAA Privacy Rule requires healthcare providers to protect the privacy of individually identifiable health information by mandating security standards for the collection and storage of sensitive health information.

As online technology continues its rapid development, experts and government regulators (US and foreign) are calling for changes in privacy laws to protect consumers from invasive collection of non-personally identifiable information.  The FTC issued a report in 2010 calling for “Do Not Track” mechanisms to facilitate consumer choice about online tracking.  The U.S. White House recently released its Consumer Privacy Bill of Rights.

Collection of data about users visiting websites is commonplace online. Digital advertising supports the free web and mobile services people enjoy. Determined to ensure that privacy concerns not halt technological advances in digital advertising, the industry formed the Digital Advertising Coalition and developed a self-regulatory program, a consumer education program and PII opt-out program and icon to be embedded in ads that collect multi-site data. The FTC and US White House recently commended the industry for its self-regulatory program.