New Jersey’s recent action against PulsePoint demonstrates how State Attorneys General (AGs), as well as federal regulators like the FTC, are using their considerable consumer protection authority to scrutinize new technologies that affect consumer privacy, including marketing practices using new technologies.
This week, the New Jersey AG’s office announced a $1 million settlement with online advertising company PulsePoint resolving allegations that the company improperly accessed consumers’ online browsing habits which they then used to target millions of online advertisements to New Jersey Consumers. PulsePoint is paid to place advertisements with Internet publishers and the New Jersey AG alleges that its predecessor company, ContextWeb Inc., bypassed Safari web browser privacy settings to gather information about consumer’s online browsing and purchasing habits (PulsePoint was formed by the merger of ContextWeb and Datran Media Corp. in 2011). According to the New Jersey AG, the company then used the information it gathered to target ads to specific consumers, even those who had set privacy settings to block “third-party advertiser” cookies, allowing it to improperly place as many as 215 million targeted advertisements on New Jersey computer screens between 2009 and 2012. Under the settlement, PulsePoint will pay a $566,200 penalty, plus $150,000 to be used by the AG’s high-tech investigative division and $250,000 for in-kind advertising to enable the AG’s Office to raise public awareness of the problem.
New Jersey, like other states and the FTC, is increasingly focusing on companies’ practices with respect to collecting and protecting consumer data. The Director of the New Jersey Division of Consumer Affairs, Eric Kanefsky, said his office has devoted additional resources and attention to Internet privacy in the last 18 months, with a team of investigators focused solely on the issue: “Obviously, this is an emerging area – so we are really trying to focus on it.” Kanefsky said he expects mobile privacy issues in particular to become more prominent in future investigations.
A key aspect of AGs and the FTC’s increased focus on data gathering practices and consumer privacy has been online advertising. Earlier this month, the FTC’s revised rule relating to the Children’s Online Privacy Protection Act (COPPA) took effect following two years of agency review to address the new ways children and young adults use and access the Internet. Earlier this year, Maryland AG Doug Gansler urged the state legislature to declare that a COPPA violation is also a violation of the state’s consumer protection laws, which would empower the AG to bring COPPA actions in state courts, as well as federal courts. The FTC is also concerned about protecting adults’ privacy online. Last year, Google agreed to pay $22.5 million to settle allegations of using cookies to track web activity after leading consumers to believe cookies were blocked.
As we have noted before on this blog, states have also increased enforcement actions to protect personal information online. California, Connecticut, Maryland, and a growing number of other states have teams in their consumer protection divisions specifically focusing on Internet and mobile privacy and data issues. In the absence of federal legislation relating to privacy and data protection, AGs are empowered to enforce the HITECH Act for health data breaches, as well as state laws relating to data protection and data breaches. The AGs in Connecticut, Massachusetts, Minnesota, and Vermont already have used their HITECH authority, as well as state laws, to sue hospitals and health care companies over data breaches.
As industries develop and use new technologies, so, too, will state consumer protection investigations evolve to address issues raised by those technologies. New Jersey’s action against PulsePoint is merely one more sign of things to come.