Client Update – Recent developments in the US, by both the Federal Trade Commission (“FTC”) and the California Attorney General

Dear Client,
We would like to bring to your attention recent developments in the US, by both the Federal Trade Commission (“FTC”) and the California Attorney General.

The FTC initiated action against Avast (a well-known antivirus security company), accusing Avast of unfairly collecting consumers’ browsing data through Avast’s safe-browsing browser extension/add-on and antivirus software. Avast collected this information, stored it indefinitely, and later sold the data, or insights based on it, to marketers without proper notice or consumer consent.

The complaint highlighted that Avast not only failed to inform consumers about the data collection and sale but paradoxically claimed that its products would prevent “annoying” online tracking. Subsequently, Avast was met with a $16.5 million settlement and an order to cease selling or licensing web browsing data for advertising purposes.

In the complaint, Commissioner Khan asserted a case of “Consumer Harm Related to Browsing Information.” Notably, the Avast extensions and Avast antivirus software were found to collect sensitive browsing information, encompassing web searches, visited webpages, and details such as religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content, and an interest in prurient content. Because this browsing data reveals various facets of consumers’ personal information, it is sensitive and cannot be sold or shared without explicit affirmative consent. Avast claimed to anonymize the data, but the FTC found that it failed to do so sufficiently. Moreover, when selling the data, Avast failed to ensure (at least contractually) that the buyers were prohibited from re-identifying the data.

Exploring the implications of this recent complaint, we present vital insights that warrant your attention:

  1. Cease Unauthorized Data Sales:
    • Conduct a thorough review of data-sharing practices.
    • Enforce policies prohibiting the sale or licensing of user browsing data without explicit consent to the extent such data includes sensitive data. Where sensitive data can be filtered out, doing so is recommended (in addition to providing consumers with applicable disclosures).
    • Legally bind buyers to refrain from reidentifying the data when purchasing from marketing agencies.
  2. Implement Transparent Consent Protocols:
    • Update privacy policies to explicitly outline data-sharing practices.
    • Establish mechanisms for obtaining affirmative, explicit consent before sharing sensitive browsing data for advertising purposes.
  3. Regulatory Compliance:
    • Adhere to regulatory requirements for consumer notification.
    • Foster transparency and accountability in data practices.
  4. Develop a Comprehensive Privacy Program:
    • Design and implement a privacy program tailored to your company’s operations.
    • Periodically assess and update the program to align with evolving legal standards and concerns.

In another interesting case from last week, the California Attorney General (“AG”) announced a settlement with DoorDash, a San Francisco-based company that operates a website and mobile app through which consumers may order food delivery, over alleged violations of the California Consumer Privacy Act (“CCPA”) and the California Online Privacy Protection Act (“CalOPPA”), imposing a $375,000 civil penalty and injunctive terms as well as an enforceable privacy compliance plan.

This case particularly emphasizes the broad definition of “sale” under the CCPA (which applies in various “data sharing” events, not only while using analytic and marketing cookies) and the strict requirements for transparency and consumer choice.

According to the California AG, DoorDash sold its consumers’ personal information, including names, addresses and transaction histories, as part of its participation in a marketing cooperative, in which businesses contribute their customers’ personal information and, in exchange, receive the opportunity to advertise their services directly to the customers of the other participating businesses, without providing appropriate disclosures or opt-out opportunities. DoorDash received “valuable consideration” in exchange for disclosing its customer data to the co-op, namely the “opportunity to advertise its services directly to the customers of the other participating companies.” In other words, selling is broader than the use of cookies.

The CCPA requires businesses that sell personal information (i.e., receive valuable consideration in exchange for such personal information) to provide appropriate disclosures in their privacy policy and to offer consumers two or more easy mechanisms to opt out of the sale of their personal information. The complaint alleges that DoorDash violated the CCPA and the CalOPPA by failing to state in its posted privacy policy that it disclosed personal information to the marketing cooperatives, and by failing to offer an opportunity to opt out.

This settlement serves as a critical reminder of the importance of compliance with current and emerging state privacy laws. Consider the following (for both your business website and app, if applicable):

  1. Review and update your business’ privacy policy (at least annually) and ensure that it provides appropriate disclosures regarding the sale or sharing of personal information with third parties for cross-contextual behavioral advertising or targeted advertising, and not only through the use of cookies.
  2. Ensure the requirements for opting out of sale and sharing are met, including providing a “Do Not Sell or Share my Personal Information” link and respecting opt-out signals such as the Global Privacy Control (“GPC”).
  3. Comply with consumers’ requests to delete personal information within the allotted time mandated by the CCPA.
  4. Review contracts with marketing and analytics vendors, and your use of technology, to evaluate whether your business is selling or sharing consumer personal information. Companies participating in marketing co-ops and other third-party data sharing engagements should carefully review their agreements with the data recipients to ensure they restrict the recipients’ ability to further disclose or sell consumer personal information.

Most importantly, following this case and other recent cases in California, it seems that apps are on the radar: companies that collect personal information via an app and engage in “backend” selling of personal information should ensure that the app includes sufficient CCPA disclosures and a mechanism for users to easily opt out of the sale of their personal information.

We are at your service for any questions or clarifications via email or phone at 03-370-5000.

With regards,
Cyber, Data Protection & Privacy
Department
Shibolet & Co.

This document is intended to provide only a general background regarding this matter. It should not be regarded as setting out binding legal advice but rather as a practical overview based on our understanding of applicable regulations.