The rumored impending deluge of privacy investigations in the advertising industry may have already begun. Similar to Washington’s wholesale rout of Wall Street’s hedge funds in the early 2000s, the Federal Trade Commission is heading, it seems, towards a fine-toothed comb deconstruction of the advertising industry’s practices, starting with its most unmanageable beast, data.
Coupled with recent settlements by Apple around mobile data in apps, brands and content companies that use applications to connect with consumers may find themselves vulnerable to what appears to be a gathering storm of legislation and FTC-led movements towards multi-platform data standards enforcement.
On Tuesday the Wall Street Journal reported that federal prosecutors are launching a criminal investigation around how popular mobile apps access, maintain and share data. The paper also quoted an unnamed source stating that Apple and Google, which host digital storage and operating systems for some mobile applications, had also been contacted in conjunction with another federal investigation centering on privacy issues.
The investigations are based on the FTC’s interpretation of the amended Computer Fraud and Abuse Act
to include the access to any consumer information without explicit permission, including unique device identifiers.
This interpretation, if successfully employed in court may have a severely restrictive effect on the use of data-driven applications and the operations of third-party data providers, creating potential liability for any company that handles a consumer’s digital identity.
The question remains if the FTC can draw the largest digital entities, and their myriad partners, into a full-scale war on consumer data collection. The seeds have already been planted, and lawyers are now harvesting a few settlements from lawsuits that have pitted individuals using mobile applications against the manufacturers of their devices and their partner developers. An example is Freeman vs. Apple (2010), which brought to light the case logic which could have far reaching effects for any company that does business online or employs social media.
, submitted in what seems to be a test case, is interesting reading. Test cases are launched by lawyers seeking to lay the legal foundation for industry-wide class action lawsuits. The lawsuit’s argument outlines what might be a mirror of the government’s eventual argument against all forms of third-party data collection, encompassing advertising agencies, third-party data collectors, research firms and device manufacturers.
The complaint colorfully describes the advertising industry as an all-seeing, shadow legion of the powerful, seeking to spy on Americans’ “every online move” and to monetize virtually every aspect of private life via the creation of newer and more technically invasive methods of tracking.
Advertisers, according to the complaint, create “supercookies” by integrating the use of UDID’s in location-based applications and non-location based applications. “Traditional efforts to prevent internet tacking, such as deleting cookies, have no effect on apps’ access to an UDID”. The complaint doesn’t insinuate that apps are getting names, phone numbers and addresses and selling them on an open market. The argument attacked the mere ability of the application to access this information and It held the device manufacturer and partner developers responsible.
The complaint goes on to state that the “ultimate goal” of advertising networks using apps is to ascertain the personal identity of particular users in order to tailor advertising to their preferences to and track them on an individual level.
The complaint goes on to list applications which are alleged to have accessed UDID information: “Plaintiffs’ valuable UDID information, demographic information, location information, as well as their application usage habits is a valuable commodity that they could have sold to research firms. Such information was taken without their knowledge or consent. Plaintiff’s should be compensated for this harm.”
The idea that companies might have to pay individuals for UDID, or other perceived privacy infractions based on new interpretations of the law, is a chilling one for those who deal with consumer data in any format. The investigations, coupled with the recently settled lawsuit and current legislation before the Senate may have the following effects:
- Third-party data collection, unless completely transparent to all sides, may be over. No brand will expose itself to such risk to get at a flow of anonymous data for a marketing strategy that may or may not work.
- Companies that supply strictly opt-in consumer data will rise rapidly. While the industry still struggles with the scope of self-regulation, the government, and a pack of hungry lawyers, are marching on. There isn’t a lot of time to debate the after-effects of an opt-out button if not posting one can land you with a lawsuit from a plaintiff named “precious” seeking to hawk her data on the open market.
- Companies that use applications of any kind will have to rewrite their privacy policies. The phrase “informing the consumer” has always been murky. Brands may end up tethered to an elaborate opt-out education program and a bunch of icons far more onerous than the “advertising options” icon proposed by the Digital Advertising Association.
This isn’t really an apocalyptic scenario. Advertisers can take control now by creating effective privacy policies that satisfy, or exceed those recommended by the DAA. The law, and the lawsuits which have been successfully settled for plaintiffs signify how dire things can become for advertisers, agencies and even device manufacturers if privacy issues aren’t dealt with on micro and aggregate levels.