Federal Trade Commission

Turn Inc, a Redwood City (CA) company that enables sellers to target digital advertisements to consumers, has agreed to settle Federal Trade Commission charges that it deceived consumers by tracking them online and through their mobile applications, even after consumers took steps to opt out of such tracking. “Turn tracked millions of consumers online and through mobile apps even if they had taken steps to block or limit tracking,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “The FTC’s order will ensure the company honors consumers’ privacy choices.”

According to the FTC’s administrative complaint, Turn’s privacy policy represented that consumers could block targeted advertising by using their web browser’s settings to block or limit cookies. In fact, the complaint alleges that Turn used unique identifiers to track millions of Verizon Wireless customers, even after they blocked or deleted cookies from websites. In addition, the agency charged that Turn’s opt-out mechanism only applied to mobile browsers, and did not block tailored ads on mobile applications as the company claimed.

The Federal Trade Commission announced the agenda for its second PrivacyCon, a public forum that will continue and expand collaboration among leaders from academia, research, consumer advocacy, and industry on the privacy and security implications of emerging technologies.

PrivacyCon 2017 will take place in Washington (DC) on Jan. 12, 2017 and include opening remarks from FTC Chairwoman Edith Ramirez. The conference will feature 18 presentations of original research on important consumer privacy and security issues and a closing panel moderated by Jessica Rich, Director of the Bureau of Consumer Protection. The event will cover five major topic areas: the Internet of Things (IoT) and big data; mobile privacy; consumer privacy expectations; online behavioral advertising; and information security. During each session, panelists will present their privacy research and then participate in a discussion addressing the broader issues raised by the research.

The Federal Trade Commission issued the National Do Not Call Registry Data Book for Fiscal Year 2016. Consumers can use the National Do Not Call Registry to choose not to receive telemarketing calls. Now in its eighth year of publication, the Data Book contains a wealth of information about the Registry for FY 2016 (from October 1, 2015 to September 30, 2016), including:
The number of active registrations and consumer complaints since the Registry began in 2003
FY 2016 complaint figures by month and type
FY 2016 registration and complaint figures for all 50 states and the District of Columbia, by population
Rankings of the number of Do Not Call registrations, by state population
The number of entities accessing the Registry by fiscal year
An appendix with registration and complaint figures organized by consumer state and area code.
According to the Data Book, at the end of FY 2016, the Do Not Call Registry contained just over 226 million actively registered phone numbers, up from the 223 million at the end of FY 2015. In addition, the number of consumer complaints about unwanted telemarketing calls received increased from just under 3.6 million during FY 2015 to just over 5.3 million during FY 2016.

The Federal Trade Commission is providing over $88 million in refunds to more than 2.7 million AT&T customers who had third-party charges added to their mobile bills without their consent, a tactic known as “mobile cramming.” The refunds to consumers relate to 2014 settlements with AT&T, and the companies behind two of the cramming schemes, Tatto and Acquinity. The refunds represent the most money ever returned to consumers in a mobile cramming case.

Through the FTC’s refund program, nearly 2.5 million current AT&T customers will receive a credit on their bill within the next 75 days, and more than 300,000 former customers will receive a check. The average refund amount is $31. According to the FTC’s complaint, AT&T placed unauthorized third-party charges on its customers’ phone bills, usually in amounts of $9.99 per month, for ringtones and text message subscriptions containing love tips, horoscopes, and “fun facts.” The FTC alleged that AT&T kept at least 35 percent of the charges it imposed on its customers.

A Federal Trade Commission staff report provides an in-depth assessment of evolving business models that rely on Internet and app-based “sharing economy” platforms used by millions of Americans. The report summarizes a June 2015 FTC public workshop and highlights a number of competitive benefits and potential consumer protection challenges posed by disruptive business models in markets such as for-hire-transportation and short-term lodging.

The report, The “Sharing” Economy: Issues Facing Platforms, Participants, and Regulators, details how buyers and sellers are increasingly using internet-connected devices – smartphones and tablets – to access a matchmaking platform that allows them to search for new services, secure a price point, and complete a transaction. It discusses several “trust mechanisms,” such as reputation rating systems or money-back guarantees, which help build trust between buyers and sellers, as well as providing confidence that a transaction will proceed as agreed online. The report summarizes concerns expressed by state and local regulators and stakeholders that sharing economy platforms enable new entrants to evade regulations designed to protect consumers and promote public safety. In exploring the tension between the potential competitive benefits that sharing economy business models may provide and the potential consumer harms that they may pose, the report draws on the FTC’s expertise as both a competition and a consumer protection agency.

Smart TVs, streaming devices, game consoles, apps and set-top boxes may track consumers’ viewing habits in one way or another. The benefits of tracking technology are apparent anytime a person follows a “Viewers who watched The Night Manager also enjoyed The Last Panthers” recommendation. But what about the privacy implications? That’s just one of the topics on the playlist at the Federal Trade Commission’s third Fall Technology Series on Smart TV, scheduled for December 7, 2016.

According to the agenda, Bureau of Consumer Protection Director Jessica Rich will set the stage with opening remarks at 1:00 ET. She’ll change the channel to Justin Brookman, Policy Director of the FTC’s Office of Technology, Research, & Investigation, who will discuss the Smart TV ecosystem. The first panel will discuss New Frontiers in Media Measurement and Targeting – how Smart TVs provide key metrics, how the technology can target consumers across devices, and how companies and self-regulatory groups are addressing the challenges of providing consumers with transparency and choice. The second panel will focus on Consumer Understanding and Regulatory Framework. What do consumers know about the new world of smart entertainment – and what do they think about it? What information is collected about them, with whom is it shared, and how can consumers find out more about what goes on behind the scenes? The speakers also will consider the legal protections or regulatory structures relevant to how the information is collected and used.

The Federal Trade Commission’s new outlines the steps to take and whom to contact if you suspect that your business has experienced a data breach. Here’s a glimpse of what’s inside:

You’ll need to move quickly to secure your systems. Some immediate steps include:
Secure physical areas potentially related to the breach. Lock them and change codes, if needed.
Stop additional data loss. Take all affected equipment offline right away, but be careful not to destroy evidence. Monitor all access points to your system. If a hacker stole credentials, you’ll need to change those credentials too, even if you’ve removed the hacker’s tools.
Remove improperly posted information from the web. After you clean up your site, conduct a search to make sure other sites haven’t posted the information. If they have, ask them to remove it.

What about breach notification? That’s where many companies have questions. First, take a look at your state’s data breach notification law. If it’s a breach involving health information, also look at the HIPAA Breach Notification Rule and the FTC’s Health Breach Notification Rule. Notify law enforcement, affected businesses and individuals.
Law enforcement – Call your local police, the FBI or the U.S. Secret Service. The sooner they learn about the breach, the more effective they can be.
Businesses – If account information (like credit card numbers) was stolen and you don’t maintain the accounts, notify the institution that does so they can keep an eye out for suspicious activity.
Individuals – The faster you notify people, the faster they can take steps to protect their information. In deciding who to notify and how, consider state laws, the nature of the breach, the type of information taken, the likelihood of misuse and the potential damage if the information is misused. When notifying people, consult with law enforcement and, depending on the type of information breached, consider offering at least a year of free credit monitoring.

The Federal Trade Commission will host an all-day conference, “Planning For the Future,” examining the state of identity theft now and how it may evolve in the future. The event will take place on May 24, 2017, in Washington, DC.

2017 will mark the ten-year anniversary of the executive order creating the federal Identity Theft Task Force, which was co-chaired by the FTC. Despite numerous advances in combating identity theft, it remains a top consumer complaint each year to the FTC, and Department of Justice statistics show that millions of consumers are victims of identity theft. The conference will bring together academics, business and industry representatives, government experts and consumer advocates to discuss the ways in which identity theft affects consumers and how that has changed in the last decade. The FTC event will look at the full life cycle of identity theft, addressing how identity thieves acquire consumers’ information and what information they seek most often, as well as the cost and ease with which consumers’ data can be acquired. In addition, the conference will examine how identity thieves use information, and how they may attempt to use it in the future. Further, the conference will examine how to quantify the impact of identity theft, from financial and economic harms to the broader impact on public safety. The conference will also assess what resources are available to identity theft victims and their effectiveness in helping victims recover.

In testimony presented to the US Senate Commerce Committee, the Federal Trade Commission described its work, and called for several changes to the FTC Act that would enhance its ability to protect consumers and promote competition. FTC Chairwoman Edith Ramirez and Commissioners Maureen K. Ohlhausen and Terrell McSweeny testified before the Committee. In their written testimony, they estimated that the agency’s antitrust enforcement efforts have saved consumers over $3.4 billion, while its consumer protection actions have saved consumers $717 million.

The Commission called for repeal of the common carrier exception to the FTC Act, which prevents the FTC from taking action to protect consumers in some cases involving telecommunications firms and other common carriers. “As the telecommunications and Internet industries continue to converge, the common carrier exception is increasingly likely to frustrate the FTC’s ability to stop deceptive and unfair acts and practices and unfair methods of competition with respect to a wide array of activities,” the Commission stated.

Here are some things we found in our look at ad libraries:
Most ad libraries require the similar core set of permissions (INTERNET and ACCESS_NETWORK_STATE), which give the app use of the Internet and information about the mobile device’s network connections.
Some ad libraries go a step further and ask – often optionally – for additional information like geolocation (ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION).
Some ad libraries sought optional permissions that may be irrelevant to targeting and serving ads, such as permissions that allow the app to read and write on the user’s calendar data (READ_CALENDAR and WRITE_CALENDAR), connect to paired Bluetooth devices (BLUETOOTH), access the device’s vibrate function (VIBRATE), record audio (RECORD_AUDIO), and get a list of all registered Google and other email accounts (GET_ACCOUNTS).

We also looked at ad libraries’ publicly available disclosures. Here’s what we learned:
Some ad libraries had documentation directed at app developers, which explained the types of information they acquired about users through the apps. Other ad libraries had a privacy policy directed at consumers, but few had both.
A few ad libraries had either documentation or a privacy policy that clearly listed the type of information they obtain from mobile users. For example, some specify they collect information about the mobile device’s carrier, make and manufacturer, operating system, language settings, connection speed, IP address, unique device IDs, browser, and more. Others simply state they collect non-personally identifiable information.
Some ad libraries disclose how long they retain a consumer’s information, such as 90 days or 36 months. Others, however, indicate that they keep information as long as needed, or even indefinitely.
Several ad libraries note in their developer documentation that the app developers should have privacy policies, and some note that developers should obtain the appropriate consumer consent to collect, use, and disclose their data to ad libraries.