NAI Members and Digital Advertising Companies Should Take Note of FTC Warning on Sensitive Data, Particularly Claims of “Anonymization”
On July 11, 2022, the Federal Trade Commission (“FTC”) published an important blog post that serves as a public warning to the industry, reiterating its commitment to “fully enforcing the law against illegal use and sharing of highly sensitive data,” noting that “[c]ompanies that make false claims about anonymization can expect to hear from the FTC.”
In the post, the FTC notes, “[a]mong the most sensitive categories of data collected by connected devices are a person’s precise location and information about their health.” The FTC also noted that connected devices, such as smartphones, connected cars, fitness trackers, and smart home products can collect precise location information, and that beyond location information, many of these devices generate other sensitive data that could potentially be misused.
While “sensitive data” is not a clearly defined term in statutes or a singular set of regulations, the FTC defines the term generally to include a range of data, and they have long considered precise geographic data (or what the NAI Code calls Precise Location Information1) and health data, defined broadly, as two of the most sensitive categories–for additional information on health data, see this resource provided by the NAI earlier this year.
The FTC noted that claims about data as “anonymous” or “anonymized” are often deceptive2. In particular, the FTC said that “anonymized” data (particularly precise location information) can often be “re-identified.” The FTC said that any false claims about anonymization could result in FTC enforcement action. The blog cites several areas where it has relevant enforcement authority, most notably the FTC Act’s Section 5 prohibition on deceptive and unfair acts, but also the Safeguards Rule, Health Breach Notification Rule, and the Children’s Online Privacy Protection Rule.
The NAI has long maintained the highest self-regulatory standards in the industry pertaining to sensitive data, and we have always been very careful in evaluating member companies’ public disclosures and privacy policies. In light of the FTC’s recent post, below is a review of key definitions and issues members should be mindful of, particularly around disclosures referring to any collected data as “anonymized” or “aggregate.”
Relevant NAI Definitions
The NAI Code defines and differentiates between Personally-Identified Information (“PII”)3 and Device-Identified Information (“DII”)4, and it encourages members to use such distinctions in their public disclosures and privacy policies. User-level information that member companies do not associate with personal identifiers like name, phone numbers, or email addresses should be referred to with terms like “Device-Identified Information” or “pseudonymous identifiers.” Of course, the NAI recognizes that in many jurisdictions, both PII and DII are considered to be “Personal Information” or “Personal Data.” However, the NAI makes a distinction between PII and DII, and we place restrictions on the merger of pseudonymous cross-site browsing activity with consumers’ real-world identities. While DII can potentially be linkable to individuals, the NAI continues to believe that one of the integral points in protecting consumer privacy is to encourage the use of pseudonymous identifiers where possible, along with appropriate technological and policy protections to prevent the linking of this information to specific individuals.
The NAI Code also defines “De-identified Information” as “data that is not linked or intended to be linked to an individual, browser, or device.”5 As such, data would be considered “De-Identified Information” under the NAI Code if a member were to take additional steps with respect to DII, such as: (1) taking steps to ensure that the data cannot reasonably be re-associated or connected or associated with an individual or with a particular browser or device, such as by removing the unique user identifiers (e.g., cookie identifier or IP address), or truncating such identifiers; (2) publicly committing to maintain and use the data in a de-identified fashion and not attempting to re-associate the data with an individual or with a particular browser or device; and/or (3) obtaining satisfactory assurance that any other entity that receives the De-Identified Information will not attempt to reconstruct the data in a way such that an individual or browser or device may be re-identified and will use or disclose the De-Identified Information only for uses specified by the NAI member company.
Various statutes provide specific definitions of de-identified data, and the FTC defines de-identification as achieving a reasonable level of justified confidence that the data cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, computer, or other device.6
The NAI Code does not define or refer to “anonymized data,” and we have long instructed members to use more specific terms to help avoid confusion, such as those defined in the Code. As the FTC identifies in their post, the term is commonly used across the digital advertising industry, as well as many other data-centric industries. However, there is a significant lack of clarity in U.S. federal or state laws and regulations, and no clear technical standards to help define “anonymized” data. Therefore, a reference to data that is anonymized does not clearly convey whether such data is “reasonably linked or linkable” to personal information, the standard that various statutes and the FTC seek to meet for defining personally identifiable information. For this reason, the NAI continues to recommend that members refrain from using the term “anonymized” and instead use more specific terms, such as those identified in the Code, to help avoid confusion.
The FTC makes a specific reference to “aggregate data,” drawing a parallel to “anonymous” data and citing research about the potential ability to uniquely identify a high percentage of any dataset based on a certain number of characteristics, such as precise locations and time stamps. While not a defined term under the NAI Code, the NAI considers aggregate data to be a type of data that in most cases poses minimal privacy risks because it is group data, such as monthly aggregate reports on an advertising campaign provided by NAI members to their clients. Aggregate data does not contain individual-level or device-level information that can be linked back to a specific individual or device.7 For example, this type of data could highlight how many people traveled between Philadelphia and Washington during a given timeframe, or the number of people that traveled to a particular retail location.
However, as the FTC identifies, some aggregate data sets, particularly those associated with Precise Location Information, even when not connected to PII or DII, pose unique privacy challenges due to an increased potential for linking directly to individuals. Therefore, while the NAI Code Commentary states that aggregate information can be one type of De-identified Information, NAI members and other companies should be particularly careful in their sharing of such data, and the way that company practices are communicated to users and in privacy policies. Companies should avoid referring to data that is reasonably linkable to specific individuals as “aggregate” or de-identified. For instance, research has demonstrated that in some cases aggregate datasets, particularly with respect to location information, can be used to directly identify an individual, if the individual’s patterns are unique enough, even when they do not contain a name, home address, phone number or other obvious identifier.8
Other Data Misuses Highlighted by the FTC
The FTC blog also highlights several recently settled enforcement actions regarding companies that “over-collect, indefinitely retain, or misuse[d] consumer data.” These settlements include OpenX Technologies, Kurbo/Weight Watchers, and CafePress, which all provide additional insights into how the FTC is equipped to apply its enforcement authority and are worth reviewing, particularly with respect to enforcement related to the Children’s Online Privacy Protection Act (COPPA) and Section 5 of the FTC Act.
- In United States v. OpenX Technologies, Inc., the FTC alleged that OpenX, an ad exchange, improperly collected children’s data without parental consent in violation of the FTC’s COPPA Rule.9 The FTC alleged OpenX did not flag certain apps as directed to children, and as a result received “millions, if not billions” of bid requests containing the personal information of children.10 The federal district court enjoined OpenX from collecting personal information from children without consent.11 OpenX was also required to pay $2 million in civil penalties.12
- The FTC recently took action against Weight Watchers for collecting the personal information of children without parental consent.13 The FTC also alleged Weight Watchers indefinitely retained the data it collected.14 Weight Watchers was ordered to pay $1.5 million in civil penalties.15
- The FTC took action against CafePress, alleging the online retailer stored consumers’ sensitive data (including Social Security Numbers and security questions and answers) in plain, readable text in its databases.16 The FTC also alleged CafePress failed to honor deletion requests from consumers by deactivating consumer accounts, rather than fully deleting the accounts and any associated data.17 CafePress settled with the FTC for $500,000.18
The NAI Code requires that members do not create advertisements specifically targeting children without verifiable parental consent.19 Members are also required to explicitly disclose how long any consumer data collected is retained.20 Members are prohibited from retaining consumer data for longer than is necessary to fulfill the purpose for which the data was collected, or to fulfill another legitimate business need.21
By making clear and accurate distinctions in public disclosures, NAI members can ensure they are being transparent with consumers about the types of data being collected and the use cases for the data. The NAI Code and Guidance are complementary to the FTC Act, COPPA and other laws and rules enforced by the FTC. Therefore, the terminology and requirements do not always align precisely. The NAI encourages members to thoroughly review their data collection, use and disclosure practices, and to be mindful of key distinctions.
While this analysis provides general explanations of certain FTC decisions and federal regulations, it is not legal advice. All NAI members should consult with legal counsel to determine exactly how to comply with laws and rules enforced by the FTC.
1 Network Advertising Initiative, 2020 NAI Code of Conduct § I.L.
2 The Federal Trade Commission Act of 1914 (“the FTC Act” or “the Act”) (15 U.S.C. § 41 et seq.) includes a provision making “unfair or deceptive acts or practices in or affecting commerce” unlawful (commonly referred to as “Section 5”). The FTC has authority under the Act to enforce its provisions, and has developed a doctrinal framework for determining when an act or practice is deceptive: (1) There must be a representation, omission, or practice that is likely to mislead the consumer; (2) the representation must be one a reasonable consumer would consider misleading; and (3) the representation, omission, or practice must be a material one. See Letter from James C. Miller, Chairman, Federal Trade Commission, to the Hon. John D. Dingell, Member of Congress (Oct. 14, 1983), https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf.
3 Network Advertising Initiative, 2020 NAI Code of Conduct § I.K.
4 Network Advertising Initiative, 2020 NAI Code of Conduct § I.F.
5 See 2020 NAI Code of Conduct § I.E (2020).
6 See Fed. Trade Comm’n., Protecting Consumer Privacy in an Era of Rapid Change, (2012), https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf.
7 See 2020 NAI Code of Conduct app. at 20.
8 Yves-Alexandre de Montjoye et al., Unique in the Crowd: The Privacy Bounds of Human Mobility, Scientific Reports (Mar. 25, 2013), https://www.nature.com/articles/srep01376.pdf.
9 See Compl. at 2, U.S. v. OpenX Technologies, Inc., No. 2:21-cv-09693 (C.D. Cal. Dec. 15, 2021).
10 Id. at 10.
11 See Order at 8, U.S. v. OpenX Technologies, Inc., No. 2:21-cv-09693 (C.D. Cal. Dec. 15, 2021).
12 Id. at 16.
13 See Order at 1, U.S. v. Kurbo, Inc., No. 3:22-cv-00946-TSH (N.D. Cal. Mar. 3, 2022).
14 Id. at 7.
15 Id. at 9.
16 See Compl., In re Residual Pumpkin Entity, LLC, F.T.C. Dkt. No. 1923209 (Mar. 15, 2022) at 4
17 Id. at 11.
18 See Order, In re Residual Pumpkin Entity, LLC, F.T.C. Dkt. No. 1923209 (June 24, 2022) at 8.
19 Network Advertising Initiative, 2020 NAI Code of Conduct § II.D.1.
20 Id. § II.B.1.a.v.
21 Id. § II.F.4.