`
`PRIVACY ONLINE:
`
`A REPORT TO CONGRESS
`
`FEDERAL TRADE COMMISSION
`JUNE 1998
`
`Smart Mobile Technologieseo LitEdiptanes
`Page 2023 - 1
`IPR2022-00807, AppleInc. et al. v. Smart Mobile Technologies LLC
`
`

`

`FEDERAL TRADE COMMISSION
`
`Robert Pitofsky
`Mary L. Azcuenaga
`Sheila F. Anthony
`Mozelle W. Thompson
`Orson Swindle
`
`Chairman
`Commissioner
`Commissioner
`Commissioner
`Commissioner
`
`BUREAU OF CONSUMER PROTECTION
`
`Authors
`
`Martha K. Landesberg
`Toby Milgrom Levin
`Caroline G. Curtin
`Ori Lev
`
`Division of Credit Practices
`Division of Advertising Practices
`Division of Advertising Practices
`Division of Credit Practices
`
`
`
`SurveyAdvisors
`
`Manoj Hastak
`Louis Silversin
`Don M. Blumenthal
`
`George A. Pascoe
`
`Division of Advertising Practices
`Bureau of Economics
`Litigation and Customer Support Center
`Information and Technology Management Office
`Litigation and Customer Support Center
`Information and Technology Management Office
`
`Smart Mobile Technologies LLC, Exhibit 2023
`Page 2023 -2
`IPR2022-00807, Apple Inc. et al. v. Smart Mobile Technologies LLC
`
`

`

`TABLE OF CONTENTS
`
`Beecqutive SUMMULY § icc cssre datebiweecadee 1
`
`Bi
`
`TiOGUCHOR:
`
`35 ccc acswaewee eee cece cette eee eee 1
`
`II. History and Overview ............ 0.0002 tte eee 2
`A.|The Federal Trade Commission’s Approach to Online Privacy ................. Z
`B.-
` Corigumer Privacy Omhie 5
`.c225.6bic ace ee v2 es eee eset wane a ee Coes zs FEATS Z
`1,
`Growth ofthe Online Market «2. 20..5.5.64 0005 cada ce hpi eds sna e dela gen 2
`a
`(Privat COMCEMS ow ge ee lee de ee bee e eens 3
`Children’s Privacy Online ...........22..0.0.00 02200002002 4
`1.
`Growth in the Number of Children Online ...........................-. 4
`2.
`Safety and Privacy Concerns ................ 0.0.0.0 02 2c eee eee 4
`
`C.
`
`III.
`
`IV.
`
`V.
`
`Fair Information Practice Principles ................000 0000000 e eee eee eee 7
`A.
`Fair Information Practice Principles Generally ............................. 7
`]
`Notice/Awareness .......-....--20 0020 e eee eee eee 7
`2.
` Choice/Consent ...........0.0.0 0.00002 tees 8
`3.
` Access/Participation ................ 0002.0 9
`4.
` Integrity/Security ..... 0.0.0.0... 002 eee eee 10
`5
`Enforcement/Redress .............00000 000 cece eee eee 10
`Application of Fair Information Practice Principles to Information Collected From
`SHOEI, 6 5.34 Soe GAAS BASS GT ESAE SALE BOK oe Rane e LG aad o.P)S FOES es 12
`1.
`Parental Notice/Awareness and Parental Choice/Consent ................ 12
`2.
`Access/Participation and Integrity/Security .................-.--422-4. 13
`
`B.
`
`Industry Association Guidelines ............... 0.0.0... 0c cee 15
`A.
`Industry Association Guidelines ...............02.00.22000 02002 e eee eee 15
`l.
`Notice/Awareness ............2.0.000 000 cece ee eee 15
`2.
`Choice/Consent ...............00 000000 cee ee 16
`3.
` Access/Participation .............0 0.000020 16
`4.
` Integrity/Security ..........0.00 0.000000 002s 16
`5
`Enforcement/Redress ............00. 00000 cece eee 16
`Guidelines Regarding Children’s Information ...........................-. 17
`
`B.
`
`Survey of Commercial Web Sites ............02.0. 020000220 19
`Fiz*
`NOWGRIOW o Adal edits wajeras fem d ead eee 19
`B.
`General Survey Findings ..............0.. 000.0000 ccc eee 21
`E.
`"Web Sues 2.25 cc2d0.6 8208 -- 0-0 eee 21
`2.
`Personal Information Collection.....................0.-0222-22000055 22
`3.
`Frequency of Disclosures ..............2...020200002 202 e eee eee eee 27
`4.
`Nature of Disclosures
`..............0.000 000000 cece eee 29
`Children’s Survey Findings ...............0.0000 000000 cece eee 31
`
`C.
`
`Smart Mobile Technologies LLC, Exhibit 2023
`Page 2023 -3
`IPR2022-00807, Apple Inc. et al. v. Smart Mobile Technologies LLC
`
`

`

`1.
`2.
`3.
`4.
`
`Personal Information Collection from Children ....................... 31
`Frequency of Disclosures ................0000000 000 e cece eee 34
`Nature of Disclosures ................... 0.0 eee eee eee ee eee 35
`Parental Involvement ..................20.. 20.2... eee eee eee eee 37
`
`VI. Conclusions .............. 0.0. ce eee eee e cnet eee neeees 39
`
`Endnotes ............ 0... c eee eee cee eee eee e eee eee e eee eeeeeeeeees 45
`
`Appendix A: Methodology
`
`Appendix B: Surfer Instructions (General and Children’s Surveys)
`
`Appendix C: Survey Samples and Results
`
`Appendix D: Supporting Data Tables
`
`Appendix E:
`
`Industry Guidelines
`
`Smart Mobile Technologies LLC, Exhibit 2023
`Page 2023 -4
`IPR2022-00807, Apple Inc. et al. v. Smart Mobile Technologies LLC
`
`

`

`Privacy Online: A Report to Congress
`
`EXECUTIVE SUMMARY
`
`°
`
`°
`
`A medical clinic’s online doctor-referral service invites consumers to submit their
`name, postal address, e-mail address, insurance company, any comments concerning
`their medical problems, and to indicate whether they wish to receive information on
`any of a numberoftopics, including urinary incontinence, hypertension, cholesterol,
`prostate cancer, and diabetes. The online application for the clinic’s health education
`membership program asks consumers to submit their name, address, telephone
`number, date of birth, marital status, gender, insurance company, and the date and
`location oftheir last hospitalization. The clinic’s Website says nothing about how the
`information consumersprovide will be used or whetherit will be made available to
`third parties.
`
`A child-directed site collects personal information, such as a child’s full name, postal
`address, e-mail address, gender, and age. The site also asks a child whether he or she
`has received gifts in the form of stocks, cash, savings bonds, mutual funds, or
`certificates of deposit; who has given these gifts; whether monetary gifts were invested
`in mutual funds, stocks, or bonds; and whetherthe child’s parents own mutual funds.
`Elsewhere on the site, contest winners’ full name, age, city, state and zip code are
`posted. The Website does nottell children to ask their parents for permission before
`providing personal information and does not appearto take any steps to involve
`parents. Further, the site says nothing about whether the information is disclosed to
`third parties.
`
`The World Wide Webis an exciting new marketplace for consumers.
`
`It offers easy access
`
`to a broad array of goods, services, and information, but also serves as a source of vast amounts
`
`of personal information about consumers, including children. While the online consumer market
`
`is growing exponentially, there are also indications that consumers are wary ofparticipating in it
`
`because of concerns about how their personal information is used. As the above examples show,
`
`these concernsare real, for both adults and children.
`
`The Commission has been involved in addressing online privacy issues for almost as long as
`
`there has been an online marketplace and has held a series of workshopsand hearings on such
`
`issues. Throughout, the Commission’s goal has been to encourage andfacilitate effective self-
`
`Smart Mobile Technologies LLC, Exhibit 2023
`Page 2023 -5
`IPR2022-00807, Apple Inc. et al. v. Smart Mobile Technologies LLC
`
`

`

`Privacy Online: A Report to Congress
`
`regulation as the preferred approach to protecting consumerprivacy online. These efforts have
`
`been based onthe belief that greater protection of personal privacy on the Webwill not only
`
`protect consumers, but also increase consumer confidence and ultimately their participation in the
`
`online marketplace.
`
`In this report, the Commission summarizes widely-accepted principles
`
`regarding information collection, use, and dissemination; describes the current state of information
`
`collection and privacy protection online; and assesses the extent of industry’s self-regulatory
`
`response.
`
`Governmentstudies in the United States and abroad have recognized certain core principles
`
`of fair information practice. These principles are widely accepted as essential to ensuring that the
`
`collection, use, and dissemination of personal information are conducted fairly and in a manner
`
`consistent with consumerprivacy interests. These core principles require that consumers be given
`
`notice of an entity’s information practices; that consumers be given choice with respect to the use
`
`and dissemination of information collected from or about them; that consumers be given access to
`
`information about them collected and stored by an entity; and that the data collector take
`
`appropriate steps to ensure the security and integrity of any information collected. Moreover,it is
`
`widely recognized that fair information practice codes or guidelines should contain enforcement
`
`mechanisms to ensure compliance with these core principles. With respect to the collection of
`
`information from children, a wide variety of public policies recognize the important supervisory
`
`role of parents in commercial transactions involving their children. Parental controlis also the
`
`touchstone for application offair information practice policies to the collection of information
`
`from children.
`
`The Commission solicited industry association fair information practice guidelines to assess
`
`their conformity with these core principles. This assessment showsthat industry association
`
`guidelines generally encourage members to provide notice of their information practices and some
`
`choice with respect thereto, but fail to provide for access and security or for enforcement
`
`mechanisms.
`
`The Commission also examined the practices of commercial sites on the World Wide Web.
`
`The Commission’s survey of over 1,400 Websites reveals that industry’s efforts to encourage
`
`il
`
`Smart Mobile Technologies LLC, Exhibit 2023
`Page 2023 -6
`IPR2022-00807, Apple Inc. et al. v. Smart Mobile Technologies LLC
`
`

`

`Privacy Online: A Report to Congress
`
`voluntary adoption of the mostbasic fair information practice principle — notice — havefallen
`
`far short of what is needed to protect consumers. The Commission’s survey showsthat the vast
`
`majority of Web sites — upward of 85% — collect personal information from consumers. Few of
`
`the sites — only 14%in the Commission’s random sample of commercial Web sites — provide
`
`any notice with respect to their information practices, and fewerstill — approximately 2% —
`
`provide notice by means of a comprehensive privacy policy. The results with respect to the
`
`collection of information from children are also troubling. Eighty-nine percent of children’ssites
`
`surveyed collect personal information from children. While 54% ofchildren’s sites provide some
`
`form of disclosure of their information practices, few sites take any steps to provide for
`
`meaningful parental involvementin the process. Only 23% ofsites eventell children to seek
`
`parental permission before providing personal information, fewerstill (7%) say they will notify
`
`parents of their information practices, and less than 10%provide for parental control over the
`
`collection and/or use of information from children. The Commission’s examination of industry
`
`guidelines and actual online practices reveals that effective industry self-regulation with respect to
`
`the online collection, use, and dissemination of personal information has not yet taken hold.
`
`In light of the Commission’s findings and significant consumer concerns regarding privacy
`
`online,it is evident that substantially greater incentives are needed to spur self-regulation and
`
`ensure widespread implementation of basic privacy principles. The Commissionis currently
`
`considering such incentives and possible courses of action to adequately protect the privacy of
`
`online consumers generally. The Commission will make its recommendations on this subjectthis
`
`summer.
`
`In the specific area of children’s online privacy, however, the Commission now recommends
`
`that Congress develop legislation placing parents in control of the online collection and use of
`
`personalinformation from their children. Such legislation would require Websites that collect
`
`personalidentifying information from children to provide actual notice to parents and obtain
`
`parental consent. The timing of such notice and consent would vary depending on the age of the
`
`child, and the nature and uses of the information collected. Such legislation would protect
`
`children and ensure that parents have knowledge of, and control over, the collection of
`
`iti
`
`Smart Mobile Technologies LLC, Exhibit 2023
`Page 2023 -7
`IPR2022-00807, Apple Inc. et al. v. Smart Mobile Technologies LLC
`
`

`

`Privacy Online: A Report to € ‘ongress
`
`information from their children.
`
`The development of the online marketplaceis at a critical juncture. If growing consumer
`
`concerns about online privacy are not addressed, electronic commercewill not reachits full
`
`potential. To date, industry has had only limited success in implementing fair information
`
`practices and adopting self-regulatory regimes with respect to the online collection, use, and
`
`dissemination of personal information. Accordingly, the Commission now recommendslegislation
`
`to protect children online and this summerwill recommend an appropriate response to protect the
`
`privacy ofall online consumers.
`
`Iv
`
`Smart Mobile Technologies LLC, Exhibit 2023
`Page 2023 -8
`IPR2022-00807, Apple Inc. et al. v. Smart Mobile Technologies LLC
`
`

`

`Privacy Online: A Report to Congress
`
`I.
`
`INTRODUCTION
`
`This report to Congress provides an assessmentof the effectiveness ofself-regulation as a
`
`meansof protecting consumer privacy on the World Wide Web(“the Web”).'
`
`It is based on a
`
`comprehensive online survey of the information practices of commercial Websites, including sites
`
`directed to children, conducted in March 1998; an examination of current industry guidelines
`
`governing information practices online; and the record developed in Commission hearings and
`
`workshopsheld since 1995.
`
`Part II of the report providesa brief history of the Commission’s work in the area of online
`
`privacy, and a summary of the privacy concernsraised by the new online marketplace. PartIII
`
`describes what have cometo be recognized as the core principles of privacy-protective
`
`information practices. Part IV then compares current industry guidelines with these generally
`
`accepted principles, and Part V presents the findings of the Commission’s survey of Websites.
`
`Part VI sets forth the Commission’s conclusions.
`
`Smart Mobile Technologies LLC, Exhibit 2023
`Page 2023 -9
`IPR2022-00807, Apple Inc. et al. v. Smart Mobile Technologies LLC
`
`

`

`Privacy Online: A Report to € ‘ongress
`
`II. HISTORY AND OVERVIEW
`
`A. THE FEDERAL TRADE COMMISSION’S APPROACH TO ONLINE
`
`PRIVACY
`
`The Commission has been involved in addressing online privacy issues for almost as long as
`
`there has been an online marketplace.
`
`In April 1995, staff held its first public workshop on
`
`privacy on the Internet, and in Novemberof that year the Commission held hearings on online
`
`privacyas part of its extensive hearings on the implications of globalization and technological
`
`innovation for competition and consumerprotectionissues.
`
`In June 1996, the Commission conducted a two-day workshop to explore privacy concerns
`
`raised by the online collection of personal information, and the special concernsraised by the
`
`collection of personal information from children. The workshop considered an array of
`
`alternatives to address those concerns, including industry self-regulation, technology-based
`
`solutions, consumer and business education, and government regulation. A summary of the
`
`workshop testimony was published by the Commission in a December 1996staff report entitled
`
`ConsumerPrivacy on the Global Information Infrastructure. A second workshop in June 1997
`
`delved more deeplyinto these issues.’
`
`In all of these endeavors the Commission’s goals have
`
`been (1) to identify potential consumerprotection issues related to online marketing and
`
`commercial transactions; (2) to provide a public forum for the exchange of ideas and presentation
`
`of research and technology; and (3) to encourage effective self-regulation.’
`
`B. CONSUMER PRIVACY ONLINE
`
`1.
`
`GROWTH OF THE ONLINE MARKET
`
`The World Wide Webis an exciting new marketplace for consumers.
`
`It offers easy access
`
`not only to a vast array of goods and services, but also to rich sources of information that enable
`
`Smart Mobile Technologies LLC, Exhibit 2023
`Page 2023 - 10
`IPR2022-00807, Apple Inc. et al. v. Smart Mobile Technologies LLC
`
`

`

`Privacy Online: A Report to Congress
`
`consumers to makebetter-informed purchasing decisions.
`
`It also offers the convenience of
`
`shopping from the office or home. This information-rich medium also serves as a source ofvast
`
`amounts of personal information about consumers. Commercial Websites collect personal
`
`information explicitly through a variety of means, including registration pages, user surveys, and
`
`online contests, application forms, and order forms. Websites also collect personal information
`
`through meansthat are not obvious to consumers, such as “cookies.”
`
`The online consumer market is growing exponentially.
`
`In early 1997, 51 million adults were
`
`already online in the U.S. and Canada,° and 73% reported that they had shopped for product
`
`information on the World Wide Web.° By December 1997, the numberof adults online in the
`
`U.S. and Canada had climbed to 58 million, and 10 million had actually purchased a product or
`
`service online.’ Analysts estimate that Internet advertising — which totaled approximately $301
`
`million in 1996 — will swell to $4.35 billion by the year 2000.*
`
`2.
`
`PRIVACY CONCERNS
`
`While these figures suggest that the online marketplace is growing rapidly, there are also
`
`indications that consumers are wary ofparticipating in it. Surveys have shownthat increasing
`
`numbers of consumers are concerned about how their personal information is used in the
`
`electronic marketplace. This research indicates that consumers have less confidence in how online
`
`service providers and merchants handle personal information than they have in how traditionally
`
`offline institutions, such as hospitals and banks, handle such information.’ In fact, a substantial
`
`numberof online consumers would rather forego information or products available through the
`
`Webthan provide a Website personal information without knowing whatthe site’s information
`
`practices are.'” Accordingto the results of a March 1998 Business Week survey, consumersnot
`
`currently using the Internet ranked concerns aboutthe privacy of their personal information and
`
`communicationsas the top reason they have stayed off the Internet.'' Clearly, consumerscare
`
`deeply about the privacy and security of their personal information in the online environment and
`
`are looking for greater protections.'? These findings suggest that consumerswill continue to
`
`distrust online companies and will remain wary of engaging in electronic commerceuntil
`
`Smart Mobile Technologies LLC, Exhibit 2023
`Page 2023 - 11
`IPR2022-00807, Apple Inc. et al. v. Smart Mobile Technologies LLC
`
`

`

`Privacy Online: A Report to € ‘ongress
`
`meaningful and effective consumerprivacy protections are implementedin the online marketplace.
`
`If such protections are not implemented, the online marketplace will fail to reach its full potential.
`
`C. CHILDREN’S PRIVACY ONLINE
`
`1.
`
`GROWTH IN THE NUMBER OF CHILDREN ONLINE
`
`Children represent a large and rapidly growing segment of online consumers and are being
`
`actively targeted by commercial Websites.'* Children use the Web for a widevariety ofactivities,
`
`including homework, informal learning, browsing, playing games, corresponding with electronic
`
`pen pals by e-mail, placing messages on electronic bulletin boards and participating in chat
`
`rooms.'* Amongthe activities most attractive to children are those that allow them to
`
`communicatedirectly with their peers, for example, chat rooms, bulletin boards and e-mail.'°
`
`Almost 10 million (14%) of America’s 69 million children are now online, with over 4 million
`
`accessing the Internet from school and 5.7 million from home.'® Children are also avid consumers
`
`and represent a large and powerful segment of the marketplace. They are estimated to spend
`
`billions of dollars a year, and to influence the expenditureof billions more.'’ Their growing
`
`presence online, therefore, creates enormous opportunities for marketers to promote their
`
`products and services to an eager audience.'* At the same time, the Weboffers an easy way to
`
`collect large amounts of detailed marketing data from and aboutchildren.
`
`2.
`
`SAFETY AND PRIVACY CONCERNS
`
`A wide variety of detailed personal information is being collected online from and about
`
`children, often without actual notice to or an opportunity for control by parents.'’ This
`
`information may be collected from children at various places on a site: when the childis
`
`registering for a contest, enrolling in an electronic pen pal program, completing a survey, or
`
`playing a game. A child mayalso reveal such personal information in the course of participating
`
`in chat rooms or posting messages on electronic bulletin boards — areas that are publicly
`
`accessible to anyone surfing the Web.” Thesepractices present unique privacy and safety
`
`Smart Mobile Technologies LLC, Exhibit 2023
`Page 2023 - 12
`IPR2022-00807, Apple Inc. et al. v. Smart Mobile Technologies LLC
`
`

`

`Privacy Online: A Report to Congress
`
`concerns because ofthe particular vulnerability of children, the immediacy and ease with which
`
`information can be collected from them, and the ability of the online medium to circumvent the
`
`traditional gatekeeping role ofthe parent.
`
`The most potentially serious safety concern is presented by the posting of personal
`
`identifying information by and about children — j.e., information that can be usedto identify
`
`children, such as name, postal or e-mail address — ininteractive public areas, like chat rooms and
`
`bulletin boards, that are accessible to all online users. These activities enable children to
`
`communicate freely with strangers, including adults. The FBI and Justice Department’s “Innocent
`
`Images”investigation has revealed that online services and bulletin boards are quickly becoming
`
`the most powerful resources used by predatorsto identify and contact children.’ Further,
`
`anecdotal evidence indicates that many children surfing the Web claim to have experienced
`
`problems such as attempted passwordtheft and inappropriate advancesby adults in children’s
`
`chat rooms.”
`
`Traditionally, parents have instructed children to avoid speaking with strangers. The
`
`collecting or posting of personal information in chat rooms and on bulletin boards online runs
`
`contrary to that traditional safety message. Children are told by parents notto talk to strangers
`
`whom they meet on the street, but they are given a contrary message by Websites that encourage
`
`them to interact with strangers in their homes via the Web. The dangers in the Web environment
`
`are heightened by the fact that children cannot determine whether they are dealing with another
`
`child or an adult posing as a child.
`
`In addition to these safety issues are privacy concerns raised by commercial Websites’
`
`collection of personal information from children for marketing purposes. As described below,the
`
`practice is widespread and includesthe collection of personal information from even very young
`
`children without any parental involvement or awareness.
`
`There is considerable concern aboutonline collection practices that bypass parents, who
`
`havetraditionally protected children from marketing abuses.” Children generally lack the
`
`developmental capacity and judgmentto give meaningful consent to the release of personal
`
`information to a third party.”* This is an even greater problem whenchildren are offered an
`
`Smart Mobile Technologies LLC, Exhibit 2023
`Page 2023 - 13
`IPR2022-00807, Apple Inc. et al. v. Smart Mobile Technologies LLC
`
`

`

`Privacy Online: A Report to € ‘ongress
`
`incentive for releasing personal information, or whenrelease of personal informationis a
`
`prerequisite to registering for a contest, joining a kid’s club, or playing a game.”
`
`Survey data confirm that parents strongly favor limiting the collection and use of personal
`
`information from and about their children. For example, 97% of parents whose children use the
`
`Internet believe Websites should notsell or rent personal informationrelating to children, and
`
`72% object to a Website’s requesting a child’s name and address whenthe child registers at the
`
`site, even if such informationis usedonly internally.”°
`
`In sum, the immediacy and ease with which personal information can be collected from
`
`children online, combined with the limited capacity of children to understand fully the potentially
`
`serious safety and privacy implications of providing that information, have created deep concerns
`
`about current information practices involving children online.
`
`Smart Mobile Technologies LLC, Exhibit 2023
`Page 2023 - 14
`IPR2022-00807, Apple Inc. et al. v. Smart Mobile Technologies LLC
`
`

`

`Privacy Online: A Report to Congress
`
`III. FAIR INFORMATION PRACTICE PRINCIPLES
`
`A. FAIR INFORMATION PRACTICE PRINCIPLES GENERALLY
`
`Overthe past quarter century, government agencies in the United States, Canada, and
`
`Europe have studied the mannerin whichentities collect and use personal information — their
`
`“information practices” — and the safeguards required to assure those practicesare fair and
`
`provide adequate privacy protection.*’ The result has beenaseries of reports, guidelines, and
`
`model codesthat represent widely-accepted principles concerningfair information practices.”*
`
`Commonto all of these documents [hereinafter referred to as “fair information practice codes”’]
`
`are five core principles of privacy protection: (1) Notice/Awareness; (2) Choice/Consent;
`
`(3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress.
`
`1.
`
`NOTICE/AWARENESS
`
`The most fundamental principle is notice. Consumers should be given notice of an entity’s
`
`information practices before any personal information is collected from them. Withoutnotice, a
`
`consumer cannot make an informed decision as to whether and to whatextent to disclose personal
`
`information.*”? Moreover, three of the other principles discussed below — choice/consent,
`
`access/participation, and enforcement/redress — are only meaningful when a consumerhas notice
`
`of an entity’s policies, and his or her rights with respect thereto.*°
`
`While the scope and content of notice will depend on the entity’s substantive information
`
`practices, notice of some orall of the following have been recognized as essential to ensuring that
`
`consumers are properly informed before divulging personal information:
`
`*—identification ofthe entity collecting the data;*’
`
`*—identification of the uses to whichthe data will be put;*”
`
`-
`
`identification of any potential recipients of the data:**
`
`Smart Mobile Technologies LLC, Exhibit 2023
`Page 2023 - 15
`IPR2022-00807, Apple Inc. et al. v. Smart Mobile Technologies LLC
`
`

`

`Privacy Online: A Report to Congress
`
`°
`
`*
`
`°
`
`the nature of the data collected and the means by whichit is collected if not obvious
`
`(passively, by means of electronic monitoring, or actively, by asking the consumerto
`
`provide the information);**
`
`whether the provision of the requested data is voluntary or required, and the
`
`consequencesofa refusal to provide the requested information;** and
`
`the steps taken by the data collector to ensure the confidentiality, integrity and quality
`
`of the data.*°
`
`Some information practice codesstate that the notice should also identify any available
`
`consumerrights, including: any choice respecting the use of the data;*’ whether the consumer has
`
`been given a right of access to the data;** the ability of the consumerto contest inaccuracies;”’ the
`
`availability of redress for violations of the practice code;*° and how suchrights can be exercised.*!
`
`In the Internet context, notice can be accomplished easily by the posting of an information
`
`practice disclosure describing an entity’s information practices on a company’s site on the Web.
`
`To be effective, such a disclosure should be clear and conspicuous, posted in a prominent
`
`location, and readily accessible from both the site’s home page and any Web page where
`
`information is collected from the consumer.
`
`It should also be unavoidable and understandable so
`
`that it gives consumers meaningful and effective notice of what will happen to the personal
`
`information they are asked to divulge.
`
`2.
`
`CHOICE/CONSENT
`
`The second widely-accepted core principle of fair information practice is consumer choice
`
`or consent.” Atits simplest, choice means giving consumersoptions as to how any personal
`
`information collected from them may be used. Specifically, choice relates to secondary uses of
`
`information — i.e., uses beyond those necessary to complete the contemplated transaction. Such
`
`secondary uses can be internal, such as placing the consumeronthe collecting company’s mailing
`
`list in order to market additional products or promotions, or external, such as the transfer of
`
`information to third parties.
`
`Smart Mobile Technologies LLC, Exhibit 2023
`Page 2023 - 16
`IPR2022-00807, Apple Inc. et al. v. Smart Mobile Technologies LLC
`
`

`

`Privacy Online: A Report to Congress
`
`Traditionally, two types of choice/consent regimes have been considered: opt-in or opt-out.
`
`Opt-in regimes require affirmative steps by the consumerto allow the collection and/or use of
`
`information; opt-out regimes require affirmative steps to prevent the collection and/or use of such
`
`information. The distinction lies in the default rule when noaffirmative steps are taken by the
`
`consumer.** Choice can also involve more than a binary yes/no option. Entities can, and do,
`
`allow consumersto tailor the nature of the information they reveal and the uses to which it will be
`
`put.* Thus, for example, consumers can be provided separate choices as to whether they wish to
`
`be on a company’s general internal mailing list or a marketinglist sold to third parties.
`
`In order to
`
`be effective, any choice regime should provide a simple and easily-accessible way for consumers
`
`to exercise their choice.
`
`In the online environment, choice easily can be exercised by simply clicking a box on the
`
`computerscreen that indicates a user’s decision with respect to the use and/or dissemination of
`
`the information being collected. The online environmentalso presents new possibilities to move
`
`beyond the opt-in/opt-out paradigm. For example, consumers could be required to specify their
`
`preferences regarding information use before entering a Website, thus effectively eliminating any
`
`need for default rules.*°
`
`3. ACCESS/PARTICIPATION
`
`Accessis the third core principle.
`
`It refers to an individual’s ability both to access data
`
`about him or herself — i.e., to view the data in an entity’s files — and to contest that data’s
`
`accuracy and completeness.*° Both are essential to ensuring that data are accurate and complete.
`
`To be meaningful, access must encompass timely and inexpensive access to data, a simple means
`
`for contesting inaccurate or incomplete data, a mechanism by whichthe data collector can verify
`
`the information, and the means by which corrections and/or consumerobjections can be added to
`
`the datafile andsentto all data recipients.*’
`
`Smart Mobile Technologies LLC, Exhibit 2023
`Page 2023 - 17
`IPR2022-00807, Apple Inc. et al. v. Smart Mobile Technologies LLC
`
`

`

`Privacy Online: A Report to € ‘ongress
`
`4.
`
`INTEGRITY/SECURITY
`
`The fourth widely accepted principle is that data be accurate and secure. To assure data
`
`integrity, collectors must take reasonable steps, such as using only reputable sources of data and
`
`cross-referencing data against multiple sources, providing consumeraccess to data, and
`
`destroying untimely data or convertingit to anonymous form.**
`
`Security involves both managerial and technical measures to protect against loss and the
`
`unauthorized access, destruction, use, or disclosure of the data.*” Managerial measures include
`
`internal organizational measuresthat limit access to data and ensure that those individuals with
`
`access do notutilize the data for unauthorized purposes. Technical security measures to prevent
`
`unauthorized access include encryption in the transmission and storage of data; limits on access
`
`through use of passwords; and the storage of data on secure servers or computers that are
`
`inaccessible by modem.”
`
`5.
`
`ENFORCEMENT/REDRESS
`
`It is generally agreed that the core principles of privacy protection can only be effective if
`
`there is a mechanism in place to enforce them.*! Absent an enforcement and redress mechanism, a
`
`fair information practice code is merely suggestive rather than prescriptive, and does not ensure
`
`compliance with core fair information practice principles. Amongthe alternative enforcement
`
`approachesare industry