Increasing Scrutiny of Consumer Data Collection

by Morgan Lewis

Recent FTC and California Attorney General actions highlight the need to reassess privacy policies.

The Federal Trade Commission (FTC) recently ordered the data brokerage industry to provide information on the collection and use of consumer data and tightened restrictions on the collection of user data by websites and mobile applications (apps) directed to children. Both the FTC and the state of California have become focused on disclosures about use of consumer data in mobile apps. These recent actions highlight the need to carefully consider privacy disclosures for full compliance, particularly in any mobile or social app or with respect to any information about children.

Compilation of Consumer Data by Data Brokers

On December 18, 2012, the FTC issued orders to nine data brokerage companies, requiring the companies to provide information on their collection and use policies for consumer data.

Data brokers collect personal information about consumers from a variety of public and nonpublic sources in order to compile and sell this information to other companies. Since data brokerage companies typically obtain their consumer information from public records and other data companies, rather than from direct interaction with consumers, many consumers are unaware of the existence and purpose of data brokers. The FTC's goal is to determine the nature and sources of the consumer information collected; the ways in which companies use, maintain, and disseminate this information; and the extent to which companies allow consumers to access and correct their information or to opt out of having their personal information sold. The nine responses will be used to prepare a study and make recommendations on whether, and how, the data brokerage industry can improve its privacy practices. The FTC notes that there are currently no laws requiring data brokers to maintain the privacy of consumer data, unless the data is used for credit, employment, insurance, housing, or other similar purposes.

An FTC report published earlier this year, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, laid out a voluntary framework of best practices for businesses based on the concepts of privacy by design, consumer control, and increased transparency for the collection and use of consumer data.

Children's Privacy – Children's Online Privacy Protection Act

On December 19, 2012, the FTC adopted final amendments promulgated pursuant to the Children's Online Privacy Protection Act (COPPA) (COPPA Rule) that will tighten restrictions on the collection of personal information by websites and mobile apps directed to children under 13 years of age. The final, updated COPPA Rule, scheduled to go into effect July 1, 2013, will broaden the definition of protected "personal information" to include "geolocation information, as well as photos, videos, and audio files that contain a child's image or voice" and "persistent identifiers," such as IP addresses, mobile device IDs, and cookies. Such information cannot be collected from children without parental notice and consent, with the exception of persistent identifiers to the extent they are used for the sole purpose of supporting a website or an online service's internal operations. The rule also modifies the current definitions of "operator" and "website or online services directed to children" under 13. These definitions will now also cover third-party plug-ins integrated on websites directed to children, advertising networks that collect personal information from such websites, and any other outside services that have "actual knowledge" that such information collection occurs. The FTC did clarify that third-party marketplace platforms will not be liable for the child privacy practices of the numerous apps sold on these platforms. According to the FTC, COPPA Rule violators will be subject to fines as high as $16,000 per incident.

The COPPA Rule updates come after a two-year public comment and proposed rule revision drafting process, during which the FTC withdrew several proposals that would have included websites intended for teenagers and young adults. The FTC also withdrew its proposal to impose COPPA responsibilities on third parties that "know or have reason to know" they are collecting personal information through their integration on a site that may have child users, in favor of a much higher "actual knowledge" requirement for such parties.

Mobile and Social Apps – FTC and California Online Privacy Protection Act

Through a December 10, 2012, staff report[1] detailing the FTC's concerns regarding child privacy and mobile apps, the FTC announced[2] its intentions to update COPPA further to address mobile apps. Concurrently, the FTC staff launched nonpublic investigations to determine whether entities in the mobile app marketplace are violating COPPA or engaging in unfair or deceptive practices in violation of the FTC Act.

Mobile apps also have been the focus of enforcement action in California. Under the California Online Privacy Protection Act (CalOPPA), Attorney General Kamala Harris has issued warning letters regarding the state's concern about mobile app privacy policies to scores of companies. Further enforcement of CalOPPA is expected, and the Attorney General has made clear that California intends to strictly apply CalOPPA to mobile and social apps. CalOPPA's impact may, in effect, be national. The California Attorney General's position is that CalOPPA reaches all "operators of a commercial web site or online service" that gather personal information about California residents. Under the act, an "operator" is any person or entity that owns a website located on the Internet or an online service, including mobile and social apps. Thus, for companies with mobile apps, the dispositive question likely is not where they are located geographically but what type of personal information—if any—the app collects from its California users.

If the statute applies, there are two steps for compliance: 1) crafting a compliant privacy policy and 2) posting it "conspicuously" in the manner required by the statute. Although the statute provides options for posting, the options described are geared more toward websites, leaving companies that have mobile apps with the challenge of how to apply them in that context. CalOPPA itself does not mention apps, but the recent enforcement activity underscores the state's position that there is a need for a compliant privacy policy accessible from the app itself and specifically tailored to that app and the personal information it collects—even if a privacy policy already exists on the online website. When an app's privacy policy should appear to a user is unclear in the statute, but the Attorney General's press releases and an agreement struck in February with large platform providers indicate the Attorney General's intent is that consumers should have the opportunity to review an app's privacy policy on the download screen in the platform store before download.

Generally, violations of CalOPPA occur only if the operator fails to conspicuously post its compliant privacy policy within 30 days of being notified of noncompliance, unless failure to comply is "knowing and willful" or "negligent and material." Nevertheless, it is prudent for companies to be proactive in assessing their apps' compliance, as fines of up to $2,500 per download may be imposed.

[1]. View the report here.

[2]. View the press release announcing the report here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising
