The Center for Digital Democracy (“CDD”), a private consumer privacy advocate, recently filed a complaint and “request for investigation” before the Federal Trade Commission (“FTC”) accusing 30 U.S. companies of violating provisions of the Safe Harbor framework. The 118-page complaint, filed August 14th, urges the FTC to take legal action against the companies, including Adobe Systems, AOL, and Salesforce.
Administered by the Department of Commerce and primarily enforced by the FTC, the Safe Harbor program facilitates data transfers between E.U. and U.S. companies who have agreed to adhere to a set of recommended data privacy practices. For these companies, the failure to adhere to Safe Harbor requirements can constitute an unlawful deceptive trade practice.
The CDD complaint alleges a number of defects in the companies’ data practices and representations under Safe Harbor, including:
Misclassification of Entities as “Data Processors.” E.U. data protection rules distinguish “data processors” from “data controllers,” with “data controllers” subject to potentially more onerous regulatory requirements. The CDD complaint alleges that some companies which ought to be classified as “data controllers” based on their control of personal information instead mis-classify themselves as “data processors.”
Ineffective Opt-Outs. Although companies may offer consumers the ability to opt-out of online profiling and tracking, the CDD alleges that many of these opt-out mechanisms are technically deficient and will not be effective for all tracking technologies.
False Anonymity. The CDD complaint objects to claims that consumer data is anonymized or non-personally identified information. According to the CDD, the absence of “given names or government ID numbers” does not make information anonymous where individual consumers may on the basis of other information readily be targeted or individually identified.
Incomplete Disclosures. The CDD complaint alleges that companies fail to provide adequate or complete disclosures regarding their uses of consumers’ data. The CDD expressed special concern about the ability of companies to “onboard” and combine “vast quantities of consumer data from a wide variety of sources, online and off.” Commenting on these practices, the CDD wrote, “Nowhere in the Safe Harbor documentation or privacy statements that we examined, however, are such developments mentioned and clearly explained, even in passing.”
The CDD has provided a shorter summary of its complaints.
Written by Michael Young, Associate, Technology and Privacy Group | Alston & Bird LLP