- Online Behavioral Advertising/Tracking Litigation: A Rising Risk Facing Insurers and Insureds
- March 15, 2012 | Authors: Laurie A. Kamaiko; Mark E. Schreiber; Dominique R. Shelton
- Law Firms: Edwards Wildman Palmer - New York Office ; Edwards Wildman Palmer - Boston Office ; Edwards Wildman Palmer - Beverly Hills Office
2012 began with over 100 pending consumer class actions alleging various companies’ improper tracking of customer and other users’ behavior online and via mobile devices. Some 60 class actions were filed in December 2011 alone against the mobile industry for tracking user behavior for internal analytics and measurement purposes, and other industries are likely to be targeted as well. Plaintiffs’ attorneys have vowed to institute more claims of these sorts in the months to come.
Insurers face potential exposure both as insurers of other companies that track consumer activities for targeted advertising and other purposes, and as users of tracking of online consumer activities themselves. In light of these activities and exposures, a careful understanding and nuanced appreciation of these developing issues is essential for insurers.
THE EXPLODING BEHAVIORAL ADVERTISING MARKET
Targeted advertising has become global and ubiquitous. Online Behavioral Advert¬ising (OBA) is the term now used to describe the process of company tracking of consumers’ online activities to target them for advertising directed at their specific interests. Digital advertising is currently an $80.2 billion industry,1 with online ad spending now exceeding that of print advertising. This has generated increasingly scrutiny of the appropriateness of use of OBA, and the level of notice afforded to and consent required of consumers. Other uses of tracking of customer online behavior have also been attacked.
Significant privacy concerns have been raised by regulators, legislators, and in a rash of class actions filed against compa¬nies in a wide range of industries, about user tracking on a variety of mobile devices. Targeted industries include telecommuni¬cations and media companies, internet providers, wireless phone manufacturers and device makers, and software develop¬ment companies.
Given the importance of digital advertising revenue to digital business models, we expect that the issue of tracking and privacy will continue to grow in 2012, with resultant increase in regulatory scrutiny and litigation.
IMPACT ON INSURERS
Insurers may be called upon to address these issues as their insureds tender claims for defense and indemnity. As with many of the claims arising from use of new technologies, such claims can present an unexpected exposure, the challenge of addressing requests for coverage under policies not intended to cover such risks and, in a more positive aspect, an opportunity to develop new products that specifically address these exposures.
As insurers increasingly avail themselves of new technologies and platforms to market their products and connect to their insureds and agents, they too are potentially subject to similar regulatory and legal proceedings as other industries now face. Companies in the insurance industry are or soon will be employing technologies and platforms to engage with or track their insureds, market their products, assess underwriting exposures and identify issues that present significant exposure to both them and their customers. Many are developing technologies that will allow them to combine data from a variety of sources to develop risk profiles for casualty, property and personal line exposures. There is now the potential ability for companies to determine the number of claims filed involving a particular property and the claims filed by or against individuals owning those properties, and to gather information from publicly available sources (including social networks where companies and individuals often have a presence) to be able to develop a risk profile on a potential insured or claimant. Insurers are also using smart phone apps to provide insurance quotes and take down information.
These new practices bring with them new exposures, and companies utilizing online behavioral advertising and other tracking of user behavior should be aware of those exposures and consider protective measures, including updating and redrafting their web privacy policies to take into account their new activities and the developing regulatory and legal landscape.
WEB AND OTHER PLATFORM EXAMPLES
Last year, one credit card brand published patents in which they described advertising databases that could combine consumer purchasing history with other online social networking preferences to be able to develop an advertising profile that could be targeted to particular consumers. Companies in a wide range of businesses operate websites and smart phone applications that contain tracking technology that can identify the websites’ users visit, their specific geographic locations and the pages that they “Like” through Facebook. This tracking has had the benefit of permitting website operators to serve targeted ads which have click through rates that are twice as effective as regular banner ads that users have come to ignore. In addition, tracking for internal analytic purposes has allowed companies to create infrastructure based upon user location, and create new products tailored to users’ interests.
The wide-spread usage of such OBA and tracking has captured the attention of class-action attorneys, who seek the potential financial benefits of asserting violations of various federal and state statutes directed at limiting collection and dissemination of information about individuals and often requiring specific disclosures with statutory penalties and fines for violations, as well as at times alleging common law claims.
THE FEDERAL AND LITIGATION LANDSCAPE
Federal regulators have already taken action based on existing federal statutes, as well as proposed amendments to expand existing legislation to encompass OBA within their scope.
The FTC Recommendations and Enforcement Orders
The Federal Trade Commission (FTC) defines OBA as a process of “tracking consumers’ activities online to target advertising.”2 It often, but not always, includes a review of the searches consumers have conducted, the Web pages visited, the purchases made, and the content viewed - in order to deliver advertising tailored to an individual consumer’s interests. In its December 2010 report titled “Protecting Consumer Privacy in an Era of Rapid Change. A Proposed Framework for Business and Policy Makers,” the FTC proposed a “Do Not Track” option to prevent targeted advertising without consumer consent. The final guidance is expected shortly.
On September 15, 2011, the FTC also recommended amendments to the Children’s Online Privacy Protection Act (COPPA)3 which would expand the definition of “personal information” to include OBA information. Final comments were due the end of December 2011, with the amendments still to be finalized. Privacy public interest advocates and industry groups provided comments.
Meanwhile, in 2011, the FTC announced four enforcement consent orders against companies for delivering OBA without consumer consent. For each of these actions, the FTC alleged “deceptive” acts in violation of the FTC Act, Section 5 (codified at 15 U.S.C. § 45(a)), and imposed on-going reporting requirements for 20 years.4
The Electronic Communications Privacy Act5
The Electronic Communications Privacy Act (ECPA) is being argued by plaintiffs to prevent or restrict access and tracking of user behavior without user consent. Sections within the ECPA have become the basis of claims asserted in many of the pending class actions.
The Federal Wiretap Act6 is part of the ECPA. To prevail on a claim under the Wiretap Act, plaintiffs must prove that the defendants (1) intentionally (2) intercepted or endeavored to intercept (3) the contents (4) of an electronic communication (5) using a device.7 It provides for statutory damages of $10,000 per violation or $100 per day.8
The Stored Electronic Communications Act (SCA)9 is also part of the ECPA. The SCA prohibits “(1) intentionally access[ing] without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceed[ing] an authorization to access that facility; and thereby obtain[ing], alter[ing], or prevent[ing] authorized access to a wire or electronic communication while it is in electronic storage in such system.”10
The Consumer Fraud and Abuse Act 12
The Computer Fraud and Abuse Act (CFAA), plaintiffs allege, makes it unlawful to track user browsing behavior if this causes $5,000 in economic loss. Where economic harm is not specified, Courts have been willing to dismiss CFAA complaints.13
State Law Claims
Plaintiffs in the pending class actions have alleged a wide variety of state law claims, relying heavily on state consumer protection statutes as well as state common law claims. These can impact the class certification issues, as states vary as to whether their consumer protection acts apply to out of state consumers, and can give rise to state law variations among multi-state classes that potentially can be raised as a defense to prevent class certification.
State regulators are also expanding the application of existing state statutes to the new practices. On February 23, 2012, the California Attorney General announced that mobile apps made available to California consumers must include privacy notices in compliance with the California Online Privacy Protection Act.14
Class Action Litigation
The class action bar has filed more than 115 putative class action lawsuits since January 2011, alleging violations of the ECPA, the Federal Wiretap Act, the SCA, the CFAA, and state statutes and common law. Many include allegations of a broad range of violations of other state statutes in addition to ECPA and CFAA, ranging from state wiretap laws to computer crime laws to state consumer protection statutes, as well as common law causes of action for trespass, misrepresentation, unjust enrichment, and violations of rights to privacy, among others.
Damages are already a major issue, with defendants challenging plaintiffs’ standing to pursue the class action claims based on lack of economic harm as required by statutes such as CFAA, and plaintiffs seeking statutory damages as allowed by certain of the statutes allegedly violated. For example, the Federal Wiretap Act,15 which is often cited in these actions, provides for statutory damages of $10,000 per violation or $100 per day. The recent claims against the mobile industry for tracking allege monitoring software was installed on 151,000,000 phones, resulting in a floor of alleged damages of $1.5 billion.
Next Generation Litigation
While the first wave of class actions, filed in 2010, focused on cable companies providing Internet services, in recent months targets of putative class action complaints have included companies ranging from online retailers to financial institutions. Allegations range from assertions of improper use f “spyware, “persistent tracking cookies” and other applications to track consumer behavior, to assertions of failure to provide requisite disclosures and obtain requisite consents, as well as a broad range of statutory and common law violations.16
These class actions are still in the early stages, with issues such as class certification, standing and viability of certain causes of action and alleged damages still to be fully litigated. Some early decisions indicated that plaintiffs may face difficulties pursuing ECPA, CFAA and common law privacy claims in many of the suits, and courts at least initially showed a willingness to infer consent to receive behaviorally targeted advertising if a consumer reviewed privacy disclosures provided by companies. However, these early rulings relate to only a few of the class actions pending, and in many instances portions of the actions have survived and are still pending, or the claims were allowed to be amended.
Proposed “Do Not Track” Legislation
On March 16, 2011, the Obama administration called for a universal privacy bill, and specifically supported the FTC’s “Do Not Track” proposals. Legislators have responded with privacy bills that address tracking.17
In addition, on January 30, 2012, in response to the filing of numerous recent class actions against the mobile industry for tracking for non-OBA analytic purposes, Representative Ed Markey (D. Mass.) announced his intent to introduce the “Mobile Device Privacy Act” that would require companies to disclose to consumers the capability of software to monitor mobile telephone usage and require the mobile phone users’ express consent before tracking their usage, whether or not such tracking was for advertising purposes.18 Thus the act of tracking user behavior online or via mobile devices is being scrutinized if not challenged on privacy grounds apart from the concerns raised about OBA. On February 23, 2012, President Obama released the Administration’s long awaited privacy framework.19 The Framework proposes national legislation focused on required disclosures for OBA.
State legislatures are not far behind. California, which is typically at the forefront of privacy legislation, has proposed a “Do Not Track” bill that contains a private right of action and statutory penalties.20
OBA IS A GLOBAL ISSUE
OBA issues are being grappled with by regulators in other countries as well, including those in the European Union, and Canada.
The European Union, which generally has a greater degree of consumer privacy protection than the U.S., has also been addressing the issues presented by OBA. Effective May 25, 2011, countries in the EU were required to implement regulations to obtain explicit consent before companies collect OBA information. On December 13, 2011, the UK’s Information Commissioner’s Office advised that opt-in consent will be necessary to collect OBA.21 On February 27, 2012, Europe’s largest mobile operators and a U.K.-based industry group (GSMA) unveiled voluntary app privacy guidelines.
Any company that advertises online or through mobile phone applications, has a website, or otherwise collects, uses or stores consumer data is potentially exposed to OBA and other types of “Do Not Track” claims.
Insurance companies face exposures from OBA and tracking claims both from practices of their insureds and their own. Insurers as well as their insureds may be engaged in marketing their products online and through smart phone apps, and in tracking customer data for their own internal analytic purposes. Companies in the insurance industry use sophisticated databases to track claims history and merging data into databases to create underwriting profiles. Many of these activities likely entail or in the future will include some component of tracking technology. Thus, it is important for companies in the insurance industry, as well as those in other industries, to be aware of the developing regulatory and legal landscape governing tracking of customer and other users’ behavior on line and via mobile devices.
1. www.emarketer.com (June 2011). Digital spending is expected to exceed $94 billion in 2012. Id.
2. FTC Staff, FTC Staff Report: Self-Regulatory Principles for Online Behavioral Advertising ( Feb. 2009), at p. 2 http://www.ftc.gov/os/2009/02/P0085400behavadreport.pdf.
3. Children’s Online Privacy Protection Rule 16 C.F.R. § 312 (located at http://www.ftc.gov/os/2011/09/110915coppa.pdf). Comments were originally due on November 28, 2011 but the comment period was extended to Friday December 23, 2011 https://ftcpublic.commentworks.com/ftc/2011copparulereview/. Also, on November 8, 2011, the FTC issued its new guidance on November 8th regarding consumers and cookies. See http://onguardonline.gov/articles/0042-cookies-having-trail-web.
4. In the Matter of Chitika, Inc., the FTC pursued Chitika for having an “opt out” for behavioral advertising that expired after ten (10) days - alleging this was a “deceptive” practice because the opt out was not meaningful. Chitika now has a 20 year reporting requirement to the FTC. In August 2011, the FTC pursued its first mobile app complaint, resulting in a consent decree against a mobile advertiser that served targeted ads to children under the age of 13 in violation of COPAA. United States of America, Plaintiff v. W3 Innovations, LLC, also d/b/a Broken Thumbs Apps http://www.ftc.gov/opa/2011/08/w3mobileapps.shtm. Most recently, on November 8, 2011, the FTC entered into issued a consent order against a digital third party advertiser Scanscout, for its alleged due of flash cookies to target advertising. And, on November 29, 2011, the FTC released its consent agreement with Facebook for alleged deceptive practices pertaining to tracking.
5. 18 U.S.C. § 2510.
6. 18 U.S.C. §2511.
7. 18 U.S.C. § 2511(3)(a ).
8. Id. at §2520.
9. 18 U.S.C. § 2701.
10. Id. at § 2701(a).
11. See e.g., Mortensen v. Bresnan Communications LLC, 1:10-cv-00013 (D. Montana) (December 2010 Order, Dkt. 30 at p. 12, dismissing plaintiffs’ class action allegations based upon the federal ECPA on grounds that Bresnan’s privacy disclosures disclosed its collection and tracking of user “browsing behavior” and concluding that by using “... Bresnan’s Internet Service, ...[plaintiffs] gave or acquiesced their consent to such interception.” ); and In re Facebook Privacy Litigation (N. D. Cal. ) (where on May 12, 2011, Judge Ware dismissed the plaintiffs’ ECPA claims with leave to amend); and In re Facebook Privacy Litigation (N.D. Cal. November 22, 2011) (where J. Ware dismissed the plaintiffs’ claims with prejudice on the ground, among other things, that no harm had been shown).
12. 18 U.S.C. § 1030.
13. See e.g., In LaCourt v. Specific Media, Inc. 2011 WL 1661532 (C.D. Cal. Apr. 28, 2011), the court held plaintiffs failed to allege economic harm as required by the CFAA. Similarly, in Bose v. Interclick; McDonald’s USA, LLC; McDonald’s Corporation; CBS Corporation; Mazda Motor of America, Inc. and Microsoft Corporation, Case No. 1:10-cv-9183 (S.D.N.Y. August 2011), the court dismissed with prejudice the plaintiff’s claims of alleged violations of the CFAA for failure to allege harm. See Order, Dkt. 36 dated August 17, 2011). See also, In Re iPhone App. Litigation 11-MD-02250-LHK, Order Granting Defendants’ Motions to Dismiss for Lack of Article III Standing With Leave to Amend, Dkt. 8 (N.D. Cal. September 20, 2011).
14. CA Bus. and Prof. Code Sec. 22575.
15. 18 U.S.C. § 2520.
16. See footnotes 11 and 12 above.
17. H.R. Bill Nos. 611, 653 and 654, recommend “do not track” without consumer consent (introduced by Representatives Jackie Speier and Bobby Rush In February 2011). Also, Senators Kerry and McCain introduced similar legislation on the Senate side. See Commercial Privacy Bill of Rights Act (introduced March 2011) at http://kerry.senate.gov/imo/media/doc/Commercial%20Privacy%20Bill%20of%20Rights%20Text.pdf. Senator Rockefeller introduced the Do-Not-Track Online Act of 2011 (which would create a “universal legal obligation” for companies to honor users’ opt-out requests on the Internet and mobile devices).
18. Rep. Markey’s proposed draft “Mobile Device Privacy Act” (released for discussion purposes only) is located online at http://markey.house.gov/sites/markey.house.gov/files/documents/Mobile%20Device%20Privacy%20Act%20--%20Rep.%20Markey%201-30-12&under;0.pdf.
19. The Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and promoting Innovation in the Global Digital Economy.
20. In California, a “do not track” bill is pending. The bill was introduced by state Senator Alan Lowenthal introduced (SB 761), in April 2011. It would require the state attorney general to issue regulations that would require Web companies to notify state residents about online data collection and allow them to opt out. In addition, the California bill contains a private right of action and $1,000 statutory violation per violation.
21. Must Try Harder on Cookie Compliance Says ICO http://www.ico.gov.uk/news/latest&under;news/2011/must-try-harder-on-cookies-compliance-says-ico-3122011.aspx.
22. Guidelines located at http://www.priv.gc.ca/information/guide/2011/gl&under;ba&under;1112&under;e.pdf.
23. See footnote 3, above.