USA Law and Practice Contributed by: Katelyn Patton, Frankfurt Kurnit Klein & Selz
unnecessary or incompatible secondary uses of personal data require separate, affirmative consent. Businesses can only collect, process or share sensitive data when it is strictly necessary to provide or maintain a requested product or service; selling sensitive data is prohibited. These provisions may drastically reduce marketers’ ability to – without authorisation – use data for purposes related to advertising.

Most state privacy laws require written agreements with service providers or third parties that process personal information for the purpose of targeted advertising. These agreements generally must restrict unauthorised data use and mandate compliance with applicable privacy obligations. Under California law, for example, businesses must ensure that service providers do not use personal information for cross-context behavioural advertising. The Interactive Advertising Bureau’s Multi-State Privacy Agreement (MSPA) offers a standardised framework to help participants in the advertising technology space meet contractual and disclosure requirements across jurisdictions, particularly when honouring opt-outs for targeted advertising.

The FTC continues to oversee online behavioural advertising, using its authority to regulate unfair and deceptive practices. Expanding on its 2009 staff report, the FTC has repeatedly enforced against companies for alleged unlawful targeted advertising practices. It now requires companies engaged in targeted advertising to provide consumers with clear and conspicuous notice of data collection practices, alongside easy-to-use mechanisms for opting out of tracking. Businesses must implement reasonable security safeguards, apply data minimisation principles, and limit retention to what is necessary for legitimate business or legal purposes.
The handling of sensitive personal information – in particular, health data, precise location data, and children’s data – requires affirmative express consent. The FTC has also targeted the use of manipulative “dark patterns” that obscure consumer choice (see 3.3 Dark Patterns) and has pursued enforcement actions against companies that misrepresent their data practices or fail to uphold privacy commitments. Together, these measures demonstrate the FTC’s more active regulatory posture and efforts to embed stronger consumer protections into the evolving ecosystem of targeted advertising.

6.5 Marketing to Children
Enacted in 1998, the Children’s Online Privacy Protection Act (COPPA) empowers the FTC to issue and enforce regulations concerning children’s online privacy in the USA. The primary goal of COPPA is to place parents in control of what information is collected from their young children online and it applies to both:

• operators of commercial websites and online services (including mobile apps) directed at children under 13 that collect, use or disclose personal information from children or on whose behalf such information is collected or maintained; and
• operators of general audience websites or online services with actual knowledge that they are collecting, using or disclosing personal information from children under 13.

According to the FTC, covered entities’ responsibilities include the following:

• posting a clear and comprehensive privacy policy describing their practices for personal information collected online from children;
• providing direct notice to parents and obtaining verifiable parental consent, with limited exceptions, before collecting personal information online from children;
• giving parents the option of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service – in which case, this must be made clear to parents);
• providing parents access to their child’s personal information to review and/or have deleted;
• maintaining the confidentiality, security and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security;
• retaining personal information collected online from a child for only as long as is necessary to fulfil the purpose for which it was collected; and
CHAMBERS.COM